Vulnerabilities, vendors and enterprises. The three words often come together, to the horror of all concerned sites. Enterprises often lack sufficient patch management policy and incident response groups, or disregard the importance of proper education on security-related subjects. Thus, the frequency of zero-day and spear phishing attacks (among others) only seems inevitable.
Vulnerabilities are just like open doors that let malware in a system, program, browser, and sometimes games. Software vendors usually issue a security advisory and patch once a vulnerability is disclosed. However, cyber criminals often have enough time to exploit these weaknesses before the vendor finds out what is going on, or before the necessary patch is released.
Learn More about Exploit Kit Attacks
In many cases, weeks or months before the vulnerabilities are found pass by, leaving an opened door for exploitation that can continue from several hours to several months. Widely-spread software such as browsers, browser plug-ins and Java/ Adobe Flash products are often prone to vulnerabilities and their malicious exploitation.
If you follow the daily portion of IT security news, you know exactly what we mean. In theory, any organization (both from public and private sectors) can become a victim of a security incident. In practice, there’s a lot to learn and keep in mind in order to spare yourself and your organization from security breaches, or to minimize the damages of such.
Let’s start from the beginning..
CVE 101 – Common Vulnerabilities and Exposures
The good news is there are several big databases that are focused on CVE researching and reporting. One of them is https://www.cvedetails.com.
First of all, let us explain what a CVE is. The abbreviation stands for Common Vulnerabilities and Exposures.
Basically, a CVE can be referred as to a catalog of known security threats. As visible by the name, the threats are usually divided into two big sub-categories:
So, how do we understand vulnerabilities? Basically, vulnerability is nothing but a software mistake that enables a bad actor to attack a system or network by directly accessing it. Vulnerabilities can permit an attacker to act as a super-user or even a system admin and granting him full access privileges.
Exposure is different than vulnerability. It provides a malicious actor with indirect access to a system or a network. An exposure could enable a hacker to harvest sensitive information in a covert manner.
The CVE Catalog Definition
CVEs serve to standardize the way disclosed vulnerabilities and exposures are identified; a process which is quite important to security administrators. Thanks to the standardization, they could access specific technical details about active threats through the CVE information sources.
The CVE database is sponsored by the US Department of Homeland Security and US-CERT. The not-for-profit organization MITRE maintains the CVE catalog and the website that is available to the public. MITRE also manages the CVE Compatibility Program that promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities.
Here’s a list of the software vendors that are participating as CVE Numbering Authorities (published on https://cve.mitre.org/cve/cna.html):
- Adobe Systems Incorporated (Adobe issues only)
- Apple Inc. (Apple issues only)
- Attachmate (Attachmate/Novell/SUSE/NetIQ issues only)
- BlackBerry (BlackBerry issues only)
- Cisco Systems, Inc. (Cisco issues only)
- Debian GNU/Linux (Linux issues only)
- EMC Corporation (EMC issues only)
- FreeBSD (primarily FreeBSD issues only)
- Google Inc. (Chrome, Chrome OS, and Android Open Source Project issues only)
- Hewlett-Packard Development Company, L.P. (HP issues only)
- IBM Corporation (IBM issues only)
- Microsoft Corporation (Microsoft issues only)
- Mozilla Corporation (Mozilla issues only)
- Oracle (Oracle issues only)
- Red Hat, Inc. (Linux issues only)
- Silicon Graphics, Inc. (SGI issues only)
- Symantec Corporation (Symantec issues only)
- Ubuntu Linux (Linux issues only)
Not any company can participate as a CNA. There are several requirements that need to be met:
First of all, a CNA should be a major software vendor with a significant user base and a particular security advisory capability. The other option to become a CNA is being an established third party that acts as a neutral collaborate between researchers and vendors.
Furthermore, as pointed out by MITRE, the CNA must be a settled distribution point for first-time vulnerability disclosures.
By following the CVE requirement to identify public issues, the CNA must only assign CVE-IDs to security issues that will be made public. Lastly, it must follow liable announcement practices that are widely accepted in security communities. All these requirements serve to make sure no mistakes happen.
The Exploit Database
The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
The Exploit DB can be used for submitting samples. However, several rules have to be followed in order for the team to accept the submittal. More at https://www.exploit-db.com/submit/.
Why Are CVE Databases Important and What Is Incident Response
In November 2013, FireEye pointed out the increasing volume of targeted attacks. Today, industry stats still reveal a staggering percent of websites having multiple vulnerabilities. Things are getting even worse, because in 2015 we’re seeing cyber crime be more initiative than ever before, and cyber criminals crafting innovative ways to reach their breach goals. For example, in January KrebsOnSecurity published an article in which an underground forum called Enigma was revealed. It is only one of a growing community of private cyber crime forums, which have redefined the meaning of targeted attacks. The bid-and-ask forums such as Enigma connect crooks who are looking for access to specific data, resources or systems with capable and motivated malicious coders.
Despite the fact that spear phishing attacks are currently popular and many people are willing to pay for acquiring sensitive information this way, zero-day exploits shouldn’t be underestimated as well. At the very least, as visible by the exemplary image above, phishing attacks can be pointed at exploiting a particular known vulnerability. The major cross-site scripting vulnerability in Internet Explorer from January this year could open the door to phishing attacks and illustrated how this type of cyber threats endanger users.
Another zero-day attack that didn’t go unnoticed concerned Adobe. In October it was confirmed that a particular vulnerability affected Flash version 184.108.40.206. The vulnerability was then cataloged as CVE-2015-7645. This is the vulnerability’s description from MITRE’s database:
Adobe Flash Player 18.x through 220.127.116.11 and 19.x through 18.104.22.168 on Windows and OS X and 11.x through 22.214.171.1245 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
What was quite peculiar about this attack was that a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player was leveraged. By exploiting it, attackers could install malware on end users’ machines. Those attacks were reported to affect only government agencies as part of a long-term espionage campaign initiated by a group known as Pawn Storm.
Since such attacks are a daily event in numerous organizations, incident response is a must.
Incident response is an organized approach to addressing and managing the effects of a security breach. The goal of IR is to deal with the breach in the best way possible by limiting the damage and reducing the recovery expenses. A good incident response plan contains a policy that defines what an incident is and administers a step-by-step tutorial that should be followed strictly when an attack takes place.
The SANS Institute has compiled six steps to dealing with an incident a.k.a. an attack in the most sufficient way:
- Preparation. Enterprises should educate their employees and IT personnel of the importance of updated security measures and train them to respond to computer and network security incidents in a swift and adequate manner.
- Identification. The response team is signaled whenever a possible breach takes place, and should decide whether it is a security incident or something else. The team is often advised to contact the CERT Coordination Center, which tracks and records Internet security activities and collects the most recent information on viruses and worms.
- Containment. The response team decides on the severity and span of the issue. Disconnecting all affected systems and devices to prevent further damage is also applied.
- Eradication. The response team proceeds with the investigation to disclose the origin of the attack. The root cause of the problem and all malicious code leftovers are eradicated.
- Recovery. Data and software are restored from clean backup files, making sure that no vulnerabilities are left. Systems are monitored for any sign of proneness to a flaw.
- Lessons learned. The response team analyzes the attack and the way it was dealt with, and prepares recommendations for better future response and for the sake of incident prevention.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter