
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats Cody Pierce, Director of Vulnerability Research

Upload: endgameinc

Post on 10-Aug-2015


TRANSCRIPT

Page 1: Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats

Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats

Cody Pierce, Director of Vulnerability Research

Page 2

About myself

• 6 years researching vulnerabilities at Endgame

• 4 years as a senior researcher for TippingPoint Zero Day Initiative

• Discovered dozens of vulnerabilities in major vendor software for over a decade

Page 3

Vulnerabilities do not compromise systems. An exploit is needed to effectively demonstrate the impact of flaws.

Page 4

Sample

• Vulnerabilities covering 2006 - 2014

• NVD CVE XML data set

• CVSS Score Medium+

• Counted vendors have a minimum of 5 CVE per year or 15 CVE total

• Category grouping using CWE (Common Weakness Enumeration)

• Exploits cross-referenced by CVE ID with Metasploit, Core Impact, and Canvas

Page 5

Sample Size

18,027 qualifying CVE entries (34% of total CVE entries)
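The sampling method of slides 4 and 5, written out as an added example that is not part of the talk: it applies the CVSS Medium+ cut (4.0 and above under CVSS v2, the scoring in use for the 2006-2014 data), keeps vendors with at least 5 CVE in some year or 15 CVE overall, groups by CWE category and cross-references a set of exploited CVE IDs. The CVE records and the exploited-ID set are constructed sample data, and taking the vendor counts on the Medium+ entries is an assumption the slides do not settle.

```python
from collections import Counter, defaultdict

def make(vendor, year, n, cvss, cwe, start):
    """Build n constructed CVE records for one vendor/year (sample data, not NVD)."""
    return [{"id": f"CVE-{year}-{start + i:04d}", "year": year, "vendor": vendor,
             "cvss": cvss, "cwe": cwe} for i in range(n)]

# Constructed data set standing in for the NVD CVE XML feed.
CVES = (make("acme", 2012, 5, 7.5, "Buffer Mismanagement", 1)       # keeps acme: 5 CVE in one year
        + make("acme", 2013, 2, 5.0, "Cross Site Scripting", 100)
        + make("acme", 2013, 3, 2.1, "Information Exposure", 300)   # dropped: CVSS Low (< 4.0)
        + make("minor", 2012, 3, 9.0, "SQL Injection", 200))        # dropped: vendor below threshold
for y in range(2010, 2015):                                          # keeps big: 15 CVE in total
    CVES += make("big", y, 3, 6.0, "Input Validation", 400 + 10 * (y - 2010))

# Constructed stand-in for the CVE IDs referenced by Metasploit, Core Impact and Canvas.
EXPLOITED = {"CVE-2012-0001", "CVE-2012-0002", "CVE-2010-0400"}

def qualifying(cves, min_cvss=4.0, per_year=5, total=15):
    """Talk's sample filter: CVSS v2 Medium+ (>= 4.0), then vendors with >= 5 CVE in
    some year or >= 15 CVE overall (vendor counts taken on the Medium+ set: an assumption)."""
    medium_plus = [c for c in cves if c["cvss"] >= min_cvss]
    by_vendor_year = Counter((c["vendor"], c["year"]) for c in medium_plus)
    by_vendor = Counter(c["vendor"] for c in medium_plus)
    keep = {v for v, n in by_vendor.items() if n >= total}
    keep |= {v for (v, _), n in by_vendor_year.items() if n >= per_year}
    return [c for c in medium_plus if c["vendor"] in keep]

def cwe_distribution(cves):
    """Percentage share of each CWE category, rounded like the pie-chart labels."""
    counts = Counter(c["cwe"] for c in cves)
    return {cwe: round(100 * n / len(cves)) for cwe, n in counts.items()}

def exploited_per_year(cves, exploited):
    """{year: [total CVEs, CVEs with a public exploit]}: the two series of the slide-11 chart."""
    out = defaultdict(lambda: [0, 0])
    for c in cves:
        out[c["year"]][0] += 1
        out[c["year"]][1] += c["id"] in exploited
    return dict(out)

if __name__ == "__main__":
    sample = qualifying(CVES)
    print(len(sample), "qualifying entries of", len(CVES))
    print(cwe_distribution(sample))
    print(exploited_per_year(sample, EXPLOITED))
```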

Page 6

[Chart: Total CVEs over time, 2006-2014. Y axis: Number of CVEs (0-3500).]

Page 7

Total CWE distribution

• Resource Management/Use After Free: 10%

• Race Condition: 1%

• Cross-Site Request Forgery (CSRF): 2%

• Cryptographic Issues: 3%

• Improper Authentication/Authentication Bypass: 3%

• Privilege Escalation: 13%

• Credentials Management: 1%

• Credential Management: 0%

• Information Exposure: 5%

• Information Management Errors: 0%

• Numeric Errors: 5%

• Format String: 0%

• Buffer Mismanagement: 21%

• Code Injection: 5%

• SQL Injection: 4%

• Cross Site Scripting: 11%

• Command Injection/Shell Injection: 0%

• Command Injection: 0%

• Input Validation: 0%

• Link Following/Symlink Attack: 1%

• Path Traversal: 2%

• Input Validation: 12%

• Data Handling: 0%

• Design Flaw: 0%

• Configuration: 1%

Page 8

[Chart: Sampling of CWE over time, 2006-2014. Series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection. Y axis: Number of CVEs (0-700).]

Page 9

Observation

Vulnerability discoveries are increasing but category distribution appears consistent

Page 10

Why?

An increase in the size of the security community, together with advances in tools and techniques, has led to the increase in vulnerability discoveries

Page 11

[Chart: CVEs compared to CVE exploits, 2006-2014. Series: Exploited CVE, Total CVE. Y axis: Number of CVEs (0-3500).]

Page 12

Exploited CWE distribution

• Resource Management/Use After Free: 6%

• Race Condition: 1%

• Cross-Site Request Forgery (CSRF): 0%

• Cryptographic Issues: 1%

• Improper Authentication/Authentication Bypass: 2%

• Privilege Escalation: 10%

• Credentials Management: 1%

• Information Exposure: 2%

• Numeric Errors: 3%

• Format String: 1%

• Buffer Mismanagement: 38%

• Code Injection: 14%

• SQL Injection: 2%

• Cross Site Scripting: 1%

• Command Injection/Shell Injection: 2%

• Command Injection: 0%

• Link Following/Symlink Attack: 0%

• Path Traversal: 5%

• Input Validation: 11%

• Data Handling: 0%

• Configuration: 1%

Page 13

[Chart: Sampling of exploited CWE over time, 2006-2014. Series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection. Y axis: Number of CVEs (0-60).]

Page 14

Observation

The number of public exploits is small and in relative decline compared to vulnerabilities

Page 15

Why?

• Few – or zero – exploits are needed to have an effective arsenal

• Unpatched and misconfigured systems are the norm. No reason to make new exploits when old ones still work!

• Writing exploits is getting harder and more expensive

Page 16

Exploit mitigations

Exploit mitigations are very effective and can often prevent 0day attacks.

Proper implementation has directly led to a relative decline in exploit development.

19 types of mitigations available today ???

Page 17

Why am I still getting hacked?

Mitigations typically only apply to memory corruption vulnerabilities.

It’s hard enough to patch and properly configure software, much less upgrade compilers, applications, and operating systems.

Page 18

Behavior analysis

Exploitation often has a behavior. Using these behaviors we can increase the detection and prevention of a greater number of flaws on current and legacy systems.

Page 19

Exploit Indicators (Process/Thread creation)

Behavior

• Abnormal process creation

• New thread entry point outside of loaded modules' code section

Intent

• Stage next phase of persistence or privilege escalation

• Avoid user detection

Attackers spawn malicious code in new contexts.

Page 20

Exploit Indicators (Library Usage)

Behavior

• Loading non-ASLR libraries

• Loading DLLs over the network into memory

• Loading abnormal libraries

Intent

• Bypassing mitigations

• Exploit vulnerabilities in legacy components

• Exploit vulnerabilities in library loading

Attackers use weaknesses in legacy libraries to exploit software and bypass mitigations.

Page 21

Exploit Indicators (Memory Usage)

Behavior

• Abnormal memory usage

• Allocations of consistent sizes

• Large contiguous memory blocks

• Executable memory

Intent

• Reliably corrupt memory

• Control Use After Free conditions

• Create predictable addresses

Attackers often have to control the memory layout of software being exploited.
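The behaviors from the three Exploit Indicators slides (thread creation, library usage, memory usage) turned into detection logic, as an added example that is not code from the talk or from Endgame: it checks thread start addresses against the loaded modules' code sections, flags image loads whose PE header lacks the DYNAMIC_BASE (ASLR) characteristic, and flags executable+writable allocations and runs of same-sized allocations. The module map and event stream are constructed sample data; the spray threshold of 8 is an arbitrary assumption.

```python
from collections import Counter

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # PE flag present on ASLR-compatible images
PAGE_EXECUTE_READWRITE = 0x40                    # Win32 memory protection constant

# Constructed snapshot of a process's loaded modules: code-section ranges, not real addresses.
MODULES = [
    {"name": "app.exe",    "code": (0x00401000, 0x00450000)},
    {"name": "ntdll.dll",  "code": (0x77001000, 0x77100000)},
    {"name": "legacy.dll", "code": (0x10001000, 0x10020000)},
]

# Constructed event stream shaped after the three indicator slides.
EVENTS = (
    [{"type": "image_load", "name": "legacy.dll", "dll_chars": 0x0000}]          # no DYNAMIC_BASE
    + [{"type": "alloc", "size": 0x10000, "protect": 0x04} for _ in range(12)]   # PAGE_READWRITE
    + [{"type": "alloc", "size": 0x2000, "protect": PAGE_EXECUTE_READWRITE}]
    + [{"type": "thread_create", "start": 0x77020000},    # inside ntdll code section: benign
       {"type": "thread_create", "start": 0x0a0a0a0a}]    # entry outside any module
)

def in_code_section(addr, modules):
    """True when addr lies inside the code section of some loaded module."""
    return any(lo <= addr < hi for lo, hi in (m["code"] for m in modules))

def analyze(events, modules, spray_threshold=8):
    """Return indicator strings for the behaviors the talk lists; empty list means nothing flagged."""
    findings = []
    sizes = Counter()
    for e in events:
        if e["type"] == "thread_create" and not in_code_section(e["start"], modules):
            findings.append(f"thread entry 0x{e['start']:08x} outside any module code section")
        elif e["type"] == "image_load" and not e["dll_chars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
            findings.append(f"non-ASLR library loaded: {e['name']}")
        elif e["type"] == "alloc":
            sizes[e["size"]] += 1
            if e["protect"] == PAGE_EXECUTE_READWRITE:
                findings.append(f"executable+writable allocation of 0x{e['size']:x} bytes")
    for size, n in sizes.items():
        if n >= spray_threshold:   # consistent-size allocations: possible layout control
            findings.append(f"{n} allocations of identical size 0x{size:x}")
    return findings

if __name__ == "__main__":
    for line in analyze(EVENTS, MODULES):
        print(line)
```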

Page 22

Behavioral Analysis

• Is complementary to mitigations

• Detects and prevents exploitation of unknown threats

• Correlates environmental data like network flows

• Adapts through additional modeling

Page 23

Key Takeaways

• Vulnerability discoveries are increasing

• Exploitation of some vulnerability categories is on the decline

• A small exploit arsenal is still effective

• Mitigations have raised the difficulty of memory corruption exploitation

• Exploitation, malware, and adversarial behaviors often generate a signal

• Abnormal behavioral monitoring can add to the defensive posture of systems

Page 24

For more information contact: [email protected]