Monthly Archives: September 2019

How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of likelihood of occurrence (LoO) and severity of impact (SoI). So, to reduce the risk we can either try to reduce the SoI, or the LoO, or both.

We do risk management because we have limited resources. The big question is always: Where shall I spent my resources?  Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain - Risk Management - Cost

Cyber Kill Chain – Risk Management – Cost

We can reduce the likelihood of occurrence starting during the delivery phase up to the command & control phase. Once the attacker crosses the red line the LoO is 100 %.

The severity of impact can be reduced starting at the midst / end of the exploitation phase. WannaCry, for example, started the encryption immediately during installation of the malware and contacted in parallel its command & control server. Once the attacker crosses the red line, the impact and thus the costs for recovery are high.

The big problem with reducing the likelihood of occurrence is that we have in the best case only some seconds to minutes until the attacker crosses the red line. For efficient use of this time we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phase, because the exploitation of about 35% (Data NIST NVD, CVSS V3, UI:R) of vulnerabilities published in 2018 requires user interaction. Priority patching is another preventive measure with can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro makes clear that, even with the best crisis management, the recovery of some thousand systems from scratch takes some time.

When used in context with the existing security controls, the Cyber Kill Chain provides support in setting priorities in cyber security investment. The Mitre ATT@CK framework, which is based on the Cyber Kill Chain, brings the required methodology in the planning process. Give it a try.

Have a great weekend.

NetCAT – a new side-channel vulnerability. Who should be concerned?

15 September 2019

Swati Khandelwal’s report (1) on NetCAT, published on 9/11/2019 in The Hacker News, scared me somewhat. Security researchers (2) from the Vrije University in Amsterdam discovered a new type of side-channel attack in Intel server processors which can be exploited across the network. This is really frightening.

As always in the case of hardware vulnerabilities, NetCAT is broadly discussed in the security community. A Google search for “CVE-2019-11184” shows 6.340 hits (as of 9/14/2019 8 pm).

CVE-2019-11184 CVSS V3 Specification

CVE-2019-11184: CVSS V3.1 Specification

Intel (3) classified CVE-2019-11184 as follows: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack vector Adjacent is defined in the CVSS V3.1 specification document as follows: “The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.”

With this, the attacker must have compromised the network before he can start the attack. In addition, the attacker must compromise “a machine which communicates over RDMA to an application server that supports DDIO”.(2)

So, NetCAT is not that dangerous than the reports suggest.

What goals can be achieved by exploiting this vulnerability?

In secured networks with latest patches applied, this technique can be used to spy on all kind of secrets, e.g. the passwords of high privileged accounts, for the complete takeover of the network.

What organizations should be concerned?

CVE-2019-11184 Threat Landscape

CVE-2019-11184 Threat Actor Targets

My conclusion: From a technical point of view, NetCAT shows again the shortcomings of the current processor architectures. Regarding the applicability in attacks, NetCAT is somewhat overestimated.

Have a great weekend.

References

  1. Khandelwal S. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs [Internet]. The Hacker News. 2019 [cited 2019 Sep 12]. Available from: https://thehackernews.com/2019/09/netcat-intel-side-channel.html
  2. Kurth M, Gras B, Andriesse D, Giuffrida C, Bos H, Razavi K. NetCAT: Practical Cache Attacks from the Network. 2019. Available from: https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
  3. Intel Security Center. INTEL-SA-00290 [Internet]. Intel Security Center. 2019 [cited 2019 Sep 12]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html