SVID: Structured Vulnerability Intelligence for Building Deliberated Vulnerable Environment
Authors: Wenqing Fan, Yixuan Cheng, Wei Huang
Abstract:
The diversity and complexity of modern IT systems make it almost impossible for internal teams to find every vulnerability in software before it is officially released. The emergence of threat intelligence and vulnerability reporting policies has greatly reduced the burden on software vendors and organizations to find vulnerabilities. However, to prove the existence of a reported vulnerability, a security incident response team must build a deliberated vulnerable environment from a vulnerability report that carries only limited and incomplete information, which is necessary but difficult. This paper presents a structured, standardized, machine-oriented vulnerability intelligence format that can be used to automate the orchestration of a Deliberated Vulnerable Environment (DVE). It highlights the important role of software configuration and of proof-of-vulnerable specifications in vulnerability intelligence, and proposes a triad model, called DIR (Dependency Configuration, Installation Configuration, Runtime Configuration), to define software configuration. Finally, the paper implements a prototype system to demonstrate that the orchestration of a DVE can be automated from the intelligence.
Keywords: DIR Triad Model, DVE, vulnerability intelligence, vulnerability recurrence.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.3669184
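The abstract describes three ideas that fit together: a machine-readable intelligence record, the DIR triad that splits software configuration into dependency, installation and runtime sections, and a proof-of-vulnerable specification that lets the orchestrator confirm the environment it built is actually in the reported state. The script below is an added illustration of that pipeline and is not the paper's SVID format or prototype: the record layout, field names (`configuration`, `proof`, `expect_regex`), the placeholder software `exampleapp` and the placeholder identifier `CVE-0000-00000` are all assumptions constructed for the example. It rejects intelligence that is missing a DIR section, maps each section onto the Dockerfile stage it naturally drives, and checks a constructed banner against the proof specification.

```python
"""Illustrative machine-readable vulnerability intelligence record built on the
DIR triad (Dependency, Installation, Runtime configuration), plus a minimal
orchestrator that renders it as a Dockerfile and evaluates the proof-of-vulnerable
specification. Added example: the record layout and field names are assumptions,
not the SVID format defined in the paper."""
import json
import re
from dataclasses import dataclass
from typing import Tuple

REQUIRED_SECTIONS = ("dependency", "installation", "runtime")

# Constructed sample record; software name and identifier are placeholders.
SAMPLE_INTEL = json.dumps({
    "vulnerability_id": "CVE-0000-00000",  # placeholder, not a real CVE
    "configuration": {
        "dependency": {"base_image": "python:3.8-slim",
                       "packages": ["libexample-dev"]},
        "installation": {"method": "pip", "package": "exampleapp", "version": "1.2.3"},
        "runtime": {"command": ["exampleapp", "--serve"], "port": 8080,
                    "env": {"EXAMPLEAPP_DEBUG": "1"}},
    },
    # Proof of vulnerable state: the running service must announce this version.
    "proof": {"type": "http_banner", "expect_regex": r"^exampleapp/1\.2\.3\b"},
})


@dataclass
class DirTriad:
    dependency: dict    # base image and system packages the target needs
    installation: dict  # how the affected version is installed
    runtime: dict       # how the service is started and exposed


def parse_intel(raw: str) -> Tuple[dict, DirTriad]:
    """Validate that all three DIR sections are present, so incomplete
    intelligence is rejected before any build work starts."""
    doc = json.loads(raw)
    cfg = doc.get("configuration", {})
    missing = [s for s in REQUIRED_SECTIONS if s not in cfg]
    if missing:
        raise ValueError(f"intelligence incomplete, missing DIR sections: {missing}")
    return doc, DirTriad(cfg["dependency"], cfg["installation"], cfg["runtime"])


def render_dockerfile(triad: DirTriad) -> str:
    """Map each DIR section onto the Dockerfile stage it drives:
    dependency -> FROM/RUN apt, installation -> RUN pip, runtime -> ENV/EXPOSE/CMD."""
    d, i, r = triad.dependency, triad.installation, triad.runtime
    lines = [f"FROM {d['base_image']}"]
    if d.get("packages"):
        lines.append("RUN apt-get update && apt-get install -y " + " ".join(d["packages"]))
    if i["method"] == "pip":
        # Pin the exact affected version; a floating version defeats reproduction.
        lines.append(f"RUN pip install {i['package']}=={i['version']}")
    else:
        raise ValueError(f"unsupported installation method: {i['method']}")
    for key, val in r.get("env", {}).items():
        lines.append(f"ENV {key}={val}")
    if "port" in r:
        lines.append(f"EXPOSE {r['port']}")
    lines.append("CMD " + json.dumps(r["command"]))
    return "\n".join(lines) + "\n"


def proof_holds(proof: dict, observed_banner: str) -> bool:
    """Compare what the orchestrated environment reports with the proof
    specification, so the vulnerable state is attested rather than assumed."""
    if proof["type"] != "http_banner":
        raise ValueError(f"unsupported proof type: {proof['type']}")
    return re.search(proof["expect_regex"], observed_banner) is not None


if __name__ == "__main__":
    doc, triad = parse_intel(SAMPLE_INTEL)
    print(render_dockerfile(triad))
    # Constructed banner, standing in for one read from the running container.
    print(proof_holds(doc["proof"], "exampleapp/1.2.3 (debug)"))
```

The validation-first design mirrors the abstract's point about incomplete reports: a missing runtime section is detected before the build, and the proof check separates "the container started" from "the container is in the reported vulnerable state", which is the distinction an incident response team needs before treating a report as confirmed.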