
Archive for April 9th, 2019

Blue + Red: An Infosec Purple Pyramid, (Wed, Apr 10th)

Introduction

Pyramids provide a good image of tiered activity.  In 2015, I wrote a diary describing a Security Operations Center (SOC) analyst pyramid: the tiers of activity SOC analysts encounter when monitoring their networks for malicious traffic.

But in recent months, I’ve used a pyramid to show tiered responsibilities under a mature information security (infosec) program.  Today’s diary provides my view of infosec as a tiered purple pyramid.

Blue + red = purple

Conventional wisdom divides infosec into defensive and offensive roles.  Defensive roles fall under a blue team responsible for monitoring network assets and responding to incidents.  Offensive roles fall under a red team responsible for finding weaknesses in our infrastructure before an adversary does.  Framed this way, the red team looks like attackers and the blue team like defenders, which is misleading.

In recent years, the phrase “purple team” has appeared with various meanings.  Some sources describe purple team as a combination of blue and red team functions.  Other sources define purple as a separate team that coordinates the efforts of blue and red team members.

Whatever the label, blue and red teams serve the same objective: protecting our information technology (IT) assets.  We can view blue and red team functions within the combined model of a purple infosec pyramid.


Shown above:  An infosec purple pyramid.

Managing Assets

The base of this pyramid covers all tasks for managing your IT assets.  These functions include:

  • Inventory management
  • Access controls
  • Software patching and updates
  • Hardware refreshes

These basic IT functions are essential to supporting the remaining tiers of an infosec pyramid.  Without inventory management, we cannot properly secure our infrastructure, because we don’t fully understand everything on our network.  Access controls are equally critical: they ensure only properly authorized people use our IT assets.  Some of these roles may not be handled by security personnel, but they directly affect the security of our network.

Assess and Monitor

This tier of the pyramid involves both blue and red team functions.  Red team members assess network security through vulnerability scans, while blue team members monitor the network for intrusions or other malicious activity.  These assessments should be periodic and relatively frequent.  Monitoring should be constant, with near-real-time detection and analysis of suspicious activity.

Probe and Respond

When vulnerabilities are discovered through assessments, red team members probe to determine how easy they are to exploit.  If blue team monitoring reveals malicious activity, security personnel must respond.  This tier consists of activity like penetration tests and incident response procedures.

Report

The top tier of the purple pyramid is based on reporting.  Red team members send the results of assessments and penetration tests to managers and other decision makers.  Blue team members report on malicious activity and how the issues were resolved.  Decision makers use this data to adjust processes and procedures in lower tiers of the pyramid.  This should provide a continual cycle of feedback designed to improve an organization’s security.

Final words

Blue and red team functions can mislead people into thinking they are opposing roles working against each other.  However, these functions are better seen as a combined color with the same objective of protecting our IT assets.  When viewed within the tiered model of a purple infosec pyramid, we can better understand how blue and red teams work together to provide an effective defense.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Microsoft April 2019 Patch Tuesday, (Tue, Apr 9th)

This month Microsoft released patches for 74 vulnerabilities.  Of those, 16 are rated critical and 2 were already being exploited in the wild.

Both exploited vulnerabilities (CVE-2019-0859 and CVE-2019-0803) are in the Win32k component, which fails to properly handle objects in memory.  A local attacker who already has a foothold on the machine could use them to elevate privileges and execute arbitrary code in kernel mode.  Note that both are rated Important rather than Critical, because they require local access; the exploited-in-the-wild flag, not the severity label, is what should drive their priority.

It is also worth mentioning a remote code execution vulnerability in GDI+ (Windows Graphics Device Interface), CVE-2019-0853, which affects the EMF (Enhanced Metafile) parser.  An attacker could exploit it by convincing a user to open a specially crafted EMF file, for example one hosted on a web server or sent as an e-mail attachment.  Multiple Microsoft programs, the Office suite in particular, use the GDI+ component.
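Because the GDI+ bug is reached wherever untrusted EMF content is parsed, a useful front-door control is to recognise EMF by its header rather than by file extension and to reject files whose record table is not even self-consistent before they reach the parser.  The block below is an added example, not code from the diary or from Microsoft: it identifies EMF content from the EMR_HEADER record and its " EMF" signature, walks the record chain with bounds checks, and flags attachments whose extension disagrees with their content.  The header layout and constants are from the public EMF specification; the sample files are constructed inside the block.  It does not detect CVE-2019-0853 itself; it is a sanity filter in front of the vulnerable parser.

```python
import struct

# Constants from the Enhanced Metafile format: every EMF starts with an EMR_HEADER
# record whose dSignature field is the ASCII bytes " EMF", and ends with EMR_EOF.
EMR_HEADER = 0x00000001
EMR_EOF = 0x0000000E
ENHMETA_SIGNATURE = 0x464D4520
MIN_HEADER_SIZE = 88   # EMR_HEADER without the optional description / pixel format


def is_emf(data: bytes) -> bool:
    """Identify EMF content from the header record, ignoring the file extension."""
    if len(data) < MIN_HEADER_SIZE:
        return False
    itype, nsize = struct.unpack_from("<II", data, 0)
    (signature,) = struct.unpack_from("<I", data, 40)
    return itype == EMR_HEADER and nsize >= MIN_HEADER_SIZE and signature == ENHMETA_SIGNATURE


def walk_records(data: bytes):
    """Yield (type, size, offset) per record; reject sizes that would loop or overrun."""
    off = 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            raise ValueError(f"bad record size {rsize} at offset {off}")
        yield rtype, rsize, off
        off += rsize
        if rtype == EMR_EOF:
            return
    raise ValueError("no EMR_EOF record before end of data")


def triage_attachment(name: str, data: bytes) -> dict:
    """Gateway-style check: is this EMF, does its extension lie, is it structurally sane?"""
    result = {"name": name, "is_emf": is_emf(data), "records": 0,
              "malformed": False, "ext_mismatch": False}
    if not result["is_emf"]:
        return result
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result["ext_mismatch"] = ext != "emf"
    try:
        records = list(walk_records(data))
        result["records"] = len(records)
        # nBytes (offset 48) and nRecords (offset 52) must agree with what we walked.
        declared_bytes, declared_records = struct.unpack_from("<II", data, 48)
        if declared_bytes != len(data) or declared_records != len(records):
            result["malformed"] = True
    except ValueError:
        result["malformed"] = True
    return result


def build_minimal_emf() -> bytes:
    """Constructed sample: a well-formed EMF consisting of a header and an EOF record."""
    # EMR_EOF: iType, nSize, nPalEntries, offPalEntries, nSizeLast
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)
    total = MIN_HEADER_SIZE + len(eof)
    header = struct.pack(
        "<II" "iiii" "iiii" "IIII" "HH" "III" "iiii",
        EMR_HEADER, MIN_HEADER_SIZE,
        0, 0, 0, 0,                                  # rclBounds
        0, 0, 0, 0,                                  # rclFrame
        ENHMETA_SIGNATURE, 0x00010000, total, 2,     # dSignature, nVersion, nBytes, nRecords
        1, 0,                                        # nHandles, sReserved
        0, 0, 0,                                     # nDescription, offDescription, nPalEntries
        1024, 768, 320, 240,                         # szlDevice, szlMillimeters
    )
    return header + eof


def corrupt_eof_size(emf: bytes) -> bytes:
    """Constructed sample: zero the EOF record's nSize, which would spin a naive parser."""
    return emf[:MIN_HEADER_SIZE + 4] + struct.pack("<I", 0) + emf[MIN_HEADER_SIZE + 8:]


if __name__ == "__main__":
    good = build_minimal_emf()
    for name, blob in [("diagram.emf", good), ("invoice.jpg", good),
                       ("diagram.emf", corrupt_eof_size(good)),
                       ("note.eml", b"MIME-Version: 1.0\r\n")]:
        print(triage_attachment(name, blob))
```

The size check in `walk_records` is the point of the exercise: a record whose `nSize` is zero, not a multiple of four, or larger than the remaining data is exactly the kind of input a metafile parser has to handle correctly, and rejecting it at the gateway costs nothing.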

There are also 5 vulnerabilities in the Jet Database Engine (CVE-2019-0846, -0847, -0851, -0877 and -0879).  Jet Database vulnerabilities are often exploitable via Office documents, but none of these is rated critical.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| ASP.NET Core Denial of Service Vulnerability | CVE-2019-0815 | No | No | Less Likely | Less Likely | Important | | |
| April 2019 Adobe Flash Security Update | ADV190011 | No | No | | | Critical | | |
| Azure DevOps Server Elevation of Privilege Vulnerability | CVE-2019-0875 | No | No | Less Likely | Less Likely | Important | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0812 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0829 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0806 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0810 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0860 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0861 | No | No | | | Critical | 4.2 | 3.8 |
| DirectX Information Disclosure Vulnerability | CVE-2019-0837 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| GDI+ Remote Code Execution Vulnerability | CVE-2019-0853 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.8 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0846 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0847 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0851 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0877 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0879 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Latest Servicing Stack Updates | ADV990001 | No | No | | | Critical | | |
| MS XML Remote Code Execution Vulnerability | CVE-2019-0790 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| MS XML Remote Code Execution Vulnerability | CVE-2019-0791 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| MS XML Remote Code Execution Vulnerability | CVE-2019-0792 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| MS XML Remote Code Execution Vulnerability | CVE-2019-0793 | No | No | More Likely | More Likely | Critical | 7.8 | 7.0 |
| MS XML Remote Code Execution Vulnerability | CVE-2019-0795 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Microsoft Browsers Tampering Vulnerability | CVE-2019-0764 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Microsoft Edge Information Disclosure Vulnerability | CVE-2019-0833 | No | No | | | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-0828 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Spoofing Vulnerability | CVE-2019-0858 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Spoofing Vulnerability | CVE-2019-0817 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Components Remote Code Execution Vulnerability | CVE-2019-0822 | No | No | More Likely | More Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0823 | No | No | | | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0824 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0825 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0826 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0827 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-0830 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-0831 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Scripting Engine Information Disclosure Vulnerability | CVE-2019-0835 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| OLE Automation Remote Code Execution Vulnerability | CVE-2019-0794 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Office Remote Code Execution Vulnerability | CVE-2019-0801 | No | No | More Likely | More Likely | Important | | |
| Open Enclave SDK Information Disclosure Vulnerability | CVE-2019-0876 | No | No | | | Important | | |
| SMB Server Elevation of Privilege Vulnerability | CVE-2019-0786 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0739 | No | No | | | Critical | 4.2 | 3.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0752 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0753 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0862 | No | No | More Likely | More Likely | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0866 | No | No | Less Likely | Less Likely | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0867 | No | No | Less Likely | Less Likely | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0868 | No | No | Less Likely | Less Likely | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0870 | No | No | Less Likely | Less Likely | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0871 | No | No | Less Likely | Less Likely | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0874 | No | No | | | Important | | |
| Team Foundation Server HTML Injection Vulnerability | CVE-2019-0869 | No | No | Less Likely | Less Likely | Important | | |
| Team Foundation Server Spoofing Vulnerability | CVE-2019-0857 | No | No | | | Important | | |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-0803 | No | Yes | Detected | More Likely | Important | 7.0 | 6.3 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-0685 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-0859 | No | Yes | Detected | More Likely | Important | 7.8 | 7.0 |
| Win32k Information Disclosure Vulnerability | CVE-2019-0848 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Win32k Information Disclosure Vulnerability | CVE-2019-0814 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows Admin Center Elevation of Privilege Vulnerability | CVE-2019-0813 | No | No | | | Important | | |
| Windows CSRSS Elevation of Privilege Vulnerability | CVE-2019-0735 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0805 | No | No | More Likely | More Likely | Important | 6.7 | 6.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0841 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0730 | No | No | More Likely | More Likely | Important | 6.7 | 6.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0731 | No | No | More Likely | More Likely | Important | 6.8 | 6.1 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0796 | No | No | More Likely | More Likely | Important | 6.3 | 5.7 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0836 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0802 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0849 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Windows IOleCvt Interface Remote Code Execution Vulnerability | CVE-2019-0845 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7 |
| Windows Information Disclosure Vulnerability | CVE-2019-0838 | No | No | Less Likely | Less Likely | Important | 6.6 | 5.9 |
| Windows Information Disclosure Vulnerability | CVE-2019-0839 | No | No | Less Likely | Less Likely | Important | 4.4 | 4.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-0840 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-0844 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows Remote Code Execution Vulnerability | CVE-2019-0856 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.6 |
| Windows Security Feature Bypass Vulnerability | CVE-2019-0732 | No | No | More Likely | More Likely | Important | 5.3 | 4.8 |
| Windows TCP/IP Information Disclosure Vulnerability | CVE-2019-0688 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.9 |
| Windows VBScript Engine Remote Code Execution Vulnerability | CVE-2019-0842 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
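The table is only useful once it is turned into a patch order.  The block below is an added example, not part of Renato's diary: it parses rows in the form the ISC text feed publishes them (a description line followed by one line per CVE carrying the %%cve:...%% template marker, with the exploitability and CVSS columns sometimes absent) and ranks them the way a patch team would, exploited in the wild first, then Critical entries Microsoft rates "More Likely" to be exploited, then the rest by CVSS temporal score.  The excerpt embedded in the block is copied from this month's table; the ranking policy is my own assumption, not Microsoft's or the author's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt copied from the April 2019 diary table in ISC text-feed form.  Some rows omit
# the two exploitability columns, some omit the CVSS scores; the parser must cope with both.
DIARY_EXCERPT = """\
Chakra Scripting Engine Memory Corruption Vulnerability
%%cve:2019-0812%% No No Critical 4.2 3.8
GDI+ Remote Code Execution Vulnerability
%%cve:2019-0853%% No No Less Likely Less Likely Critical 7.8 7.8
Jet Database Engine Remote Code Execution Vulnerability
%%cve:2019-0846%% No No Less Likely Less Likely Important 7.8 7.0
Latest Servicing Stack Updates
ADV990001 No No Critical
MS XML Remote Code Execution Vulnerability
%%cve:2019-0793%% No No More Likely More Likely Critical 7.8 7.0
Office Remote Code Execution Vulnerability
%%cve:2019-0801%% No No More Likely More Likely Important
Win32k Elevation of Privilege Vulnerability
%%cve:2019-0803%% No Yes Detected More Likely Important 7.0 6.3
%%cve:2019-0685%% No No More Likely More Likely Important 7.8 7.0
%%cve:2019-0859%% No Yes Detected More Likely Important 7.8 7.0
Windows Security Feature Bypass Vulnerability
%%cve:2019-0732%% No No More Likely More Likely Important 5.3 4.8
"""

ROW_RE = re.compile(r"^(?:%%cve:(\d{4}-\d+)%%|(ADV\d+))\s+(Yes|No)\s+(Yes|No)\s*(.*)$")
LIKELIHOOD_RE = re.compile(r"Less Likely|More Likely|Detected|Unlikely")
SEVERITIES = {"Critical", "Important", "Moderate", "Low"}


@dataclass
class Entry:
    cve: str
    description: str
    disclosed: bool
    exploited: bool
    exploitability_old: Optional[str]
    exploitability_current: Optional[str]
    severity: str
    cvss_base: Optional[float]
    cvss_temporal: Optional[float]


def _is_float(tok: str) -> bool:
    try:
        float(tok)
        return True
    except ValueError:
        return False


def parse_rows(text: str) -> List[Entry]:
    """Parse the feed format: a description line, then CVE/advisory rows under it."""
    entries, description = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            if line.startswith(("%%cve:", "ADV")):
                raise ValueError(f"unparseable row: {line}")
            description = line          # any other line names the group that follows
            continue
        cve = f"CVE-{m.group(1)}" if m.group(1) else m.group(2)
        rest = m.group(5).split()
        base = temporal = None
        if len(rest) >= 2 and all(_is_float(t) for t in rest[-2:]):
            base, temporal = float(rest[-2]), float(rest[-1])   # CVSS columns are optional
            rest = rest[:-2]
        if not rest or rest[-1] not in SEVERITIES:
            raise ValueError(f"cannot find severity in row: {line}")
        severity = rest.pop()
        likelihoods = LIKELIHOOD_RE.findall(" ".join(rest))   # zero or two phrases remain
        old, cur = (likelihoods + [None, None])[:2]
        entries.append(Entry(cve, description, m.group(3) == "Yes", m.group(4) == "Yes",
                             old, cur, severity, base, temporal))
    return entries


def priority(e: Entry) -> int:
    """Lower is more urgent: in-the-wild exploitation beats everything, then Microsoft's
    own 'More Likely'/'Detected' rating beats severity alone (assumed policy)."""
    if e.exploited:
        return 0
    likely = e.exploitability_current in ("More Likely", "Detected")
    if e.severity == "Critical":
        return 1 if likely else 2
    return 3 if likely else 4


def triage(entries: List[Entry]) -> List[Entry]:
    return sorted(entries, key=lambda e: (priority(e), -(e.cvss_temporal or 0.0), e.cve))


def summarize(entries: List[Entry]) -> dict:
    return {"total": len(entries),
            "critical": sum(e.severity == "Critical" for e in entries),
            "exploited": sorted(e.cve for e in entries if e.exploited)}


if __name__ == "__main__":
    rows = parse_rows(DIARY_EXCERPT)
    print(summarize(rows))
    for e in triage(rows):
        print(priority(e), e.cve, e.severity, e.exploitability_current, e.cvss_temporal, e.description)
```

Fed the full table instead of the excerpt, `summarize` should return 74 entries, 16 Critical and the two Win32k CVEs as exploited, which is a quick way to confirm the numbers at the top of the diary against the table.  Rows without a CVSS score sort to the bottom of their tier, so an Office RCE rated "More Likely" without a score (CVE-2019-0801) lands below scored entries; whether that is what you want is a policy choice, not a parsing one.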

 


Renato Marinho
Morphus Labs

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
