Monday, June 25, 2012

Measurements & Risk Stats

Slides:
https://github.com/JasonMOliver/Misc/blob/master/ShmooCon%20EP%20Talk.pdf

Code:
https://github.com/JasonMOliver/Java_Parsers/blob/master/XMLVulnStats.java
https://github.com/JasonMOliver/Java_Parsers/blob/master/XMLTableStats.java

I have been working on a talk this week for ShmooCon Epilogue

http://novahackers.blogspot.com/2012/01/shmoocon-epilogue-speakers-and-location.html

For the people who missed the talk, I will have the slides and, if possible, the video posted on the media blog soon.



Epilogue: Jason Oliver-Risk Reporting Metrics from Georgia Weidman on Vimeo.

---

In the talk I go over some ideas I have been playing with to answer a few key questions all of us techs get on Risk Assessments:
  • What are the X worst machine(s)?
  • What is the overall risk level of my network?
  • What fix would have the most risk-reduction effect?
In an effort to give a quantifiable answer to these questions, I created a few scripts that work with .nessus V2 files. Please note that the theory in the talk can be applied to any vulnerability data, but I wanted to show some actual implementation of the theory with the scripts.

The first script, XMLVulnStats.java, works from a single .nessus file or multiple .nessus files and gives you the following summary data. This script requires Excel to do some of the front-end math; because the math is done in Excel, the impact levels can be modified after the fact to gain more accurate results.

The command-line works as follows:

java XMLVulnStats Output.xls *.nessus

The output will be a table with the following columns:

 IP Address
 Total CVSS Count - the CVSS scores of all vulns on the host added together
 Critical Count
 High Count
 Medium Count
 Low Count
 None Count
 Host Criticality - adjustable figure between 100 and 1000 used to rank hosts
 Risk Score - Total CVSS * Host Criticality
 Total Vuln - total of Critical, High, Medium and Low vulns
 Average CVSS


Additionally, you will get an Average System Risk Level calculation based on the averages for all hosts.

Note that you will need to set the Host Criticality for your system after the script is run, based on system knowledge. In the Federal / NIST space I have been using a spread based on the FIPS 199 level (i.e. if it is a moderate system, hosts are ranked between 400 and 600 based on impact: workstations 400, domain controllers 600, etc.).

The second script, XMLTableStats.java, is a simple edit of one of my older scripts that adds a column for Host Count.

The overall value of this is that it allows you to rank the fix / repair order by vulnerability.

Simply run the script:
java -Xms32m -Xmx1024m XMLTableStats *.nessus > Output.xls

Then, in Excel, sort by Risk Factor, CVSS Score and Host Count.

This will give you a fix list ordered by the highest level of vulnerability and then by the number of hosts affected, giving you the biggest bang for your buck if you fix by patch / issue.
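As an added example (not the post's XMLVulnStats.java or XMLTableStats.java), the following Python computes the same per-host columns, the Average System Risk Level and the XMLTableStats-style fix list directly from a constructed .nessus v2 fragment, so the Excel step can be checked against known numbers. The IPs, plugin IDs and names, scores and criticality values are made up, and the default criticality of 100 for hosts that have not been ranked yet is my assumption.

```python
import xml.etree.ElementTree as ET
SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "None"}  # Nessus severity attribute

# Constructed .nessus v2 fragment (not real scan data): two hosts sharing one Critical plugin.
NESSUS_V2 = """<NessusClientData_v2><Report name="sample"><ReportHost name="10.0.0.5">
 <ReportItem port="445" severity="4" pluginID="1001" pluginName="SMB RCE (constructed)"><cvss_base_score>10.0</cvss_base_score></ReportItem>
 <ReportItem port="80" severity="2" pluginID="1002" pluginName="Web info leak (constructed)"><cvss_base_score>5.0</cvss_base_score></ReportItem>
 <ReportItem port="0" severity="0" pluginID="1003" pluginName="OS fingerprint (constructed)"/>
</ReportHost><ReportHost name="10.0.0.9">
 <ReportItem port="445" severity="4" pluginID="1001" pluginName="SMB RCE (constructed)"><cvss_base_score>10.0</cvss_base_score></ReportItem>
 <ReportItem port="22" severity="1" pluginID="1004" pluginName="SSH weak MAC (constructed)"><cvss_base_score>2.6</cvss_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# Host Criticality is set by hand after the run; a FIPS 199 moderate spread per the post (DC 600, workstation 400).
CRITICALITY = {"10.0.0.5": 600, "10.0.0.9": 400}

def host_stats(xml_text, criticality):
    """Per-host rows with the XMLVulnStats columns; Risk Score = Total CVSS * Host Criticality."""
    rows = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        ip, total_cvss = host.get("name"), 0.0
        counts = {name: 0 for name in SEVERITY.values()}
        for item in host.iter("ReportItem"):
            counts[SEVERITY[int(item.get("severity", "0"))]] += 1
            total_cvss += float(item.findtext("cvss_base_score") or 0)  # informational items carry no score
        total_vuln = sum(counts[s] for s in ("Critical", "High", "Medium", "Low"))
        crit = criticality.get(ip, 100)  # assumption: unranked hosts get the floor of the 100-1000 range
        rows[ip] = {**counts, "total_cvss": total_cvss, "host_criticality": crit,
                    "risk_score": total_cvss * crit, "total_vuln": total_vuln,
                    "avg_cvss": total_cvss / total_vuln if total_vuln else 0.0}
    return rows

def average_system_risk(rows):
    """Average System Risk Level: mean Risk Score over all hosts."""
    return sum(r["risk_score"] for r in rows.values()) / len(rows) if rows else 0.0

def fix_order(xml_text):
    """XMLTableStats view: one row per plugin with Host Count, sorted the way the post
    sorts in Excel: Risk Factor, then CVSS Score, then Host Count (all descending)."""
    info, hosts = {}, {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            pid = item.get("pluginID")
            info[pid] = (int(item.get("severity", "0")), float(item.findtext("cvss_base_score") or 0),
                         item.get("pluginName"))
            hosts.setdefault(pid, set()).add(host.get("name"))  # distinct hosts per plugin
    rows = [(sev, cvss, len(hosts[pid]), name) for pid, (sev, cvss, name) in info.items()]
    return [(name, SEVERITY[sev], cvss, n) for sev, cvss, n, name in sorted(rows, reverse=True)]
```

With the sample, 10.0.0.5 scores 15.0 * 600 = 9000 and 10.0.0.9 scores 12.6 * 400 = 5040, and the shared Critical plugin tops the fix list because it hits both hosts.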

Hope this helps. I hope to extend the research a bit and perfect the theory; I have only been playing with the numbers for a month or two, so any feedback would be appreciated.

Keep in mind what a measurement really is: for the most part it is anything that helps you understand a figure better than before. This is not designed to be a perfect, definitive number; it is designed to give you a quantifiable baseline to work from that is certainly better than what you had before.

cheers

JSN


Update: The talk has been posted on the media blog if you are interested.
