Jussi Eronen emphasizes the importance of an engineering approach to finding and handling vulnerabilities at scale. He describes the different types of disturbances and issues reported to the National Cyber Security Centre Finland, the vulnerability handling process, and the standards for handling and disclosing vulnerabilities. Eronen also suggests prioritizing vulnerabilities by their EPSS scores and the immediate risk of exploitation, and drawing on resources such as the CVE database and the SEI CERT Coordination Center. He discusses methods for vulnerability scanning, including using third-party search systems as a starting point and ranking findings by severity. Finally, Eronen discusses the difficulty of getting system owners to update vulnerable devices and suggests that clearer communication and automated systems could help.
00:00:00 In this section, Jussi Eronen talks about the importance of an engineering approach to finding vulnerabilities at scale. He explains how his vulnerability work evolved from trying to find vulnerabilities to figuring out what to do with them once found. Eronen then gives an overview of the different types of disturbances and issues reported to the National Cyber Security Centre Finland, explaining how vulnerabilities play a major role in some cases. He ends by discussing the vulnerability handling process and the importance of having standards for handling and disclosing vulnerabilities.
00:05:00 In this section, Jussi Eronen discusses the vulnerability handling process after a disclosure has been made and a fix is available. He emphasizes that defenders must check their own infrastructure for the vulnerability, prioritize findings based on context, and then act: apply the fix or consciously accept the risk. Eronen acknowledges that even with industry solutions in place, vulnerabilities still get exploited, and that removing vulnerable systems from the internet may sometimes be necessary for the safety of the network. He suggests prioritizing vulnerabilities that are being reported in the media and using resources such as the CVE database and the SEI CERT Coordination Center to decide what to address first.
00:10:00 In this section, Jussi Eronen talks about how to prioritize which vulnerabilities to address first. He explains that vulnerabilities in a vulnerability catalog that have a high EPSS score, meaning they are likely to be exploited soon, should be prioritized. The process begins by identifying Finland's networks from routing data and monitoring the relevant autonomous systems: there are currently 245 autonomous systems of interest, totaling close to 15-16 million IP addresses. His team also collects data from various registries and services, including passive DNS and certificate transparency logs, to find vulnerable systems belonging to Finnish brands.
00:15:00 In this section, Jussi Eronen discusses how vulnerability scanning can use third-party systems as a starting point and how to decide which vulnerabilities matter most. He stresses keeping scan data current in order to find vulnerable systems accurately, and gives a hypothetical example of searching for vulnerable Oracle installations. Eronen suggests starting with the product's installation instructions and Google searches to narrow down what to look for on the network, then prioritizing the findings by severity.
00:20:00 In this section, the speaker discusses vulnerabilities and how to handle them. He talks about the discrepancies between Shodan and Censys, which use different search terms and scan different port ranges, leading to varying results. He notes that while Censys covers a more comprehensive port range, its results are also more dated, because scanning everything all the time is hard. The speaker suggests running your own port scan to obtain the necessary information and emphasizes confirming there is a genuine problem before alerting anyone. This leads into a discussion of the legal debates around scanning and the need for clearer guidelines.
00:25:00 In this section, the speaker discusses vulnerability handling and the importance of having a clear position on what is acceptable in vulnerability research. He emphasizes the need to be better than the bad guys at determining which systems are vulnerable. Version numbers are the easiest way to do this, and he cites software such as Exchange and Confluence that exposes version numbers readily. In some cases, however, version numbers are not available or do not change with patches, which makes the defender's job harder. The speaker also praises Shodan for sticking to documented behaviour and for its many tags, which are useful in vulnerability research.
00:30:00 In this section, Jussi Eronen discusses using Shodan to search for vulnerabilities, noting that although Shodan is not as precise as Censys, it still offers creative insights. Eronen argues that hiding version numbers does little to deter attackers, who will attack regardless. If version detection fails, the next option is to attempt something that would only work on a vulnerable system, but he notes that this is tricky given the legal limits on what a public servant may do. As a simple example he describes an Apache CVE where attackers typically go after the password file, and suggests a HEAD request as a safe check: it returns only the status code, not the file contents. Eronen also touches on cases where a vulnerability is already known and actively being exploited, using the Exchange vulnerability from a few years ago as an example.
00:35:00 In this section, Jussi Eronen talks about how his team identified vulnerable systems. They sent messages to the owners of affected systems, telling them to check their patch levels and look for signs of a breach. The team also used a tool to scan for web shells that attackers might have planted, and then notified the owners of those systems, emphasizing the need to check for signs of compromise, reboot, and clean the system. These messages were sent through operators to the customers of ISPs, and in some cases, when vendor advisory blogs were not clear enough, customers approached Eronen's team directly.
00:40:00 In this section, Jussi Eronen discusses an attack he investigated in which well-monitored access and audit logs allowed him to retrieve all the necessary details. While examining the malware on the system, he found a Trojan or backdoor component and traced it back to a command-and-control server whose communications appeared global in scope. After some massaging and decryption, Eronen recovered the credentials needed to open a backdoor channel on that port and retrieve sensitive information. Basic vulnerability handling means running security checks and applying updates, but when coordinating a vulnerability response one can also try to prepare for the vulnerability's impact in advance.
00:45:00 In this section of the video, Jussi Eronen discusses the handling of the Heartbleed vulnerability in 2014. This involved building a more effective scanner and packaging it into a virtual machine that was given to government agencies to check their internal networks. His team also analyzed the vulnerability and built early warning systems and honeynets to monitor for incoming connections, while preparing remediation packages and removal guides. Eronen then introduces the problem of IoT devices and home routers: malicious payloads embedded in web pages try to enumerate the local network and change the router's DNS settings, and he calls for solutions.
00:50:00 In this section, the speaker discusses the vulnerability of small office and home routers, which criminals have exploited for years. These routers often carry old vulnerabilities that remain unpatched, making them an easy way for criminals to take control of an individual's device. Once in control, the attackers can exploit vulnerabilities that were previously unknown or neglected and reach the user's internal network, potentially causing severe damage. The speaker also discusses the definition of a vulnerability, stressing that misconfigurations should be treated as vulnerabilities too.
00:55:00 In this section, Jussi Eronen discusses the challenge of getting system owners to update vulnerable devices, citing tens of thousands of open portmap instances, hundreds of exposed SSDP responders, and over 140 open memcached instances. Traditional defense mechanisms fail to keep up with the sheer number of vulnerabilities, yet simply taking servers down is not practical either. Eronen recommends that the community work on communicating the need for updates effectively, and that automated systems be used to respond to malware threats, while accepting that vulnerabilities will remain a fact of life.
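The two checks described in the 00:25:00 and 00:30:00 sections, version-string fingerprinting first and a HEAD request second, worked through as an added example. This code is not from the talk or from NCSC-FI; the product name, the fixed-in version threshold, the probe path and the three simulated hosts are all constructed placeholders. It shows the caveat the talk raises: a missing or unversioned Server header must come out as "unknown" rather than "vulnerable", because backported fixes leave the advertised version unchanged, and the HEAD fallback transfers only a status code, never file contents.

```python
"""Added example (not from the talk): triage an HTTP service by version string,
falling back to a HEAD request that yields only a status code."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VERSION_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)/(\d+(?:\.\d+)+)")
PROBE_PATH = "/hypothetical-probe-path"       # placeholder, not a real traversal path
HYPOTHETICAL_FIXED_IN = (2, 4, 60)            # placeholder threshold, not from any advisory


def parse_server_header(value):
    """'Apache/2.4.49 (Unix)' -> ('apache', (2, 4, 49)); None when absent or unversioned."""
    if not value:
        return None
    m = VERSION_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def assess_by_version(server_header, product, fixed_in):
    """Return 'vulnerable', 'patched' or 'unknown'.

    'unknown' covers a missing header, a bare product name ('Apache'), a different
    product, or an unparseable version. It is deliberately not 'vulnerable': distro
    backports fix the bug without bumping the advertised version string.
    """
    parsed = parse_server_header(server_header)
    if parsed is None or parsed[0] != product:
        return "unknown"
    return "patched" if parsed[1] >= fixed_in else "vulnerable"


def head_probe(host, port, path, timeout=5.0):
    """HEAD request; returns (status, Server header). No response body is transferred."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server")
    finally:
        conn.close()


def triage(host, port, product, fixed_in, probe_path):
    """Version check first; only if inconclusive, HEAD the probe path and report the
    status code. What a 200 means for a given CVE is left to the analyst."""
    _, server = head_probe(host, port, "/")
    verdict = assess_by_version(server, product, fixed_in)
    if verdict != "unknown":
        return {"method": "version", "server": server, "verdict": verdict}
    status, _ = head_probe(host, port, probe_path)
    return {"method": "head_probe", "server": server, "probe_status": status,
            "verdict": "probe_reachable" if status == 200 else "probe_not_reachable"}


# --- constructed target: a local server that imitates one host per banner ---
def make_handler(server_banner, probe_exists):
    class Handler(BaseHTTPRequestHandler):
        def version_string(self):          # value placed in the Server header
            return server_banner

        def do_HEAD(self):
            exists = self.path == "/" or (probe_exists and self.path == PROBE_PATH)
            self.send_response(200 if exists else 404)
            self.end_headers()

        def log_message(self, *args):      # keep the example quiet
            pass
    return Handler


def run_against(server_banner, probe_exists, product="apache", fixed_in=HYPOTHETICAL_FIXED_IN):
    """Start a throwaway server on an ephemeral port, triage it, tear it down."""
    httpd = HTTPServer(("127.0.0.1", 0), make_handler(server_banner, probe_exists))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        return triage("127.0.0.1", httpd.server_address[1], product, fixed_in, PROBE_PATH)
    finally:
        httpd.shutdown()
        httpd.server_close()


def demo():
    """Four constructed hosts: old banner, patched banner, unversioned banner twice."""
    return {
        "old": run_against("Apache/2.4.55 (Unix)", probe_exists=True),
        "patched": run_against("Apache/2.4.61 (Unix)", probe_exists=False),
        "hidden_open": run_against("Apache", probe_exists=True),
        "hidden_blocked": run_against("Apache", probe_exists=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The unversioned hosts never reach a "vulnerable" verdict from the banner alone; they fall through to the HEAD probe, and even there the code reports reachability of the path rather than asserting exploitability. Against real targets the same structure applies, but the legal caveat from the talk stands: agree in advance what probing is acceptable.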