SESSION ID: OST-T11
Open Source Tooling for Threat Analysis and Attack Surface Management
Rey Bango & Gabe Stocco, Microsoft Corporation
#RSAC

Keynote: Collaborating to Improve Open Source Security: How the Ecosystem Is Stepping Up
Session ID: KEY-F02S, Moscone South, February 28, 2020, 9:50am – 10:40am
Mark Russinovich, Chief Technology Officer, Microsoft Azure

State of the Octoverse Report 2018
Source: https://datastudio.google.com/u/0/reporting/0ByGAKP3QmCjLU1JzUGtJdTlNOG8/page/Q3DM

GitHub Data To-Date
Source: https://datastudio.google.com/u/0/reporting/0ByGAKP3QmCjLU1JzUGtJdTlNOG8/page/Q3DM

OSS Projects @ Microsoft
• Visual Studio Code
• PowerShell
• TypeScript
• The Windows Terminal
• Microsoft Edge
• Webhint
• Attack Surface Analyzer
• MSTIC Jupyter and Python Security Tools

Attack Surface Analyzer

Attack Surface Analyzer 2.0
• Microsoft Attack Surface Analyzer (ASA) detects system configuration changes resulting from software installations*
• ASA 2.0 is a rewrite of the original tool, available since 2012, that has helped IT professionals secure their systems for years
• Now includes support for Windows 10, Linux or macOS
• Released in April 2019 as Open Source on GitHub
*Virus scanners & digital certificate checks don’t help identify system changes made from installing software.

System Attack Surface Risks
• File System – malicious or inadvertent changes can corrupt system files that make up key functions of your system or grant access to private data
• User Accounts – persistent rogue elevated accounts can grant access to hijack your system
• System Services – background processes may be introduced that perform rogue operations like capturing sensitive data and even shut down existing key security modules
• Network Ports – can expose your system to unknown remote entities
• Digital Certificates – determine what remote domains and package signatures are trusted
• Registry (Windows only) – controls system startup actions, device drivers, services, and more
Most software probably only does what it says, but it pays to know.

Attack Surface Analyzer Coverage
Each one requires special tools and knowledge to identify changes made.
System Attack Surface: COM, Events, Groups, Firewall, Services, Accounts, Ports, Files, Certs, Registry
Microsoft Attack Surface Analyzer Reports Help

Attack Surface Analyzer 2.1
• Collects many different verticals: Firewall settings, System Services, System Logs, COM Objects (Windows), Files, Registry, Network Ports, Users and Groups
• New user-defined analysis rules system
  • Define analysis rules on any collected field using a choice of operator
  • Default ruleset, e.g. flags executables without ASLR enabled
  • Community contributions for default rules are encouraged
• Docker-based detonation chamber available

Using Attack Surface Analyzer
1. Create a base or initial scan on a clean system.
2. Install and run your product or application.
3. Take another scan.
4. Use the results analysis to identify system changes.

Typical Users
• DevOps Engineers that want to reduce the system attack surface introduced by their own software
• IT Security Auditors that want to evaluate risks from third-party software

ASA Demo

Built for Everyone
• Microsoft uses the Attack Surface Analyzer as part of our security development lifecycle practices (SDL)
• The classic version of the tool is still available with limited Windows support
• Attack Surface Analyzer 2.0 runs on Windows 10, Linux and macOS
• It comes with an Electron GUI or CLI interface to fit your needs
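The four-step workflow (baseline scan, install, second scan, analyse the delta) and the user-defined rules system described in the 2.1 slide can be illustrated with a small snapshot-diff engine. The following is an added example written for this page; it is not Attack Surface Analyzer's own code, and the snapshot layout, field names (sha256, aslr, user, address, admin), operators and rules are all constructed assumptions chosen to mirror the slides. The two snapshots are hand-built sample data: a clean baseline and the same host after installing a hypothetical product.

```python
"""Baseline-vs-post-install snapshot diff with operator-based rules.

Hypothetical example in the style of the Attack Surface Analyzer workflow;
not ASA's own code. All data and field names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable

# Constructed snapshot taken on a clean system (step 1).
BASELINE = {
    "files": {
        "/usr/sbin/sshd": {"sha256": "1111", "aslr": True},
        "/etc/hosts": {"sha256": "2222"},
    },
    "services": {"sshd": {"user": "root", "start": "auto"}},
    "ports": {"tcp/22": {"address": "0.0.0.0", "process": "sshd"}},
    "users": {"alice": {"admin": False}},
}

# Constructed snapshot taken after installing a hypothetical product (step 3).
AFTER = {
    "files": {
        "/usr/sbin/sshd": {"sha256": "1111", "aslr": True},
        "/etc/hosts": {"sha256": "3333"},                      # modified
        "/opt/acme/bin/acme": {"sha256": "4444", "aslr": False},  # new, no ASLR
        "/opt/acme/bin/helper": {"sha256": "5555", "aslr": True},
    },
    "services": {
        "sshd": {"user": "root", "start": "auto"},
        "acme-agent": {"user": "root", "start": "auto"},      # new root service
    },
    "ports": {
        "tcp/22": {"address": "0.0.0.0", "process": "sshd"},
        "tcp/8443": {"address": "0.0.0.0", "process": "acme-agent"},  # new listener
    },
    "users": {"alice": {"admin": False}, "acme_svc": {"admin": True}},  # new admin
}

# Operators a rule author can choose from ("choice of operator" on the slide).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "neq": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in (actual or ""),
    "regex": lambda actual, expected: re.search(expected, str(actual)) is not None,
    "in": lambda actual, expected: actual in expected,
}


@dataclass(frozen=True)
class Rule:
    """A rule evaluates one collected field of changed items in one category."""
    name: str
    category: str
    field: str            # a property name, or "key" to match the item's identifier
    operator: str
    expected: Any
    severity: str = "medium"
    changes: tuple = ("added", "modified")  # which change kinds the rule looks at


# Constructed default ruleset, modelled on the slide's "executables without ASLR" example.
DEFAULT_RULES = (
    Rule("Executable without ASLR", "files", "aslr", "eq", False),
    Rule("Change to /etc configuration", "files", "key", "regex", r"^/etc/", "low"),
    Rule("Service running as root", "services", "user", "eq", "root"),
    Rule("Port bound to all interfaces", "ports", "address", "in", ("0.0.0.0", "::"), "high"),
    Rule("New administrative account", "users", "admin", "eq", True, "high", ("added",)),
)


def diff_snapshots(before: dict, after: dict) -> dict:
    """Step 4, part one: compute added/removed/modified items per category."""
    result = {}
    for category in sorted(set(before) | set(after)):
        b, a = before.get(category, {}), after.get(category, {})
        result[category] = {
            "added": {k: a[k] for k in a.keys() - b.keys()},
            "removed": {k: b[k] for k in b.keys() - a.keys()},
            "modified": {k: {"before": b[k], "after": a[k]}
                         for k in a.keys() & b.keys() if a[k] != b[k]},
        }
    return result


def evaluate_rules(diff: dict, rules=DEFAULT_RULES) -> list[dict]:
    """Step 4, part two: apply rules only to items that changed between scans.

    Unchanged baseline items (e.g. sshd already listening on 0.0.0.0) are never
    flagged, because the point of the workflow is what the install introduced.
    """
    findings = []
    for rule in rules:
        match = OPERATORS[rule.operator]
        for change in rule.changes:
            for key, item in diff.get(rule.category, {}).get(change, {}).items():
                props = item["after"] if change == "modified" else item
                actual = key if rule.field == "key" else props.get(rule.field)
                if match(actual, rule.expected):
                    findings.append({"rule": rule.name, "severity": rule.severity,
                                     "category": rule.category, "change": change, "key": key})
    return findings


def run_analysis() -> list[dict]:
    """Run the constructed baseline/after comparison through the default rules."""
    return evaluate_rules(diff_snapshots(BASELINE, AFTER))


if __name__ == "__main__":
    for f in run_analysis():
        print(f"[{f['severity']}] {f['rule']}: {f['category']}/{f['key']} ({f['change']})")
```

The diff step keys every item by its identifier (path, service name, port tuple, account name) so that a modified item carries both its before and after properties, and rules can target either the identifier (`field="key"`) or any collected property. Adding a rule for a new vertical is a matter of appending another `Rule` with the category, field and operator, which is the shape of the community-contributed default rules the slide encourages.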