WEBVTT

00:07.310 --> 00:12.830
In this episode, we're going to discuss Cvss common vulnerability scoring system as well as threat

00:12.860 --> 00:13.460
modeling.

00:13.460 --> 00:18.890
We're going to decide or go into action with how threat modeling corresponds with the Cvss scoring and

00:18.890 --> 00:20.150
prioritization.

00:20.150 --> 00:23.600
When we go through these different episodes, I want you to pay close attention to the different threat

00:23.630 --> 00:25.910
modeling frameworks that we're going to decide on.

00:25.910 --> 00:32.660
And I also want to point out Cvss and how that can be utilized for your prioritization through different

00:32.660 --> 00:34.640
vulnerability management that we discussed earlier.

00:34.670 --> 00:39.710
The Common Vulnerability Scoring System, or Cvss, is currently utilizing version three.

00:39.740 --> 00:40.160
Now.

00:40.160 --> 00:44.870
This differs slightly from version two, as in we just put in the medium category, which wasn't used

00:44.870 --> 00:49.040
to be there, but you just need to be aware that that's just the newer system that's being utilized.

00:49.040 --> 00:54.290
When we talk about Cvss, it's broken in from zero through ten, with ten being the most critical and

00:54.290 --> 00:54.890
zero being.

00:54.890 --> 00:56.330
There's no threat whatsoever.

00:56.360 --> 01:01.130
Very rarely are you going to see a no threat or a zero whenever we see a your vulnerability.

01:01.310 --> 01:05.120
Matter of fact, I don't think I've seen one ever in my entire time as a cybersecurity expert.

01:05.120 --> 01:10.040
At the critical level, you usually have root level access, which is easily accessible and requires

01:10.040 --> 01:11.330
an immediate response.

01:11.330 --> 01:17.750
We identify this as anything from 9.0 all the way to 10.0, and has different variations based on what

01:17.750 --> 01:18.650
you're looking for.

01:18.680 --> 01:23.720
The important part here for critical level is that root level access that is easily accessible.

01:23.720 --> 01:28.400
If we take impact and we multiply it by EAS, then we get our Cvss score.

01:28.430 --> 01:30.170
That's the easiest way to explain it.

01:30.170 --> 01:37.910
So I have something that's very easy to access, i.e. a tool that's on a MSF venom, or maybe Metasploitable,

01:37.910 --> 01:42.950
and that tool is able to use on a live system that gains root access.

01:42.950 --> 01:47.240
That will give us a very high score, because it doesn't take a lot of technical knowledge or knowledge

01:47.240 --> 01:49.640
of the system in order to exploit that problem.

01:49.640 --> 01:53.390
This is where a majority of our prioritization is going to come into play.

01:53.420 --> 01:59.540
They recommend an immediate response when it comes to something in the 9.0 to 10.0 atmosphere of a cvss

01:59.570 --> 02:00.080
escort.

02:00.160 --> 02:04.150
Now I want to point out that we also want to utilize a little bit of common sense in here.

02:04.150 --> 02:09.280
If we just took the pure logic of the scoring system, then we really wouldn't need cybersecurity analysts.

02:09.280 --> 02:11.650
You need to remember that you're an expert in your field.

02:11.650 --> 02:17.050
If I've got something that is a window based vulnerability, but the vulnerability is only for a Linux

02:17.050 --> 02:19.510
based system, then we have a false positive.

02:19.510 --> 02:23.080
And you as a cybersecurity expert, need to be able to go in and annotate.

02:23.080 --> 02:26.050
That is a false positive and doesn't need to be looked at.

02:26.080 --> 02:30.100
You'll see little problems and idiosyncrasies as you become more and more experienced with the analyst

02:30.100 --> 02:33.670
process, but while it's one of the big ones, next we have high.

02:33.700 --> 02:37.360
Now, high means usually that we have escalated privileges with the vulnerability.

02:37.390 --> 02:42.160
You have to have some technical knowledge and they recommend within four weeks that we fix this problem.

02:42.190 --> 02:46.480
Now that's a big jump from an immediate response, i.e. something really bad is going to happen.

02:46.480 --> 02:51.430
So we have to fix it now versus four weeks from now with an escalated privileges.

02:51.430 --> 02:55.840
This usually doesn't provide us root access, but it does mean that they have some administrative control

02:55.840 --> 02:58.930
and they have to use some technical skill to actually get into it.

02:58.960 --> 03:04.000
However, you could have something with root level access that has some technical skill.

03:04.000 --> 03:09.760
It's not an all or none atmosphere, so be aware of that when you're looking through Cvss scores.

03:10.270 --> 03:11.590
Then we have a medium.

03:11.590 --> 03:16.450
This provides us limited access or requires knowledge in order to exploit the problem.

03:16.450 --> 03:19.660
This usually means that I've got something that has limited access.

03:19.660 --> 03:24.610
They don't really have admin access, but maybe they can log in as the user and do some damage to the

03:24.610 --> 03:25.960
machines or the network.

03:25.990 --> 03:30.070
It also has some required knowledge requirements, meaning you're not going to get somebody that just

03:30.070 --> 03:31.210
is fresh off the boat.

03:31.210 --> 03:33.820
Never seen a computer before being able to access this.

03:33.850 --> 03:39.040
Your script kiddies usually are going to be writing on those medium access, but again, it does come

03:39.040 --> 03:39.820
in different flavors.

03:39.820 --> 03:45.550
I could have limited access with easy accessible usually would denote a high, but maybe a very high

03:45.550 --> 03:46.690
on the medium charts.

03:46.690 --> 03:47.590
Then we have low.

03:47.620 --> 03:52.840
Low is usually minimal business impact meaning that there yes there's a vulnerability, but if somebody

03:52.840 --> 03:55.270
gets access to it, they're really not going to be able to affect systems.

03:55.270 --> 03:58.270
Maybe they can read data and the data isn't sensitive.

03:58.270 --> 04:01.170
So yeah, it's a problem, but it's not a big problem.

04:01.200 --> 04:06.630
This also usually requires physical access, meaning that the user or the malicious actor has to physically

04:06.630 --> 04:11.190
be able to access our machines, either through a port or through the keyboard itself.

04:11.190 --> 04:13.260
This is where the Loa comes into play.

04:13.290 --> 04:19.170
Now, in terms of exploitation, they can also have something that requires root access, but usually

04:19.170 --> 04:24.630
require a physical access as well, and may score into the medium to high range depending on the different

04:24.630 --> 04:27.120
level or access or ease of usability.

04:27.150 --> 04:31.080
Once they give physical access, it's important to note that Cvss has.

04:31.080 --> 04:33.330
Scoring system is an arbitrary system.

04:33.330 --> 04:36.960
It really is in the eyes of the beholder and what they feel at the time.

04:36.960 --> 04:42.720
When that comes into play, you may have somebody that views a vulnerability or a problem with a high

04:42.720 --> 04:45.000
impact different than somebody else.

04:45.000 --> 04:46.020
This is the problem.

04:46.020 --> 04:49.770
And the best thing about a cvss score, which means that it's arbitrary.

04:49.800 --> 04:54.930
You really have to take your grain of salt into it, and you have to use some common sense when negotiating

04:54.930 --> 04:56.760
the cvss scoring system.

04:56.760 --> 05:02.790
However, with that said as an analyst, you may be called into question if you see a high CVS score

05:02.820 --> 05:04.980
that you didn't have a knee jerk reaction to.

05:05.010 --> 05:10.950
Managers that don't truly understand cybersecurity always go to that number as a predetermined range

05:10.950 --> 05:12.360
that they want to fix first.

05:12.390 --> 05:13.890
This is also a problem.

05:13.890 --> 05:17.010
It could also lead you to additional confines as well.

05:17.040 --> 05:18.300
But be aware of that.

05:18.300 --> 05:22.890
Your job as a cybersecurity analyst is to understand the technical perspectives of those scores, and

05:22.890 --> 05:27.450
how they interplay with the systems that you have within your network, but also be able to speak as

05:27.450 --> 05:32.880
a business analyst and go through and go, yes, it's a critical, but it's not that critical to a system.

05:32.880 --> 05:34.050
And here's why.

05:34.080 --> 05:36.420
Be prepared to write those reports on this slide.

05:36.420 --> 05:40.080
You can understand how cvss metrics or scores come into play.

05:40.080 --> 05:41.850
They're broken into three different groups.

05:41.850 --> 05:46.410
We have our basic method group, our temporal metric group and our environmental metric group.

05:46.440 --> 05:51.570
Now each group is responsible for a different aspect of the Cvss scoring process.

05:51.570 --> 05:57.090
The basic group usually includes different things like the vector, the compatibility of the impact

05:57.090 --> 06:01.700
where the integrity comes into play, how the user interaction comes into play.

06:01.700 --> 06:02.870
This is pure and simple.

06:02.900 --> 06:06.710
The basics of any type of vulnerability that you may see on a system.

06:06.710 --> 06:09.260
Then we take the temporal metric group.

06:09.260 --> 06:11.240
This is the exploit code maturity.

06:11.270 --> 06:12.890
How long is the code been out?

06:12.890 --> 06:17.240
Is it something that's in our Metasploit framework that somebody just can gain easily?

06:17.240 --> 06:23.990
Access to temporal metrics are fundamentally just what kind of ease is the environment that I'm using

06:23.990 --> 06:27.350
for, or the tool in which I'm utilizing to break into the system?

06:27.350 --> 06:32.600
Again, if I have a highly complex tool that somebody has to write brand new code for, and the basic

06:32.600 --> 06:39.170
metric group is the attack vector, where it's very easy to go through port SSH 22 to gain access into

06:39.170 --> 06:39.890
the system.

06:39.890 --> 06:44.720
We may have a higher or lower cvss score based on that algorithm.

06:44.810 --> 06:48.650
Easy to get access to the system, but very high code.

06:48.650 --> 06:50.480
Probably land us somewhere in the middle.

06:50.510 --> 06:52.670
Finally we have the environmental metric group.

06:52.670 --> 06:57.380
This is the confidentiality, integrity and availability and modified base metric.

06:57.380 --> 07:03.600
When it comes into play, meaning that I could have a basic metric group plus a temporal metric group.

07:03.600 --> 07:06.060
But I also need to include that environmental.

07:06.090 --> 07:13.530
Environmental metric group, meaning that if it's impacting my integrity of my data, maybe the confidentiality

07:13.530 --> 07:18.510
of my data, or the availability of my networks or systems, and at what level they're impacting those

07:18.510 --> 07:20.100
different aspects as well.

07:20.100 --> 07:26.850
If I've got something that is hard to to access with an ease of vector, meaning that the attack vector

07:26.880 --> 07:28.890
could be on that port 22 we talked about.

07:28.890 --> 07:34.710
But it takes a lot of good scripting and coding to actually pull this code off or this attack off,

07:34.710 --> 07:38.790
and then it affects my, I don't know, availability by 1%.

07:38.790 --> 07:45.420
That may land us on a low Cvss score if I flip that around and we said, well, it affects my availability

07:45.420 --> 07:49.770
because it is a denial of service attack and they can knock the entire network off the ground, maybe

07:49.770 --> 07:52.440
that moves that low up to a medium or even a high level.

07:52.470 --> 07:59.140
Understanding these three basic, basic metric groups associated with Cvss scoring isn't really required

07:59.140 --> 08:02.020
at an in-depth level, but you should have a high level understanding.

08:02.050 --> 08:07.060
Understanding the basic, the temporal and the environmental and what those constitute on each level.

08:07.090 --> 08:11.170
Threat modeling comes at different aspects of where our threat comes into play.

08:11.200 --> 08:17.230
That means if I have a threat, I need to identify the capability, the attack vector and surface that

08:17.230 --> 08:18.550
they're most likely to come on.

08:18.580 --> 08:21.910
The likelihood of that attack coming into play and what impact it has.

08:21.940 --> 08:27.190
Now, we kind of touched on this a little bit with our Cvss scoring metric, but you need to understand

08:27.190 --> 08:29.800
it from a threat modeling aspect as well.

08:29.830 --> 08:31.360
Capability of a threat.

08:31.390 --> 08:33.700
How capable is the threat that we're coming into play?

08:33.700 --> 08:35.500
Is it a script kiddie or an apt?

08:35.740 --> 08:39.070
Those matter when we're looking at different threats and threat modeling.

08:39.070 --> 08:40.390
What's the attack surface?

08:40.420 --> 08:42.610
Is it a windows machine or a Linux machine?

08:42.610 --> 08:48.280
Maybe it's a mac, maybe it's a firewall of a specific vendor that we don't even have in our network.

08:48.280 --> 08:53.530
What vector are they utilizing and does it have to be physical, i.e. in person, or can it be over

08:53.560 --> 08:55.690
a simple port like HTTP?

08:55.870 --> 09:01.180
We need to understand the threat vector or the attack vector that this threat is most likely to utilize.

09:01.180 --> 09:03.910
What's the likelihood of this threat taking place?

09:03.940 --> 09:05.260
Is it as an easy threat?

09:05.290 --> 09:09.850
I.e. if it's a script kiddie and there's a tool already out for there, and all they have to do is press

09:09.850 --> 09:11.950
the enter button after punching enter IP address.

09:11.980 --> 09:13.960
Probably a very high likelihood.

09:13.990 --> 09:18.670
However, again, if we have to do high scripting and they have to program the tool themselves, probably

09:18.670 --> 09:20.560
a very unlikely likelihood.

09:20.590 --> 09:22.090
And then finally impact.

09:22.090 --> 09:25.090
What's the impact of all of our network infrastructure.

09:25.090 --> 09:28.660
Is it going to take down our entire system or is it barely going to be touched?

09:28.660 --> 09:31.390
That impact really comes into play on different levels.

09:31.420 --> 09:35.800
Are they able to utilize a tool with a high likelihood of easy attack vector?

09:35.830 --> 09:40.990
Maybe the attack surface is our entire network, and the capability of the attacker is very high because

09:40.990 --> 09:46.420
it's an easily, readily available tool that a script kiddie might use, then our impact is very low.

09:46.450 --> 09:49.780
Well, that means to a high likelihood, but low impact.

09:49.780 --> 09:53.830
When we talk about threat modeling, you need to understand from a cybersecurity analytical point of

09:53.830 --> 10:00.220
view that threat modeling encompasses how busy or how in depth we need to be with our threat hunting.

10:00.220 --> 10:06.250
Meaning that if I have a very complex virus that's going to go into our system, but it takes a lot

10:06.280 --> 10:11.740
of fortitude, a lot of, uh, of technical knowledge that its impact is quite low and the likelihood

10:11.740 --> 10:12.520
is quite low.

10:12.550 --> 10:15.100
Then my Cvss score would also be quite low.

10:15.100 --> 10:16.990
But we're looking at from a diverse perspective.

10:16.990 --> 10:22.630
Without that cvss score, I need to make an intellectual decision on how much we go into that threat

10:22.630 --> 10:24.700
as far as defensive structure comes into play.

10:24.700 --> 10:29.800
When you're going about threat modeling, understand that as a cybersecurity analyst, you need to understand

10:29.800 --> 10:31.720
your threats from an intrinsic level.

10:31.720 --> 10:36.820
This is where understanding your network, your capabilities, your mitigations, and your impact to

10:36.820 --> 10:40.660
your systems based on those different vulnerabilities or threats really comes into play.

10:40.660 --> 10:43.450
This is what separates the experts from the novices.

10:43.450 --> 10:47.920
Within threat modeling, we have two basic frameworks that you need to be familiar with.

10:47.920 --> 10:49.450
The first one is stride.

10:49.450 --> 10:53.290
This was developed by Microsoft several years ago and is still is used today.

10:53.290 --> 10:58.350
And it stands for spoofing, tampering, information disclosure Denial of Service, and an elevation

10:58.350 --> 10:59.190
of privileges.

10:59.190 --> 11:04.590
This is fairly easy model to identify when it comes into threats, and we utilize this in such a way

11:04.590 --> 11:11.040
that where if I see a threat, such as maybe an internal access to our systems via malware, I can go

11:11.040 --> 11:13.560
through and say, oh, is it spoofing an IP address?

11:13.590 --> 11:15.810
If it is, then that's something to be aware of.

11:15.810 --> 11:17.010
What is it tampering with?

11:17.010 --> 11:18.180
What is it interacting with?

11:18.180 --> 11:20.220
How is it fooling around with that system?

11:20.220 --> 11:21.540
That is something I need to be aware of.

11:21.570 --> 11:27.390
You can literally go step by step and identify each portion of the stride model to impact how it would

11:27.390 --> 11:29.970
utilize for threat modeling within your internal systems.

11:29.970 --> 11:31.200
This is the pasta model.

11:31.200 --> 11:35.190
Now this is the process for attack simulation and threat analysis.

11:35.220 --> 11:41.040
It's a risk centric modeling framework that uses seven stages to encourage analysts to solicit input

11:41.040 --> 11:44.880
from operations, governance, architecture, and of course, development.

11:44.880 --> 11:51.120
This comes into play where we really want our network analysts or our security analysts to really understand

11:51.120 --> 11:53.040
that, hey, I'm not alone in this field.

11:53.040 --> 11:56.670
I can reach out to other experts and get their input as well.

11:56.670 --> 12:01.230
If you're living in this little bubble within cybersecurity, you're probably going to lose track of

12:01.230 --> 12:01.950
what's going on.

12:01.950 --> 12:06.450
We can't be experts at everything, and this is where the pasta model really comes into play.

12:06.450 --> 12:12.210
It really encourages you as an analyst to reach out and go, hey, I see this problem operations.

12:12.210 --> 12:13.440
Have you seen this before?

12:13.440 --> 12:14.940
What are you doing on your end?

12:14.970 --> 12:15.840
What do you think?

12:15.840 --> 12:16.980
What about governance?

12:16.980 --> 12:20.190
What about the network architects and the architecture that comes into play?

12:20.220 --> 12:25.230
How are they utilizing the different, uh, hardware within the network architecture to develop different

12:25.230 --> 12:26.910
vulnerabilities associated with it?

12:26.910 --> 12:31.560
And then finally, our application development, what are they doing on their side that could impact

12:31.560 --> 12:32.610
cybersecurity?

12:32.610 --> 12:37.650
When it comes to the pasta model, it really is all about touching bases with those different people

12:37.650 --> 12:41.550
and those different departments to get a better picture of the cybersecurity as a whole.

12:41.580 --> 12:46.530
Now that we've gone through the Cvss scoring and how it's implemented, I really wanted to take an opportunity

12:46.530 --> 12:53.790
to go through and explain some of the questions that you might see on the Cisa exam, and how you need

12:53.790 --> 13:00.200
to prepare yourself in order to answer those questions, For instance, under the first.org website

13:00.200 --> 13:02.150
you can see a basic introduction.

13:02.150 --> 13:06.140
And if we scroll down you can start to see how the metrics are calculated.

13:06.140 --> 13:10.160
You can see the basic metric group, the temporal, the environmental.

13:10.160 --> 13:16.460
And if we scroll down some more, you can see the different little abbreviations that they provide based

13:16.460 --> 13:17.690
on each of those.

13:17.690 --> 13:22.670
It's important that you actually read through and understand these abbreviations, because you might

13:22.670 --> 13:29.750
have a question that literally uses those abbreviations, and you're required to pick the highest or

13:29.750 --> 13:32.720
the most likely metric that you would tackle.

13:32.720 --> 13:36.350
If you understand the abbreviations, it makes the question very easy.

13:36.350 --> 13:39.860
If you don't understand it, it's like picking out a needle in a haystack.

13:39.890 --> 13:41.600
You really don't know what you're looking at.

13:41.600 --> 13:45.440
So as we're going through, if you scroll down a little bit more, you can see the attack vector.

13:45.440 --> 13:50.990
And we have an N for network, an A for adjacent and L for local and a P for physical.

13:51.020 --> 13:58.130
The attack complexity is either low or high L and H accordingly And then finally, the privilege requirements

13:58.130 --> 14:02.480
are either N, L, or H according to what it's looking for.

14:02.510 --> 14:06.020
Finally, user interaction it's either n or R.

14:06.050 --> 14:14.270
So if you see a question that has a required user interaction but is considered high and you're meeting

14:14.270 --> 14:21.560
up with that, and in comparison to say something that has a low or no user interaction with a high,

14:21.560 --> 14:25.100
which one would be more likely for you to spend your time on?

14:25.130 --> 14:32.420
Well, obviously having no user interaction compared to a required user action, we would go after the

14:32.450 --> 14:36.590
no user interaction as our primary purpose, right?

14:36.620 --> 14:43.130
And so it's really important for you to be able to look at these abbreviations and then accordingly

14:43.130 --> 14:45.860
answer questions corresponding to them.

14:45.860 --> 14:50.480
So again it's not as simple as just saying UI as in user interaction.

14:50.480 --> 14:53.510
You'll literally see something that says UI colon.

14:53.510 --> 15:00.640
And then n or R Or you might see something that says PR colon, and then it may have an N and L or an

15:00.640 --> 15:05.980
H, and you need to be able to read that in order to answer the questions that may be posed on the Cysa

15:06.010 --> 15:06.730
exam.

15:06.760 --> 15:10.240
Same with confidentiality, integrity and availability.

15:10.240 --> 15:16.270
So be aware that while I've only covered the very first portions of it in the basic metrics, you could

15:16.270 --> 15:22.510
also see something for temporal or even environmental, and you need to know those little abbreviations

15:22.510 --> 15:24.100
as you're going through the exam.

15:24.130 --> 15:30.850
The other website that I wanted to show you is Nist.gov calculator, and it provides a great scenario

15:30.850 --> 15:34.180
to kind of give it more of an easier way to look at it.

15:34.180 --> 15:39.850
For me, I actually memorize things better when I can go through and play with it, and in this case,

15:39.850 --> 15:44.560
I can look at the base score metrics and it pretty much provides it for me.

15:44.560 --> 15:53.290
I can go attack the AV and then call it N, which is much, much like you would see on the basic, uh,

15:53.290 --> 15:54.130
exam.

15:54.130 --> 15:55.840
And so I can go through and I can play with these.

15:55.870 --> 16:01.280
And then in the temporal metrics and environmental metrics, you could also see impact metrics and then

16:01.280 --> 16:05.450
the impact sub score or confidentiality requirements or CR.

16:05.480 --> 16:09.230
So as you're going through this I highly recommend that you go through this website.

16:09.230 --> 16:11.030
Definitely play around with it.

16:11.030 --> 16:13.100
Uh kind of see what they're asking for.

16:13.100 --> 16:14.030
And the capabilities.

16:14.030 --> 16:18.680
If you go in there blind, it wouldn't surprise me if you don't view it very well on those specific

16:18.680 --> 16:19.700
exam questions.

16:19.700 --> 16:24.860
Within this episode, we talked about Cvss scores and how they're utilized, what makes up the score,

16:24.860 --> 16:27.200
and how those scores impact what we're trying to do.

16:27.230 --> 16:31.700
As far as prioritization goes, we also talked about different thought modeling and how that threat

16:31.730 --> 16:33.980
modeling imposes across us as an analyst.

16:33.980 --> 16:38.720
And we discovered that both the stride as well as the pasta model and how those come into play with

16:38.720 --> 16:45.950
us as a cybersecurity analyst for the Cisa exam, what you really need to take it from this is Cvss.

16:45.980 --> 16:50.690
We really need to understand from a basic high level overview, a how those courses come into play and

16:50.690 --> 16:56.370
where we need to utilize prioritization based on that threat modeling or based on that Cvss score.

16:56.370 --> 17:00.480
When it comes to threat modeling, how do we impact the different threats that are impacting our different

17:00.510 --> 17:02.790
networks and the different trends associated with it?

17:02.820 --> 17:07.650
We need to understand how stride works, as well as the pasta model, and what separates those two models

17:07.650 --> 17:10.050
and how we should interfere with them or interact with them.

17:10.080 --> 17:16.080
As an analyst, you should expect to see questions on pasta, as in, hey, what are the different aspects

17:16.080 --> 17:21.360
or departments that I might need to reach out to if I was utilizing the pasta model methodology?

17:21.390 --> 17:25.680
You also need to look at the stride model and understand the different acronyms associated with it.

17:25.710 --> 17:26.520
Spoofing.

17:26.520 --> 17:31.680
So on all the way down to elevation of privileges, you need to understand cvss scoring and expect to

17:31.680 --> 17:35.010
see again scenario based questions based on both of them.

17:35.010 --> 17:40.740
You may see something where, hey, I've got this threat associated with my, uh, with my systems,

17:40.740 --> 17:43.410
and it's talking about tampering with specific items.

17:43.410 --> 17:45.090
Now, they won't use the word tampering.

17:45.090 --> 17:46.980
They'll use a different word that means tampering.

17:46.980 --> 17:51.930
And you're expected to know, hey, this corresponds with tampering of the T of the stride model.

17:51.930 --> 17:55.770
Expect to see different scenario based questions on that and you should be good to go.