- Francisco Artes, Stefan Frei
- Whitepaper (archive): Modeling Exploit Evasions in Layered Security (pdf)
- Archive: Blackhat Talk Slides (pdf)
Maltego is a program that can be used to determine the relationships and real world links between many things, and has been adapted by NSS Labs to show the relationship and correlation of unblocked exploits through a layered security stack of hardware and software tools.
Utilizing the empirical data collected during NSS Labs' tests on next generation firewalls (NGFW), intrusion prevention services (IPS), breach detection systems (BDS), endpoint security, browser security, and antivirus engines, paired with data on exploit availability of popular crimeware kits or penetration testing tools (e.g. Metasploit) NSS Labs is able to model layered defense stacks and illustrate exploits that are able to evade detection by the entire stack. NSS Labs can also simulate popular or customer specific software portfolios, allowing mapping simulations specific to their infrastructure environment.
Utilizing the relationship mapping capabilities of Maltego, it is possible to correlate results from multiple tests and infer dependencies that were not visible from the standard charts and tables. Models can be created to represent the current deployment of devices and software within a specific environment. From those models NSS can determine which current evasion techniques are capable of bypassing which security devices, and which exploits will be effective against which workstations and servers. Hardware or software can be swapped in and out of the model to simulate and illustrate changes in the security posture.
This is all possible due to the correlation of undetected exploits through the layers of the stack. Even within a single layer there is often correlation of exploitable vulnerabilities across the major vendors. For example, of the fifteen vendor-tuned IPS devices tested by NSS in 2012, eleven can be bypassed by the same exploit, identified as 2008-038 by NSS Labs. There is only one combination of two layered IPS devices that would block all currently tested exploits.
Modeling allows CISO/CSOs to identify and properly address exposures within the infrastructure for which they are responsible.