Vulnerability Research 101
*This is part of an ongoing series from Rezilion titled Enlightened Engineering: Reflections From Rezilion’s Tech Team
By: Ofri Ouzan, Security Researcher, Rezilion
Almost everyone involved in the security world was abuzz around newly published CVEs that made lots of noise in the media.
Everyone was tweeting about the new vulnerability, and each company wanted to be the first to out all the juicy information about it to bring their own unique perspective.
And you, as a security researcher in your company or one that is working independently on security research, want to be someone that creates the best and most interesting research content about the CVEs. Moreover, you don’t want to be late to the party.
How would you do that?
It’s important to be clear and mention that this blog post is not going to inform you how to search for new vulnerabilities.
This blog post will however, show you what the steps are for investigating existing vulnerabilities (CVEs) and how to write research based on your findings.
Why Do I Want to Talk About This Issue?
I was always involved in the security world but in different parts of it – investigating attack vectors and attack techniques. In my current role, among other things, I’m assigned with exploring existing vulnerabilities, validating in which specific situations they apply, and finding mitigations and remediations for them.
Moving to a security researcher role in investigating vulnerabilities was a bit confusing, and a struggle for me at first.
For example, if the vulnerability was new, I didn’t always find enough information to investigate it. On the other hand, if the vulnerability was old there was often too much written about it, and I found myself drowning in confusion.
I believe that this blog post will mostly help people who are in the following groups:
• People who want to become security researchers in the vulnerability field
• Security researchers in companies that write researchers of new CVEs
• Independent security researchers
After you understand the concepts well (I suggest you read more about them and also experiment), we can move to the actual steps that helped me while investigating vulnerabilities and writing research.
First of all, choose the CVE you want to focus on.
You can use the CVE Trends website which presents information about the latest trending vulnerabilities. It presents people’s tweets, related posts, and github repos of the vulnerability.
After choosing the CVE, try to collect as much relevant data on it as possible.
You can find general information about CVEs in websites such as: NVD and Mitre. These websites present the vulnerability details such as description, base score, related links, etc. In order to read about the vulnerability you will want use its CVE name. This way you won’t find yourself flooded by all of the content out there. I recommend that you get familiar with famous security websites such as Medium and The Hacker News.
To find more juicy information about the vulnerability, I also suggest that you to look either research that was written by a big security company, or research that is widely shared and liked across the social media sphere.
Understand the Vulnerability
The next phase after collecting relevant information regarding the vulnerability is to read about and understand it.
For that purpose, try to ask yourself questions to understand which information is missing in your head to complete the full picture of the vulnerability.
• Which software/applications are affected?
• Does the vulnerability pose a high risk? Why?
• What is the goal the attacker will achieve by exploiting the vulnerability?
• What is the impact on the systems/software/network?
A few aspects worth exploring are:
- Environment – Understand which platforms are vulnerable. For example container, software, application etc. In order to simulate the vulnerability, you will need to search for a vulnerable platform according to the findings and establish the environment. Sometimes you will need to download a container image and run it on docker, sometimes you will need to install applications with specific versions or even deploy new softwares. If the vulnerable platform is a container, try to search for the CVE and ‘vulnerable container’ phrase.
- Mitigations and Remediations – Find mitigations and remediations of the vulnerability, or think about ways to secure and avoid the vulnerability. Usually there are websites that list the vulnerability mitigations, so try using them to search for the CVE and ‘mitigation’. For example: ‘cve_yyyy_xxxx mitigation’.
- Exploitation – Find POCs and exploitations, or try to come up with your own exploit. You can find POCs of the vulnerability by typing the CVE and ‘POC’ or ‘Exploit’ word (usually only famous CVEs have POCs) or by searching for the CVE through these websites: exploit-db, In The Wild and CISA.
Simulate the Vulnerability
Now it is time for some hands-on experience with the vulnerability.
After setting up the proper environment, run the exploit or the POC on it. Try to mitigate the vulnerability in the container against the exploit and then run the exploit again to validate the mitigation. This will enable you to truly understand the different constraints around effective exploitation of the vulnerability.
The best advice I could give you is to be in a mindset that doubts what you read. Do not believe everything you read, usually it’s not 100% percent accurate!
The people who write those research reports are human, and can be wrong about the information they provide.
Always try to think outside the box and question yourself and others – this is what makes a good researcher.
Document Your Research
At each step, record your investigation flow and write down everything you find. Take screenshots and document both successful and unsuccessful attempts. Detailed documentation will help you remember the state of mind you were in during the investigation and will help if/when you decide to publish your findings. It is much more tricky to try to remember what led you to arrive at certain conclusions/breakthroughs after the fact. Even though your research may contain information collected from few other sources, which is good and makes your research more reliable, try to provide your own perspective on the issue and bring your own unique value.
Make sure you understand the vulnerability flow and why you chose this vulnerability, emphasize the importance of securing and mitigating this vulnerability, what things the attacker can achieve by exploiting it, and what are the possible consequences of exploitation.
If your research relies on other research, add a shoutout and give credit to them. This can work to encourage new connections between researchers.
Finally, remember to doubt everything you read, including this blog of mine, which was written and relies solely on my own experiences.