Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
PREDICTING EXPLOITABILITY
@MROYTMAN
“Prediction is very difficult, especially
about the future.”
-Neils Bohr
3 Types of “Data-Driven”
Too many vulnerabilities.
How do we derive risk from
vulnerability in a data-driven
manner?
PROBLEM
EXPLOITABILITY
1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE
EXPLOITABILITY
1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE
Analyst Input
Vulnerability Management
Programs Augmenting Data
Retrospective
Temporal Score Estimation
Vulnerability
Rese...
EXPLOITABILITY
1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE
ATTACKERS
ARE FAST
0 5 10 15 20 25 30 35
CVSS*10
EDB
MSP
EDB+MSP
Breach*Probability*(%)
Positive Predictive Value of remediating a
vulnerabil...
DATA OF FUTURE PAST
Q: “Of my current vulnerabilities, which ones
should I remediate?”
A: Old ones with stable, weaponized...
FUTURE OF DATA PAST
Q: “A new vulnerability was just released. Do we
scramble?”
A:
EXPLOITABILITY
1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE
Machine Learning?
Enter: AWS ML
70% Training, 30% Evaluation Split N = 81303
All Models:
L2 regularizer
1 gb
100 passes over the data
Receiver operating
c...
Model 1: Baseline
-CVSS Base
-CVSS Temporal
-Remote Code Execution
-Availability
-Integrity
-Confidentiality
-Authenticati...
LMGTFY:
Moar Simple?
Model 2: Patches
-CVSS Base
-CVSS Temporal
-Remote Code Execution
-Availability
-Integrity
-Confidentiality
-Authenticatio...
Model 3: Affected Software
-CVSS Base
-CVSS Temporal
-Remote Code Execution
-Availability
-Integrity
-Confidentiality
-Aut...
Model 4: Words!
-CVSS Base
-CVSS Temporal
-Remote Code Execution
-Availability
-Integrity
-Confidentiality
-Authentication...
Model 5: Vulnerability Prevalence
-CVSS Base
-CVSS Temporal
-Remote Code Execution
-Availability
-Integrity
-Confidentiali...
Moar Simple?
Moar Simple?
Exploitability
-Track Predictions
vs. Real Exploits
-Integrate 20+
BlackHat Exploit
Kits - FP
reduction?
-Find better vulnerability
descr...
Thanks!
@MROYTMAN
Predicting Exploitability
Predicting Exploitability
Predicting Exploitability
Upcoming SlideShare
Loading in …5
×

Predicting Exploitability

1,269 views

Published on

Data driven decision making can be retrospective, real-time, or predictive. We use Amazon Machine Learning to predict the probability that a vulnerability will become exploited, using only the data available when a vulnerability is released.

Published in: Internet
  • Be the first to comment

Predicting Exploitability

  1. 1. PREDICTING EXPLOITABILITY @MROYTMAN
  2. 2. “Prediction is very difficult, especially about the future.” -Neils Bohr
  3. 3. 3 Types of “Data-Driven”
  4. 4. Too many vulnerabilities. How do we derive risk from vulnerability in a data-driven manner? PROBLEM
  5. 5. EXPLOITABILITY 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  6. 6. EXPLOITABILITY 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  7. 7. Analyst Input Vulnerability Management Programs Augmenting Data Retrospective Temporal Score Estimation Vulnerability Researchers
  8. 8. EXPLOITABILITY 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  9. 9. ATTACKERS ARE FAST
  10. 10. 0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value of remediating a vulnerability with property X:
  11. 11. DATA OF FUTURE PAST Q: “Of my current vulnerabilities, which ones should I remediate?” A: Old ones with stable, weaponized exploits
  12. 12. FUTURE OF DATA PAST Q: “A new vulnerability was just released. Do we scramble?” A:
  13. 13. EXPLOITABILITY 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  14. 14. Machine Learning?
  15. 15. Enter: AWS ML
  16. 16. 70% Training, 30% Evaluation Split N = 81303 All Models: L2 regularizer 1 gb 100 passes over the data Receiver operating characteristics for comparisons
  17. 17. Model 1: Baseline -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date
  18. 18. LMGTFY:
  19. 19. Moar Simple?
  20. 20. Model 2: Patches -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists
  21. 21. Model 3: Affected Software -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products
  22. 22. Model 4: Words! -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5
  23. 23. Model 5: Vulnerability Prevalence -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5 -Vulnerability Prevalence -Number of References
  24. 24. Moar Simple?
  25. 25. Moar Simple?
  26. 26. Exploitability
  27. 27. -Track Predictions vs. Real Exploits -Integrate 20+ BlackHat Exploit Kits - FP reduction? -Find better vulnerability descriptions - mine advisories for content? FN reduction? Future Work -Predict Breaches, not Exploits -Attempt Models by Vendor -There are probably two exploitation processes here.
  28. 28. Thanks! @MROYTMAN

×