17th edition of Security BSides São Paulo, a free conference on information security and hacker culture, also known as BSidesSP.
This time we were doubly represented, by our Head of Product, Leonardo Pinheiro, and by our Head of Threat and Detection Research, Rodrigo Montoro. Not to be missed! ;)
Both presented the talk "Exploit Prediction Scoring System (EPSS) – Improving vulnerability prioritization effectively". Check it out!
Bsides SP 2022 - EPSS - Final.pptx
1. Exploit Prediction Scoring System (EPSS)
Leonardo Pinheiro
Head of Product
Rodrigo Montoro
Head of Threat & Detection Research
@spookerlabs
2. About us
Clavis Segurança da Informação
Rodrigo Montoro
● Head of Threat & Detection Research at Clavis Security
● Living in Florianópolis (Silicon Island)
● Author of 2 patented technologies (US Patent Office)
● Speaker at different conferences (Brazil, USA, Canada)
● Proud dad and husband
● Full Ironman triathlon (2x)
● CrossFit and powerlifting
Leonardo Pinheiro
● Head of Product at Clavis Security
● Living in Campinas
● Electrical Engineering at Unicamp with AI specialization at Texas Tech University
● International work experience / exchange
● Software engineer by nature, business developer by passion
● Gym addict
4. AGENDA
1. Common Vulnerabilities and Exposures (CVE) & Common Vulnerability Scoring System v3 (CVSS)
2. Vulnerability Management & Challenges
3. Exploit Prediction Scoring System (EPSS)
4. Real-world use and analysis
5. Conclusions
5. Common Vulnerabilities and Exposures (CVE) & Common Vulnerability Scoring System (CVSS)
6. What is a vulnerability?
A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Code or a tool used to take advantage of a vulnerability is called an exploit.
source: https://csrc.nist.gov/glossary/term/vulnerability
7. Common Vulnerabilities and Exposures (CVE)
source: https://www.ondeso.com/wp-content/uploads/2020/09/cve-summary-freebie-ondeso.pdf
8. Some statistics about vulnerabilities (CVE)
Source: https://www.cvedetails.com/browse-by-date.php
9. Top 25 vendors
Source:https://www.cvedetails.com/top-50-vendors.php
10. Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity: a numeric score from 0.0 to 10.0 that is mapped to a rating (None, Low, Medium, High, Critical).
CVSS is not a measure of risk.
CVSS consists of three metric groups: Base, Temporal, and Environmental.
source: https://nvd.nist.gov/vuln-metrics/cvss
https://www.first.org/cvss/calculator/3.0
13. Some statistics
source: https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=1999-01-01&enddate=2022-11-11
[Chart: CVE count by CVSS severity rating (Low, Medium, High, Critical). Caption: "Not everything is critical."]
14. Top 25 vendors 2022
Source:https://www.cvedetails.com/top-50-vendors.php
16. What is vulnerability management?
source: https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/
Most companies prioritize vulnerabilities based on volume rather than business risk.
One of the biggest challenges in continuous vulnerability management is not only mapping the vulnerabilities that exist across the estate, but deciding where to start fixing them.
17. Challenge - How to prioritize ?
18. A higher CVSS does not always mean a bigger problem
[Chart: vulnerabilities plotted by Impact against Probability of exploitation]
20. Motivation around EPSS
Past research has shown that firms are able to fix between 5% and 20% of known vulnerabilities per month.
Secondly, only a small subset (2%-7%) of published vulnerabilities are ever seen to be exploited in the wild.
21. What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days.
22. EPSS | Data Architecture
Input features, per CVE from MITRE's CVE List:
● "Tags" / days since publication
● Published exploit
● Security scanners
● CVSS v3 vector
● Vendor
Ground truth: real attacks (observed exploitation)
Model: XGBoost | Poisson regression
Output: EPSS score
24. EPSS model performance
Coverage => number of exploited vulnerabilities prioritized (TP) divided by the total number of exploited vulnerabilities (TP + FN).
Efficiency => number of exploited vulnerabilities prioritized (TP) divided by the total number of prioritized vulnerabilities (TP + FP).
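To make the two metrics concrete, here is an added Python example (not from the slides and not EPSS project code) that scores three prioritization rules against a small inventory and reports workload, coverage and efficiency for each. The CVE identifiers, CVSS/EPSS values and "exploited" flags are constructed for illustration, not real data, and the thresholds are assumptions chosen to mirror the talk's comparison:

```python
"""Coverage vs. efficiency of vulnerability-prioritization strategies.

Added example, not from the original slides and not EPSS project code.
Every CVE id, score and "exploited" flag below is CONSTRUCTED sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float       # CVSS v3 base score, 0.0-10.0
    epss: float       # EPSS probability of exploitation in the next 30 days
    exploited: bool   # ground truth: exploitation actually observed in the window


# Constructed inventory: identifiers and values are made up for illustration.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.96, True),
    Vuln("CVE-0000-0002", 9.8, 0.02, False),
    Vuln("CVE-0000-0003", 10.0, 0.01, False),
    Vuln("CVE-0000-0004", 7.5, 0.91, True),
    Vuln("CVE-0000-0005", 9.1, 0.03, False),
    Vuln("CVE-0000-0006", 6.5, 0.88, True),   # exploited, but just under 0.9
    Vuln("CVE-0000-0007", 9.8, 0.95, True),
    Vuln("CVE-0000-0008", 8.8, 0.01, False),
    Vuln("CVE-0000-0009", 5.3, 0.05, False),
    Vuln("CVE-0000-0010", 9.6, 0.02, False),
    Vuln("CVE-0000-0011", 4.3, 0.93, False),  # likely exploited, low impact
    Vuln("CVE-0000-0012", 9.8, 0.04, True),   # exploited despite a low EPSS
]

Strategy = Callable[[Vuln], bool]


def confusion(vulns: Iterable[Vuln], prioritize: Strategy):
    """Return (TP, FP, FN): TP = prioritized and exploited,
    FP = prioritized but not exploited, FN = exploited but not prioritized."""
    tp = fp = fn = 0
    for v in vulns:
        chosen = prioritize(v)
        if chosen and v.exploited:
            tp += 1
        elif chosen:
            fp += 1
        elif v.exploited:
            fn += 1
    return tp, fp, fn


def coverage(vulns, prioritize):
    """TP / (TP + FN): share of the exploited vulns the strategy would have fixed."""
    tp, _, fn = confusion(vulns, prioritize)
    return tp / (tp + fn) if tp + fn else 0.0


def efficiency(vulns, prioritize):
    """TP / (TP + FP): share of the remediation effort spent on exploited vulns."""
    tp, fp, _ = confusion(vulns, prioritize)
    return tp / (tp + fp) if tp + fp else 0.0


def workload(vulns, prioritize):
    """How many remediation tickets the strategy opens."""
    return sum(1 for v in vulns if prioritize(v))


# The strategies contrasted in the talk; thresholds are assumed, not prescribed.
def cvss_critical(v: Vuln) -> bool:      # "fix everything rated Critical"
    return v.cvss >= 9.0


def epss_high(v: Vuln) -> bool:          # "fix what is likely to be exploited"
    return v.epss >= 0.9


def epss_then_cvss(v: Vuln) -> bool:     # likely exploited AND at least High
    return v.epss >= 0.9 and v.cvss >= 7.0


STRATEGIES: Dict[str, Strategy] = {
    "CVSS >= 9.0": cvss_critical,
    "EPSS >= 0.9": epss_high,
    "EPSS >= 0.9 and CVSS >= 7.0": epss_then_cvss,
}


def compare(vulns):
    """Workload, coverage and efficiency for every strategy."""
    return {
        name: {
            "workload": workload(vulns, s),
            "coverage": coverage(vulns, s),
            "efficiency": efficiency(vulns, s),
        }
        for name, s in STRATEGIES.items()
    }


if __name__ == "__main__":
    for name, m in compare(SAMPLE).items():
        print(f"{name:<28} tickets={m['workload']:<3} "
              f"coverage={m['coverage']:.2f} efficiency={m['efficiency']:.2f}")
```

On this constructed set the CVSS-only rule opens 7 tickets to reach 60% coverage, while the combined EPSS-then-CVSS rule reaches the same 60% with 3 tickets and no wasted effort; that is the trade-off the two definitions above measure. CVE-0000-0012, exploited despite an EPSS of 0.04, is the kind of miss behind the talk's closing advice not to rely only on EPSS.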
28. EPSS x CVSS
CVE-2019-11580
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
CVE-2017-0061
A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
30. Analysis ...
Variation in volume by criticality
Of the 40,037 critical vulnerabilities, 2,000 have an EPSS > 0.9.
31. Analysis | CVSS x EPSS
[Chart: vulnerabilities plotted by CVSS against EPSS, with the high-EPSS region labelled "Prioritize" and the low-EPSS region labelled "Deprioritize"]
32. Analysis | Prioritization
Prioritization based on CVSS and volumetry:
  Vulnerability                                                            CVSS
  Microsoft Internet Explorer Unsupported Version Detection                10
  SSL Version 2 and 3 Protocol Detection                                   9.8
  Microsoft XML Parser (MSXML) and XML Core Services Unsupported           10
  Google Chrome < 107.0.5304.110 Multiple Vulnerabilities                  9.6
  FortiClient Windows Unquoted Service Path vulnerability (FG-IR-19-281)   10

Prioritization based on EPSS and CVSS:
  Vulnerability                                                            CVSS   EPSS
  Apache < 2.4.49 Multiple Vulnerabilities                                 10     0.97
  Apache Tomcat AJP Connector Request Injection (Ghostcat)                 9.8    0.96
  Windows Server 2012 June 2017 Security Updates                           9.8    0.96
  Oracle WebLogic Server Remote Code Execution Vulnerability
  (Oracle Security Alert Advisory - CVE-2019-2725)                         9.8    0.96
  KB4499175: Windows 7 and Windows Server 2008 R2 May 2019 Security
  Update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL)
  (MSBDS/Fallout) (BlueKeep)                                               9.8    0.96
34. Conclusions
● Prioritization is hard; make your life easier
● You won't get everything fixed
● Fix what really matters
● Add other context (asset exposure, business criticality) to prioritization
● Don't rely ONLY on EPSS