Michael Roytman, profile picture
Uploaded byMichael Roytman
1,360 views

O'Reilly Security New York - Predicting Exploitability Final

The document discusses methods for predicting the exploitability of vulnerabilities through retrospective, real-time, and predictive analyses, highlighting the challenges of managing numerous vulnerabilities. It emphasizes the need for data-driven approaches, utilizing machine learning models to classify if vulnerabilities will have exploits, and outlines various models that consider factors such as CVSS scores and patch existence. The ultimate goal is to enhance vulnerability management by effectively predicting which vulnerabilities to prioritize for remediation.

Embed presentation

Download to read offline
PREDICTING EXPLOITABILITY @MROYTMAN
“Prediction is very difficult, especially about the future.” -Niels Bohr
3 Types of “Data-Driven” Retrospective Analysis & Reporting Here-and-now Real-time processing & dashboards Predictions To enable smart applications
Too many vulnerabilities. How do we derive risk from vulnerability in a data-driven manner? Problem
Exploitability 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE Exploitability
Analyst Input Vulnerability Management Programs Augmenting Data Retrospective - Model: CVSS Temporal Score Estimation Vulnerability Researchers
1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE Exploitability
Real-Time - The Data Vulnerability Scans (Qualys, Rapid7, Nessus, etc): • 7,000,000 Assets (desktops, servers, urls, ips, macaddresses) • 1,400,000,000 Vulnerabilities (unique asset/CVE pairs) Exploit Intelligence - Successful Exploitations • ReversingLabs’ backend metadata •Hashes for each CVE •Number of found pieces of malware corresponding to each hash • Alienvault Backdoor •“attempted exploits” correlated with open vulnerabilities
ATTACKERS ARE FAST Cumulative Probability of Exploitation
0 5 10 15 20 25 30 35 40 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value of remediating a vulnerability with property X:
Q: “Of my current vulnerabilities, which ones should I remediate?” A: Old ones with stable, weaponized exploits Data of Future Past
Q: “A new vulnerability was just released. Do we scramble?” A: Future of Data Past
1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE Exploitability
Classifier = Will a vulnerability have an exploit written and published? [YES OR NO]
Enter: AWS ML
N = 81303All CVE. Described By: 1. National Vulnerability Database 2. Common Platform Enumeration 3. Occurrences in Kenna Scan Data Labelled as Exploited/Not Exploited: 1. Exploit DB 2. Metasploit 3. D2 Elliot 4. Canvas 5. Blackhat Exploit Kits Predictive - The Data
70% Training, 30% Evaluation Split N = 81303 L2 regularizer 1 gb 100 passes over the data Receiver operating characteristics for comparisons All Models
Distribution is not uniform. 77% of dataset is not exploited 1. Accuracy of 77% would be bad Precision matters more than Recall 1. No one would use this model absent actual exploit available data. 2. False Negatives matter less than false positives - wasted effort Predictive - The Expectations We are not modeling when something will be exploited, just IF 1. Could be tomorrow or in 6 months. Re-run the model every day
Model 1: Baseline -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date
LMGTFY:
Moar Simple? Sample Bad Chart Sample Good Chart
Model 2: Patches -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists
Model 3: Affected Software -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products
Model 4: Words! -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5
Model 5: Vulnerability Prevalence -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5 -Vulnerability Prevalence -Number of References
Model 6: Overfitting Fixes -2015 onward -Exclude: “in the wild” “as seen” “exploited”
Exploitability
-Track Predictions vs. Real Exploits -Integrate 20+ BlackHat Exploit Kits - FP reduction? -Find better vulnerability descriptions - mine advisories for content? FN reduction? -Predict Breaches, not Exploits -Attempt Models by Vendor Future Work
Too many vulnerabilities. How do we derive risk from vulnerability in a data-driven manner? Problem
1. Gather data about known successful attack paths 2. Issue forecasts where data is lacking in order to predict new exploits 3. Gather MORE data about known successful attack paths Solution
These will have exploits in 2017… CVE-2016-0959 Released: 6/28/2017 No Exploit in ExploitDB, Metasploit, or Canvas Flash buffer overflow, predicted that an exploit will be released
Thanks! @MROYTMAN

More Related Content

PDF
SHOWDOWN: Threat Stack vs. Red Hat AuditD
byThreat Stack
 
PDF
Using security to drive chaos engineering
byDinis Cruz
 
PPTX
Real time classification of malicious urls.pptx 2
byDaniyar Mukhanov
 
PPTX
Splunk live! Customer Presentation – Prelert
bySplunk
 
PDF
RSA 2014: Non-Disruptive Vulnerability Discovery, Without Scanning Your Network
bySkybox Security
 
PDF
Straight Talk on Machine Learning -- What the Marketing Department Doesn’t Wa...
bySven Krasser
 
PDF
Using security to drive chaos engineering - April 2018
byDinis Cruz
 
PDF
Demystifying observability
byAbigail Bangser
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
byThreat Stack
 
Using security to drive chaos engineering
byDinis Cruz
 
Real time classification of malicious urls.pptx 2
byDaniyar Mukhanov
 
Splunk live! Customer Presentation – Prelert
bySplunk
 
RSA 2014: Non-Disruptive Vulnerability Discovery, Without Scanning Your Network
bySkybox Security
 
Straight Talk on Machine Learning -- What the Marketing Department Doesn’t Wa...
bySven Krasser
 
Using security to drive chaos engineering - April 2018
byDinis Cruz
 
Demystifying observability
byAbigail Bangser
 

What's hot

PDF
Of Search Lights and Blind Spots: Machine Learning in Cybersecurity
bySven Krasser
 
PPTX
Sarah Wells - Alert overload: How to adopt a microservices architecture witho...
byCodemotion
 
PDF
Scaling security in a cloud environment v0.5 (Sep 2017)
byDinis Cruz
 
PPT
Producing Quality Software
bySimon Smith
 
PPTX
Codemotion Milan 2015 Alerts Overload
bysarahjwells
 
PDF
Post-Equifax: How to Trust But Verify Your Software Supply Chain
byDeborah Schalm
 
Of Search Lights and Blind Spots: Machine Learning in Cybersecurity
bySven Krasser
 
Sarah Wells - Alert overload: How to adopt a microservices architecture witho...
byCodemotion
 
Scaling security in a cloud environment v0.5 (Sep 2017)
byDinis Cruz
 
Producing Quality Software
bySimon Smith
 
Codemotion Milan 2015 Alerts Overload
bysarahjwells
 
Post-Equifax: How to Trust But Verify Your Software Supply Chain
byDeborah Schalm
 

Similar to O'Reilly Security New York - Predicting Exploitability Final

PPTX
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
PDF
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
PDF
Using Data Science for Cybersecurity
byVMware Tanzu
 
PDF
BSidesLV Vulnerability & Exploit Trends
byEd Bellis
 
PPTX
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
PDF
Predicting exploitability-forecasts-for-vulnerability-management
byPriyanka Aash
 
PPTX
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
PDF
RSA 2017 - Predicting Exploitability - With Predictions
byMichael Roytman
 
PDF
Predicting Exploitability
byMichael Roytman
 
PDF
Fix What Matters
byEd Bellis
 
PDF
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
PDF
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
byArea41
 
PDF
Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
byMarc Ruef
 
PDF
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
PDF
Fix What Matters: A Data Driven Approach to Vulnerability Management
byMichael Roytman
 
PPTX
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
byEndgameInc
 
PPT
Bank World 2008 Kamens 04 29 08
bykamensm02
 
PDF
Vulnerability & Exploit Trends: A Deep Look Inside the Data
byKenna
 
PDF
Fix What Matters: BSidesDetroit 2014
byMichael Roytman
 
PDF
Measure What You FIx: Asset Risk Management Done Right
byMichael Roytman
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
Using Data Science for Cybersecurity
byVMware Tanzu
 
BSidesLV Vulnerability & Exploit Trends
byEd Bellis
 
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
Predicting exploitability-forecasts-for-vulnerability-management
byPriyanka Aash
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
RSA 2017 - Predicting Exploitability - With Predictions
byMichael Roytman
 
Predicting Exploitability
byMichael Roytman
 
Fix What Matters
byEd Bellis
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
byArea41
 
Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
byMarc Ruef
 
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
byMichael Roytman
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
byEndgameInc
 
Bank World 2008 Kamens 04 29 08
bykamensm02
 
Vulnerability & Exploit Trends: A Deep Look Inside the Data
byKenna
 
Fix What Matters: BSidesDetroit 2014
byMichael Roytman
 
Measure What You FIx: Asset Risk Management Done Right
byMichael Roytman
 

More from Michael Roytman

PDF
Chicago Security Meetup 08/2016
byMichael Roytman
 
PDF
BsidesSF 2014 Fix What Matters
byMichael Roytman
 
PDF
Data Science ATL Meetup - Risk I/O Security Data Science
byMichael Roytman
 
PDF
Less is More: Behind the Data at Risk I/O
byMichael Roytman
 
PDF
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
byMichael Roytman
 
PDF
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
byMichael Roytman
 
PDF
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
byMichael Roytman
 
PDF
Attacker Behavior Boston Security Conference 2015
byMichael Roytman
 
PPTX
CyberTechEurope.pptx
byMichael Roytman
 
PDF
Risk IO Webisode 1: The Breach Landscape
byMichael Roytman
 
Chicago Security Meetup 08/2016
byMichael Roytman
 
BsidesSF 2014 Fix What Matters
byMichael Roytman
 
Data Science ATL Meetup - Risk I/O Security Data Science
byMichael Roytman
 
Less is More: Behind the Data at Risk I/O
byMichael Roytman
 
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
byMichael Roytman
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
byMichael Roytman
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
byMichael Roytman
 
Attacker Behavior Boston Security Conference 2015
byMichael Roytman
 
CyberTechEurope.pptx
byMichael Roytman
 
Risk IO Webisode 1: The Breach Landscape
byMichael Roytman
 

Recently uploaded

PDF
The Guide on how to pray the rosary and the mysteries.pdf
byGianneCarloIway
 
PPTX
Cloud Computing ppt - SP.pptx by ankit kumar gurjar
byankitingame
 
PDF
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
PDF
Why Some Online Profiles Cannot Be Found in Search Results
bySocial Searcher
 
PDF
Meta (Facebook) Extracts Hundreds of Billions of Wealth from European Citizens
byJulieMeyer42
 
PDF
Oracle Services Company in Riyadh - Grey Space Computing
byseoconsultantandy
 
PPT
The Digital Opportunities Taskforce: How to Govern the Internet
byJeffrey Hart
 
PPTX
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 
The Guide on how to pray the rosary and the mysteries.pdf
byGianneCarloIway
 
Cloud Computing ppt - SP.pptx by ankit kumar gurjar
byankitingame
 
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
Why Some Online Profiles Cannot Be Found in Search Results
bySocial Searcher
 
Meta (Facebook) Extracts Hundreds of Billions of Wealth from European Citizens
byJulieMeyer42
 
Oracle Services Company in Riyadh - Grey Space Computing
byseoconsultantandy
 
The Digital Opportunities Taskforce: How to Govern the Internet
byJeffrey Hart
 
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 

O'Reilly Security New York - Predicting Exploitability Final

  • 1.
  • 2.
    “Prediction is verydifficult, especially about the future.” -Niels Bohr
  • 3.
    3 Types of“Data-Driven” Retrospective Analysis & Reporting Here-and-now Real-time processing & dashboards Predictions To enable smart applications
  • 4.
    Too many vulnerabilities. Howdo we derive risk from vulnerability in a data-driven manner? Problem
  • 5.
  • 6.
    1. RETROSPECTIVE 2. REAL-TIME 3.PREDICTIVE Exploitability
  • 7.
    Analyst Input Vulnerability Management ProgramsAugmenting Data Retrospective - Model: CVSS Temporal Score Estimation Vulnerability Researchers
  • 8.
    1. RETROSPECTIVE 2. REAL-TIME 3.PREDICTIVE Exploitability
  • 9.
    Real-Time - TheData Vulnerability Scans (Qualys, Rapid7, Nessus, etc): • 7,000,000 Assets (desktops, servers, urls, ips, macaddresses) • 1,400,000,000 Vulnerabilities (unique asset/CVE pairs) Exploit Intelligence - Successful Exploitations • ReversingLabs’ backend metadata •Hashes for each CVE •Number of found pieces of malware corresponding to each hash • Alienvault Backdoor •“attempted exploits” correlated with open vulnerabilities
  • 10.
  • 12.
    0 5 1015 20 25 30 35 40 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value of remediating a vulnerability with property X:
  • 13.
    Q: “Of mycurrent vulnerabilities, which ones should I remediate?” A: Old ones with stable, weaponized exploits Data of Future Past
  • 14.
    Q: “A newvulnerability was just released. Do we scramble?” A: Future of Data Past
  • 15.
    1. RETROSPECTIVE 2. REAL-TIME 3.PREDICTIVE Exploitability
  • 17.
    Classifier = Willa vulnerability have an exploit written and published? [YES OR NO]
  • 18.
  • 19.
    N = 81303AllCVE. Described By: 1. National Vulnerability Database 2. Common Platform Enumeration 3. Occurrences in Kenna Scan Data Labelled as Exploited/Not Exploited: 1. Exploit DB 2. Metasploit 3. D2 Elliot 4. Canvas 5. Blackhat Exploit Kits Predictive - The Data
  • 20.
    70% Training, 30%Evaluation Split N = 81303 L2 regularizer 1 gb 100 passes over the data Receiver operating characteristics for comparisons All Models
  • 21.
    Distribution is notuniform. 77% of dataset is not exploited 1. Accuracy of 77% would be bad Precision matters more than Recall 1. No one would use this model absent actual exploit available data. 2. False Negatives matter less than false positives - wasted effort Predictive - The Expectations We are not modeling when something will be exploited, just IF 1. Could be tomorrow or in 6 months. Re-run the model every day
  • 22.
    Model 1: Baseline -CVSSBase -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date
  • 23.
  • 24.
    Moar Simple? Sample BadChart Sample Good Chart
  • 25.
    Model 2: Patches -CVSSBase -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists
  • 26.
    Model 3: AffectedSoftware -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products
  • 27.
    Model 4: Words! -CVSSBase -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5
  • 28.
    Model 5: VulnerabilityPrevalence -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5 -Vulnerability Prevalence -Number of References
  • 29.
    Model 6: OverfittingFixes -2015 onward -Exclude: “in the wild” “as seen” “exploited”
  • 30.
  • 31.
    -Track Predictions vs. RealExploits -Integrate 20+ BlackHat Exploit Kits - FP reduction? -Find better vulnerability descriptions - mine advisories for content? FN reduction? -Predict Breaches, not Exploits -Attempt Models by Vendor Future Work
  • 32.
    Too many vulnerabilities. Howdo we derive risk from vulnerability in a data-driven manner? Problem
  • 33.
    1. Gather dataabout known successful attack paths 2. Issue forecasts where data is lacking in order to predict new exploits 3. Gather MORE data about known successful attack paths Solution
  • 34.
    These will haveexploits in 2017… CVE-2016-0959 Released: 6/28/2017 No Exploit in ExploitDB, Metasploit, or Canvas Flash buffer overflow, predicted that an exploit will be released
  • 36.