During my 15-minute time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and their solutions a little bit.
Full write-up and video: https://avleonov.com/2019/05/31/phdays9-new-methods-of-vulnerability-prioritization-in-vulnerability-management-products/
2. #whoami
• Alexander Leonov
• Lead Information Security Analyst
• 10 years in Vulnerability Management
• Follow me at avleonov.com, t.me/avleonovcom
3. The best year for Vulnerability Management
• VM vendors finally (after 20 years!) recognized the problem with
vulnerability prioritization and started offering some solutions
• The problem:
• Most of the vulnerabilities that a Vulnerability Scanner can detect are
unexploitable and worthless for an attacker
• Even if they are labeled as “Critical”, “High”, etc.
• Even if they are labeled as “Exploit exists”
• You still have to fix them and face negative reaction from IT
(remediation efforts, down time, “The Boy Who Cried Wolf”)
5. Making Vulnerability Detection content
[Diagram: sources such as vendor advisories (id, remediation strategy), bug and exploit DBs, media, CERTs, CVSS and CPE data, and others (…) are run through parsers into a Vulnerability Knowledge Base (advisories, exploits, metrics); Knowledge Base + Detection Plugins + Transports = Vulnerability Scanner]
6. Vulnerability Knowledge Base
A Platforms (OSes)
× B Software Vendors making products for the Platform
× C Products made by each Software Vendor
× D Vulnerabilities in each Product
× E Vulnerability detection methods (authenticated and unauthenticated)
9. And finally in 2019…
Prioritization
Predictive Intelligence
10. What is the idea?
• Existing vulnerability prioritization frameworks (CVSS) are bad
• Prioritization should be based on probability that vulnerability
will be used in attack
• We will do this using feeds of vulnerability-related data and AI
• We will constantly update this new score for all vulnerabilities
• You will get the 3% most critical vulnerabilities and fix them
• IT guys will hate you a little less ;-)
12. What is wrong with CVSS
• CVSS is about technical severity, and not
about risk
• The CVSS scoring algorithm is not justified:
“while the descriptions for the metrics are
clear, how their relative importance was
selected is not” (Spring et al., “Towards Improving CVSS”, CMU SEI, 2018)
13. What is wrong with CVSS
• Failure to account for context
(both technical and human-organizational)
• Failure to account for material
consequences of vulnerability
(whether life or property is threatened)
• Operational scoring problems
(inconsistent or clumped scores, algorithm
design quibbles)
14. What is wrong with CVSS
• Too many critical vulnerabilities:
• 16500+ vulnerabilities disclosed in 2018
• 61% of them have CVSS 7+
• 15% have CVSS 9+
• When everything is critical nothing is critical
15. What is wrong with CVSS
• Too many critical vulnerabilities
• From CVSS v2 to CVSS v3 it became even worse
(Source: Tenable, “Predictive Prioritization: Data science lets you focus on the 3% of vulnerabilities likely to be exploited”)
16. Why not use CVSS together with Exploit DBs?
• + Only 7% of vulnerabilities have a publicly available exploit
• – Not all of those exploits can actually be used
• – It doesn’t tell you which vulnerabilities are likely to be
exploited in the near future
17. Lack of visibility (understandable)
[Diagram: CVE-2019-0708? goes into a black box “Somewhere in VM vendor’s cloud” and the score 4.2 comes out; how it was computed is not visible]
18. What do VM Vendors offer?
• We analyze 150 different aspects of a vulnerability, some of them
kept secret:
• CVSS (Base, Exploitability, Impact scores)
• NVD (Descriptions, CWE, dates, vendors)
• Threat Intelligence, such as "Recorded Future" (attack and
exploit dates, popularity in social media and on the dark web)
• Exploit Databases (entries and dates)
• Compute the probability that the vulnerability will be exploited in the future
• Update predictive prioritization data daily for all CVEs
19. What do VM Vendors offer?
Tenable “Predictive Prioritization: Data science lets you focus on the 3% of vulnerabilities likely to be exploited”
20. What do VM Vendors offer?
• Key drivers:
• CVSSv3 impact score
• threat recency
• threat intensity
• exploit code maturity
• age of the vulnerability
• product coverage
• threat sources
21. Can we do the same by ourselves?
Need more data feeds…
22. The Cost of an Error
• The vendor says the vulnerability won’t be used in an attack
What if it IS?
23. We need to go deeper
• Use Asset Management data for prioritization
• Predict attack scenarios
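To make slides 16 to 23 concrete, here is an added example of what “doing it ourselves” could look like once the feeds are parsed and joined on the CVE id. It is not the author’s code and not any vendor’s algorithm (Tenable’s VPR or otherwise): the 30/70 split between the CVSS-derived component and the threat component, the maturity/recency/age weights, the 3% cut-off, the must_fix() guard and the CVE-0000-* sample records are all assumptions invented for illustration.

```python
"""Toy exploit-likelihood prioritisation over joined vulnerability feeds.

Added example for this write-up. It is NOT the author's code and NOT any
vendor's scoring algorithm (e.g. Tenable's VPR): every weight, threshold
and sample record below is an assumption made up for illustration.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Fixed reference date so the recency/age logic is reproducible.
TODAY = date(2019, 5, 31)


@dataclass
class Vuln:
    """One CVE after the feeds (NVD, exploit DB, threat intel, asset
    management) have been parsed and joined on the CVE id."""
    cve: str
    cvss3_base: float                    # from NVD
    published: date                      # from NVD
    exploit_maturity: str                # from exploit DBs: none|poc|functional|weaponized
    last_seen_in_attack: Optional[date]  # from threat intel; None = never observed
    exposed_assets: int                  # from asset management: internet-facing hosts affected


# Assumed weights for the "exploit code maturity" driver.
MATURITY_WEIGHT = {"none": 0.0, "poc": 0.3, "functional": 0.6, "weaponized": 1.0}


def recency_weight(last_seen: Optional[date], today: date = TODAY) -> float:
    """Threat recency: attacks seen this week matter far more than old ones."""
    if last_seen is None:
        return 0.0
    days = (today - last_seen).days
    if days <= 7:
        return 1.0
    if days <= 30:
        return 0.7
    if days <= 180:
        return 0.4
    return 0.2


def age_weight(published: date, today: date = TODAY) -> float:
    """Age of the vulnerability: the CVSS component decays for old, quiet CVEs."""
    days = (today - published).days
    if days <= 90:
        return 1.0
    if days <= 365:
        return 0.8
    return 0.6


def likelihood_score(v: Vuln, today: date = TODAY) -> float:
    """0..10 score. CVSS impact is one driver among several; threat data dominates
    (assumed 30/70 split), which is what pushes 'critical but unexploited' CVEs down."""
    threat = 0.5 * MATURITY_WEIGHT[v.exploit_maturity] + 0.5 * recency_weight(v.last_seen_in_attack, today)
    base = (v.cvss3_base / 10.0) * age_weight(v.published, today)
    return round(10.0 * (0.3 * base + 0.7 * threat), 1)


def must_fix(v: Vuln) -> bool:
    """Guard for the cost of an error: a weaponised exploit against an
    internet-facing asset goes on the fix list no matter what the model says."""
    return v.exploit_maturity == "weaponized" and v.exposed_assets > 0


def fix_list(vulns: List[Vuln], fraction: float = 0.03, today: date = TODAY) -> List[str]:
    """Top `fraction` of CVEs by likelihood score, plus any forced in by must_fix()."""
    ranked = sorted(vulns, key=lambda v: likelihood_score(v, today), reverse=True)
    n = max(1, math.ceil(len(ranked) * fraction))
    chosen = ranked[:n] + [v for v in ranked[n:] if must_fix(v)]
    return [v.cve for v in chosen]


def summary(vulns: List[Vuln], fraction: float = 0.03, today: date = TODAY) -> dict:
    """Contrast 'everything is critical' (CVSS 7+) with the size of the real fix list."""
    return {
        "total": len(vulns),
        "cvss_7_plus": sum(1 for v in vulns if v.cvss3_base >= 7.0),
        "cvss_9_plus": sum(1 for v in vulns if v.cvss3_base >= 9.0),
        "to_fix": len(fix_list(vulns, fraction, today)),
    }


# Constructed sample: CVE-0000-* ids are placeholders, not real advisories.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, date(2019, 5, 14), "weaponized", date(2019, 5, 28), 40),
    Vuln("CVE-0000-0002", 9.1, date(2018, 3, 10), "none", None, 0),
    Vuln("CVE-0000-0003", 7.5, date(2017, 6, 1), "poc", None, 12),
    Vuln("CVE-0000-0004", 5.3, date(2019, 4, 2), "functional", date(2019, 5, 25), 3),
    Vuln("CVE-0000-0005", 8.8, date(2018, 11, 20), "none", None, 0),
    Vuln("CVE-0000-0006", 7.2, date(2016, 1, 15), "weaponized", date(2017, 2, 1), 5),
    Vuln("CVE-0000-0007", 4.3, date(2019, 5, 20), "none", None, 0),
    Vuln("CVE-0000-0008", 9.0, date(2019, 1, 8), "poc", date(2019, 3, 1), 0),
]

if __name__ == "__main__":
    for v in sorted(SAMPLE, key=likelihood_score, reverse=True):
        print(f"{v.cve}  CVSS {v.cvss3_base:>4}  likelihood {likelihood_score(v):>4}  forced={must_fix(v)}")
    print(summary(SAMPLE))
    print("fix list:", fix_list(SAMPLE))
```

Two things worth noticing when running it on the sample: six of the eight records are CVSS 7+ (the “everything is critical” picture from slide 14), yet a CVSS 9.1 entry with no exploit and no observed attacks lands near the bottom, while a CVSS 5.3 entry with a functional exploit seen last week ranks second. The must_fix() guard is the part no score model should be trusted to replace: an old, weaponised bug on exposed hosts is forced onto the list even though its recency signal is weak.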