During my 15 minutes time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and theirs solutions a little bit.  Full write-up and video: https://avleonov.com/2019/05/31/phdays9-new-methods-of-vulnerability-prioritization-in-vulnerability-management-products/

1. Alexander Leonov
New ways of Vulnerability Prioritization in
Vulnerability Management products

2. #whoami
• Alexander Leonov
• Lead Information Security Analyst
• 10 years in Vulnerability Management
• Follow me at avleonov.com, t.me/avleonovcom

3. The best year for Vulnerability Management
• VM vendors finally (after 20 years!) recognized the problem with
vulnerability prioritization and started offering some solutions
• The problem:
• Most of vulnerabilities that Vulnerability Scanner can detect are
unexploitable and worthless for an attacker
• Even if they are labeled as “Critical”, “High”, etc.
• Even if they are labeled as “Exploit exists”
• You still have to fix them and face negative reaction from IT
(remediation efforts, down time, “The Boy Who Cried Wolf”)

4. Vulnerability Management vendor
Vulnerability Research
Content Making for
Vulnerability
Detection
109 000
plugins
170 zero days

5. Making Vulnerability Detection content
Vulnerability
Knowledge Base
advisories
exploits
metrics
+ Detection Plugins
+ Transports
Vulnerability Scanner
CVSS, CPE
Vendor’s
Bug
Exploit
DBs
Media
Advisory
id
remediation
strategy
CERTs
…
…
…
parsers

6. Vulnerability Knowledge Base
A Platforms (OSes)
x B Software Vendors making products for Platform
x C Products made by each Software Vendor
x D Vulnerabilities in each Product
x E Vulnerability detection methods
(authenticated and unauthenticated)

7. Patch-based Vulnerability checks

8. Scanner detects, prioritization is up to you!

9. And finally in 2019…
Prioritization
Predictive Intelligence

10. What is the idea?
• Existing vulnerability prioritization frameworks (CVSS) are bad
• Prioritization should be based on probability that vulnerability
will be used in attack
• We will do this using feeds of vulnerability-related data and AI
• We will constantly update this new score for all vulnerabilities
• You will get 3% of the most critical vulnerabilities and fix them
• IT guys will hate you a little less ;-)

11. What is wrong with CVSS
• CVSS is subjective

12. What is wrong with CVSS
• CVSS is about technical severity, and not
about risk
• CVSS scoring algorithm is not justified
“while the descriptions for the metrics are
clear, how their relative importance was
selected is not”

13. What is wrong with CVSS
• Failure to account for context
(both technical and human-organizational)
• Failure to account for material
consequences of vulnerability
(whether life or property is threatened)
• Operational scoring problems
(inconsistent or clumped scores, algorithm
design quibbles)

14. What is wrong with CVSS
• Too many critical vulnerabilities
• 16500+ vulnerabilities disclosed in 2018
• 61 % - CVSS 7 +
• 15 % - CVSS 9 +
• When everything is critical nothing is critical

15. What is wrong with CVSS
• Too many critical vulnerabilities
• From CVSS v.2 to CVSS v.3 it become even worse
Tenable “Predictive
Prioritization: Data science
lets you focus on the 3%
of vulnerabilities likely to
be exploited”

16. Why not to use CVSS with Exploit DBs?
• + Only 7 % of vulnerabilities has publically available exploit
• – Not all of them can be actually used
• – It doesn’t give the information which vulnerabilities are likely to be
exploited in the near-term future

17. Lack of visibility (understandable)
4.2
Somewhere in VM vendor’s cloud
CVE-2019-0708?

18. What do VM Vendors offer?
• We analyze 150 different aspects of vulnerability, some of them
kept in secret:
• CVSS (Base, Exploitability, Impact scores)
• NVD (Descriptions, CWE, dates, vendors)
• Threat Intelligence, such as "Recorded Future" (attacks and
exploit dates, popularity in social media and darkweb)
• Exploit Databases (entries and dates)
• Count probability that vulnerability will be exploited in future
• Update predictive prioritization data daily for all CVEs

19. What do VM Vendors offer?
Tenable “Predictive Prioritization: Data science lets you focus on the 3% of vulnerabilities likely to be exploited”

20. What do VM Vendors offer?
• Key drivers:
• CVSSv3 impact score
• threat recency
• threat intensity
• exploit code maturity
• age of the vulnerability
• product coverage
• threat sources

21. Can we do the same by ourselves?
Need more data feeds…

22. The Cost of an Error
• Vendor says that vulnerability won’t be used in attack
What if YES?

23. We need to go deeper
• Use Asset Management data for prioritization
• Predict attack scenarios

24. 24
Thanks!
Alexander Leonov avleonov.com