Effective Prioritization Through Exploit Prediction
Fixing more of what matters, and less of what doesn’t
Michael Roytman (@mroytman) and Jonathan Cran (@jcran)
Black Hat 2018
Complete Remediation is Infeasible
Complexity abound: multiple patch releases from major vendors, including microcode updates; incompatible antivirus or endpoint protection
Massive array of devices affected: printers, thermostats, door locks, cameras, phones, etc.; Intel’s Nehalem and Westmere (released in 2008 and 2010) affected
Not just patches: code “should be recompiled with the /Qspectre switch enabled”
The Modern Stack is COMPLEX
Layers, every one of which says “Patch Me!”: Intel / ARM / AMD CPU; Hypervisor; Operating System; Docker; Operating System (Container); Management Agent; App Server / Web Server / etc; Java / .NET / Node / Python / Ruby / PHP; 3rd party libs; Your App
Idea Credit: @samnewman
Vulnerability Volume Increasing
Exploit Release Dates - Tied to CVE Publish
The Good News
How to find and fix before an event?
“Remember the Recall”
Infosec is largely a search problem:
1. We are data rich and signal poor.
2. Multi-stage testing cost-effectively increases both precision and recall.
3. Analyst time is the capacity constraint for most security problems.
We must aim to create signal for our analysts.
CVSS (alone) Isn’t it
Events Are What Matters
2018: 36 new CVEs with events
Targets Not Created Equal
What Matters for Scoring
Is anyone actively targeted?
Could we detect success?
How much effort is required?
What is the attacker payoff?
Does a valid attack path exist?
score = $CVSS_SCORE
score += A if recent_breaches_exist?
score += B if exploits_exist?
score += C if popular_target?
score += D if exploit_will_exist?
How do we know if we are working on the right stuff?
Attack + Defense
Detect & Respond
Predict & Prevent
Measuring Remediation Strategies
Coverage: Of the vulns we fixed, did we pick all (100%) of the correct ones?
Efficiency: Of the ones we ended up fixing, did we fix any that didn’t matter?
Coverage & Efficiency, Explained
(Diagram: a lawn split into OURS and NEIGHBORS with the strip the ROBOT MOWED overlaid. Coverage =~ 80%, Efficiency =~ 60%. The part of our lawn left uncut is labelled “not covered”; the neighbors’ grass that got mowed is labelled “wasted effort (inefficiency)”.)
EFFICIENCY: Out of all the grass mowed, how much of the grass should have been cut?
COVERAGE: How much of the grass we wanted to cut was actually cut?
Coverage & Efficiency In Practice
(Venn diagram: CVEs with known exploits or events, against CVEs with no known exploit or event.)
Coverage: how many vulnerabilities did we prioritize, of those that ended up with a known exploit or event?
Efficiency (green in the red area / green + blue) =~ 9.28%: of all the vulnerabilities we prioritized, how many ended up with a known exploit or event?
Coverage & Efficiency In Practice
(Venn diagram over all CVEs. Red: CVEs with known exploits or events. Green: vulnerabilities prioritized with known exploits or events. Blue: CVEs prioritized with no known exploits or events. Total prioritized CVEs = green + blue.)
Coverage (green / red): how many vulnerabilities did we prioritize, of those that ended up with a known exploit or event?
Efficiency (green / (green + blue)): of all the vulnerabilities we prioritized, how many ended up with a known exploit or event?
Coverage / Efficiency Tradeoff
● There exists a natural tradeoff between coverage and efficiency.
● We are operating with incomplete information at any given moment.
● Why would you want <100% efficiency?
○ Abundance of caution (if you can afford it!)
● Why would you want <100% coverage?
○ A new campaign can spin up or an older one can spin down. The world is not static.
Continuous review and adjustment provides the best result.
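The additive scoring sketch (score = CVSS plus a bonus per signal) and the coverage/efficiency definitions can be exercised together. The following is an added example, not code from the deck or its authors: it scores a constructed set of CVEs with assumed weights A..D, treats exploit_predicted as the output of an assumed prediction model, and measures four prioritization rules by coverage and efficiency against constructed "later exploited" labels, so the tradeoff shows up as the threshold moves.

```python
"""Coverage and efficiency of remediation strategies (added example).

  coverage   = |prioritized AND later exploited| / |later exploited|
  efficiency = |prioritized AND later exploited| / |prioritized|

The weights A..D, the CVE records and the "exploited_later" labels are
constructed for illustration and are not the deck's data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str                  # constructed identifier, not a real CVE
    cvss: float
    recent_breaches: bool
    exploits_exist: bool
    popular_target: bool
    exploit_predicted: bool   # assumed output of a prediction model
    exploited_later: bool     # ground truth we only learn afterwards


# Constructed weights for "score += A if recent_breaches_exist?" etc.
A_BREACH, B_EXPLOIT, C_POPULAR, D_PREDICTED = 2.0, 3.0, 1.0, 2.5


def risk_score(v: Vuln) -> float:
    """Additive score from the slide: start at CVSS, add a bonus per signal."""
    score = v.cvss
    if v.recent_breaches:
        score += A_BREACH
    if v.exploits_exist:
        score += B_EXPLOIT
    if v.popular_target:
        score += C_POPULAR
    if v.exploit_predicted:
        score += D_PREDICTED
    return score


def coverage_efficiency(vulns: Iterable[Vuln],
                        prioritize: Callable[[Vuln], bool]) -> Tuple[float, float]:
    """Return (coverage, efficiency) of one prioritization rule.

    A metric whose denominator is empty (nothing exploited, or nothing
    prioritized) is reported as 0.0 so the comparison table stays uniform.
    """
    vulns = list(vulns)
    picked = [v for v in vulns if prioritize(v)]
    exploited = [v for v in vulns if v.exploited_later]
    hits = [v for v in picked if v.exploited_later]   # the "green" area
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(picked) if picked else 0.0
    return coverage, efficiency


# Constructed sample: 10 CVEs, 4 of which later had an exploit or event.
SAMPLE: List[Vuln] = [
    Vuln("CVE-0000-0001", 9.8, True,  True,  True,  True,  True),
    Vuln("CVE-0000-0002", 7.5, False, True,  False, True,  True),
    Vuln("CVE-0000-0003", 5.3, False, False, True,  True,  True),
    Vuln("CVE-0000-0004", 4.3, True,  False, False, False, True),
    Vuln("CVE-0000-0005", 9.1, False, False, False, False, False),
    Vuln("CVE-0000-0006", 8.8, False, False, False, False, False),
    Vuln("CVE-0000-0007", 7.2, False, False, False, False, False),
    Vuln("CVE-0000-0008", 6.5, False, False, False, True,  False),
    Vuln("CVE-0000-0009", 3.1, False, False, False, False, False),
    Vuln("CVE-0000-0010", 2.6, False, False, False, False, False),
]

STRATEGIES: Dict[str, Callable[[Vuln], bool]] = {
    "fix everything":         lambda v: True,
    "CVSS >= 7 (CVSS alone)": lambda v: v.cvss >= 7.0,
    "score >= 9":             lambda v: risk_score(v) >= 9.0,
    "score >= 7":             lambda v: risk_score(v) >= 7.0,
}


def compare_strategies(vulns: List[Vuln] = SAMPLE) -> Dict[str, Tuple[float, float]]:
    """Coverage/efficiency for every strategy, side by side."""
    return {name: coverage_efficiency(vulns, rule) for name, rule in STRATEGIES.items()}


if __name__ == "__main__":
    for name, (cov, eff) in compare_strategies().items():
        print(f"{name:24s} coverage={cov:5.0%} efficiency={eff:5.0%}")
```

Lowering the score threshold from 9 to 7 raises coverage (more of the later-exploited CVEs are picked) and lowers efficiency (more picks that never matter), which is the tradeoff the slide describes; fixing everything gives 100% coverage at the base-rate efficiency.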
How to handle quickly escalating threats?
Current Attacker Velocity
Average days from publish to exploit (639 / 8%): 19.68 days
Average days from publish to event (36 / 0.5%): 27.36 days
Shortest window: Adobe Reader (zero days)
Longest window: IE Edge (months)
Recent Popular Targets (2018)
Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805
Joomla! 3.7.1 - CVE-2017-8917
Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271
Jenkins 2.56 - CVE-2017-1000353
Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5
MASTER IPCAMERA (hardcoded password) - CVE-2018-5723
Drupal (Drupalgeddon) - CVE-2018-7600
Adobe Flash - CVE-2018-4878
Increasing Risk
Factoring in Velocity
Vulnerability timeline: Created -> Discovery -> Disclosure -> Public -> Exploit Code Released -> Exploitation Detected In the Wild -> Detection Generated
Exploit Release Dates - Tied to CVE Publish
The Case for Prediction
Enter The Exploit Prediction Model
Future of Data Past
Q: “A new vulnerability was just released. Do we scramble?”
A:
“Prediction is very difficult, especially about the future”
-Niels Bohr
Data Sources: CVE Enrichment Projects
Data Sources: Exploit Code & Observations
What IS Machine Learning?
• Methods for automatically learning and recognizing complex patterns from data
• A set of tools for understanding data by building models from data
• Measure success on coverage and efficiency
Type of Algorithms
Do you have labeled data? Yes -> Supervised; No -> Unsupervised
What do you want to predict? Category -> Classification; Quantity -> Regression
We are currently really good at:
• “Of my current 300 million vulnerabilities, which ones should I remediate first?”
• “Old ones with stable, weaponized exploits, known breaches, high risk meter scores”
Supervised Classification:
Asking the right questions:
• Classification: output is qualitative
• Prediction: “Will this vulnerability have an exploit written for it?” (== cause more risk later)
Input variables
Numeric: cvss_base, cvss_temporal, kenna_score, breach_count, cpe_count, cpe_vendor_count, cpe_product_count, cve_age, days_to_first_exploit, first_exploit_age, days_to_first_breach, first_breach_age, vulnerability_count, open_vulnerability_count, closed_vulnerability_count, reference_count
Binary: any_exploits, in_metasploit, in_exploitdb, in_elliot, any_breaches, popular_target, recent_breaches, rce, description_contains_in_the_wild, description_contains_buffer_overflow, description_contains_man_in_the_middle, exploited_in_7, exploited_in_14, exploited_in_30, exploited_in_60, exploited_in_90, breached_in_7, breached_in_14, breached_in_30, breached_in_60, breached_in_90, library_vuln, fix_exists
Categorical: access_vector, access_complexity, authentication, confidentiality_impact, integrity_impact, availability_impact, wasc_id, cwe_id, fix_type
Text: cve_summary, exploit_authors, exploit_platforms, exploit_types, exploit_ports, cpe_vendors, cpe_products, reference_types
Predictive - The Expectations
Distribution is not uniform: 77% of the dataset is not exploited
1. Accuracy of 77% would be bad (a model that always answers “not exploited” already scores that)
Precision matters more than recall
1. No one would use this model absent actual exploit-availability data.
2. False negatives matter less than false positives (wasted effort).
We are not modeling when something will be exploited, just IF
1. Could be tomorrow or in 6 months. Re-run the model every day.
Measuring performance of a predictive model
(Plot of precision against recall, each from 0 to 1; the ideal sits at precision 1, recall 1. High precision, low recall: returns relevant documents but misses many useful ones too. High recall, low precision: returns most relevant documents but includes lots of junk.)
Coverage Efficiency Tradeoffs
“Somewhat Likely”
“Highly Likely”
“Most Likely”
Characteristics of Predicted CVEs
● Common Phrases
○ “Arbitrary Code Execution”
○ “Command Injection”
○ “Remote Attackers”
● Vulnerability Classes
○ SQL Injection (CWE-89)
○ Buffer Overflow (CWE-119)
○ Improper Input Validation (CWE-20)
The Work Averse Attacker
“An attacker massively deploys only one exploit per software version. The only exception we find is for Internet Explorer; the exception is characterised by a very low cost to create an additional exploit, where it is sufficient to essentially copy and paste code from the old exploit, with only few modifications, to obtain the new one.”
-The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures by Luca Allodi, Fabio Massacci, Julian Williams
Machine Learning Has Side Benefits
● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware:
○ https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124
○ https://blogs.securiteam.com/index.php/archives/3552
● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265
○ https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4
○ [no exploit exists]
● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3
○ [no exploit exists]
Machine Learning Has Side Benefits
● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware:
○ https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124
○ https://blogs.securiteam.com/index.php/archives/3552
● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265
○ https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4
○ https://twitter.com/jcran/status/1026533985630007296
● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3
○ [no exploit exists]
Interesting, Highly Scored CVEs
● CVE-2016-10717 - MalwareBytes - bypass whitelisting
● CVE-2016-1417 - Snort - DLL hijacking
● CVE-2018-3605 - Trend Micro Control Manager SQLi (RCE)
● CVE-2018-4944 - Adobe Reader Type Confusion
● CVE-2016-7272 - Windows Icon File Integer Overflow
Constraints on the Future
Any new rating system must be:
● Simple (in every sense of the word)
● Explainable (cause and effect understandable)
● Defensible (science!)
● an Improvement
And every data source is on the table...
The future
Lesson: Less is More
New variables aren’t adding much overall
Lesson: Probability is our friend
(Histogram of predicted exploitation probability, annotated “confusing”: 78% of vulns are < 1%.)
● While initially confusing, probability offers a very intuitive measure
● Most vulnerabilities are predicted to have < 1% probability of exploitation; 2,400+ vulnerabilities are predicted > 10%
● How can we validate probabilistic estimates?
Lesson: Probability is our friend
(Calibration plot: predicted probability, “what we say”, against observed rate, “what we see”; one bin annotated “~450 vulnerabilities” and “confusing”. The dashed line is “calibrated”.)
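One way to answer “how can we validate probabilistic estimates?” is the calibration check the plot sketches: bucket the predictions and compare what the model says with what was observed. This is an added example, not code from the deck or its authors; the bucket edges and the (probability, outcome) pairs are constructed, and the error summaries (expected calibration error, Brier score) are standard measures the deck itself does not name.

```python
"""Calibration check for probabilistic exploit predictions (added example).

For each probability bucket: mean predicted probability ("what we say")
versus the fraction of vulnerabilities that actually got an exploit or
event ("what we see"). A calibrated model puts every bucket on the
diagonal, the dashed line of the slide's plot.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed (predicted probability, exploit or event later observed) pairs.
PREDICTIONS: List[Tuple[float, bool]] = [
    (0.002, False), (0.004, False), (0.005, False), (0.006, False),
    (0.008, False), (0.009, False), (0.003, False), (0.007, False),
    (0.02, False), (0.03, False), (0.04, False),
    (0.06, False), (0.08, False),
    (0.15, False), (0.20, True), (0.22, False), (0.18, False),
    (0.30, False), (0.45, True),
    (0.70, True), (0.90, True), (0.60, False),
]
PROBS: List[float] = [p for p, _ in PREDICTIONS]
OUTCOMES: List[bool] = [y for _, y in PREDICTIONS]

# Constructed bucket edges; the first bucket is the "< 1%" mass of the slide.
DEFAULT_EDGES: Tuple[float, ...] = (0.0, 0.01, 0.05, 0.10, 0.25, 0.50, 1.0)


def calibration_table(probs: Sequence[float], outcomes: Sequence[bool],
                      edges: Sequence[float] = DEFAULT_EDGES) -> List[Dict[str, float]]:
    """Per bucket [lo, hi): count, mean predicted probability, observed rate.

    The last bucket also includes probabilities equal to the top edge.
    Empty buckets are omitted so no caller divides by zero.
    """
    if len(probs) != len(outcomes):
        raise ValueError("probs and outcomes must have the same length")
    rows: List[Dict[str, float]] = []
    for lo, hi in zip(edges, edges[1:]):
        idx = [i for i, p in enumerate(probs)
               if lo <= p < hi or (hi == edges[-1] and p == hi)]
        if not idx:
            continue
        n = len(idx)
        rows.append({
            "lo": lo, "hi": hi, "n": n,
            "predicted": sum(probs[i] for i in idx) / n,          # what we say
            "observed": sum(1 for i in idx if outcomes[i]) / n,  # what we see
        })
    return rows


def expected_calibration_error(rows: List[Dict[str, float]]) -> float:
    """Count-weighted mean of |predicted - observed| over buckets; 0.0 is perfect."""
    total = sum(r["n"] for r in rows)
    return sum(r["n"] * abs(r["predicted"] - r["observed"]) for r in rows) / total


def brier_score(probs: Sequence[float], outcomes: Sequence[bool]) -> float:
    """Mean squared error between probabilities and 0/1 outcomes; lower is better."""
    return sum((p - (1.0 if y else 0.0)) ** 2 for p, y in zip(probs, outcomes)) / len(probs)


def share_below(probs: Sequence[float], threshold: float) -> float:
    """Fraction of vulns predicted below a threshold (the slide's "78% are < 1%")."""
    return sum(1 for p in probs if p < threshold) / len(probs)


if __name__ == "__main__":
    table = calibration_table(PROBS, OUTCOMES)
    for r in table:
        print(f"[{r['lo']:.2f}, {r['hi']:.2f})  n={r['n']:2d}  "
              f"say={r['predicted']:.3f}  see={r['observed']:.3f}")
    print(f"ECE={expected_calibration_error(table):.4f}  "
          f"Brier={brier_score(PROBS, OUTCOMES):.4f}  "
          f"below 1%={share_below(PROBS, 0.01):.0%}")
```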
Real World
You can deal with: 44,000,000 alerts, or fix 299 vulnerabilities
Takeaways
Volume, complexity and speed of both vulnerabilities and threats are modern vulnerability management challenges
Coverage and efficiency allow us to measure vuln management strategies
For all the new vulnerabilities you’ve seen this week… is it truly critical? Will it be attacked in the future?
Future threats should be addressed, but only after immediate / existing threats

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Effective Prioritization Through Exploit Prediction

  • 1. Michael Roytman, Jonathan Cran (@mroytman, @jcran). Black Hat 2018. Effective Prioritization Through Exploit Prediction: fixing more of what matters, and less of what doesn’t
  • 2.
  • 3. Complete Remediation is Infeasible
      Complexity Abound: multiple patch releases from major vendors, including microcode updates; incompatible Antivirus or Endpoint protection
      Massive Array of Devices Affected: affects Printers, Thermostats, Door Locks, Cameras, Phones, etc; Intel’s Nehalem and Westmere (released in 2008 and 2010) affected
      Not Just Patches: code “should be recompiled with the /Qspectre switch enabled”
  • 4. The Modern Stack is COMPLEX (idea credit: @samnewman). Diagram of stack layers, each a candidate for “Patch Me!”: Intel / ARM / AMD CPU, Hypervisor, Java, Management Agent, Docker, Operating System, .NET, Operating System (Container), Node, 3rd party libs, Your App, Python, Ruby, PHP, App Server / Web Server / etc
  • 6. Exploit Release Dates - Tied to CVE Publish
  • 8. How to find and fix before an event?
  • 9. “Remember the Recall”. Infosec is largely a search problem:
      1. We are data rich and signal poor.
      2. Multi-stage testing cost-effectively increases both precision and recall.
      3. Analyst time is the capacity constraint for most security problems.
      We must aim to create signal for our analysts.
  • 11. Events Are What Matters. 2018: 36 new CVEs with events
  • 13. What Matters for Scoring: Is anyone actively targeted? Could we detect success? How much effort is required? What is the attacker payoff? Does a valid attack path exist?
      score = $CVSS_SCORE
      score += A if recent_breaches_exist?
      score += B if exploits_exist?
      score += C if popular_target?
      score += D if exploit_will_exist?
  • 14. How do we know if we are working on the right stuff?
  • 15. 15 Attack + Defense Detect & Respond Predict & Prevent
  • 16. Measuring Remediation Strategies
      Coverage: Of the vulns we fixed, did we pick all (100%) of the correct ones?
      Efficiency: Of the ones we ended up fixing, did we fix any that didn’t matter?
  • 17. Coverage & Efficiency, Explained (lawn diagram: OURS, NEIGHBORS, ROBOT MOWED; areas marked “wasted effort (inefficiency)” and “not covered”). Coverage =~ 80%, Efficiency =~ 60%.
      COVERAGE: How much of the grass we wanted to cut was actually cut?
      EFFICIENCY: Out of all the grass mowed, how much of the grass should have been cut?
  • 18. Coverage & Efficiency In Practice (diagram: CVEs with known exploits or events vs CVEs with no known exploit or event)
      Coverage: how many vulnerabilities did we prioritize of those that ended up with a known exploit or event?
      Efficiency (green in the red area / green + blue) =~ 9.28%: of all the vulnerabilities we prioritized, how many ended up with a known exploit or event?
  • 19. Coverage & Efficiency In Practice (diagram regions: All CVEs; Total Prioritized CVEs; CVEs with known exploits or events; CVEs with no known exploit or event; Vulnerabilities prioritized with known exploits or events; CVEs prioritized with no known exploits or events)
      Coverage (green / red): how many vulnerabilities did we prioritize of those that ended up with a known exploit or event?
      Efficiency (green / (green + blue)): of all the vulnerabilities we prioritized, how many ended up with a known exploit or event?
  • 20. Coverage / Efficiency Tradeoff
      ● There exists a natural tradeoff between coverage and efficiency.
      ● We are operating with incomplete information at any given moment.
      ● Why would you want <100% efficiency?
        ○ Abundance of caution (if you can afford it!)
      ● Why would you want <100% coverage?
        ○ New campaign can spin up or an older one can spin down. The world is not static.
      Continuous review and adjustment provides the best result.
  • 22. Current Attacker Velocity
      Average Days from Publish to Exploit (639 / 8%): 19.68 Days
      Average Days from Publish to Event (36 / 0.5%): 27.36 Days
      Shortest Window: Adobe Reader (zero days)
      Longest Window: IE Edge (months)
  • 23. Recent Popular Targets (2018)
      Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805
      Joomla! 3.7.1 - CVE-2017-8917
      Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271
      Jenkins 2.56 - CVE-2017-1000353
      Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5
      MASTER IPCAMERA (hardcoded password) - CVE-2018-5723
      Drupal (Drupalgeddon) - CVE-2018-7600
      Adobe Flash - CVE-2018-4878
  • 24. Increasing Risk: Factoring in Velocity (timeline stages: Created, Discovery, Disclosure, Public Exploit Code Released, Exploitation Detected In the Wild, Detection Generated)
  • 25. Exploit Release Dates - Tied to CVE Publish
  • 26. The Case for Prediction
  • 28. 28 Future of Data Past Q: “A new vulnerability was just released. Do we scramble? A:
  • 29. 29 “Prediction is very difficult, especially about the future” -Niels Bohr
  • 30. Data Sources: CVE Enrichment Projects
  • 31. Data Sources: Exploit Code & Observations
  • 32. What IS Machine Learning?
      • Methods for automatically learning and recognizing complex patterns from data
      • A set of tools for understanding data by building models from data
      • Measure success on coverage and efficiency
  • 33. Type of Algorithms (decision tree). Do you have labeled data? Yes: Supervised; No: Unsupervised. What do you want to predict? Category: Classification; Quantity: Regression.
  • 34. We are currently really good at:
      • “Of my current 300 million vulnerabilities, which ones should I remediate first?”
      • “Old ones with stable, weaponized exploits, known breaches, high risk meter scores”
  • 36. Asking the right questions:
      • Classification: output is qualitative
      • Prediction: “Will this vulnerability have an exploit written for it?” (== cause more risk later)
  • 37. Input variables
      Numeric: cvss_base, cvss_temporal, kenna_score, breach_count, cpe_count, cpe_vendor_count, cpe_product_count, cve_age, days_to_first_exploit, first_exploit_age, days_to_first_breach, first_breach_age, vulnerability_count, open_vulnerability_count, closed_vulnerability_count, reference_count
      Binary: any_exploits, in_metasploit, in_exploitdb, in_elliot, any_breaches, popular_target, recent_breaches, rce, description_contains_in_the_wild, description_contains_buffer_overflow, description_contains_man_in_the_middle, exploited_in_7, exploited_in_14, exploited_in_30, exploited_in_60, exploited_in_90, breached_in_7, breached_in_14, breached_in_30, breached_in_60, breached_in_90, library_vuln, fix_exists
      Categorical: access_vector, access_complexity, authentication, confidentiality_impact, integrity_impact, availability_impact, wasc_id, cwe_id, fix_type
      Text: cve_summary, exploit_authors, exploit_platforms, exploit_types, exploit_ports, cpe_vendors, cpe_products, reference_types
  • 38. Predictive - The Expectations
      Distribution is not uniform. 77% of dataset is not exploited
        1. Accuracy of 77% would be bad
      Precision matters more than Recall
        1. No one would use this model absent actual exploit available data.
        2. False Negatives matter less than false positives - wasted effort.
      We are not modeling when something will be exploited, just IF
        1. Could be tomorrow or in 6 months. Re-run the model every day.
  • 39. Measuring performance of a predictive model (precision vs recall plot, axes 0 to 1, “The ideal” marked). One extreme returns relevant documents but misses many useful ones too; the other returns most relevant documents but includes lots of junk.
  • 44. Characteristics of Predicted CVEs
      ● Common Phrases
        ○ “Arbitrary Code Execution”
        ○ “Command Injection”
        ○ “Remote Attackers”
      ● Vulnerability Classes
        ○ SQL Injection (CWE-89)
        ○ Buffer Overflow (CWE-119)
        ○ Improper Input Validation (CWE-20)
  • 45. The Work Averse Attacker
      “An attacker massively deploys only one exploit per software version. The only exception we find is for Internet Explorer; the exception is characterised by a very low cost to create an additional exploit, where it is sufficient to essentially copy and paste code from the old exploit, with only few modifications, to obtain the new one.”
      - The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures, by Luca Allodi, Fabio Massacci, Julian Williams
  • 46. Machine Learning Has Side Benefits
      ● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware:
        ○ https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
      ● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124
        ○ https://blogs.securiteam.com/index.php/archives/3552
      ● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265
        ○ https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
      ● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4
        ○ [no exploit exists]
      ● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3
        ○ [no exploit exists]
  • 47.
  • 48. Machine Learning Has Side Benefits
      ● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware:
        ○ https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
      ● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124
        ○ https://blogs.securiteam.com/index.php/archives/3552
      ● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265
        ○ https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
      ● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4
        ○ https://twitter.com/jcran/status/1026533985630007296
      ● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3
        ○ [no exploit exists]
  • 49. Interesting, Highly Scored CVEs
      ● CVE-2016-10717 - MalwareBytes - bypass whitelisting
      ● CVE-2016-1417 - Snort - DLL hijacking
      ● CVE-2018-3605 - Trend Micro Control Manager SQLi (RCE)
      ● CVE-2018-4944 - Adobe Reader Type Confusion
      ● CVE-2016-7272 - Windows Icon File Integer Overflow
  • 50. Constraints on the Future. Any new rating system must be:
      ● Simple (in every sense of the word)
      ● Explainable (cause and effect understandable)
      ● Defensible (science!)
      ● an Improvement
      And every data source is on the table...
  • 52. Lesson: Less is More. New variables aren’t adding much overall
  • 53. Lesson: Probability is our friend (histogram of predicted probabilities; annotations: “confusing ^”, “78% of vulns are < 1%”, “2,400+ vulnerabilities are predicted > 10%”)
      ● While initially confusing, probability offers a very intuitive measure
      ● Most vulnerabilities are predicted to have < 1% probability of exploitation
      ● How can we validate probabilistic estimates?
  • 54. Lesson: Probability is our friend (calibration plot of predicted probability “what we say” against observed rate “what we see”, ~450 vulnerabilities; dashed line is “calibrated”; annotation “confusing ^”)
  • 55. Real World. You can deal with: 44,000,000 Alerts, or Fix 299 Vulnerabilities
  • 56. Takeaways
      Volume, complexity and speed of both vulnerabilities and threats are modern vulnerability management challenges
      Coverage and efficiency allow us to measure vuln management strategies
      For all the new vulnerabilities you’ve seen this week… is it truly critical? Will it be attacked in the future?
      Future threats should be addressed, but only after immediate / existing threats
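The additive score sketched on slide 13 and the coverage / efficiency definitions of slides 16 to 20 can be combined into a small evaluation harness. The Python below is an added example, not code from the talk or from the presenters' product: the weights standing in for A..D, the eight CVE records, their risk signals and their hindsight "had exploit or event" labels are all constructed, and the CVE ids are placeholders. Coverage is recall over the CVEs that turned out to matter; efficiency is precision over the CVEs that were prioritized. Sweeping the score threshold shows the slide-20 tradeoff, and a CVSS-only baseline is evaluated the same way for comparison.

```python
"""Added example (not from the talk): the additive score sketched on slide 13,
evaluated with the coverage / efficiency metrics of slides 16-20.

Every CVE record, weight and hindsight label below is constructed."""
from dataclasses import dataclass

# Constructed weights for the A..D terms the slide leaves unspecified.
WEIGHT_RECENT_BREACHES = 3.0    # A: recent_breaches_exist?
WEIGHT_EXPLOIT_EXISTS = 2.0     # B: exploits_exist?
WEIGHT_POPULAR_TARGET = 1.5     # C: popular_target?
WEIGHT_EXPLOIT_PREDICTED = 1.0  # D: exploit_will_exist? (model output)


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float
    recent_breaches: bool
    exploit_exists: bool
    popular_target: bool
    exploit_predicted: bool
    # Hindsight ground truth: did a public exploit or an event appear later?
    had_exploit_or_event: bool


def score(v: Vuln) -> float:
    """score = CVSS, plus A..D for each risk signal that is present."""
    s = v.cvss
    if v.recent_breaches:
        s += WEIGHT_RECENT_BREACHES
    if v.exploit_exists:
        s += WEIGHT_EXPLOIT_EXISTS
    if v.popular_target:
        s += WEIGHT_POPULAR_TARGET
    if v.exploit_predicted:
        s += WEIGHT_EXPLOIT_PREDICTED
    return s


def coverage_and_efficiency(prioritized: set, relevant: set) -> tuple:
    """Coverage is recall: hits / everything that turned out to matter.
    Efficiency is precision: hits / everything we chose to fix."""
    hits = len(prioritized & relevant)
    coverage = hits / len(relevant) if relevant else 0.0
    efficiency = hits / len(prioritized) if prioritized else 0.0
    return coverage, efficiency


def evaluate(vulns, threshold: float) -> tuple:
    """Strategy: fix everything whose additive score reaches `threshold`."""
    prioritized = {v.cve_id for v in vulns if score(v) >= threshold}
    relevant = {v.cve_id for v in vulns if v.had_exploit_or_event}
    return coverage_and_efficiency(prioritized, relevant)


def evaluate_cvss_only(vulns, min_cvss: float) -> tuple:
    """Baseline strategy: CVSS alone, with no threat signals at all."""
    prioritized = {v.cve_id for v in vulns if v.cvss >= min_cvss}
    relevant = {v.cve_id for v in vulns if v.had_exploit_or_event}
    return coverage_and_efficiency(prioritized, relevant)


def tradeoff_curve(vulns, thresholds) -> list:
    """Sweep the threshold to expose the coverage / efficiency tradeoff."""
    return [(t, *evaluate(vulns, t)) for t in thresholds]


# Constructed sample; the CVE ids are placeholders, not real identifiers.
# Columns: cvss, recent_breaches, exploit_exists, popular_target,
#          exploit_predicted, had_exploit_or_event (hindsight)
SAMPLE = [
    Vuln("CVE-0000-0001", 10.0, True, True, True, True, True),
    Vuln("CVE-0000-0002", 7.5, False, True, True, True, True),
    Vuln("CVE-0000-0003", 9.8, False, False, False, True, True),
    Vuln("CVE-0000-0004", 9.0, False, False, False, False, False),
    Vuln("CVE-0000-0005", 5.0, False, True, False, False, False),
    Vuln("CVE-0000-0006", 6.5, False, False, True, True, True),
    Vuln("CVE-0000-0007", 4.3, False, False, False, False, False),
    Vuln("CVE-0000-0008", 8.8, False, False, False, False, False),
]

if __name__ == "__main__":
    for t, cov, eff in tradeoff_curve(SAMPLE, [12.0, 9.0, 7.0, 0.0]):
        print(f"threshold {t:>5}: coverage {cov:.0%}, efficiency {eff:.0%}")
    cov, eff = evaluate_cvss_only(SAMPLE, 9.0)
    print(f"CVSS >= 9.0 only: coverage {cov:.0%}, efficiency {eff:.0%}")
```

On this constructed sample a threshold of 12 gives 50% coverage at 100% efficiency, lowering it to 9 reaches 100% coverage at 80% efficiency, and lowering it further only adds wasted effort; the CVSS-only baseline at 9.0 misses half of what mattered. The shape of the curve, not these particular numbers, is the point.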
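To make the slide-37 input-variable list concrete, here is an added Python example (not from the talk) that derives a handful of those numeric, binary, categorical and text variables from one CVE record. The record, its CPE strings, reference entries and dates are invented placeholders, the keyword lists behind the description_contains_* and rce flags are an assumption about how such flags might be defined, and only the CVSS v2 vector abbreviations are the standard ones.

```python
"""Added example (not from the talk): deriving some of the slide-37 input
variables from one CVE record. The record is constructed; the CVSS v2
abbreviations are the standard ones; the keyword lists are assumptions."""
from datetime import date
from typing import Optional

# Standard CVSS v2 base-vector abbreviations (categorical variables on slide 37).
CVSS2_FIELDS = {
    "AV": ("access_vector", {"L": "LOCAL", "A": "ADJACENT_NETWORK", "N": "NETWORK"}),
    "AC": ("access_complexity", {"H": "HIGH", "M": "MEDIUM", "L": "LOW"}),
    "Au": ("authentication", {"M": "MULTIPLE", "S": "SINGLE", "N": "NONE"}),
    "C": ("confidentiality_impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
    "I": ("integrity_impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
    "A": ("availability_impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
}

# Assumed phrase lists for the description_contains_* and rce binary variables.
TEXT_FLAGS = {
    "description_contains_in_the_wild": ("in the wild",),
    "description_contains_buffer_overflow": ("buffer overflow",),
    "description_contains_man_in_the_middle": ("man-in-the-middle", "man in the middle"),
    "rce": ("execute arbitrary code", "remote code execution", "arbitrary code execution"),
}
WINDOWS = (7, 14, 30, 60, 90)  # exploited_in_N windows, in days after publication


def parse_cvss2_vector(vector: str) -> dict:
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'access_vector': 'NETWORK', ...}"""
    out = {}
    for part in vector.split("/"):
        key, value = part.split(":")
        name, mapping = CVSS2_FIELDS[key]
        out[name] = mapping[value]
    return out


def window_flags(prefix: str, first_day: Optional[int]) -> dict:
    """exploited_in_7 ... exploited_in_90: did the first exploit land within N days?"""
    return {f"{prefix}_in_{n}": first_day is not None and first_day <= n for n in WINDOWS}


def extract_features(rec: dict, as_of: date) -> dict:
    published = date.fromisoformat(rec["published"])
    summary = rec["summary"].lower()
    f = {}

    # Numeric: CPE breadth, references, age. A CPE string splits into
    # ["cpe", "/a", vendor, product, version].
    cpes = [c.split(":") for c in rec["cpes"]]
    f["cpe_count"] = len(cpes)
    f["cpe_vendor_count"] = len({c[2] for c in cpes})
    f["cpe_product_count"] = len({(c[2], c[3]) for c in cpes})
    f["reference_count"] = len(rec["references"])
    f["cve_age"] = (as_of - published).days

    # Numeric and binary: exploit timing relative to publication.
    exploit_dates = sorted(date.fromisoformat(d) for d in rec["exploit_dates"])
    f["any_exploits"] = bool(exploit_dates)
    f["days_to_first_exploit"] = (exploit_dates[0] - published).days if exploit_dates else None
    f["first_exploit_age"] = (as_of - exploit_dates[0]).days if exploit_dates else None
    f.update(window_flags("exploited", f["days_to_first_exploit"]))

    # Binary: description keywords.
    for name, phrases in TEXT_FLAGS.items():
        f[name] = any(p in summary for p in phrases)

    # Categorical: CVSS v2 components and CWE.
    f.update(parse_cvss2_vector(rec["cvss_vector"]))
    f["cwe_id"] = rec["cwe_id"]

    # Text: the raw fields a text model would consume.
    f["cve_summary"] = rec["summary"]
    f["reference_types"] = [r["type"] for r in rec["references"]]
    return f


# Constructed record; the CVE id, vendor and product names are placeholders.
SAMPLE_RECORD = {
    "cve_id": "CVE-0000-0001",
    "published": "2018-03-01",
    "summary": "Buffer overflow in the example HTTP service allows remote "
               "attackers to execute arbitrary code via a crafted request.",
    "cvss_base": 7.5,
    "cvss_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "cwe_id": "CWE-119",
    "cpes": [
        "cpe:/a:examplevendor:httpd:1.0",
        "cpe:/a:examplevendor:httpd:1.1",
        "cpe:/o:othervendor:gateway_firmware:2.0",
    ],
    "references": [
        {"type": "vendor_advisory", "url": "https://example.invalid/advisory"},
        {"type": "exploit", "url": "https://example.invalid/poc"},
        {"type": "patch", "url": "https://example.invalid/patch"},
    ],
    "exploit_dates": ["2018-03-12"],
}


def features_for_sample(as_of_iso: str = "2018-06-01") -> dict:
    """Convenience wrapper: features of the constructed record on a given day."""
    return extract_features(SAMPLE_RECORD, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for key, value in features_for_sample().items():
        print(f"{key:40} {value}")
```

Note that the time-window flags and the age variables depend on the as_of date, which is why slide 38 says the model has to be re-run every day: the same CVE record yields different feature values as time passes.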
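Slide 53 asks how probabilistic estimates can be validated and slide 54 answers with a calibration plot of "what we say" against "what we see". The Python below is an added example, not code from the talk: it builds the reliability table behind such a plot (one row per probability bin, comparing mean predicted probability with observed exploitation rate), plus the Brier score and the expected calibration error, from a constructed set of 20 predicted probabilities and hindsight labels. The dashed "calibrated" line of the slide corresponds to an expected calibration error of zero.

```python
"""Added example (not from the talk): validating probabilistic exploit
predictions the way slide 54 does, with a reliability table (predicted rate
vs observed rate per bin), the Brier score and expected calibration error.

The 20 probabilities and hindsight labels below are constructed."""


def reliability_table(probs, labels, n_bins: int = 10) -> list:
    """Group predictions into equal-width probability bins and compare what the
    model said (mean predicted probability) with what was seen (observed rate).
    Returns one dict per non-empty bin, in bin order."""
    bins = [[] for _ in range(n_bins)]
    for p, y in zip(probs, labels):
        idx = min(int(p * n_bins), n_bins - 1)   # p == 1.0 lands in the top bin
        bins[idx].append((p, y))
    table = []
    for i, items in enumerate(bins):
        if not items:
            continue
        table.append({
            "lo": i / n_bins,
            "hi": (i + 1) / n_bins,
            "count": len(items),
            "mean_predicted": sum(p for p, _ in items) / len(items),  # what we say
            "observed_rate": sum(y for _, y in items) / len(items),   # what we see
        })
    return table


def brier_score(probs, labels) -> float:
    """Mean squared error of probabilities against 0/1 outcomes; lower is better."""
    return sum((p - y) ** 2 for p, y in zip(probs, labels)) / len(probs)


def expected_calibration_error(probs, labels, n_bins: int = 10) -> float:
    """Count-weighted average gap between the dashed 'calibrated' line and the
    model's points; 0.0 means every bin's predicted rate matched its observed rate."""
    n = len(probs)
    return sum(row["count"] / n * abs(row["mean_predicted"] - row["observed_rate"])
               for row in reliability_table(probs, labels, n_bins))


def fraction_below(probs, threshold: float) -> float:
    """Share of vulnerabilities predicted below `threshold` (slide 53's '< 1%' view)."""
    return sum(1 for p in probs if p < threshold) / len(probs)


# Constructed model outputs and hindsight labels (1 = exploit or event appeared).
PROBS = [0.02, 0.05, 0.08, 0.03, 0.06, 0.01, 0.09, 0.04, 0.07, 0.05,
         0.15, 0.12, 0.18, 0.14,
         0.45, 0.42,
         0.85, 0.88, 0.82, 0.86]
LABELS = [0, 0, 0, 0, 0, 0, 1, 0, 0, 0,
          0, 0, 1, 0,
          1, 0,
          1, 1, 1, 0]

if __name__ == "__main__":
    print(f"{'bin':>12} {'n':>3} {'we say':>8} {'we see':>8}")
    for row in reliability_table(PROBS, LABELS):
        print(f"[{row['lo']:.1f}, {row['hi']:.1f}) {row['count']:>3} "
              f"{row['mean_predicted']:>8.3f} {row['observed_rate']:>8.3f}")
    print(f"Brier score: {brier_score(PROBS, LABELS):.4f}")
    print(f"ECE:         {expected_calibration_error(PROBS, LABELS):.4f}")
    print(f"below 10%:   {fraction_below(PROBS, 0.10):.0%}")
```

With real data the bins at the low end hold the bulk of the population (the slide's "78% of vulns are < 1%"), so a calibration check should report the per-bin counts alongside the rates: a bin with three vulnerabilities in it says little about whether the model's "what we say" is trustworthy there.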