rsa 2017 - predicting exploitability - with predictions

PREDICTING EXPLOITABILITY @MROYTMAN

Upload: michael-roytman

Post on 11-Apr-2017


TRANSCRIPT

PREDICTING EXPLOITABILITY

@MROYTMAN

“Prediction is very difficult, especially about the future.”

- Niels Bohr

3 Types of “Data-Driven”

Too many vulnerabilities. How do we derive risk from vulnerability in a data-driven manner?

PROBLEM

EXPLOITABILITY

1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE

EXPLOITABILITY

1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE

Analyst Input

Vulnerability Management Programs Augmenting Data

Retrospective Temporal Score Estimation

Vulnerability Researchers

EXPLOITABILITY

1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE

ATTACKERS ARE FAST

Positive Predictive Value of remediating a vulnerability with property X:

[Chart: Breach Probability (%) of a vulnerability with property CVSS 10, EDB (Exploit-DB), MSP (Metasploit), or EDB+MSP; x-axis 0 to 40%]

DATA OF FUTURE PAST

Q: “Of my current vulnerabilities, which ones should I remediate?”

A: Old ones with stable, weaponized exploits

FUTURE OF DATA PAST

Q: “A new vulnerability was just released. Do we scramble?”

A:

EXPLOITABILITY

1. RETROSPECTIVE
2. REAL-TIME
3. PREDICTIVE

Machine Learning?

Enter: AWS ML

70% Training, 30% Evaluation Split N = 81303

All Models:

- L2 regularizer
- 1 GB
- 100 passes over the data

Receiver operating characteristics for comparisons

Model 1: Baseline

- CVSS Base
- CVSS Temporal
- Remote Code Execution
- Availability
- Integrity
- Confidentiality
- Authentication
- Access Complexity
- Access Vector
- Publication Date

LMGTFY:

Moar Simple?

Model 2: Patches

- CVSS Base
- CVSS Temporal
- Remote Code Execution
- Availability
- Integrity
- Confidentiality
- Authentication
- Access Complexity
- Access Vector
- Publication Date
- Patch Exists

Model 3: Affected Software

- CVSS Base
- CVSS Temporal
- Remote Code Execution
- Availability
- Integrity
- Confidentiality
- Authentication
- Access Complexity
- Access Vector
- Publication Date
- Patch Exists
- Vendors
- Products

Model 4: Words!

- CVSS Base
- CVSS Temporal
- Remote Code Execution
- Availability
- Integrity
- Confidentiality
- Authentication
- Access Complexity
- Access Vector
- Publication Date
- Patch Exists
- Vendors
- Products
- Description, Ngrams 1-5

Model 5: Vulnerability Prevalence

- CVSS Base
- CVSS Temporal
- Remote Code Execution
- Availability
- Integrity
- Confidentiality
- Authentication
- Access Complexity
- Access Vector
- Publication Date
- Patch Exists
- Vendors
- Products
- Description, Ngrams 1-5
- Vulnerability Prevalence
- Number of References

Moar Simple?

Moar Simple?

Exploitability

-Track Predictions vs. Real Exploits

-Integrate 20+ BlackHat Exploit Kits - FP reduction?

-Find better vulnerability descriptions - mine advisories for content? FN reduction?

Future Work

-Predict Breaches, not Exploits

-Attempt Models by Vendor

-There are probably two exploitation processes here.

PREDICTIONS

These will have exploits in 2017:

1. CVE-2017-0003: SharePoint Enterprise Server, Word 2016
2. CVE-2017-2963: Adobe Acrobat Reader
3. CVE-2016-7256: Windows Server 2008, 2012, 2016, Windows 7, 8, 10

Scan Data Is Overwhelming

Finding Vulnerabilities – Needlessly Difficult

Impossible to Know What to Prioritize

Not Integrated with Threat Intelligence

Communication Is Painful—No Single Pane of Glass Suits All Stakeholders

CISO Sec Ops IT Ops

How Kenna Works

Exploit Intel: 10+ Threat Feeds

Enterprise: 21+ Connectors

Thanks!

@MROYTMAN