RSA 2017 - Predicting Exploitability - With Predictions
Post on 11-Apr-2017
TRANSCRIPT
[Diagram labels: Analyst Input; Vulnerability Management Programs Augmenting Data; Retrospective Temporal Score Estimation; Vulnerability Researchers]
[Chart: Positive Predictive Value of remediating a vulnerability with property X. Axis: Breach Probability (%), scale 0 to 40. Properties compared: CVSS 10, EDB, MSP, EDB+MSP.]
DATA OF FUTURE PAST
Q: “Of my current vulnerabilities, which ones should I remediate?”
A: Old ones with stable, weaponized exploits
70% Training, 30% Evaluation Split, N = 81,303
All Models:
- L2 regularizer
- 1 GB
- 100 passes over the data
Receiver operating characteristics for comparisons
Model 1: Baseline
- CVSS Base
- CVSS Temporal
- Remote Code Execution
- Availability
- Integrity
- Confidentiality
- Authentication
- Access Complexity
- Access Vector
- Publication Date
Model 2: Patches
- All Model 1 features
- Patch Exists
Model 3: Affected Software
- All Model 2 features
- Vendors
- Products
Model 4: Words!
- All Model 3 features
- Description, Ngrams 1-5
Model 5: Vulnerability Prevalence
- All Model 4 features
- Vulnerability Prevalence
- Number of References
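The training setup above (CVSS fields, patch, vendor/product and description n-gram features; an L2-regularized model trained with repeated passes over a 70/30 split; ROC comparison) and the positive-predictive-value chart earlier on the page, as an added example that is not code from the talk. Everything in it is constructed: the CVE-like records and the rule that labels them exploited, the hashed feature space size, learning rate and penalty strength are assumptions, and the function names (`word_ngrams`, `featurize`, `train_logreg`, `roc_auc`, `property_ppv`, `run_experiment`) are mine.

```python
"""Constructed miniature of the slide's exploit-prediction setup (added example)."""
import math
import random
import zlib
from typing import Callable, Dict, List, Tuple

N_BUCKETS = 2 ** 16        # hashed feature space; assumed size, not from the slides
L2 = 1e-4                  # "L2 regularizer" strength; assumed value
LEARNING_RATE = 0.05       # assumed
PASSES = 100               # slide: "100 passes over the data"
TRAIN_FRACTION = 0.7       # slide: "70% Training, 30% Evaluation Split"


def word_ngrams(text: str, lo: int = 1, hi: int = 5) -> List[str]:
    """Lower-cased word n-grams of length lo..hi ("Description, Ngrams 1-5")."""
    w = text.lower().split()
    return [" ".join(w[i:i + n]) for n in range(lo, hi + 1) for i in range(len(w) - n + 1)]


def featurize(rec: dict) -> Dict[int, float]:
    """Model-5-style sparse vector: CVSS fields, RCE flag, patch, vendor/product,
    age, reference count and description n-grams, hashed into N_BUCKETS slots."""
    feats: Dict[int, float] = {}

    def add(name: str, value: float = 1.0) -> None:
        b = zlib.crc32(name.encode()) % N_BUCKETS      # deterministic, unlike hash()
        feats[b] = feats.get(b, 0.0) + value

    add("bias")
    add("cvss_base", rec["cvss_base"] / 10.0)
    add("cvss_temporal", rec["cvss_temporal"] / 10.0)
    add("rce", float(rec["rce"]))
    add("access_vector=" + rec["access_vector"])
    add("patch_exists", float(rec["patch_exists"]))
    add("vendor=" + rec["vendor"])
    add("product=" + rec["product"])
    add("age_years", rec["age_years"] / 10.0)
    add("num_references", min(rec["num_references"], 25) / 25.0)
    for g in word_ngrams(rec["description"]):
        add("desc=" + g)
    return feats


def predict(w: List[float], x: Dict[int, float]) -> float:
    """Logistic probability that a vulnerability gets an exploit."""
    z = sum(w[b] * v for b, v in x.items())
    z = max(-30.0, min(30.0, z))                       # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(rows: List[Tuple[Dict[int, float], int]], seed: int = 0) -> List[float]:
    """Logistic regression by SGD; the L2 penalty is applied to the weights each
    example touches (the usual sparse approximation), for PASSES shuffled passes."""
    w = [0.0] * N_BUCKETS
    rng = random.Random(seed)
    for _ in range(PASSES):
        rng.shuffle(rows)
        for x, y in rows:
            p = predict(w, x)
            for b, v in x.items():
                w[b] -= LEARNING_RATE * ((p - y) * v + L2 * w[b])
    return w


def roc_auc(scored: List[Tuple[float, int]]) -> float:
    """AUC as the probability that a random exploited vulnerability outranks a
    random unexploited one (ties count half); chance (0.5) if a class is absent."""
    pos = [s for s, y in scored if y == 1]
    neg = [s for s, y in scored if y == 0]
    if not pos or not neg:
        return 0.5
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def property_ppv(records: List[dict], has_property: Callable[[dict], bool]) -> float:
    """PPV of the rule 'remediate everything with property X': the share of those
    vulnerabilities that were actually exploited (the bar chart's quantity)."""
    hits = [r for r in records if has_property(r)]
    return sum(r["exploited"] for r in hits) / len(hits) if hits else 0.0


VENDORS = {"microsoft": ["windows", "office", "sharepoint"],
           "adobe": ["acrobat", "flash"], "oracle": ["java", "mysql"]}
PHRASES = ["memory corruption", "allows remote attackers to execute arbitrary code",
           "cross-site scripting", "denial of service", "information disclosure"]


def make_dataset(n: int = 200, seed: int = 2017) -> List[dict]:
    """Constructed CVE-like records. The hidden labelling rule (old, high-CVSS,
    RCE, widely referenced bugs tend to get exploited) is an assumption for the demo."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        vendor = rng.choice(sorted(VENDORS))
        product = rng.choice(VENDORS[vendor])
        cvss = round(rng.uniform(2.0, 10.0), 1)
        rce = rng.random() < 0.4
        age = rng.uniform(0.0, 8.0)
        refs = rng.randint(1, 25)
        desc = f"{product} {rng.choice(PHRASES)} via a crafted {rng.choice(['file', 'request', 'packet'])}"
        signal = 0.8 * cvss / 10 + (1.0 if rce else 0.0) + 0.3 * age / 8 + 0.4 * refs / 25
        signal += 0.5 if "execute arbitrary code" in desc else 0.0
        out.append({"id": f"SYN-{i:04d}", "cvss_base": cvss, "cvss_temporal": round(cvss * 0.9, 1),
                    "rce": rce, "access_vector": rng.choice(["network", "adjacent", "local"]),
                    "patch_exists": rng.random() < 0.8, "vendor": vendor, "product": product,
                    "age_years": age, "num_references": refs, "description": desc,
                    "exploited": int(signal + rng.gauss(0.0, 0.3) > 1.6)})
    return out


def run_experiment(n: int = 200) -> dict:
    """70/30 split, train, then report held-out AUC and the PPV of two naive rules."""
    data = make_dataset(n)
    cut = int(len(data) * TRAIN_FRACTION)
    train = [(featurize(r), r["exploited"]) for r in data[:cut]]
    w = train_logreg(train)
    scored = [(predict(w, featurize(r)), r["exploited"]) for r in data[cut:]]
    return {"n_train": cut, "n_eval": len(data) - cut, "auc": roc_auc(scored),
            "ppv_high_cvss": property_ppv(data, lambda r: r["cvss_base"] >= 9.0),
            "ppv_rce": property_ppv(data, lambda r: r["rce"])}


if __name__ == "__main__":
    print(run_experiment())
```

The point to take from the example is the comparison it sets up, not the numbers: the held-out AUC of the model is judged against the PPV of the single-property rules from the chart (remediate everything with CVSS near 10, or everything flagged RCE), which is exactly the baseline-versus-model comparison the ROC slide makes. On real data the class balance is far more skewed than here, so the 70/30 split should be stratified and the n-gram features will need the regularizer to do real work.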
Future Work
- Track Predictions vs. Real Exploits
- Integrate 20+ BlackHat Exploit Kits - FP reduction?
- Find better vulnerability descriptions - mine advisories for content? FN reduction?
- Predict Breaches, not Exploits
- Attempt Models by Vendor
- There are probably two exploitation processes here.
PREDICTIONS
These will have exploits in 2017:
1. CVE-2017-0003 (SharePoint Enterprise Server, Word 2016)
2. CVE-2017-2963 (Adobe Acrobat Reader)
3. CVE-2016-7256 (Windows Server 2008, 2012, 2016; Windows 7, 8, 10)
Scan Data Is Overwhelming
Finding Vulnerabilities – Needlessly Difficult
Impossible to Know What to Prioritize
Not Integrated with Threat Intelligence
Communication Is Painful—No Single Pane of Glass Suits All Stakeholders