Effective Prioritization Through Exploit Prediction
Fixing more of what matters, and less of what doesn't
Michael Roytman (@mroytman) and Jonathan Cran (@jcran)
Black Hat 2018
Complete Remediation is Infeasible
Complexity abounds (the /Qspectre switch quoted below is the MSVC Spectre mitigation, so the worked example here is the Spectre disclosure):
  Multiple patch releases from major vendors, including microcode updates
  Incompatible antivirus or endpoint protection
Massive array of devices affected:
  Printers, thermostats, door locks, cameras, phones, etc.
  Intel's Nehalem and Westmere (released in 2008 and 2010) are affected
Not just patches:
  Code "should be recompiled with the /Qspectre switch enabled"
The Modern Stack is COMPLEX (idea credit: @samnewman)
Every layer of the stack wants patching ("Patch me!"), from the bottom up:
  Intel / ARM / AMD CPU
  Hypervisor
  Operating System
  Docker
  Operating System (Container)
  Management Agent
  Java / .NET / Node / Python / Ruby / PHP
  App Server / Web Server / etc.
  3rd party libs
  Your App
Vulnerability Volume Increasing (figure)
Exploit Release Dates - Tied to CVE Publish (figure)
The Good News (figure)
How to find and fix before an event?
"Remember the Recall"
Infosec is largely a search problem:
1. We are data rich and signal poor.
2. Multi-stage testing cost-effectively increases both precision and recall.
3. Analyst time is the capacity constraint for most security problems.
We must aim to create signal for our analysts.
CVSS (alone) Isn’t it
Events Are What Matters
2018: 36 new CVEs with events
Targets Not Created Equal
What Matters for Scoring
Is anyone actively targeted? Could we detect success? How much effort is required? What is the attacker payoff? Does a valid attack path exist?
Sketch of an additive score (A, B, C, D are weights):
  score = CVSS_SCORE
  score += A if recent_breaches_exist?
  score += B if exploits_exist?
  score += C if popular_target?
  score += D if exploit_will_exist?
How do we know if we are working on the right stuff?
Attack + Defense: Detect & Respond, Predict & Prevent
Measuring Remediation Strategies
Coverage: of the vulnerabilities that mattered, did we fix all (100%) of them?
Efficiency: of the vulnerabilities we ended up fixing, did we fix any that didn't matter?
Coverage & Efficiency, Explained (lawn diagram: our lawn, the neighbors' lawn, and the area the robot mowed)
Coverage: how much of the grass we wanted to cut was actually cut? The remainder is "not covered".
Efficiency: out of all the grass mowed, how much should have been cut? The remainder (the neighbors' grass) is wasted effort, i.e. inefficiency.
In the diagram, coverage is about 80% and efficiency about 60%.
Coverage & Efficiency In Practice (Venn diagram)
Sets in the diagram: all CVEs; CVEs with known exploits or events (red) versus CVEs with no known exploit or event; total prioritized CVEs, split into vulnerabilities prioritized that have known exploits or events (green) and CVEs prioritized with no known exploits or events (blue).
Coverage (green / red): of those that ended up with a known exploit or event, how many vulnerabilities did we prioritize?
Efficiency (green / (green + blue)): of all the vulnerabilities we prioritized, how many ended up with a known exploit or event? In the deck's example this is about 9.28%.
Coverage / Efficiency Tradeoff
● There is a natural tradeoff between coverage and efficiency.
● We are operating with incomplete information at any given moment.
● Why would you want <100% efficiency?
  ○ Abundance of caution (if you can afford it!)
● Why would you want <100% coverage?
  ○ A new campaign can spin up or an older one can spin down. The world is not static.
Continuous review and adjustment provides the best result.
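The additive score from "What Matters for Scoring" and the coverage/efficiency measurement from the slides above, as an added example that is not code from the talk: the score ranks a constructed set of eight CVEs, a cutoff turns the ranking into a fix list, and coverage and efficiency are measured against the CVEs that later had a known exploit or event. The weights A..D, the sample CVEs and the set of CVEs that "mattered" are assumptions; a CVSS-only cutoff is included as the "CVSS (alone) isn't it" baseline.

```python
"""Added example (not from the talk): additive prioritization score,
then coverage and efficiency of the resulting fix list at several cutoffs."""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float
    recent_breaches: bool = False
    exploits_exist: bool = False
    popular_target: bool = False
    exploit_predicted: bool = False   # stands in for exploit_will_exist?


# Assumed weights for the A..D bonuses sketched on the slide.
A, B, C, D = 3.0, 2.5, 1.5, 2.0


def score(v: Vuln) -> float:
    """score = CVSS, plus A/B/C/D for each signal that is present."""
    s = v.cvss
    s += A if v.recent_breaches else 0.0
    s += B if v.exploits_exist else 0.0
    s += C if v.popular_target else 0.0
    s += D if v.exploit_predicted else 0.0
    return s


def coverage_efficiency(prioritized: set, mattered: set) -> tuple:
    """Coverage = |prioritized & mattered| / |mattered|            (green / red)
    Efficiency = |prioritized & mattered| / |prioritized|       (green / (green + blue))"""
    hits = len(prioritized & mattered)
    cov = hits / len(mattered) if mattered else 0.0
    eff = hits / len(prioritized) if prioritized else 0.0
    return cov, eff


def prioritize(vulns, cutoff: float) -> set:
    """Everything scoring at or above the cutoff goes on the fix list."""
    return {v.cve for v in vulns if score(v) >= cutoff}


# Constructed sample: eight CVEs; five of them later had an exploit or event.
SAMPLE = [
    Vuln("CVE-A", 9.8, exploits_exist=True, recent_breaches=True),
    Vuln("CVE-B", 7.5, exploits_exist=True),
    Vuln("CVE-C", 5.0, popular_target=True, exploit_predicted=True),
    Vuln("CVE-D", 9.0),                       # high CVSS, no other signal
    Vuln("CVE-E", 4.3),
    Vuln("CVE-F", 6.5, exploit_predicted=True),
    Vuln("CVE-G", 10.0),                      # high CVSS, no other signal
    Vuln("CVE-H", 3.1, recent_breaches=True),
]
MATTERED = {"CVE-A", "CVE-B", "CVE-C", "CVE-F", "CVE-H"}


def sweep(vulns=SAMPLE, mattered=MATTERED, cutoffs=(6.0, 8.0, 10.0, 12.0)) -> dict:
    """(coverage, efficiency) per cutoff: a lower bar raises coverage and lowers efficiency."""
    return {c: coverage_efficiency(prioritize(vulns, c), mattered) for c in cutoffs}


def cvss_only(vulns=SAMPLE, mattered=MATTERED, cutoff=7.0) -> tuple:
    """Baseline: fix everything with CVSS >= cutoff and ignore every other signal."""
    return coverage_efficiency({v.cve for v in vulns if v.cvss >= cutoff}, mattered)


if __name__ == "__main__":
    for c, (cov, eff) in sweep().items():
        print(f"score cutoff {c:>4}: coverage {cov:.2f}  efficiency {eff:.2f}")
    cov, eff = cvss_only()
    print(f"CVSS >= 7.0 only : coverage {cov:.2f}  efficiency {eff:.2f}")
```

On this sample, lowering the score cutoff from 12 to 6 takes coverage from 20% to 100% while efficiency falls from 100% to about 71%; the CVSS-only cutoff at 7.0 spends two of its four fixes on CVE-D and CVE-G, which nothing else flagged, and misses three of the five that mattered.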
How to handle quickly escalating threats?
Current Attacker Velocity
Average days from publish to exploit (639 CVEs, 8% of the set): 19.68 days
Average days from publish to event (36 CVEs, 0.5% of the set): 27.36 days
Shortest window: Adobe Reader (zero days)
Longest window: IE / Edge (months)
Recent Popular Targets (2018)
Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805
Joomla! 3.7.1 - CVE-2017-8917
Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271
Jenkins 2.56 - CVE-2017-1000353
Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143, CVE-2017-0144, CVE-2017-0145
MASTER IPCAMERA (hardcoded password) - CVE-2018-5723
Drupal (Drupalgeddon) - CVE-2018-7600
Adobe Flash - CVE-2018-4878
Increasing Risk: Factoring in Velocity
Vulnerability timeline: Created -> Discovery -> Disclosure -> Public Exploit Code Released -> Exploitation Detected In the Wild -> Detection Generated
Exploit Release Dates - Tied to CVE Publish (figure)
The Case for Prediction
Enter The Exploit Prediction Model
Future of Data Past
Q: "A new vulnerability was just released. Do we scramble?"
A: (figure)
"Prediction is very difficult, especially about the future" - Niels Bohr
Data Sources: CVE Enrichment Projects
Data Sources: Exploit Code & Observations
What IS Machine Learning?
• Methods for automatically learning and recognizing complex patterns from data
• A set of tools for understanding data by building models from data
• For us, success is measured on coverage and efficiency
Type of Algorithms
Do you have labeled data? Yes: supervised learning. No: unsupervised learning.
What do you want to predict? A category: classification. A quantity: regression.
We are currently really good at:
• "Of my current 300 million vulnerabilities, which ones should I remediate first?"
• "Old ones with stable, weaponized exploits, known breaches, high risk meter scores"
Supervised Classification (figure)
Asking the right questions:
• Classification: the output is qualitative
• Our prediction: "Will this vulnerability have an exploit written for it?" (i.e. will it cause more risk later)
Input variables
Numeric: cvss_base, cvss_temporal, kenna_score, breach_count, cpe_count, cpe_vendor_count, cpe_product_count, cve_age, days_to_first_exploit, first_exploit_age, days_to_first_breach, first_breach_age, vulnerability_count, open_vulnerability_count, closed_vulnerability_count, reference_count
Binary: any_exploits, in_metasploit, in_exploitdb, in_elliot, any_breaches, popular_target, recent_breaches, rce, description_contains_in_the_wild, description_contains_buffer_overflow, description_contains_man_in_the_middle, exploited_in_7, exploited_in_14, exploited_in_30, exploited_in_60, exploited_in_90, breached_in_7, breached_in_14, breached_in_30, breached_in_60, breached_in_90, library_vuln, fix_exists
Categorical: access_vector, access_complexity, authentication, confidentiality_impact, integrity_impact, availability_impact, wasc_id, cwe_id, fix_type
Text: cve_summary, exploit_authors, exploit_platforms, exploit_types, exploit_ports, cpe_vendors, cpe_products, reference_types
Predictive - The Expectations
The distribution is not uniform: 77% of the dataset is not exploited.
1. So an accuracy of 77% would be bad (always predicting "not exploited" achieves it).
Precision matters more than recall:
1. No one would use this model absent actual exploit-availability data.
2. False negatives matter less than false positives, which are wasted effort.
We are not modeling when something will be exploited, just if:
1. It could be tomorrow or in 6 months. Re-run the model every day.
Measuring performance of a predictive model (precision vs. recall plot; the ideal is precision 1 and recall 1)
High precision, low recall: returns relevant documents but misses many useful ones too.
High recall, low precision: returns most relevant documents but includes lots of junk.
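Turning the variable catalogue above into a classifier and scoring it on precision and recall, as an added example that is not the model from the talk: each record becomes a feature vector built from the four kinds of input variable (numeric, binary, categorical, text), a small logistic-regression classifier for "will an exploit be written?" is fit by gradient descent in plain Python (no scikit-learn, so it runs anywhere), and precision (the deck's efficiency) and recall (its coverage) are reported at a probability threshold. The records, the keyword list, the chosen features and the hyperparameters are constructed for illustration.

```python
"""Added example (not the talk's model): featurize, fit logistic regression,
report precision/recall at a threshold."""
import math

ACCESS_VECTORS = ("NETWORK", "ADJACENT_NETWORK", "LOCAL")   # categorical levels, one-hot
# Phrases the deck reports as common in predicted CVEs, used as text flags.
KEYWORDS = ("arbitrary code", "command injection", "remote attackers", "buffer overflow")


def featurize(rec):
    """Numeric scaled to [0,1]; binaries 0/1; categorical one-hot; text as keyword flags."""
    x = [1.0]                                        # bias
    x.append(rec["cvss_base"] / 10.0)                # numeric
    x.append(min(rec["reference_count"], 20) / 20.0)
    x.append(1.0 if rec["in_metasploit"] else 0.0)   # binary
    x.append(1.0 if rec["rce"] else 0.0)
    x.extend(1.0 if rec["access_vector"] == av else 0.0 for av in ACCESS_VECTORS)
    text = rec["cve_summary"].lower()
    x.extend(1.0 if kw in text else 0.0 for kw in KEYWORDS)
    return x


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(rows, labels, epochs=3000, lr=0.5, l2=0.01):
    """Batch gradient descent on the logistic loss, with a little L2 because tiny data is separable."""
    n, d = len(rows), len(rows[0])
    w = [0.0] * d
    for _ in range(epochs):
        grad = [0.0] * d
        for x, y in zip(rows, labels):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for j in range(d):
                grad[j] += err * x[j]
        w = [wj - lr * (gj / n + l2 * wj) for wj, gj in zip(w, grad)]
    return w


def predict_proba(w, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)))


def precision_recall(probs, labels, threshold):
    """Precision is the deck's efficiency, recall its coverage, at one probability cut."""
    tp = sum(1 for p, y in zip(probs, labels) if p >= threshold and y)
    fp = sum(1 for p, y in zip(probs, labels) if p >= threshold and not y)
    fn = sum(1 for p, y in zip(probs, labels) if p < threshold and y)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def rec(cvss, refs, msf, rce, av, summary):
    return dict(cvss_base=cvss, reference_count=refs, in_metasploit=msf, rce=rce,
                access_vector=av, cve_summary=summary)


# Constructed training set: label 1 = an exploit was later written.
RECORDS = [
    (rec(9.8, 12, True, True, "NETWORK", "allows remote attackers to execute arbitrary code"), 1),
    (rec(7.5, 8, True, False, "NETWORK", "command injection lets remote attackers run commands"), 1),
    (rec(10.0, 15, False, True, "NETWORK", "stack buffer overflow leads to arbitrary code execution"), 1),
    (rec(6.8, 5, True, True, "NETWORK", "remote attackers may execute arbitrary code via a crafted file"), 1),
    (rec(4.3, 2, False, False, "NETWORK", "cross-site scripting in the admin page"), 0),
    (rec(2.1, 1, False, False, "LOCAL", "information disclosure via a world-readable file"), 0),
    (rec(5.0, 3, False, False, "NETWORK", "denial of service via a malformed packet"), 0),
    (rec(7.2, 4, False, False, "LOCAL", "privilege escalation via a race condition"), 0),
    (rec(3.5, 2, False, False, "ADJACENT_NETWORK", "information disclosure on the management interface"), 0),
    (rec(9.0, 6, False, False, "NETWORK", "denial of service; high CVSS but no exploit signals"), 0),
]


def fit_and_score(records=RECORDS, thresholds=(0.3, 0.5, 0.7)):
    """Fit on the records; return per-record probabilities and (precision, recall) per threshold."""
    rows = [featurize(r) for r, _ in records]
    labels = [y for _, y in records]
    w = train(rows, labels)
    probs = [predict_proba(w, x) for x in rows]
    return probs, {t: precision_recall(probs, labels, t) for t in thresholds}


if __name__ == "__main__":
    probs, metrics = fit_and_score()
    for (r, y), p in zip(RECORDS, probs):
        print(f"p={p:.2f} label={y} cvss={r['cvss_base']}")
    for t, (prec, recall) in metrics.items():
        print(f"threshold {t}: precision {prec:.2f} recall {recall:.2f}")
```

The last record is the interesting one: CVSS 9.0 with no exploit signals and none of the common phrases scores well below the first record, which is the point the deck makes about CVSS alone. Moving the threshold is the same coverage/efficiency dial as before: a lower threshold can only raise recall, and usually lowers precision.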
Coverage / Efficiency Tradeoffs (three figures, at the "Somewhat Likely", "Highly Likely" and "Most Likely" thresholds)
Characteristics of Predicted CVEs
● Common phrases
  ○ "Arbitrary Code Execution"
  ○ "Command Injection"
  ○ "Remote Attackers"
● Vulnerability classes
  ○ SQL Injection (CWE-89)
  ○ Buffer Overflow (CWE-119)
  ○ Improper Input Validation (CWE-20)
The Work Averse Attacker
"An attacker massively deploys only one exploit per software version. The only exception we find is for Internet Explorer; the exception is characterised by a very low cost to create an additional exploit, where it is sufficient to essentially copy and paste code from the old exploit, with only few modifications, to obtain the new one."
- The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures, by Luca Allodi, Fabio Massacci, Julian Williams
Machine Learning Has Side Benefits
Highly scored CVEs, with the public exploit known for each at scoring time:
● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware: - https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124 - https://blogs.securiteam.com/index.php/archives/3552
● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265 - https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4 - [no exploit exists]
● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3 - [no exploit exists]
The same list two slides later, with the dulwich entry updated:
● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4 - https://twitter.com/jcran/status/1026533985630007296
Interesting, Highly Scored CVEs
● CVE-2016-10717 - MalwareBytes - bypass whitelisting
● CVE-2016-1417 - Snort - DLL hijacking
● CVE-2018-3605 - Trend Micro Control Manager SQLi (RCE)
● CVE-2018-4944 - Adobe Reader Type Confusion
● CVE-2016-7272 - Windows Icon File Integer Overflow
Constraints on the Future
Any new rating system must be:
● Simple (in every sense of the word)
● Explainable (cause and effect understandable)
● Defensible (science!)
● An improvement
And every data source is on the table...
The future
Lesson: Less is More
New variables aren't adding much overall.
Lesson: Probability is our friend (histogram of predicted exploitation probability; 78% of vulns are < 1%)
● While initially confusing, probability offers a very intuitive measure.
● Most vulnerabilities are predicted to have < 1% probability of exploitation; 2,400+ vulnerabilities are predicted > 10%.
● How can we validate probabilistic estimates?
Lesson: Probability is our friend (calibration plot: predicted probability, "what we say", against observed exploitation rate, "what we see"; the dashed line is "calibrated"; ~450 vulnerabilities)
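One way to answer "how can we validate probabilistic estimates?", as an added example and not the deck's own analysis: bucket CVEs by the probability the model says, compare that with the exploitation rate we see in each bucket (the dashed "calibrated" line is where the two agree), and summarise the gap as expected calibration error. The population below is constructed to resemble the histogram described above (most vulnerabilities under 1%, a small tail above 10%); outcomes are drawn from the true probability, and an "inflated" variant stands in for a score that overstates risk across the board.

```python
"""Added example (not from the talk): reliability table and expected
calibration error (ECE) for probabilistic exploit predictions."""
import random


def reliability_table(probs, outcomes, bins=10):
    """Per non-empty bin: (lower, upper, count, mean predicted, observed rate)."""
    buckets = [[] for _ in range(bins)]
    for p, y in zip(probs, outcomes):
        i = min(int(p * bins), bins - 1)         # p == 1.0 lands in the last bin
        buckets[i].append((p, y))
    rows = []
    for i, b in enumerate(buckets):
        if b:
            n = len(b)
            rows.append((i / bins, (i + 1) / bins, n,
                         sum(p for p, _ in b) / n, sum(y for _, y in b) / n))
    return rows


def expected_calibration_error(rows, total):
    """Count-weighted mean |what we say - what we see|; 0 is the dashed 'calibrated' line."""
    return sum(n / total * abs(said - seen) for _, _, n, said, seen in rows)


def share_below(probs, cutoff):
    """Fraction of predictions under a cutoff (the deck's '78% of vulns are < 1%')."""
    return sum(1 for p in probs if p < cutoff) / len(probs)


def simulate(n=5000, seed=7, inflate=1.0):
    """Constructed population. The true exploitation probability p = u**20 puts roughly
    79% of vulns under 1% and 11% above 10%; the outcome is one Bernoulli draw from p;
    the model reports min(1, inflate * p), so inflate > 1 overstates risk everywhere."""
    rng = random.Random(seed)
    said, seen = [], []
    for _ in range(n):
        p = rng.random() ** 20
        seen.append(1 if rng.random() < p else 0)
        said.append(min(1.0, inflate * p))
    return said, seen


def ece_for(inflate=1.0, n=5000):
    """ECE of the simulated model; same seed, so calibrated and inflated share outcomes."""
    said, seen = simulate(n=n, inflate=inflate)
    return expected_calibration_error(reliability_table(said, seen), n)


if __name__ == "__main__":
    said, seen = simulate()
    print(f"{share_below(said, 0.01):.0%} of vulns predicted below 1%")
    for lo, hi, n, mp, obs in reliability_table(said, seen):
        print(f"[{lo:.1f}, {hi:.1f}) n={n:5d}  say {mp:.3f}  see {obs:.3f}")
    print(f"ECE calibrated: {ece_for(1.0):.3f}   ECE inflated x3: {ece_for(3.0):.3f}")
```

The bins above 0.5 hold only a few dozen CVEs even with 5,000 predictions, so their observed rates are noisy; that is why the count-weighted ECE, rather than a single high bin, is the number to track when a model is re-run daily.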
Real World
You can deal with 44,000,000 alerts, or fix 299 vulnerabilities.
Takeaways
Volume, complexity and speed of both vulnerabilities and threats are the modern vulnerability management challenges.
Coverage and efficiency let us measure vulnerability management strategies.
For all the new vulnerabilities you've seen this week: is each one truly critical? Will it be attacked in the future?
Future threats should be addressed, but only after immediate / existing threats.

Weitere ähnliche Inhalte

Was ist angesagt?

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hacking
Mehrdad Jingoism
 

Was ist angesagt? (20)

Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documents
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
 
Machine Learning in Malware Detection
Machine Learning in Malware DetectionMachine Learning in Malware Detection
Machine Learning in Malware Detection
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown:Invincea FreeSpace vs EMET 5.0Tech ThrowDown:Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggle
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wanted
 
ARES Next-Gen Risk Management Platform
ARES Next-Gen Risk Management PlatformARES Next-Gen Risk Management Platform
ARES Next-Gen Risk Management Platform
 
CSS Trivia
CSS TriviaCSS Trivia
CSS Trivia
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hacking
 
Mc afee conectando las piezas
Mc afee conectando las piezasMc afee conectando las piezas
Mc afee conectando las piezas
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocks
 

Ähnlich wie Effective Prioritization Through Exploit Prediction

MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.ppt
webhostingguy
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
Rod Soto
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 

Ähnlich wie Effective Prioritization Through Exploit Prediction (20)

BNYMellon - CVE 101.pdf
BNYMellon - CVE 101.pdfBNYMellon - CVE 101.pdf
BNYMellon - CVE 101.pdf
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.ppt
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdf
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 
Cyber security courses in Kerala , kochi
Cyber security courses in Kerala , kochiCyber security courses in Kerala , kochi
Cyber security courses in Kerala , kochi
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana   iisf...Web security – application security roads to software security nirvana   iisf...
Web security – application security roads to software security nirvana iisf...
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS SolutionGISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Everything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeepEverything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeep
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
Outpost24 webinar - Cybersecurity readiness in the post Covid-19 world
Outpost24 webinar - Cybersecurity readiness in the post Covid-19 worldOutpost24 webinar - Cybersecurity readiness in the post Covid-19 world
Outpost24 webinar - Cybersecurity readiness in the post Covid-19 world
 
Protect Against 85% of Cyberattacks
Protect Against 85% of CyberattacksProtect Against 85% of Cyberattacks
Protect Against 85% of Cyberattacks
 
Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus intel slideshare 2019
Exodus intel slideshare 2019
 
Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus intel slideshare 2019
Exodus intel slideshare 2019
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 

Effective Prioritization Through Exploit Prediction

  • 1. Michael Roytman Jonathan Cran @mroytman @jcran Black Hat 2018 Effective Prioritization Through Exploit Prediction Fixing more of what matters, and less of what doesn’t
  • 2. 2
  • 3. 3 Complete Remediation is Infeasible Complexity Abound Multiple patch releases from major vendors, including microcode updates Incompatible Antivirus or Endpoint protection Massive Array of Devices Affected Affects Printers, Thermostats, Door Locks, Cameras, Phones, etc Intel’s Nehalem and Westmere (released in 2008 and 2010) affected Not Just Patches Code “should be recompiled with the /Qspectre switch enabled”
  • 4. 4 The Modern Stack is COMPLEX Intel / ARM / AMD CPU Hypervisor Java Management Agent Docker Operating System .NET Operating System (Container) Node 3rd party libs Your App Patch Me! Idea Credit: @samnewman Python Ruby PHP App Server / Web Server / etc
  • 6. Exploit Release Dates - Tied to CVE Publish
  • 8. How to find and fix before an event?
  • 9. 9 “Remember the Recall” Infosec is largely a search problem: 1. We are data rich and signal poor. 2. Multi-stage testing cost-effectively increases both precision and recall. 3. Analyst time is the capacity constraint for most security problems We must aim to create signal for our analysts.
  • 11. 11 Events Are What Matters 2018: 36 new CVEs with events
  • 13. 13 What Matters for Scoring Is anyone actively targeted? Could we detect success? How much effort is required? What is the attacker payoff? Does a valid attack path exist? score = $CVSS_SCORE score += A if recent_breaches_exist? SCORE += B if exploits_exist? SCORE += C if popular_target? SCORE += D if exploit_will_exist?
  • 14. How do we know if we are working on the right stuff?
  • 15. 15 Attack + Defense Detect & Respond Predict & Prevent
  • 16. 16 Measuring Remediation Strategies Coverage: Of the vulns we fixed, did we pick all (100%) of the correct ones? Efficiency: Of the ones we ended up fixing, did fix any that didn’t matter?
  • 17. 17 Coverage & Efficiency, Explained OURS NEIGHBORS ROBOT MOWED Coverage =~ 80% Efficiency =~ 60% EFFICIENCY: Out of all the grass mowed, how much of the grass should have been cut COVERAGE: How much of the grass we wanted to cut was actually cut? wasted effort (inefficiency ) not covered
  • 18. 18 Coverage & Efficiency In Practice CVES with known exploits or events CVEs with no known exploit or event Coverage How many vulnerabilities did we prioritize of those that ended up with a known exploit or event Efficiency (green in the red area green + blue) =~ 9.28% Of all the vulnerabilities we prioritized, how many ended up with a kown exploit or event
  • 19. 19 Coverage & Efficiency In Practice CVES with known exploits or events CVEs with no known exploit or event Total Prioritized CVEs All CVEs Vulnerabilities prioritized with known exploits or events CVEs prioritized with no known exploits or events Coverage (green / red) How many vulnerabilities did we prioritize of those that ended up with a known exploit or event Efficiency (green / green + blue) Of all the vulnerabilities we prioritized, how many ended up with a known exploit or event
  • 20. 20 Coverage / Efficiency Tradeoff ● There exists a natural tradeoff between coverage and efficiency. ● We are operating with incomplete information at any given moment. ● Why would you want <100% efficiency? ○ Abundance of caution (if you can afford it!) ● Why would you want <100% coverage? ○ New campaign can spin up or an older one can spin down. The world is not static. Continuous review and adjustment provides the best result.
  • 22. 22 Current Attacker Velocity Average Days from Publish to Exploit (639 / 8%): 19.68 Days Average Days from Publish to Event (36 / 0.5%): 27.36 Days Shortest Window: Adobe Reader (zero days) Longest Window: IE Edge (months)
  • 23. 23 Recent Popular Targets (2018) Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805 Joomla! 3.7.1 - CVE-2017-8917 Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271 Jenkins 2.56 - CVE-2017-1000353 Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5 MASTER IPCAMERA (hardcoded password) - CVE-2018-5723 Drupal (Drupalgeddon) - CVE-2018-7600 Adobe Flash - CVE-2018-4878
  • 24. Increasing Risk Factoring in Velocity Created Discovery Disclosure Public Exploit Code Released Exploitation Detected In the Wild Detection Generate d
  • 25. Exploit Release Dates - Tied to CVE Publish
  • 26. The Case for Prediction
  • 28. 28 Future of Data Past Q: “A new vulnerability was just released. Do we scramble? A:
  • 29. 29 “Prediction is very difficult, especially about the future” -Niels Bohr
  • 30. Data Sources: CVE Enrichment Projects
  • 31. Data Sources: Exploit Code & Observations
  • 32. 32 What IS Machine Learning? • Methods for automatically learning and recognizing complex patterns from data • A set of tools for understanding data by buildings models from data • measure success on coverage and efficiency
  • 33. 33 Type of Algorithms Do you have labeled data? Supervised Unsupervised What do you want to predict? Classification Regression Category NoYes Quantity
  • 34. 34 We are current really good at: • “Of my current 300 million vulnerabilities, which ones should I remediate first?” • “Old ones with stable, weaponized exploits, known breaches, high risk meter scores”
  • 36. 36 Asking the right questions: • Classification: output is qualitative • prediction: “Will this vulnerability have an exploit written for it?” (== cause more risk later)
  • 37. 37 Input variables Numeric cvss_base cvss_temporal kenna_score breach_count cpe count cpe_vendor_count cpe_product_count cve age days_to_first_exploit first_exploit_age days_to_first_breach first_breach_age vulnerability_count open_vulnerability_count closed_vulnerability_count reference_count Binary any_exploits in metasploit in_exploitdb in_elliot any_breaches popular_target recent_breaches rce description_contains_in_the_wild description_contains_buffer_overflow description_contains_man_in_the_middle exploited_in_7 exploited_in_14 exploited_in_30 exploited_in_60 exploited_in_90 breached_in_/ breached_in_14 breached_in_30 breached_in_60 breached_in_90 library_vuln fix_exists Categorical access_vector access_complexity authentication confidentiality_impact integrity_impact availability_impact wasc_id cwe_id fix_type Text cve summary exploit_authors exploit_platforms exploit types exploit_ports cpe_vendors cpe_products reference_types
  • 38. 38 Predictive - The Expectations
    ● Distribution is not uniform: 77% of the dataset is not exploited
      1. Accuracy of 77% would be bad (predicting “not exploited” for everything already gets you there)
    ● Precision matters more than Recall
      1. No one would use this model absent actual exploit-availability data.
      2. False negatives matter less than false positives - wasted effort.
    ● We are not modeling WHEN something will be exploited, just IF
      1. Could be tomorrow or in 6 months. Re-run the model every day.
  • 39. 39 Measuring performance of a predictive model [chart: Precision (0 to 1) against Recall (0 to 1); “The ideal” sits at the top-right corner where both are 1]
    ● High precision, low recall: returns relevant documents but misses many useful ones too
    ● High recall, low precision: returns most relevant documents but includes lots of junk
  • 44. 44 Characteristics of Predicted CVEs
    ● Common Phrases
      ○ “Arbitrary Code Execution”
      ○ “Command Injection”
      ○ “Remote Attackers”
    ● Vulnerability Classes
      ○ SQL Injection (CWE-89)
      ○ Buffer Overflow (CWE-119)
      ○ Improper Input Validation (CWE-20)
  • 45. 45 The Work Averse Attacker
    “An attacker massively deploys only one exploit per software version. The only exception we find is for Internet Explorer; the exception is characterised by a very low cost to create an additional exploit, where it is sufficient to essentially copy and paste code from the old exploit, with only few modifications, to obtain the new one.”
    - The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures, by Luca Allodi, Fabio Massacci, Julian Williams
  • 46. 46 Machine Learning Has Side Benefits
    ● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware:
      ○ https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
    ● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124
      ○ https://blogs.securiteam.com/index.php/archives/3552
    ● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265
      ○ https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
    ● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4
      ○ [no exploit exists]
    ● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3
      ○ [no exploit exists]
  • 48. 48 Machine Learning Has Side Benefits
    ● CVE-2016-10372 - cpe:/o:eir:d1000_modem_firmware:
      ○ https://www.rapid7.com/db/modules/exploit/linux/http/tr064_ntpserver_cmdinject
    ● CVE-2017-18046 - cpe:/o:dasannetworks:h640x_firmware:2.77p1-1124
      ○ https://blogs.securiteam.com/index.php/archives/3552
    ● CVE-2017-8116 - cpe:/o:teltonika:rut900_firmware:00.03.265
      ○ https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
    ● CVE-2017-16228 - cpe:/a:dulwich_project:dulwich:0.18.4
      ○ https://twitter.com/jcran/status/1026533985630007296
    ● CVE-2017-17946 - cpe:/a:novosoft:handy_password:4.9.3
      ○ [no exploit exists]
  • 49. 49 Interesting, Highly Scored CVEs
    ● CVE-2016-10717 - MalwareBytes - bypass whitelisting
    ● CVE-2016-1417 - Snort - DLL hijacking
    ● CVE-2018-3605 - Trend Micro Control Manager SQLi (RCE)
    ● CVE-2018-4944 - Adobe Reader Type Confusion
    ● CVE-2016-7272 - Windows Icon File Integer Overflow
  • 50. 50 Constraints on the Future: Any new rating system must be:
    ● Simple (in every sense of the word)
    ● Explainable (cause and effect understandable)
    ● Defensible (science!)
    ● an Improvement
    And every data source is on the table...
  • 52. 52 Lesson: Less is More New variables aren’t adding much overall
  • 53. 53 Lesson: Probability is our friend [chart: distribution of predicted exploitation probability; 78% of vulns are < 1%]
    ● While initially confusing, probability offers a very intuitive measure
    ● Most vulnerabilities are predicted to have < 1% probability of exploitation; 2,400+ vulnerabilities are predicted > 10%
    ● How can we validate probabilistic estimates?
  • 54. 54 Lesson: Probability is our friend [calibration plot over ~450 vulnerabilities: predicted probability (what we say) against observed exploitation rate (what we see); the dashed line is “calibrated”, i.e. what we say equals what we see]
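An added example (not the speakers' code) that puts slides 38 and 54 together: on a constructed, 77%-negative CVE set it scores a model by coverage and efficiency at a remediation threshold, shows why the "fix nothing" baseline already reaches 77% accuracy, and builds the what-we-say versus what-we-see table behind the calibration plot; the records and probabilities are invented.

```python
# Added example, not the talk's own code: scoring an exploit-prediction model on
# an imbalanced CVE set (slide 38) and checking its calibration (slides 53-54).
# Records are constructed; the probabilities are invented model outputs.
SAMPLE = [  # (cve_id, predicted P(exploit), exploited within the window?)
    ("CVE-X-0001", 0.95, True), ("CVE-X-0002", 0.85, True),
    ("CVE-X-0003", 0.70, False), ("CVE-X-0004", 0.55, True),
    ("CVE-X-0005", 0.40, False), ("CVE-X-0006", 0.30, False),
    ("CVE-X-0007", 0.20, False), ("CVE-X-0008", 0.15, False),
    ("CVE-X-0009", 0.10, False), ("CVE-X-0010", 0.05, False),
    ("CVE-X-0011", 0.03, False), ("CVE-X-0012", 0.02, False),
    ("CVE-X-0013", 0.01, False),  # 10 of 13 (77%) never exploited
]

def confusion(records, threshold):
    """tp, fp, fn, tn when P(exploit) >= threshold means 'remediate now'."""
    tp = fp = fn = tn = 0
    for _, p, exploited in records:
        flagged = p >= threshold
        if flagged and exploited:
            tp += 1
        elif flagged:
            fp += 1
        elif exploited:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn

def scores(records, threshold):
    """Coverage (recall), efficiency (precision) and plain accuracy."""
    tp, fp, fn, tn = confusion(records, threshold)
    return {"coverage": tp / (tp + fn) if tp + fn else 0.0,
            "efficiency": tp / (tp + fp) if tp + fp else 0.0,
            "accuracy": (tp + tn) / len(records)}

def calibration(records, n_bins=5):
    """Reliability table per probability bin: what we say vs what we see."""
    bins = [[] for _ in range(n_bins)]
    for _, p, exploited in records:
        bins[min(int(p * n_bins), n_bins - 1)].append((p, exploited))
    return [{"lo": i / n_bins, "hi": (i + 1) / n_bins, "n": len(m),
             "said": sum(p for p, _ in m) / len(m),  # mean predicted probability
             "seen": sum(e for _, e in m) / len(m)}  # observed exploit rate
            for i, m in enumerate(bins) if m]

def calibration_error(records, n_bins=5):
    """Expected calibration error: count-weighted |said - seen|; 0.0 is the dashed line."""
    n = len(records)
    return sum(r["n"] / n * abs(r["said"] - r["seen"]) for r in calibration(records, n_bins))
```

A threshold above 1.0 is the "fix nothing" baseline: its accuracy is 10/13 but its coverage is zero, which is the point slide 38 makes about accuracy.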
  • 55. 55 Real World: You can deal with 44,000,000 Alerts, or Fix 299 Vulnerabilities
  • 56. 56 Takeaways
    ● Volume, complexity and speed of both vulnerabilities and threats are modern vulnerability management challenges
    ● Coverage and efficiency allow us to measure vuln management strategies
    ● For all the new vulnerabilities you’ve seen this week… is it truly critical? Will it be attacked in the future?
    ● Future threats should be addressed, but only after immediate / existing threats