Upload File

Download - Predicting Exploitability

Transcript
Page 1: Predicting Exploitability

PREDICTING EXPLOITABILITY

@MROYTMAN

Page 2: Predicting Exploitability

“Prediction is very difficult, especially about the future.”

-Neils Bohr

Page 3: Predicting Exploitability

3 Types of “Data-Driven”

Page 4: Predicting Exploitability

Too many vulnerabilities.How do we derive risk from vulnerability in a data-driven manner?

PROBLEM

Page 5: Predicting Exploitability

EXPLOITABILITY

1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

Page 6: Predicting Exploitability

EXPLOITABILITY

1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

Page 7: Predicting Exploitability

Analyst Input

Vulnerability Management Programs Augmenting Data

RetrospectiveTemporal Score Estimation

Vulnerability Researchers

Page 8: Predicting Exploitability

EXPLOITABILITY

1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

Page 9: Predicting Exploitability

ATTACKERS

ARE FAST

Page 10: Predicting Exploitability

0 5 10 15 20 25 30 35 40

CVSS*10

EDB

MSP

EDB+MSP

Breach*Probability*(%)

Positive Predictive Value of remediating a vulnerability with property X:

Page 11: Predicting Exploitability
Page 12: Predicting Exploitability

DATA OF FUTURE PASTQ: “Of my current vulnerabilities, which ones should I remediate?”

A: Old ones with stable, weaponized exploits

Page 13: Predicting Exploitability

FUTURE OF DATA PASTQ: “A new vulnerability was just released. Do we scramble?”

A:

Page 14: Predicting Exploitability

EXPLOITABILITY

1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

Page 15: Predicting Exploitability

Machine Learning?

Page 16: Predicting Exploitability
Page 17: Predicting Exploitability

Enter: AWS ML

Page 18: Predicting Exploitability

70% Training, 30% Evaluation Split N = 81303

All Models:

L2 regularizer

1 gb

100 passes over the data

Receiver operating characteristics for comparisons

Page 19: Predicting Exploitability

Model 1: Baseline

-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date

Page 20: Predicting Exploitability

LMGTFY:

Page 21: Predicting Exploitability

Moar Simple?

Page 22: Predicting Exploitability

Model 2: Patches-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists

Page 23: Predicting Exploitability

Model 3: Affected Software-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists-Vendors-Products

Page 24: Predicting Exploitability

Model 4: Words!-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists-Vendors-Products-Description, Ngrams 1-5

Page 25: Predicting Exploitability

Model 5: Vulnerability Prevalence-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists-Vendors-Products-Description, Ngrams 1-5-Vulnerability Prevalence-Number of References

Page 26: Predicting Exploitability

Moar Simple?

Page 27: Predicting Exploitability

Moar Simple?

Page 28: Predicting Exploitability

Exploitability

Page 29: Predicting Exploitability

-Track Predictions vs. Real Exploits

-Integrate 20+ BlackHat Exploit Kits - FP reduction?

-Find better vulnerability descriptions - mine advisories for content? FN reduction?

Future Work

-Predict Breaches, not Exploits

-Attempt Models by Vendor

-There are probably two exploitation processes here.

Page 30: Predicting Exploitability
Page 31: Predicting Exploitability

Thanks!

@MROYTMAN


Top Related

Predicting Phrasing and Accent - Columbia Universityjulia/courses/CS4706/prediction.pdf · • Predicting phrasing • Predicting accent • Future research: emotion, personalization,
Predicting Phrasing and Accent - Columbia Universityjulia/courses/CS4706/prediction.pdf · • Predicting phrasing • Predicting accent • Future research: emotion, personalization,
Severity and Exploitability Index
Severity and Exploitability Index
Windows Phone 7 Internals and Exploitability - Black Hat | Home
Windows Phone 7 Internals and Exploitability - Black Hat | Home
Predicting Volatility
Predicting Volatility
Predicting Outcome
Predicting Outcome
Uncertainty Estimation and Evaluation of Shallow Aquifers ... › doc › 1323700 › 1323700.pdf · Uncertainty Estimation and Evaluation of Shallow Aquifers’ Exploitability: The
Uncertainty Estimation and Evaluation of Shallow Aquifers ... › doc › 1323700 › 1323700.pdf · Uncertainty Estimation and Evaluation of Shallow Aquifers’ Exploitability: The
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With Predictions
University of South Florida Cyber Security: Authentication ...€¦ · Models for Predicting the Exploitability Statistical models for assessing the risk of a cyber-security risk
University of South Florida Cyber Security: Authentication ...€¦ · Models for Predicting the Exploitability Statistical models for assessing the risk of a cyber-security risk