predicting exploitability

Download Predicting Exploitability

Post on 22-Jan-2017

622 views

Category:

Internet

0 download

Embed Size (px)

TRANSCRIPT

  • PREDICTING EXPLOITABILITY

    @MROYTMAN

  • Prediction is very difficult, especially about the future.

    -Neils Bohr

  • 3 Types of Data-Driven

  • Too many vulnerabilities.How do we derive risk from vulnerability in a data-driven manner?

    PROBLEM

  • EXPLOITABILITY

    1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

  • EXPLOITABILITY

    1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

  • Analyst Input

    Vulnerability Management Programs Augmenting Data

    RetrospectiveTemporal Score Estimation

    Vulnerability Researchers

  • EXPLOITABILITY

    1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

  • ATTACKERS

    ARE FAST

  • 0 5 10 15 20 25 30 35 40

    CVSS*10

    EDB

    MSP

    EDB+MSP

    Breach*Probability*(%)

    Positive Predictive Value of remediating a vulnerability with property X:

  • DATA OF FUTURE PASTQ: Of my current vulnerabilities, which ones should I remediate?

    A: Old ones with stable, weaponized exploits

  • FUTURE OF DATA PASTQ: A new vulnerability was just released. Do we scramble?

    A:

  • EXPLOITABILITY

    1. RETROSPECTIVE2. REAL-TIME3. PREDICTIVE

  • Machine Learning?

  • Enter: AWS ML

  • 70% Training, 30% Evaluation Split N = 81303

    All Models:

    L2 regularizer

    1 gb

    100 passes over the data

    Receiver operating characteristics for comparisons

  • Model 1: Baseline

    -CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date

  • LMGTFY:

  • Moar Simple?

  • Model 2: Patches-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists

  • Model 3: Affected Software-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists-Vendors-Products

  • Model 4: Words!-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists-Vendors-Products-Description, Ngrams 1-5

  • Model 5: Vulnerability Prevalence-CVSS Base-CVSS Temporal-Remote Code Execution-Availability-Integrity-Confidentiality-Authentication-Access Complexity-Access Vector-Publication Date-Patch Exists-Vendors-Products-Description, Ngrams 1-5-Vulnerability Prevalence-Number of References

  • Moar Simple?

  • Moar Simple?

  • Exploitability

  • -Track Predictions vs. Real Exploits

    -Integrate 20+ BlackHat Exploit Kits - FP reduction?

    -Find better vulnerability descriptions - mine advisories for content? FN reduction?

    Future Work

    -Predict Breaches, not Exploits

    -Attempt Models by Vendor

    -There are probably two exploitation processes here.

  • Thanks!

    @MROYTMAN