Predicting the future: Will this vulnerability be exploited in the wild?

10.Mar.2020
Simon Roe, Product Manager Outpost24
Remember If only 10% of all vulnerabilities have exploits released, and of those, not all go onto being exploited in the wild, risk based vulnerability prioritization provides a risk indicator of those vulnerabilities that are likely to be exploited in the future. The value it brings to security teams is huge – they will not only save time and effort in patching vulnerabilities that aren’t real, they will also reduce the time to patch for truly high risk vulnerabilities and prevent their business from potential attacks.
farsight prediction

Outpost24 FARSIGHT (powered by Cyr3con)

The faculty of looking far ahead’ - the name fitted exactly what we provide our customers with the ability to do. With the launch of Outpost24 Farsight, we move one step closer to a true Risk based vulnerability management solution, empowering our customers to prioritize vulnerabilities that pose a true risk to their business, with trusted insights. 

We are pleased to announce we have entered an agreement with Cyr3con, a US based start-up that uses machine learning to predict the likelihood of a vulnerability being exploited in the wild, to incorporate their threat intelligence feeds into our own Network security assessment solutions. 

 

Accuracy is key

For Enterprises relying on predictive exploit technology, the model’s accuracy is key to providing those early risk warnings on patching. The < Cyr3con Pr1ority model > has been trained (and will continually be trained) over the last three years to reach a 5% false positive rate. This means that in some instances you might focus on a vulnerability because the initial activity around it might suggest its likelihood is increasing, though in reality the excitement and noise surrounding it may die down quickly once analysis of the vulnerability is done within the threat actor community causing the likelihood to decrease.

It’s also important to remember, normal everyday media attention doesn’t impact the vulnerabilities likelihood of exploit. As a result, Enterprises who rely on Farsight are basing their risk strategy on how the Threat actor community responds to a vulnerability release irrespective of any media or vendor noise surrounding its disclosure.

 

It’s all a number game

Farsight risk-based scoring ranges between 1.00 and 38.50 with 1.00 posing no known high risks, compared with any CVE of about 95% of NIST vulnerabilities that go unexploited. However as the algorithm continuously updates and is based on real-time hacker behavior in the wild, users should be aware that this score may increase at any time.

For example, a Farsight score of 25.50 out of 38.50, should be interpreted as 25.5 times more likely to be exploited than a non-rated CVE and poses a medium threat to your business whereas a score of 38.50 is significant. Farsight goes beyond CVSS scoring and uses machine learning data to predict which vulnerabilities malicious actors are or will be interested in over the next 12 months and indicates the high risks which should be prioritized for patching. Farsight likelihood scoring is a dynamic and constantly retrained predictive model to reflect the rapidly changing threat environment for proactive vulnerability management. 

The key determining factors for the likelihood include: chatter in the threat actor community, the presence of exploit code snippets, Proof of concept exploits, hacker framework exploits and real world attacks as well the general makeup of the vulnerability and its CVSS score.

Lets take a look at an example or two to give you an illustration of how FARSIGHT informs our customers.

  • CVE- 2019-0708 – Blue Keep

    Bluekeep was announced May 16th 2019. By close of day the likelihood of exploit was 1.46 – whilst a small increase in likelihood, had an organization been monitoring for upward trending vulnerabilities this would have begun to show itself. The next Major increase was a jump straight to 36.50 on June 3rd in response to analysis highlighting proof of concept exploit being available. The first exploit in the wild was detected on October 23rd, some four and a half months AFTER the risk rating was flagged at its highest - ample time for organizations to patch ahead of an in the wild attack. Has anything happened since? Lessons learnt?

  • CVE- 2020-0601 – Curveball

    When this was announced, it was the first ever disclosure by the NSA, and Microsoft themselves claimed it had a high likelihood of exploitation. Media and many security experts and ethical hackers began to quickly build proof of concept exploits. Let’s see how the risk changed despite the media attention it had received
    • Initial Release: 14th Jan 2020 – Likelihood 1.0
    • 16th Jan 2020 – 12.11 dropped to 11.08
    • 17th Jan 2020 – 17.37 but dropped to 16.57
    • 18th Jan 2020 – ended 23.66
    • 19th Jan 2020 – 23.78
    • 20th Jan 2020 – 25.33
    • 21st Jan 2020 – 24.06
    • 22nd Jan 2020 – 22.18
    • 30th Jan 2020 - 26.55

    This shows the model at work. Designed to ignore the noise of vendor and media spotlight on vulnerabilities but focus entirely on how the threat actor community (amongst other factors) reacts to a release. In this case the highest risk the model suggested was seen on the 28th (26.77) before dropped and holding at 26.55.

    And at the time of writing this blog, the risk is still holding at 26 time more likely than the average vulnerability of being exploited in the wild. So, you should patch, of course, because it has a high risk, but here we can highlight that despite the press announcements and other sources of media attention the model was not predicting an immediate risk but in fact the risk fluctuated over time before settling down.

  • CVE- 2017-5638 - Apache struts

    • First Release: March 2017
    • First Score: April 2017 - 30.50
    • Reached highest score August 13th – 38.50

    An example of a vulnerability from the very infancy of the Machine learning model when it was still less than 12 months old. However, within 1 month of announcement there was enough information for the model to predict a high likelihood of exploitation. And by

    August 2017 the model predicted the highest risk. Equifax made the announcement of their breach in September 2017 claiming it had happened between May and August of that year. Using the predictive exploit likelihood as a measure of when to remediate, its highly possible that organizations had a month’s head start on the exploitation of the vulnerability. It predicted the high likelihood of an exploit a month before the Equifax breach started.

 

How does this help me?

Working in partnership with Cyr3con we have built Outpost24 Farsight to help you predict where you need to focus/ prioritize your remediation efforts BEFORE a vulnerability could be weaponized. Unlike many Vulnerability management vendors who integrate threat intelligence which only provides you with an elevated risk once the wild attack has begun (The fire alarm going off when the building’s already on fire) – it’s a good start but arguably too late. With FARSIGHT the power is in your hands to make a better informed decision depending on your organization’s risk appetite and resource for remediation. Consider the likelihood, if you think 15 or 20 times more likely to be exploited is where your true risk appetite sits, then focus remedial efforts there first and work downwards. Or push it to 30 or drop it to 5 times, there is no right or wrong answer beyond don’t wait for 38 or higher before you patch because it’s likely it has already been successfully exploited in the wild – by then it’s no longer a prediction game but a firefighting game.

 

Empowering security teams with Farsight:

As Gartner explained in 2018, “The urgency to take a risk-based approach has never been greater as organizations become more digital. As the lines between the digital and physical worlds blur, and as more business processes and business outcomes are based on technology dependency, risk has emerged as a critical concern to be addressed”.

Outpost24 FARSIGHT uses a risk based approach and methodology to make the prediction element integrated with network vulnerabilities, whichever risk appetite your business supports. A risk-engaged driven team will support greater transparency, openness with management and better triage of risk acceptance and informed business decision making. FARSIGHT will empower your team by delivering risk-based metrics to allow you to:

  • Focus on risks that are more likely to occur and based on trusted data intelligence
  • Manage risks that have the greatest impact based on risk score
  • Identify and address risk trends disrupting the business
  • Work on things that provide long term benefit
  • Allows you to make better informed risk-based prioritization processes that’s aligned to your organization

 

 

Try Farsight today – request a demo
 
 
 
Source: Gartner CIOs must Implement a Risk-Based Approach to Improve Business Outcomes, Aug 2018

Looking for anything in particular?

Type your search word here