Predicting exploitability for a vulnerability as first step towards weaponization
Every piece of code is a potential source of vulnerabilities. This could be operating systems, containers, databases, web servers and the list just goes on. It also includes hardware devices like L2 / L3 network devices, healthcare devices, IOT devices and more. To further compound things, the rate at which vulnerabilities are discovered is growing every year. The chart below reflects the trend observed…
Note that not all vulnerabilities make it to NVD and do not have a CVE number assigned. Our observation at ThreatWatch (TW) is that this is especially true for Free Open Source Software (FOSS). The above charts callouts the vulnerabilities which do not have presence in NVD and don’t have a CVE number assigned. Interesting to note that these “No CVE assigned” vulnerabilities have an upward trend over the years as well.
It is important to note that though the number of vulnerabilities discovered are fairly high and growing, not every vulnerability is weaponized. For a vulnerability to be weaponized, it should either have a known exploit or high probability of being exploitable. For the former i.e. known exploit for a vulnerability, things are easier. However how can one deduce what is the probability of a vulnerability being exploitable in the absence of any known exploits. This is crucial since how quickly the vulnerability can be weaponized into say a malware is directly related to its exploitability, read more in our earlier blog. We at ThreatWatch (TW) have been researching this to build a ML / AI model to determine this i.e. probability of a vulnerability being exploitable.
Ask any ML expert and the key thing is to curate the right data set to train & test the model. We leveraged our “Vulnerability Database” to identify relevant data to be used for training the ML model. Next part was to identify the right attributes of a vulnerability which affect exploitability aka features in ML parlance. Some obvious attributes which translate to features for the ML model are as below:
- Common Vulnerability Scoring System (CVSS) base metrics from CVSS vector
- Access Vector – How can the vulnerability be exploited – Remote, Adjacent network or Locally only?
- Access Complexity – How easy is the vulnerability to exploit? Does it require any special conditions to be satisfied or is it relatively straightforward?
- Authentication – Does the user need to be authenticated (single or multiple times) or not authenticated at all?
- Common Weakness Enumeration (CWE ) or vulnerability type – Certain types of attack vectors lend themselves better from exploitability angle.
- And more…
These features need to be correlated while making a decision on exploitability. For example a vulnerability that can be attacked remotely over the network is more valuable than a vulnerability which requires the attacker to be on the local network. Similarly an attacker would like to exploit a vulnerability which does not require any authentication for the attack. Similarly a vulnerability which has no special conditions is a better candidate. Now loop in the other features in the mix for a perfect recipe.
Our ML model is a Neural Network which can predict exploitable vulnerabilities with an accuracy upward of 95%. This will make it easier to look for “ the needle in the haystack”. Couple this with:
- TW ML based vulnerability scoring for better prioritization. This is important since TW is able to discover vulnerabilities much sooner and these typically lack CVSS details. The predicted CVSS details aid in prioritization for organization (read more here)
- TW Actionable Insights which automatically classifies vulnerability impacts into “Do Now” versus “Do Later” buckets (read more here)
This provides a complete and perfect solution for ThreatWatch users.
Interested in knowing more about how your organization can benefit from this and improve your security posture, write to us at firstname.lastname@example.org, Or better simply take us for a spin by leveraging our Free Tier directly for a first-hand experience.