Bsides SP 2022 - EPSS - Final.pptx
Download as PPTX, PDF0 likes552 views
The document discusses the Exploit Prediction Scoring System (EPSS) as a data-driven approach to evaluate the likelihood of software vulnerabilities being exploited. It contrasts EPSS with the Common Vulnerability Scoring System (CVSS), emphasizing challenges in vulnerability management and the importance of contextual prioritization. The authors advocate for focusing on significant vulnerabilities rather than solely relying on quantitative scores.
More Related Content
Similar to Bsides SP 2022 - EPSS - Final.pptx (20)
More from Clavis Segurança da Informação (20)
Bsides SP 2022 - EPSS - Final.pptx
- 1. Exploit Prediction Scoring System (EPSS) Leonardo Pinheiro Head of Product Rodrigo Montoro Head of Threat & Detection Research @spookerlabs
- 2. About us Clavis Segurança da Informação ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting Rodrigo Montoro ● Head of Product at Clavis Security ● Living in Campinas ● Electrical Engineering at Unicamp with AI Specialization at Texas Tech University ● International work experience / exchange ● Software engineer by nature, Business developer by passion ● Gym Addicted Leonardo Pinheiro
- 3. Motivation
- 4. AGENDA Common Vulnerabilities and Exposures (CVE) & Common Vulnerability Scoring System v3 (CVSS) Vulnerability Management & Challenges Exploit Prediction Scoring System (EPSS) 1 1 Real world use and analysis 1 Conclusions
- 5. 5 Clavis Segurança da Informação Common Vulnerability and Exposures (CVE) & Common Vulnerability Scoring System (CVSS)
- 6. What is a vulnerability ? Clavis Segurança da Informação Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A code or tool used to take advantage of a vulnerability is called an exploit. source: https://csrc.nist.gov/glossary/term/vulnerability
- 7. Common Vulnerability Exposure (CVE) Clavis Segurança da Informação source: https://www.ondeso.com/wp-content/uploads/2020/09/cve-summary-freebie-ondeso.pdf
- 8. Some statistics about vulnerabilities (CVE) Clavis Segurança da Informação Source: https://www.cvedetails.com/browse-by-date.php
- 9. Top 25 vendors Clavis Segurança da Informação Source:https://www.cvedetails.com/top-50-vendors.php
- 10. Common Vulnerability Scoring System (CVSS) Clavis Segurança da Informação The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental. source: https://nvd.nist.gov/vuln-metrics/cvss https://www.first.org/cvss/calculator/3.0
- 11. How is calculate CVSS v3 ? Clavis Segurança da Informação
- 12. Base calculation sample Clavis Segurança da Informação
- 13. Some statistics Clavis Segurança da Informação source: https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=1999-01-01&enddate=2022-11-11 Baixa Médio Alto Critico Nem tudo é crítico
- 14. Top 25 vendors 2022 Clavis Segurança da Informação Source:https://www.cvedetails.com/top-50-vendors.php
- 15. 15 Clavis Segurança da Informação Vulnerability Management & Challenges
- 16. What is vulnerability management ? Clavis Segurança da Informação source: https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/ Most companies prioritize vulnerabilities based on volume rather than business risk One of the biggest challenges in Continuous Vulnerability Management is not only mapping existing vulnerabilities within the park, but also where to start solving the problem
- 17. Challenge - How to prioritize ? Clavis Segurança da Informação
- 18. Not always CVSS higher means bigger problems Clavis Segurança da Informação Impact Probability
- 19. 19 Clavis Segurança da Informação Exploit Prediction Scoring System (EPSS)
- 20. Motivation around EPSS Clavis Segurança da Informação Past research has shown that firms are able to fix between 5% and 20% of known vulnerabilities per month. Secondly, only a small subset (2%-7% of published vulnerabilities are ever seen to be exploited in the wild)
- 21. What is EPSS ? Clavis Segurança da Informação The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days).
- 22. EPSS | Data Architecture Clavis Segurança da Informação MITRE’s CVE List “Tags” Days published Published Exploit Security Scanners CVSS v3 Vector Vendor Real Attacks XG Boost | Poisson Regression EPSS
- 23. EPSS | Log4Shell Example Clavis Segurança da Informação
- 24. EPSS Model performance Clavis Segurança da Informação Coverage => number of exploited vulnerabilities prioritized (TP) divided by the total number of exploited vulnerabilities (TP + FN) Efficiency => number of exploited vulnerabilities prioritized (TP) divided by the total number of prioritized vulnerabilities (TP+FP).
- 25. Evolution (CVSSv3, EPSSv1 & EPSSv2) Clavis Segurança da Informação
- 26. EPSS Data Driven (part of) sources Clavis Segurança da Informação
- 27. CVSS versus EPSS Clavis Segurança da Informação
- 28. EPSS x CVSS Clavis Segurança da Informação CVE 2019-11580 Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. CVE 2017-0061 A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
- 29. 29 Clavis Segurança da Informação Real world data analysis
- 30. Analysis … Clavis Segurança da Informação Variação da volumetria baseado na criticidade Of the 40,037 critical vulnerabilities, 2,000 have an EPSS > 0.9
- 31. Analysis | CVSS X EPSS Clavis Segurança da Informação Prioritize Deprioritize
- 32. Analysis | Priorização Clavis Segurança da Informação Vulnerability CVSS Microsoft Internet Explorer Unsupported Version Detection 10 SSL Version 2 and 3 Protocol Detection 9,8 Microsoft XML Parser (MSXML) and XML Core Services Unsupported 10 Google Chrome < 107.0.5304.110 Multiple Vulnerabilities 9,6 FortiClient Windows Unquoted Service Path vulnerability(FG-IR-19-281) 10 Vulnerability CVSS EPSS Apache < 2.4.49 Multiple Vulnerabilities 10 0.97 Apache Tomcat AJP Connector Request Injection (Ghostcat) 9.8 0.96 Windows Server 2012 June 2017 Security Updates 9.8 0.96 Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725) 9.8 0.96 KB4499175: Windows 7 and Windows Server 2008 R2 May 2019 Security Update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (BlueKeep) 9.8 0.96 Prioritization based on CVSS and volumetry Prioritization based on EPSS and CVSS
- 33. 33 Clavis Segurança da Informação Conclusions
- 34. Conclusions Clavis Segurança da Informação ● Prioritization is hard, make your life easier ● You won't get everything fix ● Fix what really matters ● Add other contexts to prioritization ● Don't rely ONLY on EPSS
Editor's Notes
- #6: Vulnerabilities (CVE) & Common Vulnerability Scoring System v3 (CVSS)
- #7: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #8: https://www.ondeso.com/wp-content/uploads/2020/09/cve-summary-freebie-ondeso.pdf
- #9: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #10: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #11: https://nvd.nist.gov/vuln-metrics/cvss
- #12: https://www.first.org/cvss/v3.0/specification-document#1-2-Scoring
- #13: https://www.first.org/cvss/v3.0/specification-document#1-2-Scoring
- #14: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #15: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #17: source: https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/
- #18: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #19: https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
- #25: https://www.first.org/epss/model
- #26: https://www.cyentia.com/epss-version-2-is-out/
- #27: https://www.first.org/epss/model