Program Overview

Predicting vulnerability exploitation likelihood is crucial for effective risk analysis and patching prioritization. We present an open-source system for predicting vulnerability exploitation likelihood, building on EPSS. Our approach offers improved interpretability and user control, allowing practitioners to train custom models for specific contexts. Key focus areas include:

Feature utility: We challenge the trend of using complex and uninterpretable models with unwieldy number of features. Our system enables users to train models using customized feature subsets, while also providing an evaluation of each features utility. This empowers users to make informed decisions when tailoring models to their specific needs. Data completeness: We address the issue of missing data using language models (e.g., CVSSv3 vectors or CWE information) and potential human errors in feature values by exploring methods to predict and incorporate missing information, assessing its impact on model performance. Model interpretability: We investigate the balance between model interpretability and performance by comparing various architectures and examining how prediction formatting affects outcomes Temporal relevance: addresses the problem of static models being quickly out-of-date in a rapidly evolving space. This ties into our exploration of lightweight models with refined feature sets, enabling practitioners to update their models more frequently and easily.

We will demonstrate the system's performance and practical applications, aiming to provide a more flexible and transparent approach to vulnerability exploitation prediction.

Speaker: Fredrik Sætran. Bio Coming Soon.

Speaker: Mark Anderson. Bio Coming Soon.

In the rapidly evolving cybersecurity landscape, timely access to comprehensive vulnerability statistics is paramount for organizations and individuals. The CVE.ICU project was conceived to significantly improve access to such critical vulnerability data. This talk will delve into the architecture and development of CVE.ICU.

At the heart of CVE.ICU lies the integration with the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data. We will explore how CVE.ICU harnesses the rich, structured data from NVD to create a user-friendly interface that simplifies the complexity inherent in vulnerability statistics.

A unique aspect of the CVE.ICU project is the utilization of Jupyter Notebook and JupyterBook technologies. Another key to the project's success is the implementation of automated daily builds using GitHub Actions, a feature that ensures the CVE.ICU platform is constantly refreshed with the latest data.

By attending this talk, participants will gain insights into the development and operation of CVE.ICU, and how it stands as a testament to the transformative power of open-source tools and automation in enhancing the accessibility of cyber vulnerability insights.

Speaker: Jerry Gamblin. Bio Coming Soon.

Despite being very valuable, many organizations struggle to adapt external scorings of CVEs (e.g. CVSS, EPSS) to their particular context. While attempting to undertake this, organizations typically spend extensive resources on investigating the same CVE’s. We believe in the potential of combining efforts to collectively learn about CVE impact, and we believe in NCSC-NL's ability to play a central role in this. With a trusted collaboration of organizations we are testing a community-driven machine learning model that scores and prioritizes CVE’s.

In this talk, we would like to discuss the technical components that made our approach possible, the model that was built, and first results and learnings of aggregated community input.

Speaker: Armin Čoralić. Bio Coming Soon.

Speaker: Renout Schoen. Bio Coming Soon.

Vulnerability prioritisation metrics and frameworks typically operate on a per-vulnerability basis but there are inter-vulnerability dynamics which can be leveraged to predict remediation effort. This talk outlines three metrics based on data science that can help support futher prioritisation.

Some metrics (e.g. CVSSv4) include remediation effort but this is per-individual vulnerability. In practice, there are relationships between vulnerabilities which have implications for the efficiency of remediation efforts. This talk discusses additional metrics to predict bang-for-remediation and is a complement to existing prioritisation approaches.

This talk addresses 3 real-world common challenges: (1) backlogs, (2) context-switching and (3) stakeholder relationships and proposes metrics to avoid. This is not an exhaustive list of under-addressed areas but it is a set of representative scenarios where data analytics can support. The concepts are expanded below, each has been assigned a name to make them easier to remember and distinguish.

(1) Batch patch: there may be a significant backlog of vulnerabilities and patching efficiency can be achieved by prioritising those which are easy to patch (covered by existing metrics) and those which patch multiple vulnerabilities at once, this part of the talk discusses the strengths and weaknesses of other prioritisation methods (e.g. CVSS, EPSS, SSVC, VEST, known-exploited) to dovetail with batch-patch predictions.

(2) Remediation flow: For those vulnerabilities requiring more creative remediation solutions, it attempts leverages the velocity of ""flow-states"" and ""deep-work"" to cluster similar vulnerabilities in order that they can be dealt with using recently-acquired skills, knowledge and social networks.

(3) Stakeholder inroads: vulnerability management entails the management of stakeholder relationships with individuals and teams who have diverse and sometimes competing priorities. The remediation effort in practice may significantly depend on the relationship with a (group of) stakeholder(s). Successful vulnerability remediation in one technology-owner's domain may open an opportunity for remediation in a new domain with another stakeholder. This metrics forecasts the stakeholder groups that can be engaged using related remediation activities and seeks to translate this into a ranking metric for prioritisation.

We hope this talk will be of interest to the Vuln4Cast community and would welcome the opportunity to critically discuss these proposed prediction metrics with others.

Speaker: Matilda Rhode. Bio coming soon.

Users responsible for prioritizing remediation efforts have several tools and frameworks available to them: CVSS, EPSS, SSVC, and more. While these all take different approaches, they have one thing in common: they assess the characteristics of a vulnerability in some way, and produce a score or recommendation, so that users can prioritize accordingly. These tools can all be useful, and have their place in vulnerability management, but because they typically focus on the vulnerability, rather than the user, their outputs can lack context, be misunderstood or misused, and may have important caveats.

In this talk, I’ll explore a proof-of-concept framework I've developed to address these problems, with a working title of PRACTICE (Prioritizing Remediation by Aggregating Customized and Tailored Information - a Conceptual Example). Before I get to PRACTICE, I’ll provide some context by briefly walking through CVSS, EPSS, SSVC, the KEV Catalog, CVEMap, and other tools and frameworks in the context of prioritization – discussing the results they produce, their drawbacks, and what they tell (and don't tell) users.

I’ll then move on to the main part of the talk: PRACTICE itself. PRACTICE is an experimental, transparent methodology for remediation prioritization, which takes a novel approach to the problem by putting the user and their unique environment - rather than vulnerabilities and their characteristics - at the center of the issue. It allows highly granular, customized input (via external configuration files, which can also be customized) about a user’s specific environment, priorities, and circumstances relating to a given vulnerability - including attack vectors; security controls and their coverage and configuration; impact; remediation effort and the potential for disruption; and more. All the inputs in each of these categories can be weighted individually, so that users get an informed understanding of how a vulnerability affects them uniquely – therefore enabling them to prioritize on a completely tailored basis.

As for the output, there are no calculations, no scores, and no recommendations. Instead, PRACTICE produces a visual, colour-coded, at-a-glance summary of a user’s answers, providing a simple graphical decision-making aid for how a vulnerability might affect their organization, based on their security posture and priorities in relation to that specific vulnerability. Unlike most other tools and frameworks, the whole idea is that, by design, two organizations might see completely different outputs for the same vulnerability, and can therefore prioritize accordingly.

After walking through the philosophy and design of PRACTICE, I’ll show some demos of prioritizing the remediation of some real vulnerabilities, from the perspectives of some hypothetical organizations with different security postures and priorities; discuss future research efforts and the PRACTICE to-do list; talk about how the PRACTICE approach could work at-scale; and encourage attendees to get involved with contributing to the development of PRACTICE as I continue to think about and build on this proof-of-concept.

Matt Wixey is a senior threat researcher at Sophos, where he conducts and reports on security and threat intelligence research. He previously led cybersecurity R&D capabilities at a professional services firm and a law enforcement agency, digging into emerging attack vectors, vulnerabilities, and new technologies. Matt has presented original research at multiple conferences, including Black Hat USA, Black Hat Europe, DEF CON, ISF Annual Congress, 44Con, and BruCon.

Systems exposed to the Internet are under threat to known-vulnerability exploitation. While informative, vulnerability forecasting does not reflect the associated Internet-traffic. Various solutions aim to quantify and classify Internet traffic towards enabling greater insight into the threats faced. However, the impact of Internet-wide scanning within this topic has received limited attention. This presentation presents a research methodology seeking to quantify the impact of Internet-wide scanning on Internet-exposed systems.

Speaker: Jamie O'Hare: Bio Coming Soon.

This talk will present the recently published EPSS research report (July 30th, 2024) and discuss the future of EPSS. The research explores the prevalence, spread and speed of exploitation activity with several surprises and subsequent insight. It also presents some metrics for vulnerabilities and measures the historical performance of EPSS. Also, this summer we are updating the backend for EPSS and I may touch on some of the data challenges we are experiencing. Finally, I will end with a view and discussion of the future of EPSS.

Jay Jacobs is the Chief Data Scientist at Cyentia Institute, the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST.