CG - Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping

BSides Las Vegas · 23:26 · 62 views · Published 2023-10
About this talk
Common Ground, 12:00 Wednesday

Vulnerability management is only as effective as the data driving its prioritization, but critical disparate threat feeds are just out of reach for many. Discover how the Exploit Prediction Scoring System (EPSS) consolidates some of the industry's best threat intelligence so teams can accelerate their vulnerability management maturity and make better decisions faster.

Speaker: Jerry Gamblin
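The consolidation the talk describes, merging the CISA KEV catalog, the CVEs covered by Metasploit modules, and FIRST's EPSS scores into one ranked patch list, as an added example. This is not code from the talk or from patchthis.app. The feed snippets are constructed for the example (the CVE IDs use the fictitious year 2099); the KEV JSON and EPSS CSV field names match the real published files, while the Metasploit CVE set is assumed to have been extracted from the framework's module metadata, which is not shown here. The tiering rule (KEV first, then Metasploit, then EPSS above a threshold) is this example's reading of the talk's "exploitable before probable" ordering.

```python
"""Merge open vulnerability-intelligence feeds into one ranked patch list.

Added example; not the talk's or patchthis.app's code. All inputs below are
constructed sample data, not real feed contents.
"""
import csv
import io
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of CISA's known_exploited_vulnerabilities.json.
# CVE IDs are fictitious placeholders (year 2099).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2023-04-17", "dueDate": "2023-05-08"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCo", "product": "Agent",
     "dateAdded": "2023-06-01", "dueDate": "2023-06-22"},
]})

# Constructed sample in the layout of FIRST's epss_scores-current.csv:
# a leading '#' metadata comment, then a header row.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2023-08-09T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.97565,0.99998
CVE-2099-0002,0.01234,0.84567
CVE-2099-0003,0.45000,0.97123
CVE-2099-0004,0.30000,0.96000
CVE-2099-0006,0.00042,0.08000
"""

# Constructed set of CVEs referenced by Metasploit modules. Assumption: in a
# real pipeline this is extracted from the framework's module metadata.
METASPLOIT_CVES = {"CVE-2099-0001", "CVE-2099-0003", "CVE-2099-0005"}


@dataclass
class Finding:
    cve: str
    tier: int               # 1 = exploited in the wild, 2 = weaponized public exploit, 3 = probable
    epss: Optional[float]   # None when FIRST has not scored the CVE yet
    reasons: tuple
    kev_due_date: str = ""


def parse_kev(text: str) -> dict:
    """Index the KEV catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def parse_epss(text: str) -> dict:
    """Map CVE -> EPSS probability, skipping the '#' metadata line."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def build_patch_list(kev: dict, metasploit_cves: set, epss: dict, epss_threshold: float = 0.1) -> list:
    """Tier 1: in KEV regardless of EPSS. Tier 2: a Metasploit module exists.
    Tier 3: neither, but EPSS >= threshold. Everything else is left off."""
    findings = {}
    for cve, entry in kev.items():
        findings[cve] = Finding(cve, 1, epss.get(cve), ("cisa-kev",), entry["dueDate"])
    for cve in metasploit_cves:
        if cve in findings:
            findings[cve].reasons += ("metasploit",)
        else:
            findings[cve] = Finding(cve, 2, epss.get(cve), ("metasploit",))
    for cve, score in epss.items():
        if cve not in findings and score >= epss_threshold:
            findings[cve] = Finding(cve, 3, score, (f"epss>={epss_threshold}",))
    # Within a tier, highest EPSS first; unscored CVEs sink to the bottom of their tier.
    return sorted(findings.values(),
                  key=lambda f: (f.tier, -(f.epss if f.epss is not None else -1.0)))


def to_csv(findings: list) -> str:
    """Render the ranked list as the CSV a scanner or ticketing tool can ingest."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["cve", "tier", "epss", "reasons", "kev_due_date"])
    for f in findings:
        w.writerow([f.cve, f.tier, "" if f.epss is None else f"{f.epss:.5f}",
                    "|".join(f.reasons), f.kev_due_date])
    return buf.getvalue()


def patch_list_from_feeds(epss_threshold: float = 0.1) -> list:
    return build_patch_list(parse_kev(KEV_JSON), METASPLOIT_CVES, parse_epss(EPSS_CSV), epss_threshold)


if __name__ == "__main__":
    print(to_csv(patch_list_from_feeds()))
```

A KEV entry with a low EPSS score (CVE-2099-0002 above) still lands in tier 1, because observed exploitation outranks a prediction; a Metasploit-covered CVE that FIRST has not scored yet stays on the list rather than being dropped for lack of a number. Raising `epss_threshold` only trims the "probable" tier, never the two "exploitable" tiers.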
Transcript

Hello everybody. So the next talk, the title is Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping. Without further ado, please welcome our speaker, Jerry Gamblin. Over to you.

Thank you, thank you. No need to clap. All right, like she said, we're going to talk about vulnerability intelligence for all, and say goodbye to data gatekeeping. A quick agenda here: we're going to do a quick introduction, we're then going to run through the need for vulnerability intelligence, I'm going to talk about some of the best open-source vulnerability intelligence, and then we're going to go to consolidating vulnerability intelligence. I only have 20 minutes, but the good thing is that when you get out of here you get to go get lunch, so nobody's going to get mad if I finish a little bit early today.

So just to be basically clear here: all organizations have a need for vulnerability intelligence; very few organizations have a need for threat intelligence. Everybody you go to will say, "Oh, you've got to buy a threat intelligence feed." You're a small organization, a couple hundred people, please spend $80,000 on a threat intelligence feed. Most organizations don't need that. Let's break that down. What's the difference between a threat intelligence feed and a vulnerability intelligence feed? A threat intelligence feed gives you all the five W's, right: the who, what, when, where, why and how. Most organizations don't need to care about the who and the why, and that's what you're paying for with a threat intel feed. If you're a midsize college in the Midwest, a bank in the Midwest, something that's not getting attacked every day by an APT, do you really care who or why somebody is deploying a CVE scan? Are you going to be able to do anything about it if you know who this is? The answer to that for most people is no. And when you get to the point of understanding, "I don't need a threat intel feed, I don't need to read about
what the latest hackers from the Russian Federation are doing, or North Korea, or China, or whoever the boogeyman is this year, I just need to work on protecting my network," you can really save your organization a bunch of money.

But let's get in and talk about the need for vulnerability intelligence, because this is an even bigger deal. I've spent basically the last 15 years of my career working on vulnerability management for companies, and I work with a great company called Kenna, and we know that no matter what size your company is, from 500 people to a Fortune 500 company, you can patch about 10% of the vulnerabilities on your network a month. So you're always behind; you're never able to catch up. So what we want to do is help people pick the right 10%. I'll put these slides up on GitHub at the end and you can grab them; they all have the links.

The other thing is that CVE growth looks like this. One of my mini side projects is cve.icu; if you ever just want to see how many CVEs there are, you can go check that out. As of this morning there are 29,100 169 CVEs. That's 24 CVEs a day since 1999, when the CVE list was created. That seems like a lot, but if you just look at this year, we're at 80 unique CVEs per day. When I first started, way back when there were about 20 CVEs a day, I could sit at my desk and go through Bugtraq and figure out which ones I needed to look at and which ones were important to me. I can't do that anymore, and very few companies have the staffing to be able to say, "Hey, monitor all the CVEs, figure out which ones are important to me and which ones we need to patch." So the truth of the matter is, at the end of the day, less than 7% of CVEs ever become exploited. So we know that as this grows, this number is shrinking, but every day people put out CVEs that are only exploitable, you know, in proof of concept, and that's about 20% of them, and then about 60% of all CVEs are just academic CVEs, is what we call them.
Yeah, the vulnerability is there, the code is vulnerable, but they weren't able to produce an exploit to even put on the CVE. They said, "Hey, we're filing this, we think this could happen; in the right circumstances you could patch that."

So here's what everybody needs to think about when you start building out your CVE vulnerability intelligence program. I like to build this out; it's just a little chart. It's the CVE in the middle, and you go how, what, when and where around the side, and you need that for every CVE that's on your network that you expect to be exploited. Here is one that I did for a CVE-2023; it was one of the Google Chrome ones. It just obviously says what's being impacted, Google Chrome; it's been exploited in the wild since the middle of April; it's a network-based vulnerability, so I need to get on it; and it's a type confusion, right? So you get all that information, and that's when you know you need to act. If you build those for all the CVEs you have, then you can start prioritizing what on your network needs to be patched first.

We're going to jump right into open-source vulnerability intelligence. This is where you can go and get some of the best open-source data on the internet, and it's free, and every organization should be using it. And I will tell a little dark secret here: if you're not using this open-source data and you're paying somebody to be a threat intel feed, they're taking this open-source data and feeding it to you and charging you money for it, right? Most of the time it's like, here's 90% open-source stuff, we'll throw 10 or 15% of our own proprietary data in there. But this is where everybody's getting the data.

So first we'll start with the high-quality data: the CISA Known Exploited Vulnerabilities catalog. If you work in the federal government, you know about this one. As of this morning it contains 983 CVEs. The Binding Operational Directive was 22-01, if you're interested in reading what they actually
have to do. The guts of this is that when a CVE is added to this list, the federal government has six months from the date it's added to get it remediated off their network. That's a long lease for them, and there are very few CVEs on there. What I like to tell people to do is that this is a good starting point: if you don't have a vulnerability intelligence program, let's start with the KEV list and make sure that you have all of those removed from your network first, and then we can build out a more substantial list.

The next one here is going to surprise people a little bit: it's Metasploit. It contains over 2,000 CVEs. People ask why I look at Metasploit, and I say Metasploit is the best pen testing framework. It has close to 1,500 known exploits that you're paying your pen testers to use against you. You know the code is valid, so we're going to take those CVEs that we know are in Metasploit and we're going to make sure you have those patched, right? We're using the red team's toolkit against themselves before someone's able to charge you $10,000 to tell you to patch the stuff in Metasploit. So you might as well just cut out the middleman and get right to Metasploit and patch those.

So the next one here is something that I'm very familiar with and very passionate about: it's called EPSS, the Exploit Prediction Scoring System. It's through FIRST.org, which also runs CVSS. What it does is it measures the likelihood of every CVE being exploited in the next 30 days. It's industry supported and backed, and if anybody in here is super interested in vulnerability intelligence, we have a special interest group that meets twice a month; the email is at the bottom. We'd love to have more people. We have an open Slack too; we love to have people join and be part of this discussion. The people who give their data freely to EPSS are Cisco, Shadowserver, GreyNoise, F5, AlienVault and Fortinet. So if you know those companies and you
talk to them, please say thank you for providing this data to the EPSS project to help make the internet secure.

So let's talk about the okay-quality vulnerability intelligence sources. These are ones you're going to need to look at and kind of understand, have a little bit deeper knowledge of what's going on, before you add them to your patch list. So on the left here is Exploit-DB. How many of you guys were alive and working in this industry in the age when Exploit-DB is where you went to get code, right? Like, that was me. But then about 2020, 2019, they kind of fell off a cliff, and people stopped putting their code on Exploit-DB and started putting their code on GitHub. So we just changed where we go to look for PoC code. And just for a baseline I put Metasploit in there, because I love talking about Metasploit, because you know that's a solid baseline, and if there's an exploit, it's going to end up in Metasploit at some point if it's network based. So GitHub is super high volume; it's lower quality, though. And if anybody here is interested in building an LLM project, I would ask you to look at doing this: look at scraping GitHub for PoCs and running it through an LLM to tell you what that PoC does. Because a lot of times in GitHub you'll have something that's labeled a PoC and it's really just a script that's checking to see if it's vulnerable, right? It's just pulling a banner and saying, "Yeah, you're running Apache 2.4.3, you know, you're vulnerable," and that's not the exploit we're looking for; that's just something to tell you. And if there are 50 repos with that in there, most people don't have the time to go through and pick that out. So that's something that we're working on. I know some companies are looking at that, but if you're super interested in large language models, GitHub is a great place to scrape and feed that data.
Exploit-DB is lower quality, older CVEs; the data is still there, so if you're just looking for older CVEs, that's kind of the place to go. Twitter was great; it had CVE Trends, which I loved, that was an amazing project: chatter and real-time vulnerability intel. Everybody knows what happened there, right? That's no longer there, and we're no longer able to use that data. So we're looking for more real-time intelligence too.

So let's talk about consolidating vulnerability intelligence. The goal of consolidating vulnerability intelligence and CVE data is pretty simple. If you look at the big circle, that's all the published CVEs; that's what every security team thinks they need to patch every day. The true thing they need to patch is that 7% circle that sits in the middle. If you want to have perfect accuracy and not waste cycles on your security team, you need to be patching the stuff that's actually exploitable, and after you get all the stuff that's actually exploitable, then you can move out to the probable, right? But we want people working on the stuff that's actually exploitable first, and then move to the probable.

So Monday I flew out here, and I have ADHD, if it's not completely obvious. The rest of this talk was supposed to be about how to consolidate this data and build a patch list for you guys to run and use on your network. I couldn't do that, so I actually just built it for everybody. I launched patchthis.app. This is actually the first time I'm talking about it publicly. It's a combined list of CISA, Metasploit and FIRST.org that runs on a GitHub Action, and it's updated every hour and it pushes to a CSV, for companies of any size to grab that data and check it against what's in their vulnerability management tools, to make sure that they're patching everything that we know is vulnerable or is super likely to become vulnerable in the next 30 days. If you look at the website, it completely looks like I built it on a plane in VS Code, because I built it on a plane in VS Code. I am going to get somebody who actually knows how to build a web page to build it, but it's out there. I would really, really like it if you would share that, if you would push it out on your networks. We're trying to get more people to add to it. Right now I've just added data that I know is super high quality; we're going to go back and start tweaking a little bit and adding some more data, because at the end of the day I want everybody to be secure, and not everybody has threat intelligence money, but everybody should be able to have vulnerability intelligence feeds that are curated and put together this way, so that they can go and help protect their school districts, their libraries, even their for-profit organizations. With that I will take some questions and then we can go eat lunch. So thank you very much for taking time today.

Check, check. Thank you for the presentation, I appreciate it. So I was wondering about the KEV catalog, and do you put any priority on that, the Known Exploited Vulnerabilities catalog from CISA? Do you look at it, let's say, first, or, like you were saying, the little percentage where exploited, known exploited vulnerabilities, do you use that catalog?

Yeah, yeah, KEV is part of the new combined list on patchthis.app. I like CISA KEV. I will say that if you want to get in the weeds, the CISA KEV does have a few local exploits where you have to be at the keyboard, or even at chip level, to make the exploit work. While if you're the federal government you might worry about somebody breaking into your network and soldering a JTAG onto your Snapdragon processors, the local bank, you know, the local high school, probably doesn't have to worry about a threat actor going that far. But it's a good start, right? And if you can patch it, you can patch it.

Thank you. And also with the feed, thank you, because I just found out for our PCI we had to pass a part that we were getting a feed somehow, and so we had to pass that, so thank you for that.

No problem.

Hello, hello. Do you have plans to include Canvas or Core Impact exploits?

Yeah, we can look at those. I just want to make sure that everything we add to the list is actually exploitable, so I want to go through and check it. Like I said, I just built this literally on a plane over the last couple of days, so I just added the stuff I know was highly... I think so; Core Impact is good. And I have to check the license too; that's the other thing. Some of the open-source tools have licenses, but the licenses for their feeds aren't very clear, so I do have some emails out saying, "Hey, is it okay if I add the CVEs that are in your library here?" because I don't want to get in trouble. I don't have lawyers-fighting-corporations money.

Yeah, absolutely, because Canvas and Core Impact have private exploits.

Yeah, yeah, yep. I just want to make sure that everything I share is truly public. Any more questions?

I guess a question on, if you use GitLab's SAST tool, that static application security testing...

Yeah.

Do you think that's reliable, like a good starting point? I don't know if it grabs from CISA or anything else.

Yeah, I'm not sure. I haven't messed with GitLab's. I know GitHub does the same thing, like
everybody is trying to get into this vulnerability intelligence layer and just say, "Hey, here's what you need to patch, here's what's in your repo." That's an amazingly good start. The problem is that we know that if you can only patch 10% of the stuff on your network, you need to know which 10% of the stuff actually needs to be acted upon. It doesn't do good; it locks people up, really. If I go to a dev and say, "Hey, you have 45 libraries in your application that are out of date and have vulnerabilities and they need to be updated," they're going to look at me like a deer in the headlights and say, "We can never do 45, so we're going to do zero instead." What I would prefer to do is to say, "Hey team, there are two high-priority libraries in the application; we need you to get these in the next two sprints," right? And then give them another two, and another two, instead of just giving them the list. And that's what a vulnerability intelligence list is supposed to be able to do for you: to say, hey, if you're only going to work on one to five things, here are the things that you have to work on today that are going to remove the most risk from your environment.

So I guess my key takeaway from your talk is that, you know, the proof of exploit is the most important thing to consider, and not proof of concept.

Yeah, because proof of concept is... I don't know, I have a 14-year-old son who takes Taekwondo, and he comes home, you know, twice a year and says, "Hey, hold your hand just like that and let me show you something really cool." And if I hold my hand just like that, he can flip me or make my shoulder hurt or whatever. I'm like, okay, what are you going to do when you get in a fight? Are you going to say, "Okay, I need you to hold your hand like that"? Right? It just doesn't work. So yeah, proof of concept is cool when you can say, "Hey, if I have root on this Linux machine I can run this script and crash it." Well, okay, you already have root, so it works, but it's not
an exploit. I want to see proof of exploit, where somebody can go from nothing, or a low-privileged user, and make it work, because that's the biggest step, and that's what gets people. Because if you look, it's not stuff with just PoCs out there that's being exploited; it's stuff that gets the PoE.

And I guess a follow-up question is also about, like, vulnerability scoring. Would you still prioritize proof of exploit over, like, CVSS and stuff like that?

Yeah, for sure. You have to realize that CVSS is a static score. It's run through a calculator and it stays the same its whole life, so it never goes back and gets rescored. So yeah, CVSS 4 has an exploitability base in it, but because of the way CVSS works, all CVEs are going to be scored as if an exploit exists. The only thing you can do with that exploit flag is lower the score of a CVSS, which makes it a little less useful.

Awesome, thank you.

Thank you.

I just want to thank you for your contribution on that; it's really awesome.

Oh, no, no problem. And I am looking for people to help, so if you can put in a GitHub issue, or if you use it, just let me know. I'm trying to build it out as best I can. So thank you guys very, very much.

I wanted to bring up the scoring system that CISA put up, the Stakeholder-Specific Vulnerability Categorization. I haven't dived completely into it, but I think it has something to do with the criticality of the assets or the workflow or whatnot. Have you considered that?

Yeah. This is all personal; I'm here on my personal time, so it doesn't... Any scoring method that makes an organization or users sit down and fill out criticality or asset performance to get a score is going to fail in 99% of organizations. I've been in security long enough to know that people have a hard time having a complete inventory of stuff on their network, let alone telling you what the criticality of one machine is versus another machine on their network, right?

Yeah, I agree.
I guess it's time for one more question. Yes, same as the others, thank you so much for looking into this and for your contribution. The question is, for exploitability, what is the recommended way of looking at it? Because, as you mentioned, you know, you can determine that an unprivileged app can get root, right, but other than that, like, what metrics would you look at in the PoC to know if it's exploitable or not?

So after exploitability I look for network connectivity, right? Like, if it's network-based exploitable, that's super high, because 99% of all exploits happen on network-based, so mostly you can go and get rid of everythin