
Open Source Vulnerability Intelligence: A Key To Proactive Defense - Jerry Gamblin

BSides Newcastle · 27:00 · 52 views · Published 2024-01

Good afternoon. We're going to talk about vulnerability intelligence for all and the need to stop gatekeeping in our industry. Well, maybe I'm not, because the remote doesn't work that far away. So this is going to be super simple: we're going to talk about the need for vulnerability intelligence, the best place to get it, and consolidating vulnerability intelligence. They said I have about 30 minutes, so I'm going to do that and then we're going to move on and try to catch up some time for today.

Okay, if you take one thing from this, take this: all organizations need vulnerability intelligence; not all organizations need threat intelligence. Does anybody here know the difference between vulnerability intelligence and threat intelligence? Threat intelligence is what you need if you run a spy agency, or you run an organization with a CEO who likes to shoot off at the mouth on Twitter, or you're a journalist, or whatever. You need everything: you need the who, what, when, why and where. If you're just a regular small organization, like this high school we're in, or a bank, all you need to know about vulnerabilities is the what, when, where and how. But so often organizations get tricked into buying a large threat intelligence product out of their IT security budgets and spend tens of thousands of dollars on the why and the how, and most of the time when your organization is breached it's not a targeted breach, in the fact that somebody is coming to hack your organization individually, like "oh, I really like XYZ Limited in the UK, I'm going to go after them." Most of the time it's "hey, I sell this new vulnerability on the internet, I'm going to spray this at 40,000 people and see who's going to click on it or how I can get in."

A great example of this is this week or last week: if you have an iOS phone, you were told to update two times because Citizen Lab found a vulnerability that they could prove hacked... how many phones? Does anybody know how many phones that Citizen Lab zero-day was used on? One. They have one Egyptian reporter whose iPhone was hacked by a zero-day, and every newspaper in the world basically had a "oh, you have to patch your iOS iPhone now, right, go for it, you've got to do it." At the same time, Google Chrome (does anybody here use Google Chrome? Yeah) had a zero-day that was on everybody's system that was being used by spray-and-pray phishers and hackers and websites, right? So at the end of the day, if you're just reading threat intelligence, keeping up on BleepingComputer or whatever, you're going to think that iOS vulnerability was just as important to your network to patch as that Chrome vulnerability, when in fact that Chrome vulnerability is many, many more times likely to affect your network and be how somebody gets into your network than the iOS vulnerability. So that's why I'm giving this talk, and the need for this intelligence.

So in my previous role I had a startup called Kenna Security. Two years ago we were acquired by Cisco Systems; I'm finishing up some time there and I'm going to then retire. But what we know from my work at Kenna when I was there is that about 5% of all CVEs that are published end up being exploited. That means 95% of CVEs that come out offer between zero and 10% risk to your environment. You don't need to worry about them; they're never going to have vulnerabilities or exploit code come out. You can basically just put them to bed and worry about them when you can. So the thing about vulnerability intelligence is it helps you get into that red circle, because at the end of the day, if you're not completely caught up on all your patching and all your network management, what you want to do is: can I make that red circle any smaller on my network?

So I work with a really great group of data scientists and academics in the United States called the Cyentia Institute, and we did this report two years ago, and we know that no matter what size your organization is, from a small business with 50 employees to one of the largest companies in the world, you can patch about 12 to 15% of all the vulnerabilities on your network a month. You're never going to catch up, and that's because we get into security debt. I think somebody else talked about that earlier: you get one CVE and you can't patch it, so you just leave it, and then you leave it, and then it's six months old and it's 12 months old, and nobody knows if you update this version of Java what it's going to break, so you just never update it, and then you get to the point where you'll never catch up. And this is on top of everything else that has come along to help us, right? Windows automatically updates now, Chrome automatically updates now. So we have a lot of technical debt sitting on our networks that is just old software that people are afraid to patch. How many of you guys have software on your network that you're not allowed to patch because it's going to break something and you don't know what it's going to break? So yeah, we're just never going to look at

that. So this isn't getting any better. Here's a CVE growth trend for the last few years; this is on a website I run called cve.icu, and it updates every day. We are two CVEs under 213,000 CVEs all time. That's 25 CVEs per day spread out since 1999, which doesn't sound very bad. Does anybody have a guess on how many CVEs per day we're having in 2023? We're averaging about 75 CVEs per day being published in 2023. How many of you guys have time to take care of 20 of 75 CVEs every single day? Yeah, awesome. Are you skipping school? Just don't sleep, I see.

So what is CVE intelligence? This is what a CVE intelligence database starts to look like, right: you want to know every CVE, you want to know what it does, how it does it, where it's operated at, and when. So this is this CVE I was talking about earlier, this libwebp CVE from Chrome. It's in Firefox now and it's in Edge, but we know it's Chrome, we know it's libwebp, we know it's a buffer overflow, and we know it's network based. That's super important, right? And we know it's been exploited in the wild since 9/23/23. The thing is, we want this for every CVE, so you start building out a network graph database, and it ends up looking like this. This is a picture of our network graph, right, for all our CVE data inside Cisco, because it's 213,000 nodes long. So you have to have something like this in your network in order to be able to patch. But don't get scared, all right, that's not going to work. So let's talk about open-source vulnerability intelligence and let's save some of those IT budgets that you guys have that you want to

save. So we're going to talk about high-quality sources that you can get for free off the internet today. They include the CISA Known Exploited Vulnerabilities list. This is a US government thing; it started out saying that if you're a federal agency that's public, that's not our Department of Defense or our CIA, NSA, etc., you have to patch these CVEs within 90 days. So these are all free, it's on the internet, you can download it. There are 983 CVEs, it's continually updated, and it's going to be fairly higher than that by the end of the year. We also use Metasploit. All the red teamers will know about this: Metasploit is the framework for popping boxes that have old software on them, but as a blue teamer we use this same list and say, hey, if this is what they're using to get into our networks, this is what we need to defend against. It's super simple. All these are verified; it's all written in Ruby, so you can go and check and make sure that the code is there. ProjectDiscovery Nuclei is an up-and-comer in the same spot as Metasploit; it's something that we're using now too, so if you can grab those, that's great. They have about 2,000 CVEs also. And the next thing is the Exploit Prediction Scoring System. This is something that's near and dear to my heart. When we were at Kenna and we were being acquired by Cisco, we gave FIRST.org, which runs the CVSS project and a couple of other projects, part of our patent to be able to release a number between 0 and 100 for every CVE that's out: the likelihood of it being exploited in the next 30 days. It's a really industry-supported tool; I think we're in close to 60 or 70 different tools now. But this is another free thing that, if your company is looking for vulnerability threat intelligence, you should be using, because it's free and it's updated every day. We get data from Cisco, Fortinet, AlienVault, Cena and F5, right, so all the big network providers are basically giving us IDS and IPS data from their sensors every day so we can decide what CVEs are likely to get exploited. If you're interested in this kind of stuff, please catch me after the talk. We have a security interest group that we have running and it's open to anybody, and we'd love to have more people join and either tell us how they would use the data or how they are using the data. It's a very open community and we'd love to have more people be a part of it.

So let's just talk about the stuff that's okay quality that you can get for free but you might not trust 100%. Exploit-DB: if you worked in the industry before 2015, this is where you went to get your exploits, right? It was the ing list for hackers: if there was code, this is where you put the code, and it was great. We then got to GitHub and it was the same way. GitHub is a great place to find exploit code. If you're ever on the internet and you're like, hey, I'm hearing a lot about this CVE, I wonder if there's an exploit for it, go to github.com, in the search bar type in the CVE number, and if there's a public exploit for it, it'll be there. I like to tell people, they said, why would hackers do that? And I'm like, because hackers like people to talk about them. They're not as mysterious and in the shadows as people want to think; they want the internet credit and, you know, fake internet fame points just like everybody else. So very rarely does a vulnerability get exploited that you can't find the code that they're using on the internet that same

day. We talked about the Exploit Database already; it's older CVEs and it's where to go. Twitter, or X, used to be very, very great at this, and then somebody turned off all the API access, so now we can't get any CVE data from X. So this is where it gets interesting: when you consolidate the vulnerability intelligence. As I talked about earlier, the goal is to just patch the stuff in the red on your network. So I was going to give this talk at BSides Las Vegas at the beginning of the summer, and I was going to tell people how to build this vulnerability intelligence list for use on their network, and I was on a plane and I have ADHD and it was a six-hour flight, so I just decided to build the list and give it to the community. So I started an open-source project called patchthis.app. It's super simple; it's a CSV file, really. It has about 2,300 CVEs in it right now, and if you pull down that list you know that these CVEs are being actively exploited on the internet today, because we bring in the data from CISA, from Metasploit and from FIRST.org that tells us these are being exploited. We consolidate it, we put it in a CSV file, and I post it to the internet every 6 hours. So if you are like, hey, what should I patch today, this is the place you go and you grab it and you know what's being actively exploited. From there you can then run it down to, hey, what do I have on my network, what have I already patched? But this is the same thing companies are charging tens of thousands of dollars for, and it took me eight hours and some GitHub Actions to build and to give back to the community. So that's really what I wanted to do. This talk wasn't very in depth, but I hope you guys can use this software, and I'm open to ideas. I will redesign the website; the web page is something I wrote on a plane, so it looks like I learned HTML in 2002 at a university in Missouri, and I learned HTML in 2002 at a university in Missouri, so congratulations. But if you have any issues or if you have questions, please let me know what I could add to it or what you need to see or how I can make it more useful for your organization. This is something I plan on working on in my retirement as a way to give back to the community, so I'm open to any ideas and thoughts you guys may have, and with that I will take questions, comments and

[Applause] jokes. Yes, sir?

Oh, I'm probably going to invest in new security startups. So if you guys have any security startups you're wanting to start, or know any VCs in the area, please let me know, I'd love to chat with them. But I don't know after that.

I'm going to feel really old saying this, but LinkedIn has really picked up on the community aspect, because Twitter was a big source of data for both EPSS and action for our tools that we sell, and it just fell off, and we're looking now at LinkedIn as the second best source of vulnerability intelligence on the internet. The problem with LinkedIn, like Twitter and like everything else, is that they're trying to stop the AI bots, so they're charging for their API too. You know, if you want to blame anybody for the death of the free API, OpenAI is who you should point your finger at, because they spent the last year and a half just scraping everything they could off the internet, and it's really kind of changed the way smaller organizations and people can collect data off the internet, because nobody wants their data to be used to train an LLM without getting compensated for it. Yes, ma'am?

Yeah. I don't know; I spent more time last week talking to customers about that than I wanted to. I'll give you the rundown now: Google released a new CVE for it, 51963 I think, and then two days later it was rejected by Google. So yeah, they released another CVE to cover all those use cases that you were talking about, and then they rejected that CVE, so now we're all in limbo trying to figure out, A, if it's true that the libwebp vulnerability does affect all of those applications, and, B, what are they going to do to fix it. So I'm in the same boat as you; I don't have a crystal ball, but I'm kind of interested in seeing how this plays out.

Yes?

Yeah, that's an interesting question. It really should be in the description how it's supposed to be exploited, but oftentimes it's not. When we see that, we actually go back to the CNA, the CVE Numbering Authority, and ask them to clarify the description. If you can't do that, or if you're just an end user, the best way to do it is you need to have a risk register where you put in there, hey, we looked at this, it has to be configured in X way to be exploited and we're not configured that way, so we're downgrading this vulnerability from high to medium or low and we'll get to patching it during our normal patch schedule.

Yes, so sorry, what was the end of the question? I'm sorry. Yeah, yeah, yeah, I have, but I'm just as bad at Jekyll as HTML, and HTML was just easier. But yeah, I could switch to something that's templated; that would be a better idea. Yes?

Yep.

Okay, yeah. So it has to be added to either Metasploit, and if it's added to Metasploit it has to have actual code in there. We do trust CISA KEV with no further verification, so if they add it to their list, it's normally high enough verification that there is a vulnerability out there that it just gets added straight. And then we use the EPSS list at above 95%, right, so there's still a lot on there, but we're just trying to make this list as small as we can without overdoing it, so it's really finely tuned. And what I tell people is this isn't the end of the list. If you get to this point and you've got all of these patched, you're doing the bare minimum, and then I can help you build a list that's more complete, but this is just where you start if you can't get anything done.

That really depends on what vulnerability scanner you're running. Some vulnerability scanners allow you to import a CSV file of high priorities and it'll flag it for you, but a lot of times, sadly, it'll just have to be Excel work, right, where you say here are the CVEs, I have to run these against Nessus or Rapid7 or Qualys or whatever you have and do that matching up manually. I haven't got to that point yet, and maybe I will get to that point where I'll sit down and try to build a tool that'll help do that matching, but as of now it's just a flat feed.

Maybe they should. I'll talk to some of them, because they're part of the EPSS and they know about the project, but we'll see. I think that vulnerability scanners are a little hesitant to let people bring in third-party data because they sell add-ons to their data now, so they don't want you to buy somebody else's data and put it in there, and if they're like, oh, you put the free data in there, they'll be like, oh, you've got to put my threat intelligence in there that I charge 100 bucks a month for, or whatever. It's just a slippery slope.

How do we do with CVEs that get their score

raised? Yeah, yep. That's more and more common. There's a company called VulDB that has gamified CVEs, and they give you points and they have a leaderboard: if you file CVEs you get points, and it's gamified, and I know this is going on the internet, but they produce medium- to low-quality CVEs all the time, and we get this problem all the time. The truth is everybody wants the CVE database to be perfect, but I talk to people and I tell them, hey, my big data set has 213,000 records in it and maybe 5% of them are crap, and they laugh at me because they're like, I deal with a billion NetFlow logs a day, or my syslog system gets 4 million hits a day. So we're still working with a very, very tiny data set overall. But yeah, we're at a point now where you have to have a risk management way to say, hey, this CVE is just crap and we're just not going to work on it, we're not going to patch it. And if you find one of those and it's just outrageous and you have five extra minutes, both the NVD and MITRE have emails, and you as just a user can say, hey, this doesn't make sense, this isn't real, and nine times out of 10 they'll reject the CVE or mark it as disputed just with community input. So if you see one and you're like, oh, this is the dumbest CVE I've ever seen, I would suggest you reach out to NVD or to NIST and have it marked as disputed.

All right, yes? No, no, I've played around with it. I'm trying to figure out how to be politically correct here. Yeah, CVSS version 4. So the deal with CVSS is they always assume the worst has happened, right? So they put in an exploit factor vector and a couple of other vectors. The problem is those vectors are always set to true from the beginning, so if you have a CVE and it's one of the dumb CVEs that we were just talking about, the CVSS 4 score is going to have it marked from day one as having working exploit code on the internet and as being exploited, right? So all you can do is you have to take that CVE and rescore the CVSS 4.0 in your own network and lower the score. So lowering the score on 97% of all CVEs is going to be a headache for most people, and they're just going to leave it. I fought hard; I have email after email where I told them that you're doing it backwards, but they're really stuck on wanting CVE to be the worst, or CVSS 4.0 to represent the worst-case scenario. So everything in CVSS 4.0 is set to true and you have to go back and walk the score down yourself on your network. So that's my issue with CVSS version 4.0. The team that worked on it put in a lot of time and a lot of thought; we just have different thoughts on what makes something exploitable and how you should grade something on release, and we're never going to get to the same place. CVSS 4 is an advantage over CVSS 3.1, though; that's my positive spin on the question. Thank you guys very much. Thank you. Yeah.
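The consolidation rule the speaker describes in the Q&A (CISA KEV trusted as-is, any CVE with a Metasploit module, and EPSS at or above 95%) in working form, as an added example that is not code from the talk or from the patchthis.app project. The three feeds are constructed stand-ins embedded inline (the real KEV feed is a JSON list with `cveID`/`dateAdded` keys and the real EPSS feed is a CSV with `cve,epss,percentile` columns; nothing here is real feed content). The function names `consolidate` and `to_csv`, the `|`-joined `sources` column and the handling of a malformed EPSS row are this example's own choices.

```python
"""Consolidate free vulnerability-intelligence feeds into one 'patch this' list.

Added example; not code from the talk or from the patchthis.app project.
Inclusion rule, as described in the talk: a CVE goes on the list if it is in
CISA KEV, is referenced by a Metasploit module, or has an EPSS score of 0.95
or higher. Every feed below is constructed sample data, not real feed content.
"""
import csv
import io

EPSS_THRESHOLD = 0.95  # the talk's "above 95%" cutoff

# Constructed stand-in for the CISA KEV JSON feed (keys mirror the real feed).
SAMPLE_KEV = [
    {"cveID": "CVE-2023-0001", "dateAdded": "2023-09-13"},
    {"cveID": "cve-2023-0002", "dateAdded": "2023-09-20"},  # lowercase on purpose
]
# Constructed stand-in for the CVE references pulled from Metasploit modules.
SAMPLE_METASPLOIT_CVES = {"CVE-2023-0002", "CVE-2022-0003"}
# Constructed stand-in for EPSS CSV rows (real feed columns: cve,epss,percentile).
SAMPLE_EPSS = [
    {"cve": "CVE-2023-0001", "epss": "0.97"},
    {"cve": "CVE-2022-0003", "epss": "0.12"},
    {"cve": "CVE-2021-0004", "epss": "0.96"},
    {"cve": "CVE-2020-0005", "epss": "0.40"},
    {"cve": "CVE-2019-0006", "epss": "not-a-number"},  # malformed row
]


def consolidate(kev_rows, metasploit_cves, epss_rows, threshold=EPSS_THRESHOLD):
    """Merge the feeds into {cve: {"sources": set, "epss": float|None, "kev_added": str|None}}."""
    entries = {}

    def entry(cve_id):
        return entries.setdefault(
            cve_id, {"sources": set(), "epss": None, "kev_added": None}
        )

    # KEV: trusted as-is, no further verification (as the talk describes).
    for row in kev_rows:
        rec = entry(row["cveID"].upper())
        rec["sources"].add("cisa_kev")
        rec["kev_added"] = row.get("dateAdded")

    # Metasploit: a module with working code exists for the CVE.
    for cve_id in metasploit_cves:
        entry(cve_id.upper())["sources"].add("metasploit")

    # EPSS: only scores at or above the cutoff qualify on their own; lower
    # scores are still recorded for CVEs already listed by another source.
    for row in epss_rows:
        cve_id = row["cve"].upper()
        try:
            score = float(row["epss"])
        except (KeyError, ValueError):
            continue  # a malformed feed row must not abort the whole build
        if score >= threshold:
            rec = entry(cve_id)
            rec["sources"].add("epss")
            rec["epss"] = score
        elif cve_id in entries:
            entries[cve_id]["epss"] = score
    return entries


def to_csv(entries):
    """Render the consolidated entries as CSV text, one CVE per row, sorted by ID."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["cve", "sources", "epss", "kev_date_added"])
    for cve_id in sorted(entries):
        rec = entries[cve_id]
        writer.writerow([
            cve_id,
            "|".join(sorted(rec["sources"])),
            "" if rec["epss"] is None else rec["epss"],
            rec["kev_added"] or "",
        ])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(consolidate(SAMPLE_KEV, SAMPLE_METASPLOIT_CVES, SAMPLE_EPSS)), end="")
```

The `sources` column is what makes the list reviewable: a CVE that is only on it because of an EPSS score can be rechecked against the risk register the speaker mentions, while a KEV entry carries its `dateAdded` so the 90-day clock is visible. The CSV is the flat feed the speaker describes, ready for the matching against a scanner export that he says is still Excel work.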