
BSides SP 2025 - De Dados a Decisões - O Papel da CTI na Mitigação de Riscos de Vulnerabilidades

BSides São Paulo · 27:11 · 127 views · Published 2025-06
About this talk
Title: From Data to Decisions: The Role of CTI in Mitigating Vulnerability Risk. Abstract: In this talk we explore how Cyber Threat Intelligence (CTI) turns raw data about cyber threats into strategic decisions that strengthen organizational security. We discuss how vulnerability analysis, combined with actionable insights, can be used to anticipate risks, prioritize remediation and mitigate impact. Learn how to align your security strategy with threat intelligence to make better-informed, proactive decisions in the fight against vulnerabilities. Speaker: Álvaro Farias Jr
Transcript [en]

- Good afternoon, everyone. How are you?

Well, first of all, let me introduce myself. My name is Alvaro. I work with CTI at Logico IT. I am a specialist in threat prevention. I have a degree in information systems and a postgraduate degree in cybersecurity, plus some certifications, including Security+ and SCALCIO's CTI. Today's theme is "From Data to Decisions: The Role of CTI in Mitigating Vulnerability Risk". The idea here is to show how we can make vulnerability management more assertive with CTI data.

First of all, I would like to give you an overview. In 2023, 4,692 global attacks were registered. Obviously the real number is much higher; we know that those who are attacked don't always raise their hand to say so. So we estimate an increase of 13%, and each attack like this costs about 2 million dollars. That's a lot of money.

Who here works with vulnerability management? Have you ever received on WhatsApp a super vulnerability, a new CVE, a new RCE, a zero-day, that you have to drop everything to fix? Well, we get this all the time, right? But what is common to all of this? We realize that we are always receiving it via notification, and everything is a priority. The new zero-day is a priority, the new RCE is a priority, and then suddenly your CISO, your manager, gets in touch with you and says: "Dude, a new CVE has just been released. Run the vulnerability scan, run Nmap, run Qualys, run Tenable, run whatever you have, and check whether we have this vulnerability. If we do, let's fix it now." We mobilize the whole infrastructure team. "Guys, let's open a GMUD (a change request) to fix this, it's a priority." But is it really a priority? Are we looking at this vulnerability the way we should? WhatsApp is becoming the new SIEM, right? Who has noticed that? WhatsApp is becoming the new SIEM. We receive everything through WhatsApp notifications, the way your boss sends it: "Dude, there's this new vulnerability, this new CVE, it has to be fixed now." He just passes it on.

An example of all this (the screenshot is a little dark here): this CVE came out on April 1st. I got into a group and started watching the bubble around it grow. Then people started testing it and said: "Dude, it's a prank, it's April Fools' Day." It affected all Linux platforms. Everyone started moving, started running, and it turned into a bubble. And it wasn't a prank; it really was a vulnerability.

I'll tell you a story. I was recently in a meeting with potential clients, and the guy said: "Dude, every day I have 50 new vulnerabilities. My team fixes 50 a month. For me, vulnerability management is drying ice." You hear this frequently: "Vulnerability management is drying ice." "Vulnerability management is drying ice." And I answered him: "Man, vulnerability management only looks like drying ice when we don't prioritize it correctly. With the right focus, it stops putting out fires and starts preventing fires and explosions."

For those who don't know, a CVE is a way of identifying a vulnerability. It is known worldwide: 50 to 100 new CVEs per day, which is a lot of CVEs. More than 13,000 CVEs are estimated per year. That's a lot of vulnerabilities.

But how are we going to prioritize all this? How do we prioritize more assertively, without so much effort and so much work, so that these vulnerabilities actually get fixed? Well, there are some frameworks in use. CVSS, who knows CVSS? Who uses CVSS to prioritize vulnerabilities? EPSS, KEV and SSVC. I'll talk a little about each one here.

CVSS is a standard, now maintained by FIRST. It is a score from 0 to 10 that indicates how critical the vulnerability is for the environment. However, CVSS has its limitations. It is a static score, so it can't predict the probability that the vulnerability will actually be exploited. And CVSS is not a prioritization method. For those who use CVSS alone, there is no prioritization metric.

Then we have EPSS. EPSS is a widely used framework, also maintained by FIRST, and it is a probability-based system: it gives the probability, over a 30-day window, of the vulnerability being attacked, being exploited. The score goes from 0 to 100; the higher, the greater the probability. EPSS is great, and its limitation is exactly that it is predictive. In the same way that this is a gain, it ends up being a limitation, because we can't predict a vulnerability that is new, a zero-day, for example. So there is this limitation in EPSS.

And here is a CVE that made a hell of a noise, which was the curl CVE. Who ran to fix this vulnerability? Do you remember it or not? It was a curl vulnerability, it came out with a CVSS of 9.8, totally critical. Based on CVSS, you had to run and fix it as fast as possible. But this vulnerability was only really critical if it was associated with a protocol called SOCKS, which is a communication protocol. If that wasn't in use, it had an EPSS of 0.00396. In other words, it was a vulnerability that was very little exploited.

Then we have the CISA catalog. The CISA catalog is the KEV. In this catalog are the vulnerabilities under active exploitation, the vulnerabilities that are part of some ransomware campaign. Well used, well applied, but it is reactive: it's a list of vulnerabilities that are already being exploited, so it ends up having some limitations.

Then we have SSVC, a methodology based on a decision tree. SSVC is very effective; however, you have to know the environment as a whole. And in an environment where a CMDB, or even an inventory list, is a rarity today, it ends up being very complicated to use. And to do all this I need to know who my crown jewels are, which machines are, monetarily speaking, worth money to the company. If this machine stops, how much will the company lose, monetarily speaking? The board up front wants to know about money; it doesn't know what CVSS is. How do we calculate how much is lost if this machine stops, if an e-commerce site, if a database tied to an e-commerce site stops for an hour? Well, we have to answer these questions and classify this precisely in order to have a more effective level of prioritization.

Well, I don't know why this photo is here, Baby Maia, my daughter, I think she helped me, sorry. So let's move on to the maturity part of vulnerability management. Real maturity lies in saying what does not need to be fixed now, at this moment. So we consider an organization to be of low maturity when it relies only on CVSS plus publication date.

That's the guy who is, in fact, drying ice. Medium maturity is the guy who already looks at the vulnerability's exploitability level and at the KEV list. And the guy who looks at CVSS, EPSS and KEV, takes the internal context, knows who the crown jewels are, and adds intelligence data, that's the mature one.

Does every CVE represent a risk to my environment? Let's take a look. They are classified in the NVD, and there are more than 293,000 vulnerabilities in the NVD; the number is already past that. If we take these 293,000, more than 25,000 have a CVSS greater than 9: high exploitability. If you prioritize on that alone, you have 25,000 vulnerabilities to look at. If we look at the exploitability level, which is EPSS, we have more than 13,000 above 0.2, which is the threshold FIRST recommends we look at. And within the KEV list we have about 1,335. Many vulnerabilities that are being exploited are not on the KEV list. And if we bring in the context: CVSS, the exploitability level, KEV, CTI, but also the internal context, where do we end up? What do we do? Well, the idea of adding CTI is to check which groups are attacking widely, which TTPs are being used, and associate those TTPs with the CVEs these groups are using.

This is a quote I took from Carnegie Mellon University, which I think is a great definition of vulnerability management together with CTI: "Cyber intelligence is the acquisition, processing, analysis and dissemination of information that identifies, tracks and prevents threats, risks and opportunities in the cyber domain to improve decision-making."

Here is an example of TTPs used by the groups LockBit, RansomHub, Akira, Play and Hunters. For example, TTP T1562.002 relates to Windows event logging and was being used by the BlackLotus campaign. If I have a client in retail, for example, and this guy has this CVE and we identify that it is being exploited, obviously I start prioritizing it. Another TTP is T1053.005, Windows Task Scheduler, with the driver vulnerabilities tied to a CVE. The next one, Command and Scripting Interpreter, which we can execute via a PowerShell script: it's remote code execution. And finally, this control to install a root certificate, which, besides allowing remote execution, can be used to install unauthorized certificates. So by mapping all these TTPs we can actually predict which vulnerability will be attacked in several sectors.

Here I have an interesting slide. In 2024 we entered the top 10, the top 10 countries most attacked by ransomware. Compared with 2023 we had a 65% increase. A lot. And then the groups that attack Brazil the most. Who are they? In first place, RansomHub, with 541 attacks worldwide, 25 of them in Brazil. Here, on the side, we mapped the CVEs the group uses most, the target sectors, starting with professional services, consumer, information technology, health and manufacturing, and the countries it prefers to attack: the United States, the United Kingdom, Brazil in third, Italy in fourth, Australia in fifth.

Here we built a prioritization matrix showing some CVEs which, in a typical environment, would not be prioritized but are widely attacked by the group. For example, this CVE, the one ending in 3519, is an RCE related to Citrix. It is not on the KEV list. Its CVSS is 8.7, which is high, and its exploitability level is 80%. But it would not be treated as a critical vulnerability. This other CVE is the same thing: the exploitability level goes down a little, 70%, CVSS of 7.9, and it is also not on the KEV list. In other words, it's a vulnerability widely exploited by RansomHub, but the guy who is dealing only with CVSS might not prioritize it.

Next group, Akira. Akira had 257 attacks in 2024, 10 of them in Brazil. It's worth stressing that this number is actually low, but again, this is the little friend who raised his hand and said he was attacked. We know there were several who didn't raise their hand, and the majority didn't say they were attacked, precisely because they pay, and so on. That's a topic for another talk. The main CVEs used by the group, the top five, the main services, the main targets: the United States, the United Kingdom, Canada, Germany and Australia. And here again we go to the prioritization and see that some of these CVEs are not listed in the KEV and, in a way, have a low exploitability level.

And here we have LockBit, with 553 attacks worldwide, 8 of them in Brazil. The CVEs most used by the group, the main target sectors, the main countries, the United States again leading. And here, again, some CVEs we would not prioritize, because we are prioritizing in the wrong way.

And here I bring you a view of how these vulnerabilities should actually be prioritized. We added two other prioritization columns: relevant CTI and critical asset, that is, who my crown jewels are, my important assets in the environment. CTI is relevant if this CVE is being widely exploited by a group in a given sector. So those vulnerabilities I showed there were all high and low, if I'm not mistaken. Three of them are now considered critical, because it's a score we built: each of these items has a weight. One as high and one as medium. Let me go back here. From that, we create a score scale, okay? More than 85% is considered critical, so we stop for a remediation sprint precisely to fix that vulnerability. High, we can plan it, open a GMUD to fix it. Medium is a vulnerability we can patch through a patching routine. And low is a vulnerability that, in a way, we can leave there and wait.

Here is the funnel we use for everything we do in the area. We map all the IOCs and TTPs, as they manifest themselves in legitimate tools within the systems. We extract these IOCs: hashes, IPs, domains, URLs. It collects the TTPs, correlates them with CVEs, threat reports and open feeds, and correlates them with known campaigns. In other words, for a threat actor targeting the retail sector, we build this whole campaign picture, this whole relationship, precisely to fix these vulnerabilities for each individual, for each organization, and then prioritize each CVE.

Here are some of the research sources we use for all this. Malpedia, which helps us with malware group profiles. ThreatFox, for indicators of compromise and malicious domains. MISP, an old acquaintance; MISP is very important, and the CERT folks have a very cool project with MISP that is worth a look. And Vulners, which we use as a base for integrating CVEs, exploits and bulletins.

A short while ago we got news from the field that CVE could end. The American government cut MITRE's funding, and in fact the researchers are raising their hands saying this could end. For you to understand: today every tool related to cybersecurity depends on a single body, the CVE. There is no other; we put all our eggs in the same basket. There's no escaping that. So it's something we have to think about, how we're going to handle it. Maybe put pressure on the cybersecurity community, because keeping CVE standing is very important to us. And finally, I have a solution for all of this: if we don't have CVE, we won't have vulnerabilities. Thank you, guys. Questions? You can speak. Hi.

- Greetings, professors, greetings to everyone. I'd like to thank you for the class; I really liked the teaching. But what caught my attention is that the countries pointed out as the most attacked are Western countries: Europe, the United States, Brazil. And although I know the difficulty of identifying who these attackers are, is the lack of information from Eastern countries, for example, because we can't get that access, or because, well, maybe we assume these attacks come from countries in Asia or in Eastern Europe?

- Well, I can't answer with certainty, but it is assumed that these attacks come Any other questions? Well, guys, thank you.
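The scoring scale the speaker describes (CVSS, EPSS and KEV membership plus two context columns, "relevant CTI" and "critical asset", rolled into one score where more than 85 means stop for a remediation sprint) can be written down as a small program. The block below is an added example and is not code from the talk, its slides or the speaker's company. Only the ">85 is critical" cutoff comes from the talk; the weights, the other cutoffs, the record layout and the four sample findings are assumptions made here for illustration, and the sample numbers are loosely modelled on the curl and Citrix cases mentioned rather than being the real scores of any specific CVE.

```python
"""Context-aware CVE prioritisation score (added example, not from the talk).

Combines the five inputs the speaker lists into a single 0-100 score and maps it
onto the four remediation tracks. Weights and cutoffs other than 85 are assumed.
"""
from dataclasses import dataclass

# Assumed weights (sum to 100). Context (relevant CTI + critical asset) is
# weighted above the static CVSS score on purpose: that is the talk's point.
WEIGHTS = {"cvss": 20, "epss": 20, "kev": 5, "cti": 30, "asset": 25}

# Remediation tracks. Only CRITICAL_ABOVE (85) is stated in the talk.
CRITICAL_ABOVE = 85.0   # stop for a remediation sprint
HIGH_FROM = 65.0        # assumed: plan it, open a change request
MEDIUM_FROM = 40.0      # assumed: normal patch routine; below this, watch and wait


@dataclass(frozen=True)
class Finding:
    cve: str              # identifier as it appears in the scanner export
    cvss: float           # CVSS base score, 0-10
    epss: float           # EPSS probability, 0-1
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    cti_relevant: bool    # a group active against our sector is using this CVE
    critical_asset: bool  # the affected host is one of our crown jewels


def validate(f: Finding) -> None:
    """Reject malformed inputs; a silently clamped EPSS would hide a feed bug."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS out of range: {f.cvss}")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS must be a probability 0-1, got {f.epss}")


def score(f: Finding) -> float:
    """Weighted 0-100 priority score; higher means fix sooner."""
    validate(f)
    s = (f.cvss / 10.0) * WEIGHTS["cvss"]
    s += f.epss * WEIGHTS["epss"]
    s += WEIGHTS["kev"] if f.in_kev else 0
    s += WEIGHTS["cti"] if f.cti_relevant else 0
    s += WEIGHTS["asset"] if f.critical_asset else 0
    return round(s, 2)


def bucket(s: float) -> str:
    """Map a score to one of the four remediation tracks."""
    if s > CRITICAL_ABOVE:
        return "critical"
    if s >= HIGH_FROM:
        return "high"
    if s >= MEDIUM_FROM:
        return "medium"
    return "low"


def prioritise(findings):
    """Return (finding, score, bucket) tuples, highest priority first."""
    rows = [(f, score(f), bucket(score(f))) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def cvss_only(findings):
    """The 'low maturity' ordering the talk warns about: CVSS alone."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample input (illustrative numbers, not real CVE scores).
SAMPLE = [
    Finding("CVE-A (curl-like)",   9.8, 0.004, False, False, False),
    Finding("CVE-B (Citrix-like)", 8.7, 0.80,  False, True,  True),
    Finding("CVE-C",               7.9, 0.70,  False, True,  True),
    Finding("CVE-D",               6.5, 0.02,  True,  False, True),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only(SAMPLE))
    for f, s, b in prioritise(SAMPLE):
        print(f"{f.cve:22} score={s:6.2f} -> {b}")
```

Run stand-alone, the CVSS-only ordering puts the curl-like finding (9.8, but near-zero EPSS, not in KEV, no CTI link, not on a crown jewel) at the top, while the context-aware score drops it to "low" and lifts the Citrix-like finding to "critical" even though it is absent from KEV. The weights are the part a team should argue about and tune; the structure (static score, exploitation likelihood, confirmed exploitation, sector-specific CTI, asset value) is what the talk argues for.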