Vulnerability Prioritization

[cunha]

Let's use this discussion thread to discuss articles about vulnerability prioritization. For each article, let's use the following template:

• Title: Title goes here
• Source: A link to the source of the article: conference, company, journal, blog, or anything else
• Year: Year of publication
• Main idea: Short summary of the main ideas in the article
• Integration: How can we integrate the ideas in our project?

[cunha]

@Sacramento-20 postar artigos antigos
@Pephma Top-25
@probablygab CVSS 4.0

[cunha]

@Francisco-aragao next

[probablygab]

Title: Announcing CVSS v4.0
Source: CVSS 4.0 Presentation at the 35th Annual FIRST Conference
Year: 2023

Main idea:
The presentation mainly discusses the limitations of CVSS 3.1 and how CVSS 4.0 aims to improve upon it. The nomenclature has been expanded to stress the idea that CVSS is not just the Base Score (CVSS-B), CVSS-B only measures the "Technical Severity" of a vulnerability and is not recommended to use it alone to determine remediation priority. As such, the new CVSS-BTE takes into account (i) the Base Score, (ii) the Threat associated with the vulnerability and (iii) Environmental Controls. In other words, it provides the context of the vulnerability.
To achieve this, a new metric, Attack Requirements, was added to reflect the exploit engineering complexity required to circumvent the defensive measures and the prerequisite conditions so that the attack is possible. The User Interaction metric was updated for a finer granularity when considering the interaction needed from a user when an attack occurs. A new metric, Safety, evaluates whether a human can be injured as a result of a successful attack, like medical devices for example. Lastly, the Supplemental Metrics were added to reflect the vulnerability response, e.g.: if an attack can be automated, if a system is recoverable or requires a large effort to recover from an attack and so on.
In short, the presentation emphasizes the need for higher granularity and real time threat and supplemental impact details, which CVSS 3.1 was not able to fully achieve. The new CVSS 4.0 standard not only aims to achieve those needs but also to be applicable in more systems.

Integration:
The CVSS 4.0 standard has just been released and we might not be able to extract sufficient data from public sources to create a proper CVSS 4.0 score. However, since our primary goal is to create a vulnerability priorization dataframe and we need to work with operators of systems to get feedback data, we can use this as an opportunity to get supplemental data for the vulnerability in question. This additional data can then be used to get a more refined CVSS 4.0 score. For example, an operator might report that a medical device, if compromised, may lead to patients being injured or even dying. Therefore, under the section Supplemental Metrics: Safety, we can mark Present (P).
In short, the new scoring system captures more context from the vulnerability and we may be able to use the operator's feedback to get the context required for a better score calculation.

[Pephma]

2022 CWE Top 25 Most Dangerous Software Weaknesses.

Source: Supplemental Details - 2022 CWE Top 25
Year: 2022

Main idea

The page provides details about the 2022 CWE Top 25 Most Dangerous Software Weakness list, including its methodology, limitations, and opportunities for improvement. It discusses data bias and metric bias, as well as considerations for independently replicating the Top 25 list. The page also introduces approaches to assess the likelihood and impact of an attacker exploiting a vulnerability, using a set of metrics.

Vulnerabilities that are both common and severe will receive higher scores, indicating they should be addressed with higher priority.

Integration

New metrics for ranking the IPs vulnerabilites can be created by:

• Mapping CVEs to CWE.
• Calculting severity and frequency scores similar to the methodology used in the page.
• Normalizing the scores to create an overall vulneability score for each IP's CVEs.
• Prioritizing IPs based on those new metrics

[Sacramento-20]

Name:
An Efficient Security Data-Driven Approach for Implementing Risk Assessment

Year:
2020

Context:
Security assessments in companies are standardized activities that employ defined processes. Evaluating which "assets" should be prioritized becomes a more complex task due to this. Therefore, the article in question highlights some ways to assess the security of organizations based on the context in which the company is embedded.

Central Idea Discussed:
The article's approach revolves around the creation of "fear stories," which are topics of concern for the company highlighted by employees with extensive knowledge of the business. They can emphasize how a potential data breach can impact each sector and identify probable risks for the organization. To assist in creating these "fear stories," the article introduces the concept of the "security data lifecycle." This lifecycle encompasses the entire process of data, from creation to storage, and the importance of this lifecycle is to understand which layers have control over it at each stage. These layers can be logical (operating systems), physical (hardware), and human (employees). Each evaluation method will be used to enhance existing risk calculation methods; in this case, the methods used were OWASP Risk Rating and CVSS.

Results:
The experiment involved various employees, each working in a specific sector and handling data differently. The mentioned calculators were used and compared in cases where the context was taken into account and in cases where it was not. The article demonstrated quite promising results, successfully achieving satisfactory outcomes where the severity of a potential data leak was reduced compared to the calculators used, as well as increased, including the fear stories.

How We Can Apply These Ideas in Our Project:
For our specific project, the foundation lies in how we can assess vulnerabilities based on their severity for the company. Therefore, this article provides a starting point for developing a model based on client needs. The idea of using a method like fear stories becomes crucial to understand how to adapt processes, focusing analyses on specific points that could generate harm to the company.

[Sacramento-20]

Name:
WIVSS: A New Methodology for Vulnerability Assessment in Information Systems

Year:
2013

Context:
WIVSS was developed based on the open standard CVSS. This article, published in 2013, addresses a period when CVSS was in its version 2 (currently in version 4 - 2023). As a more basic version of CVSS, the improvements proposed by WIVSS, as discussed in this article, are significant when compared to the specific version of CVSS at that time.

Central Idea Discussed:
The essence of the article is to create a more precise calculator model than the existing CVSS model available at the time. This article holds significant reference value as it represents a study that aimed to modify the structure of a calculator to enhance vulnerability analyses. Its contributions primarily focus on the calculations performed by CVSS, giving greater importance to weights in the analyses. The study involved tests with approximately 9455 vulnerabilities.

Results:
Some of the results of WIVSS compared to CVSS (v2) included a broader distribution of distinct scores, a higher standard deviation, and a more balanced distribution of qualitative classification than CVSS. This demonstrates that adjustments in the calculation can be relevant for overall enhanced functionality.

How We Can Apply These Ideas in Our Project:
What motivated me to read this 2013 article in 2023 was to understand from the beginning how a calculator based on CVSS (currently the most widely used for ranking vulnerabilities) was developed. This specific topic caught my attention because we do not intend to use the "raw" version of CVSS; some enhancements will be considered to make the calculation more precise according to our requirements. Therefore, the ability to understand the functioning of CVSS and seek ways to improve our analyses is crucial. Additionally, other ranking tools will also be considered, such as the example of OWASP Risk Rating for applications in web environments.

[Sacramento-20]

Name:
Security Risk Assessment of Geospatial Weather Information System (GWIS): An OWASP-Based Approach

Year:
2010

Context:
The article in question highlights the implementation of OWASP Risk Rating to assess the security of a geospatial web mapping application.

Central Idea Discussed:
The article's discussion is more focused on how to effectively implement analyses based on its context than on teaching how to create these analyses. This type of article is important for practical evaluations of how these tools behave in different scenarios. While this case is somewhat atypical, its effectiveness for such a detailed application suggests that, on a larger scale, it can be highly effective, especially when there is a way to assess and adapt different contexts to the model. Additionally, even as a niche application, it is still susceptible to all exploitable flaws, regardless of the context.

Results:
The results were quite promising because, in addition to identifying vulnerabilities and associated risks, it was possible to allocate the necessary resources to address the issues. Furthermore, the difficulty of exploitability becomes important and was documented in the article's results. This can be beneficial for research, as, apart from identifying the risk, understanding the difficulty of exploiting a particular problem and resolving it is crucial.

How We Can Apply These Ideas in Our Project:
As we slightly deviate from the path we were focused on, which is purely CVSS, we recognize that CVSS has a significant dominance when it comes to applications. Therefore, its focus is not on web applications, and for this purpose, OWASP has a tool exclusively focused on web applications: OWASP Risk Rating. It is a tool that offers complete operator modification freedom, despite having defined metrics. It encourages the operator to seek the necessary contexts to assess vulnerabilities in their system in a customized way. Thus, tools using this approach become valuable for our research, especially for a company with experience in various known exploits. This way, we can have more methods to compare the different contexts of vulnerabilities.

[cunha]

@Sacramento-20 next

[Francisco-aragao]

Title:

PRIORITIZING VULNERABILITY RESPONSE: A STAKEHOLDER-SPECIFIC VULNERABILITY CATEGORIZATION

Source:

https://insights.sei.cmu.edu/documents/583/2019_019_001_636391.pdf

Year:

2019

Main idea:

This article tries to compare CVSS (Common Vulnerability Scoring System) with a new approach, using SSVC (Stakeholder-Specific Vulnerability Categorization) based on decision Trees. So the main point is the methodology behind the analysis to understand if this structure can be used.

CVSS uses technical severity as a fundamental concept, but the CVSS score does not inform decisions to be taken about it. Decisions are not a number, are qualitative actions that an organization can take. Even when we have an idea of how to act based on value X, it is unclear how to act about value X+1 for example. This is important to understand that a vulnerability has a unique interaction with the system, and the context in which it is inserted contributes to the analysis of its impact.

Decision trees can be used to enumerate the decisions and outcomes, helping managers to direct the focus and set the priority, with some labels that vary from "defer" - do not act in present to "immediate" - act immediately. Other points to be considered are decision points (hypothesis to be tested), for example, a test of exploits, the technical impact of exploring the vulnerability, the utility of the exploit, and risks that this security failure can cause.

In the end, there are discussed limitations and some tradeoffs to be considered in the use of SSVC, like the removal of numeric classification that can be "uncomfortable" to some people.
Another point is that are introduced new factors to be considered, like more information about the context of the vulnerability. This needs extra effort and some organizations are not prepared to adopt this new approach.

Integration:

This idea can be integrated to build a more refined analysis of the vulnerabilities, using the fact that now, more data are needed to make the classification. This can lead us to different paths of prioritization, based not just on a score, but on more specific data about the system and application. But together with this, more data has to be considered. Therefore, all the discussions are important to understand and provoke a reflection on how the CVSS works and how we can improve the results received.

[Sacramento-20]

Title

Detecção de intrusões em backbones de redes de computadores através da análise de comportamento com SNMP

Source

http://repositorio.ufsc.br/xmlui/handle/123456789/82569

Year

2002

Main idea

The main idea of the dissertation is the identification of intrusion in backbones, taking into account network management variables. The dissertation focuses on the identification of intrusions in backbones, considering network management variables through the SNMP protocol. The focus is on the analysis of manageable routing equipment located in the core and subnets of a large backbone. Given the high network traffic of these devices, network management tools are essential. However, detecting a device under attack or being used as a bridge for an attack is a complex task. The main variables to establish a baseline in the routers include: CPU consumption, queue drops, queue buffers, packet transfer rate on a specific interface, and percentage of memory usage. All this information is organized chronologically and stored in a database for future analysis. To facilitate the consultation of these data over time, a web interface was developed for the operator.

Integration

This dissertation is useful in addressing which parameters should be considered for better equipment management in a network. It is a research focused on prioritizing vulnerabilities and recommending possible attack mitigation techniques. Understanding how consolidated network protocols work can be extremely useful, depending on the context of the company being audited. There is a challenge related to a company’s structure to collect and store this type of data. Although it is not necessarily a mandatory analysis method for the project, creating modules that perform this analysis for companies with this structure can be very useful. This includes the detection of other vulnerabilities, especially when considering the combination of existing methods with what was mentioned in the dissertation.

[Francisco-aragao]

Title:

Web pages classification: An effective approach based on text mining techniques, by Seyed Moein Babapour, Meysam Roostaee

Year:

2017

Source:

https://ieeexplore.ieee.org/document/8324994

Main idea:

The article comments on different approaches involving machine learning techniques to explore the problem of web page classification. First of all, the initial steps involve preprocessing the text, like converting it to lowercase, removing numbers, and words with 1-2 characters, and removing stop words (words without individual meaning - like: and, the ...). Other processes commented on are lemmatization and stemming, which are related to the technique that reduces inflected words to their base forms.

After this, different models were used, each of them with differences in the algorithm (like Linear Regression, Naive Bayes ...), in preprocessing stages (using more or fewer techniques), and different HTML fields used to make the classification (body, URL, title ...). In the end, the results are compared using ROC Curve and AUC, a technique used to evaluate machine learning algorithms, showing that more preprocessing steps improve the true prediction rate score.

Integration:

Reading the article is possible to know more about machine learning algorithms and mainly about the importance of preprocessing steps. By utilizing the latest preprocessing techniques, it's possible to extract the most crucial information and significantly reduce the size of the text. With this, can be possible to develop and test some models to work in the webpage classification, considering the results presented.

[Francisco-aragao]

Title:

Toward Website Classification 2023, by Mohamed Zohir Koufi; Zahia Guessoum; Amor Keziou; Itheri Yahiaoui; Chloé Martineau; Wandrille Domin

Year:

2023

Source:

https://ieeexplore.ieee.org/document/10350143

Main idea:

In general, the article addresses different techniques for classifying web pages and comparing the results. The article emphasizes the pre-processing stages and their importance, involving different approaches such as keyword analysis and techniques such as Bag Of Words (machine learning model for representing words) and Term Frequency-inverse Document Frequency (method to measure the importance of a word in a collection of documents.) Furthermore, other deep learning techniques are approached for representing words and documents based on the surrounding words. Thus, algorithms such as (support vector machine), Naive Bayes, and BERT (Transformer-based model) are used to perform the classification and subsequent comparison of results with the analysis of different parts of the texts.

Integration:

The article emphasizes through the text the importance of machine learning algorithms to execute the process of web page classification. It is commented that this technique can be useful in the pre-processing steps and in the classification itself. With this in mind, this topic can be studied and implemented in this project, helping in the task of making the webpage classification, which will be useful to understand more the datasets available and create a model to make the vulnerability prioritization.

[Francisco-aragao]

Title:

Genre Categorization of Web Pages by Jebari Chaker1 and Ounelli Habib

Year:

2007

Source:

https://www.semanticscholar.org/paper/Genre-Categorization-of-Web-Pages-Chaker-Ounelli/9d83fc53355b75a32b90ee58dc82409f09fe39be

Main idea:

The document is related to a new kind of webpage classification, for example, is said that to identify a scientific paper, the page needs to have a complex language, low subjectivity, and the presence of graphics. Are commented too about the features needed to make the automatic categorization, like genre-specific words, tense of webs, HTML tags, layout and keywords, and other types of content. To consider all this kind of context in the web page, machine learning algorithms need to be used in the process, like Naive Bayes, KNN, and Decision Trees.

Integration:

The article can be used related to the techniques and features considered in web classification like preprocessing, focus on URL and some HTML tags, and also the page representation using vectors, which allows applying cosine similarity. Also, the article introduces a new concept about webpage genres, that can aggregate more features involving context, text size, quantity of images, and other fields. This technique can be a good tool to improve the web page classification task, helping to understand more about the IPs scanned, and helping the process of vulnerability prioritization.

[Francisco-aragao]

Title:

A review of web page classification by Ayodeji Osanyin, Olufunke Oladipupo, Ibukun Afolabi

Year:

2018

Source:

https://www.semanticscholar.org/paper/A-Review-on-Web-Page-Classification-Osanyin-Afolabi/c25a53e135a3522bbc685f67020bd64dba7c4103

Main idea:

The articles try to introduce the problem of webpage classification and its importance in web search engines and web filtering. With the huge number of internet content today, this process must be automated with classification algorithms. This work can be done with some techniques like Nearest Neighbors and Decisions Tree but is commented that the success of the process depends on the pre-processing made in the text and the quality of training data. It comments on the steps of classification, going through the extraction of the content, pre-processing, building vectors to represent pages, creating the model, and finally evaluating the classifier by recall and precision metrics.

Integration:

The article can be used in the context of web page classification according to the different stages in the task. In the beginning, is useful the HTML fields related to the article, like metadata, keywords and description, and URL and page content that is used in the classification system. These fields are in Shodan data, so we can start to focus on them in our analysis. Furthermore, is important to know about the importance of the preprocessing steps, like lemmatization, stemming, and removing stop words. These steps can shrink the space of words that occur in the text and focus the analysis in a minor set so is possible to perform better actions in data. The use of ML algorithms is also very useful, so we can start to think about
implementation and use of these tools applied in the context of the vendor providing individual inputs to improve vulnerability prioritization.