Author: Paul Cronin, Co-Founder of Rootshell

As a penetration tester, I often found it frustrating that the reports I submitted became outdated as vulnerabilities I reported on weren’t always exploitable at the time of writing.

I also believed that clients who never consolidated the findings of a Penetration test along with their regular vulnerability assessment data were missing the bigger picture.

A lot of the time this came down to separate teams: one part of the organisation was responsible for penetration testing and another for vulnerability management, and the two data sets were treated separately.

We designed and built the Rootshell platform over 3 years ago to be vendor-agnostic and to consolidate penetration testing and vulnerability results, providing that bigger picture.

Since the initial design, our team at Rootshell has been constantly looking at how we can enrich both the penetration testing data and the vulnerability data.

Typically, vulnerabilities are allocated CVE (Common Vulnerabilities and Exposures) numbers, which are identifiers in a database of publicly disclosed information security issues. Each CVE number uniquely distinguishes one vulnerability from another. While references and other supporting information may be updated over time, the CVE ID itself does not change once it has been assigned to an issue. Each CVE is allocated a CVSS (Common Vulnerability Scoring System) Base score. CVSS scores represent the severity of a vulnerability, but do not reflect the risk that the vulnerability poses to your environment. In other words, CVSS answers the question, "Is this dangerous?", but not, "Is this dangerous to my company?"

There are other indicators of whether a vulnerability will become exploitable. The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The goal is to help network defenders better prioritise vulnerability remediation efforts. While other industry standards have been useful for capturing the innate characteristics of a vulnerability and providing measures of severity, they are limited in their ability to assess threats. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data.

For some time, the Rootshell platform has had the ability to enrich data from a number of well-known exploit resources such as the CISA Exploit database, the Zero Day Initiative and NIST NVD. This allowed us to examine a client's set of results and report whether an exploit is available.

We also had the ability for our Rootshell RedForce consultants to manually add recently identified active exploits to our database when they were not yet present in the known database sources. This was a human effort: taking EPSS scores into consideration, reading online posts in forums and performing research to identify newly emerging exploitation developments.

This has proved invaluable to our client base, providing additional warnings of the weaponisation or exploitation of existing vulnerabilities that they have in their estate.

Artificial Intelligence (AI) has without doubt been the buzzword over the past year and not just in the security industry. We have known for some time that one of the best uses of this technology has been the analysis of data sets.

We realised that we could embrace AI to analyse large datasets and to alert on and predict the exploitation of vulnerabilities. We built Velma (Vulnerability Enhanced Learning Machine AI) to either automatically promote the issues she identifies as being actively exploited or allow our human RedForce team to confirm her findings.

How Velma operates

  • Deep Intelligence Sourcing: Velma continuously investigates a wide range of forums, websites and social channels to curate threat intelligence on actively exploited vulnerabilities, emulating the diligence of a human analyst.
  • Continuous Monitoring: Velma is built on an API and a web scraper designed to detect, evaluate and persistently monitor potential threats.
  • Comprehensive Analysis: On a daily basis, Velma evaluates a multitude of resources, including media outlets, forums, chat platforms and the hidden layers of the web. Rootshell's RedForce team further enriches this data pool.
  • Insightful Trending: Velma assimilates this data and tracks mentions to estimate the probability of a vulnerability being exploited. Users can see when a vulnerability first entered Velma's radar and the subsequent rise in discussion that escalated its severity status.
  • All of this data feeds into the Rootshell platform's "Watchlist", which allows us to continually monitor clients' reported vulnerabilities: if a client has a CVE in their estate that was not exploitable when first reported and later becomes exploitable, Velma alerts them immediately.
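As an added example (not Rootshell's code, and not a description of how Velma is implemented), the watchlist logic described above in Python: findings from the separate penetration testing and scanning workflows are consolidated by CVE, each CVE is enriched from a feed snapshot carrying its CVSS severity, EPSS probability and an exploited flag, and an alert is raised only when a CVE already in the estate transitions to exploitable between two snapshots. The asset names, the placeholder CVE-0000-0001, the feed values and the EPSS threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enrichment:
    """Per-CVE enrichment snapshot from exploit/scoring feeds (constructed values)."""
    cvss: float      # severity: "is this dangerous?"
    epss: float      # probability of exploitation in the wild, 0..1
    exploited: bool  # exploit observed / published according to the feed

# Constructed client findings from two separate workflows; asset names are hypothetical.
FINDINGS = [
    {"source": "pentest", "asset": "mq-01", "cve": "CVE-2023-46604"},
    {"source": "scanner", "asset": "mq-02", "cve": "CVE-2023-46604"},
    {"source": "scanner", "asset": "web-01", "cve": "CVE-0000-0001"},  # placeholder id
]

def consolidate(findings):
    """Map each CVE to the set of affected assets, whichever team reported it."""
    estate = {}
    for f in findings:
        estate.setdefault(f["cve"], set()).add(f["asset"])
    return estate

def watchlist_alerts(estate, before, after, epss_threshold=0.5):
    """Alert for estate CVEs that became exploitable between two feed snapshots.

    Exploitable means the feed flags exploitation or EPSS crosses the threshold.
    Only transitions alert: a CVE already exploitable in 'before' is not re-raised."""
    def exploitable(e):
        return e.exploited or e.epss >= epss_threshold
    alerts = []
    for cve, assets in sorted(estate.items()):
        old, new = before.get(cve), after.get(cve)
        if new is None or not exploitable(new):
            continue  # still no sign of exploitation
        if old is not None and exploitable(old):
            continue  # already on the watchlist; nothing new to report
        alerts.append({"cve": cve, "assets": sorted(assets), "cvss": new.cvss, "epss": new.epss})
    return alerts

# Constructed snapshots: severe but unexploited at first report; days later a public
# exploit appears and the EPSS probability jumps (values are illustrative, not real).
SNAPSHOT_DAY0 = {"CVE-2023-46604": Enrichment(9.8, 0.02, False), "CVE-0000-0001": Enrichment(5.3, 0.01, False)}
SNAPSHOT_DAY5 = {"CVE-2023-46604": Enrichment(9.8, 0.93, True), "CVE-0000-0001": Enrichment(5.3, 0.01, False)}

if __name__ == "__main__":
    for a in watchlist_alerts(consolidate(FINDINGS), SNAPSHOT_DAY0, SNAPSHOT_DAY5):
        print(f"ACTIVE EXPLOIT: {a['cve']} on {a['assets']} (CVSS {a['cvss']}, EPSS {a['epss']})")
```

The placeholder CVE keeps a high CVSS-style severity irrelevant to the outcome: it never alerts because nothing in the feed says it is being exploited, which is the "dangerous" versus "dangerous to my company" distinction from earlier.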

In Action

We have seen multiple success stories of this early warning system working for our clients. A recent one which comes to mind involves CVE-2023-46604, which was reported in late October 23. The issue is related to Apache ActiveMQ, which was reportedly vulnerable to a Remote Code Execution (RCE) attack.

A few days after the vulnerability was published, Velma detected from multiple sources that an exploit had been developed and that the issue should be published to our "Watchlist".

This in turn triggered an “Active Exploit” warning to one of our clients who uses ActiveMQ and had CVE-2023-46604 reported on their servers. This client consumes both regular Penetration testing and vulnerability scanning from us.

The client then upgraded the affected version of ActiveMQ to a non-vulnerable version.

On the 21st November it was identified that Threat Actors were actively exploiting CVE-2023-46604 and that a public exploit was in circulation.

The following is a great video on YouTube detailing the exploitation of CVE-2023-46604 using Metasploit.

We have now seen many examples where Velma alerted before exploitation, including vulnerabilities from Microsoft, Fortinet, Cisco and VMware, to name just a few.

Velma will continue to evolve beyond "Active Exploitation"; there are many other aspects that we at Rootshell believe we can develop to enhance and enrich vulnerability data.
