Understanding More Complex Prioritization Factors

This article describes what certain more complex prioritization factors measure and how they are computed, in order to better explain how they should be interpreted as part of the CPS.

Delve uses more than 40 different factors over thousands of data points in order to prioritize vulnerabilities in a continuous way. These 40+ factors are categorized in 5 big families, each representing a concentric layer of contextual information around a given vulnerability, with each adding or subtracting points to build the final Contextual Prioritization Score (CPS).

(Figure: the 5 concentric layers of context around a vulnerability)

Some of these factors are straightforward to understand, but some require more explanation, provided below:

Vulnerability properties

Detection mechanism is considered reliable

Not all vulnerabilities are detectable in the same way during a Vulnerability Assessment scan, and therefore some detection mechanisms are more reliable than others, providing better certainty of detection. Since this information can be known in advance, it's already part of the factors that affect the CPS (Contextual Prioritization Score) as soon as we push a new detection rule, so that you don't need to waste time making that judgement by trying to understand how the platform found a specific vulnerability. This is not the same factor as the "Detection Context" factor, as it represents a different layer of information.

Adjusted for XSS exploitability confidence

Not all XSS payloads have the same potential exploitability level in the context where they are found. Some payloads indicate that a bit more work or interaction from the user might be needed to make the XSS viable. This factor therefore represents the level of confidence the platform has in that specific XSS payload in that context. It is taken into account for these specific vulnerabilities as part of the CPS (Contextual Prioritization Score).

SQLi exploitability is considered highly probable

Not all SQL Injections have the same resilience: for instance, some are based on timing calculations that could be thrown off by a temporary network issue or by specific behaviors of certain DBMSes. This factor represents the level of confidence the platform has in that specific SQLi type in the context where it was found. It is taken into account for these specific vulnerabilities as part of the CPS (Contextual Prioritization Score).

Asset Context

Asset scan frequency stands out as important

Typically Delve is set up to continuously discover & scan all your assets in an autonomous way. Some assets, though, will be scanned more than others, either because you specified different scheduling requirements or because you launched manual scans on them. This represents a form of attention you're giving to certain assets over others, and as such it is an analytical metric we can use to affect vulnerability priority through the CPS (Contextual Prioritization Score) on these specific assets.

Asset has scheduled availability requirements

Though all assets are discovered & scanned in a continuous way by default in the platform, you can always specify that some of them shouldn't be touched during certain hours, either because they are more sensitive or because they play a more critical role during business hours. This simple fact will slightly influence the CPS (Contextual Prioritization Score), as it confers a form of importance or special care to the underlying asset.

Asset is important, as indicated by its tags

As you naturally categorize assets in the platform based on business line, geographical location, severity or anything else, some tag names can confer a form of heightened importance to the categorized assets. Maybe they are production assets as opposed to development ones, or maybe they represent critical business functions. The Delve platform does not impose a specific tagging scheme, so that you can naturally represent your reality in the tags, but certain keywords will affect the CPS (Contextual Prioritization Score), and we continuously improve this system through active analysis of tagging schemes.

Tagging scheme on this asset stands out from the rest

As you naturally categorize assets in the platform based on business line, geographical location, severity or anything else, tagging patterns will emerge on assets, especially for certain portions of your network. Certain assets, though, will deviate from this tagging pattern with regards to other assets in the same subnet: maybe it's a special sub-section of the network that represents services consumed by others in the network, maybe it's a PCI subnet, or some other scenario. As the tagging scheme on these assets stands out from the rest, this difference of entropy will slightly influence the CPS (Contextual Prioritization Score), as it confers a form of importance or special care to the underlying assets.
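One way to make the "tagging scheme stands out" idea concrete, as an added illustration rather than Delve's own implementation: score each asset in a subnet by how surprising its tags are relative to its neighbours, then flag assets whose score sits well above the subnet mean. The inventory, the surprisal measure and the z-score threshold are all assumptions made for this example.

```python
import math
from collections import Counter

# Constructed sample inventory (not Delve data): subnet -> {asset: tag set}.
INVENTORY = {
    "10.1.0.0/24": {
        "10.1.0.10": {"prod", "web", "emea"},
        "10.1.0.11": {"prod", "web", "emea"},
        "10.1.0.12": {"prod", "web", "emea"},
        "10.1.0.13": {"prod", "web", "emea"},
        "10.1.0.20": {"prod", "pci", "payments", "emea"},  # deviates from the rest
    },
}


def tag_surprisal(subnet_assets):
    """Score each asset by how unusual its tag set is within its subnet.

    Assumption (not documented by the page): an asset's score is the mean
    self-information of its tags, -log2 p(tag), where p is the fraction of
    assets in the subnet carrying that tag. Tags shared by every asset add
    0 bits; a tag unique to one asset adds log2(n) bits.
    """
    n = len(subnet_assets)
    freq = Counter(tag for tags in subnet_assets.values() for tag in tags)
    scores = {}
    for asset, tags in subnet_assets.items():
        bits = [-math.log2(freq[t] / n) for t in tags]
        scores[asset] = sum(bits) / len(bits) if bits else 0.0
    return scores


def standout_assets(subnet_assets, z_threshold=1.5):
    """Return assets whose surprisal is at least z_threshold standard
    deviations above the subnet mean (assumed cut-off for this example)."""
    scores = tag_surprisal(subnet_assets)
    vals = list(scores.values())
    mean = sum(vals) / len(vals)
    sd = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
    if sd == 0:  # uniform tagging scheme: nothing stands out
        return []
    return sorted(a for a, s in scores.items() if (s - mean) / sd >= z_threshold)
```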

Network Context

The server significantly stands out from its network context

When pentesters look at a very large network, one of the key activities is to identify which assets are more interesting than others from an attacker's perspective: which are the "gold nuggets".

This factor uses advanced machine learning techniques, based on our continuously trained models, to identify the outlier assets in a large group of machines in the same network, using the meta-characteristics of the assets (services, OS, ports, etc.). As such, the CPS (Contextual Prioritization Score) will be slightly affected for these outlier assets in the entire subnet, as they represent a heightened form of interest for a potential attacker.

Want to see this in action directly? This factor is similar in spirit to the Open Source tool we released on our GitHub called Batea, which performs the same "gold nugget" detection straight from nmap scans, albeit without the use of our pre-trained model.

You can read more about outlier detection in the following Blogpost.

Simulated paths of attacks on the network frequently include this asset

By looking at the vulnerabilities present on assets and how the assets relate to each other in the same network, we can use data science techniques to simulate probable paths of attack from asset to asset in a statistical way. Over thousands of these statistical simulations, we obtain a very good data science-backed understanding of which assets are the most likely to be targeted during a real attack scenario: they end up on probable attack paths statistically more often than others. This probabilistic ranking, which continuously evolves over time, allows for more precision during the evaluation of the network-centric factors of the CPS (Contextual Prioritization Score).
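To show what "thousands of statistical simulations" can look like on a defender's side, here is an added toy version that is not Delve's model: a Monte Carlo random walk over a small constructed network, where the chance of moving onto an asset is an assumed per-asset exploitability value, and each asset is ranked by the fraction of simulated paths that include it. The topology, the exploitability numbers and the walk rule are all assumptions for this example.

```python
import random
from collections import Counter

# Constructed sample network (not Delve data): asset -> assets reachable from it.
REACHABLE = {
    "internet": ["web"],
    "web": ["app", "jumpbox"],
    "app": ["db"],
    "jumpbox": ["db"],
    "db": [],
}
# Assumed probability that an attacker who can reach the asset compromises it,
# e.g. derived from the worst exposed vulnerability on that asset.
EXPLOITABILITY = {"web": 0.9, "app": 0.8, "jumpbox": 0.5, "db": 0.7}


def simulate_path(rng, entry="internet", max_hops=8):
    """One random walk: at each hop, try not-yet-compromised neighbours in a
    random order and move to the first one whose compromise roll succeeds.
    Returns the ordered list of compromised assets (entry point excluded)."""
    path, current = [], entry
    for _ in range(max_hops):
        candidates = [n for n in REACHABLE[current] if n not in path]
        rng.shuffle(candidates)
        nxt = next((n for n in candidates if rng.random() < EXPLOITABILITY[n]), None)
        if nxt is None:  # no onward move succeeded: the path ends here
            break
        path.append(nxt)
        current = nxt
    return path


def path_frequency(trials=5000, seed=1):
    """Fraction of simulated attack paths that include each asset, highest first.
    Assets that appear most often are the ones to prioritize for remediation."""
    rng = random.Random(seed)
    hits = Counter()
    for _ in range(trials):
        hits.update(set(simulate_path(rng)))
    ranked = sorted(hits, key=hits.get, reverse=True)
    return {asset: hits[asset] / trials for asset in ranked}
```

On this topology "web" sits on every path, and "db" is reached through two routes, so it outranks either intermediate hop despite its lower exploitability.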

Organization Context

The underlying asset seems especially important to the organization

As you naturally use the platform to consult and categorize vulnerabilities or assets, and as you export reports and remediate vulnerabilities, Delve passively collects these signals from analysts and uses Machine Learning models that can infer the typical priorities of specific users in the same organization. We then use this model to infer which assets & vulnerabilities are more important for the organization globally. This allows Delve to influence the CPS (Contextual Prioritization Score) of vulnerabilities on the more important assets in your instance. It is also coupled with knowledge of the global customer landscape, with which we can drive comparative analysis and help you remediate more valuable vulnerabilities.

All of that without having to build & maintain complex tagging & categorization models that require substantial investment of effort over time.

Vulnerability exposed within the typical timeframe for effective remediation

Machine Learning is used to predict how long it should take to remediate a specific vulnerability based on a number of factors that are continuously computed. These include the characteristics of the organization itself (each client) but are also influenced by peer-data (what the best teams are doing). The remediation time prediction not only contributes to the CPS (Contextual Prioritization Score), but also provides Delve customers a remediation team benchmarking opportunity.

Detection context is considered reliable

To improve the reliability of vulnerability detections, Delve uses machine learning techniques to identify how frequently a given detection mechanism generates false positives, or whether the specific vulnerability has often been manually marked as a false positive in the past (which you can do in the platform). This supervised classification of every vulnerability as either confirmed or false positive is done using a blend of methods that takes user labels and features blindly (Random Forest Classifier) and prior expert knowledge (Bayesian Networks), combined in a statistically sound ensemble machine learning model, much like a democratic process. When a vulnerability has a high chance of being a False Positive, this will slightly affect the CPS (Contextual Prioritization Score) in order to lower the ranking of this specific vulnerability.

External Context

Trusted exploits are available

Not all exploits are equally effective and dangerous, and not all dangerous exploits have been successfully weaponized in offensive tools or malware kits. This factor's objective is to represent that reality and slightly increase the CPS (Contextual Prioritization Score) for vulnerabilities that have known trusted exploits.

Low/High probability of exploits being published in the near future

This factor represents Delve's use of machine learning analysis of newly-discovered vulnerabilities that don't yet have published exploits. The goal is to predict whether or not there's a good chance that an exploit will be published in the next few days for these theoretically not-yet-exploitable vulnerabilities, and to affect the CPS (Contextual Prioritization Score) accordingly. This is one step ahead of approaches that only look at which vulnerabilities already have exploits and which are more easily weaponizable based on past activity.

Topics related to this vulnerability are currently trending

This factor uses advanced machine learning techniques to continuously monitor online activity from both specialized Cyber Security Open Source Intelligence (OSINT) sources and dark web exchange platforms, used as Threat Intel feeds. These machine learning algorithms continuously extract global trends in discussions about specific vulnerability topics and correlate them with the vulnerabilities exposed in your environment. This factor will thus slightly increase the CPS (Contextual Prioritization Score) for vulnerabilities in your environment that share the characteristics of the ones "trending" right now.