Modern organizations struggle with an overwhelming number of vulnerabilities discovered and reported by their network and application vulnerability scanners. Prioritization and focus therefore become critical, so that limited time is spent on the highest-risk vulnerabilities. To do this well, organizations need not only to understand the technical descriptions of the vulnerabilities, but also to gain insight into the attacker's perspective. In this work, we use machine learning and natural language processing techniques, together with several publicly available data sets, to provide an explainable mapping of vulnerabilities to attack techniques and threat actors. This provides new security intelligence by predicting which attack techniques are most likely to be used to exploit a given vulnerability and which threat actors are most likely to conduct the exploitation. The lack of labeled data and the different vocabularies used to describe vulnerabilities and attack techniques make mapping vulnerabilities to attack techniques at scale a challenging problem that cannot easily be addressed with supervised learning or with unsupervised (similarity search) techniques. To solve this problem, we first map vulnerabilities to a standard set of common weaknesses, and then map those common weaknesses to attack techniques. This approach yields a Mean Reciprocal Rank (MRR) of 0.95, a result comparable with those reported for state-of-the-art systems. Our solution has been deployed in IBM Security X-Force Red Vulnerability Management Services and has been in production since 2021. It helps security practitioners assist customers in managing and prioritizing their vulnerabilities, providing them with an explainable mapping of vulnerabilities to attack techniques and threat actors.
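The two-hop idea in the abstract (vulnerability to common weakness, then common weakness to attack technique) and the MRR metric used to evaluate it can be made concrete with a small worked example. The code below is an added illustration written for this page; it is not code from the paper or from the IBM deployment, and it omits the threat-actor hop. The CWE and ATT&CK identifiers are real, but every link weight, every CVE-like identifier (deliberately of the form CVE-EXAMPLE-000n) and the ground-truth labels are constructed assumptions chosen only to exercise the scoring and ranking logic.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample data for illustration only. The identifiers are real
# CWE / ATT&CK IDs, but the links and weights are assumptions made up for
# this example; they are NOT the paper's learned mappings or scores.
CVE_TO_CWE: Dict[str, Dict[str, float]] = {
    "CVE-EXAMPLE-0001": {"CWE-89": 0.9, "CWE-20": 0.4},   # injection-like description
    "CVE-EXAMPLE-0002": {"CWE-787": 0.8, "CWE-20": 0.3},  # memory-corruption-like description
    "CVE-EXAMPLE-0003": {"CWE-502": 0.7},                 # deserialization-like description
}

CWE_TO_TECHNIQUE: Dict[str, Dict[str, float]] = {
    "CWE-89":  {"T1190": 0.9, "T1059": 0.5},
    "CWE-20":  {"T1190": 0.3, "T1203": 0.3},
    "CWE-787": {"T1203": 0.8, "T1068": 0.6, "T1190": 0.4},
    "CWE-502": {"T1190": 0.8, "T1059": 0.6},
}

# Constructed ground truth: the technique an analyst confirmed for each entry.
GROUND_TRUTH: Dict[str, Sequence[str]] = {
    "CVE-EXAMPLE-0001": ["T1190"],
    "CVE-EXAMPLE-0002": ["T1068"],
    "CVE-EXAMPLE-0003": ["T1059"],
}


def rank_techniques(cve_id: str,
                    cve_to_cwe: Dict[str, Dict[str, float]] = CVE_TO_CWE,
                    cwe_to_tech: Dict[str, Dict[str, float]] = CWE_TO_TECHNIQUE
                    ) -> List[Tuple[str, float, List[str]]]:
    """Two-hop ranking: score(tech) = sum over CWEs of w(cve->cwe) * w(cwe->tech).

    Returns (technique, score, [CWEs that contributed]) sorted by descending
    score, ties broken by technique ID. The CWE list is the explanation a
    practitioner can show alongside the prediction.
    """
    scores: Dict[str, float] = defaultdict(float)
    evidence: Dict[str, List[str]] = defaultdict(list)
    for cwe, w_cwe in cve_to_cwe.get(cve_id, {}).items():
        for tech, w_tech in cwe_to_tech.get(cwe, {}).items():
            scores[tech] += w_cwe * w_tech
            evidence[tech].append(cwe)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tech, round(score, 4), evidence[tech]) for tech, score in ranked]


def reciprocal_rank(ranked: List[Tuple[str, float, List[str]]],
                    relevant: Sequence[str]) -> float:
    """1 / position of the first relevant technique; 0.0 if none is ranked."""
    for position, (tech, _, _) in enumerate(ranked, start=1):
        if tech in relevant:
            return 1.0 / position
    return 0.0


def mean_reciprocal_rank(ground_truth: Dict[str, Sequence[str]] = GROUND_TRUTH) -> float:
    """MRR over all labeled vulnerabilities; the metric the abstract reports."""
    rrs = [reciprocal_rank(rank_techniques(cve), relevant)
           for cve, relevant in ground_truth.items()]
    return sum(rrs) / len(rrs) if rrs else 0.0


if __name__ == "__main__":
    for cve in CVE_TO_CWE:
        print(cve)
        for tech, score, via in rank_techniques(cve):
            print(f"  {tech}  score={score}  via={','.join(via)}")
    print(f"MRR = {mean_reciprocal_rank():.4f}")
```

With the constructed weights, CVE-EXAMPLE-0001 ranks T1190 first (reciprocal rank 1), while the other two entries put the labeled technique second (reciprocal rank 0.5 each), giving an MRR of 2/3. The intermediate CWE list is what makes the result explainable: a reviewer can see that T1190 was predicted because the description mapped to CWE-89, rather than having to trust an opaque similarity score.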