Risk Prioritization by Leveraging Latent Vulnerability Features in a Contested Environment

Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security (2019)

Abstract
Cyber network defenders face an overwhelming volume of software vulnerabilities. Resource limitations preclude them from mitigating all but a small number of vulnerabilities on an enterprise network, so proper prioritization of defensive actions is of paramount importance. Current methods of risk prioritization are predominantly expert-based, and many include leveraging Common Vulnerability Scoring System (CVSS) risk scores. These scores are assigned by subject matter experts according to conventional methods of qualifying risk. Vulnerability mitigation strategies are then often applied in CVSS score order. Our vulnerability assessment system, in contrast, takes a predominantly data-driven approach. In general, we associate a risk metric of vulnerabilities with the existence of corresponding exploits. Our assumption is that if an entity has invested time and money to exploit a particular vulnerability, this is a critical gauge of that vulnerability's importance, and hence risk. Prior work presented a model that allows for the creation of prioritized vulnerabilities based on their association-likelihood with exploits, outperforming then-current methods. Because the initial approach only leveraged one vulnerability feature, we extended the vulnerability feature space by incorporating additional features derived from natural language processing. The importance metric is still given by a vulnerability-exploit relationship, but by processing text descriptions and other available information, our system became significantly more accurate and predictive. We next propose a mechanism that customizes vulnerability risks according to their exploitation likelihood in a contested environment given site-specific threat intelligence information, namely, attacks by an Advanced Persistent Threat (APT) group. Utilizing held-back data, we then demonstrate that latently similar vulnerabilities, which could be targeted by the same adversary, see higher risk ratings.
Keywords
exploit, machine learning, natural language processing, risk model, vulnerability