A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities
Corren McCoy, Ross Gore, Michael L. Nelson, Michele C. Weigle

TL;DR
This paper presents a threat-centric vulnerability ranking model that leverages public data and knowledge graphs to prioritize vulnerabilities based on their likelihood of exploitation, significantly improving over traditional scoring methods.
Contribution
The paper introduces a novel framework using adversary criteria and knowledge graphs to enhance vulnerability prioritization for cybersecurity, tailored to organizational threat landscapes.
Findings
Achieved 71.5% - 91.3% improvement in identifying exploitable vulnerabilities.
Saved 23.3% - 25.5% in annualized patching costs.
Demonstrated effectiveness of knowledge graphs for semantic data integration.
Abstract
The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations for organizations to prioritize their vulnerability management strategy will offer significant improvements…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection
