Malware Analysis: Moving Beyond the CVSS Score
- May 17, 2016
- Daniel Fredricksen
Here at NopSec, we are all about risk – our number one goal as a company is helping organizations evaluate and reduce their risk. However, the term “risk” can be highly subjective, making it difficult for organizations to determine what the riskiest vulnerabilities are. One quantitative measure NopSec employs to help an organization evaluate the risk of a vulnerability is through malware correlation: if a vulnerability has malware correlated with it, it represents elevated risk. NopSec keeps a constantly-updated database of malware information, but in order to stay one step ahead of attackers, we also want to predict the future. Today’s blog post will focus on factors that help predict whether or not a vulnerability has malware associated with it, and how to use these factors today for better remediation prioritization tomorrow.
In order to evaluate which factors correlate the most with exploitation by malware, we examined our dataset of 12,700 vulnerabilities discovered between 2010 and 2015. We then incorporated our malware data, which consisted of 358 vulnerabilities (again, from 2010-2015) that are or have been associated with active malware. This leads to an overall malware exploit rate of about 2.8%. The question we want to investigate in this post is: Which factors lead to increased risk of malware exploitation?
The CVSS exploitability score is an attempt to measure how easy it would be for a hacker to exploit a vulnerability. It is divided into three categories, each with three labels:
Based on these descriptions, the CVSS exploitability score seems like a good place to start. It makes sense that an attacker would look for the vulnerabilities that are easiest for them to exploit. There’s just one problem…
With only about 3% of vulnerabilities having active malware associated with them, relying on CVSS exploitability alone will give you a lot of false positives. Even worse, the malware correlation rate for vulnerabilities with the highest exploitability scores is almost exactly the same as the overall rate.
So, the CVSS exploitability scores clearly don’t help you prioritize, but that doesn’t mean the theory behind them is wrong. Our research shows that attackers tend to take the path of least resistance when attempting to compromise a system. So, what tools make an attacker’s job easier, and how can we use them to more effectively prioritize vulnerabilities?
The Exploit Database and Metasploit are two of the most widely used collections of public exploit code, and our analysis shows a high correlation between a vulnerability being present in one (or both) of these databases and it having malware associated with it.
While exploitability is clearly an important piece of the puzzle, it still can’t entirely explain which vulnerabilities attackers choose to target. This is because attackers think in terms of return on investment, not just how easy a vulnerability is to exploit. As an example, let’s look at two vulnerabilities: CVE-2011-4858 and CVE-2014-1776.
CVE-2011-4858 is in the Exploit Database, has a Metasploit module, and has a CVSS exploitability score of 10.0. It should be easy to exploit – and yet, it has no active malware associated with it. CVE-2014-1776, on the other hand, is not present in the Exploit Database and doesn’t have a Metasploit module. It requires a fairly complicated exploit – and yet, it is exploited by multiple malware kits. Why? In order to answer this question, we need to look at another part of CVSS: the impact sub-score.
The CVSS impact sub-score evaluates whether there would be a complete, partial, or no loss in each of three categories:
CVE-2011-4858 is a resource management error which can result in a partial loss of information availability, and no loss of confidentiality or integrity. CVE-2014-1776, on the other hand, can allow attackers to execute arbitrary code, resulting in the complete loss of confidentiality, integrity, and availability.
Nearly all vulnerabilities could result in some data loss, but there is a special group of vulnerabilities that can result in a complete loss of confidentiality, integrity, and availability. These “triple threat” vulnerabilities account for less than one third of vulnerabilities since 2010 in our database, but make up nearly 90% of vulnerabilities with active malware. In other words, when evaluating the likelihood of exploitation, it is important to look at impact in addition to ease of exploitation.
While the features discussed so far are certainly important in predicting whether or not a vulnerability has malware correlated with it, these predictors still are not enough to effectively differentiate between vulnerabilities with malware and those without malware. In order to fill in the gaps, we introduce one more feature: Twitter mentions. Recent research indicates that social media in general, and Twitter in particular, is quickly becoming the go-to way for hackers to share information about exploitable vulnerabilities. NopSec collects Twitter data for all vulnerabilities in our database and uses this information to help organizations zero in on the most dangerous ones.
The vast majority of vulnerabilities have 0 or 1 mentions on Twitter. This means that vulnerabilities with a high number of tweets are “special” in some way – could it mean that vulnerabilities with high Twitter mentions are more likely to be correlated with malware? The median number of tweets for vulnerabilities associated with malware is 18, indicating that there may be some correlation between a high number of tweets and malware.
Now let’s focus on only the most talked about vulnerabilities – those with more than 100 tweets. Are these vulnerabilities more likely to have malware associated with them? Yes, just over half of vulnerabilities with more than 100 tweets have active malware in our database. Adding in the other features we have discussed (public exploits and complete loss of data), we find that the malware correlation rate is even higher: 92.75%.
So, what do these statistics tell us, and how can we use them to better inform vulnerability prioritization? Because organizations have a limited amount of time and resources, remediating every single vulnerability is often not possible. Instead, organizations must prioritize the most dangerous vulnerabilities so as to maximize the impact of remediation. Our research indicates that if an organization were to choose a vulnerability at random to remediate, they would have a less than 3% chance of choosing a vulnerability with malware correlation. Focusing on vulnerabilities with the maximum CVSS exploitability score would yield similar results. However, if an organization focused on vulnerabilities with a public exploit, a Metasploit module, a potential complete loss of data, and greater than 100 mentions on Twitter, they would have a 93% chance of remediating a vulnerability with malware. These features help an organization use their limited resources in a more efficient way, choosing the most dangerous vulnerabilities to focus on.
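As an added illustration (not NopSec’s code or data), the Python below compares the remediation strategies discussed in this post on a small constructed dataset: the two real CVEs carry only the attributes the post gives them, while their tweet counts, the exploitability value for CVE-2014-1776 and the CVE-XXXX-* rows are made up. The ground-truth malware flag is used only to score each strategy, never to rank.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    exploitability: float   # CVSS v2 exploitability sub-score; 10.0 is the easiest
    impact: tuple           # (confidentiality, integrity, availability): none/partial/complete
    in_exploit_db: bool
    has_msf_module: bool
    tweets: int
    has_malware: bool       # ground truth, used only to measure a strategy, never to rank

def triple_threat(v):
    # Complete loss of confidentiality, integrity and availability
    return all(x == "complete" for x in v.impact)

# Remediation strategies compared in the post, each a filter over the dataset
STRATEGIES = {
    "random pick": lambda v: True,
    "max exploitability": lambda v: v.exploitability == 10.0,
    "triple threat + >100 tweets": lambda v: triple_threat(v) and v.tweets > 100,
    "exploit-db + metasploit + triple threat + >100 tweets":
        lambda v: v.in_exploit_db and v.has_msf_module and triple_threat(v) and v.tweets > 100,
}

def malware_rate(vulns, select):
    # Returns (share of selected vulnerabilities that have malware, number selected)
    chosen = [v for v in vulns if select(v)]
    if not chosen:
        return 0.0, 0
    return sum(v.has_malware for v in chosen) / len(chosen), len(chosen)

def prioritize(vulns):
    # Rank by number of risk features present, then by Twitter volume
    def score(v):
        features = [v.in_exploit_db, v.has_msf_module, triple_threat(v), v.tweets > 100]
        return sum(features), v.tweets
    return sorted(vulns, key=score, reverse=True)

# Constructed sample: the two real CVEs carry the attributes the post gives them; their
# tweet counts, CVE-2014-1776's exploitability value and the CVE-XXXX-* rows are made up.
SAMPLE = [
    Vuln("CVE-2011-4858", 10.0, ("none", "none", "partial"), True, True, 12, False),
    Vuln("CVE-2014-1776", 8.6, ("complete", "complete", "complete"), False, False, 340, True),
    Vuln("CVE-XXXX-0001", 10.0, ("complete", "complete", "complete"), True, True, 250, True),
    Vuln("CVE-XXXX-0002", 10.0, ("complete", "complete", "complete"), True, True, 3, False),
    Vuln("CVE-XXXX-0003", 3.9, ("partial", "none", "none"), False, False, 0, False),
    Vuln("CVE-XXXX-0004", 10.0, ("partial", "partial", "partial"), False, False, 1, False),
]
```

On this sample the exploitability-only filter does no better than a random pick, while the impact-plus-Twitter filters select only vulnerabilities with malware; note that the strictest filter misses CVE-2014-1776 because it has no public exploit, which is why the ranking also keeps it near the top rather than dropping it.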
NopSec’s Unified VRM incorporates all of these factors (and more!) into its Business Risk Score, automating vulnerability prioritization and helping organizations reduce their risk as efficiently as possible.