
Vulnerability Prediction: Extracting Risk Signals from Inside Scoring Systems.pdf

Uploader: 竿*** ID: 981943 2025-11-29 25 pages 4.43MB

#BHUSA BlackHatEvents

Vulnerability Haruspicy: Picking Out Risk Signals from Scoring System Entrails
Tod Beardsley, runZero VP of Security Research and CVE Mucker-Abouter

Oracular Methods for Quantifying Risk

Haruspicy: What is it anyway?
A brief jaunt into deriving signals from entrails, specifically, sheep livers. (CW: Meat)

CVSS: Casting fractal shadows
The oldest current system, the Common Vulnerability Scoring System

EPSS: ML-based magicks
A relative newcomer, the Exploit Prediction Scoring System (CW: AI)

SSVC: Tarot for your criticality
The decidedly un-mathy Stakeholder-Specific Vulnerability Categorization decision tree

Haruspicy: A Brief Primer
Image source: https://www.queens.ox.ac.uk/news/reading-the-past-ancient-liver-divination/
Haruspicy was favored by the Etruscans, and also used by Assyrians, Babylonians, and other early Mediterranean and African cultures.
The gods would reveal their will through omens, manifested in the entrails of sacrificial animals, particularly the liver.
References on thousands of favorable and unfavorable omens were maintained by practitioners.
Balancing these omens gets you an answer to your specific question.
Take random signals, and assert that they're not random. The original P-Hackers!

CVSS: The Only Number Anyone Cares About
The Common Vulnerability Scoring System has emerged as a bedrock of risk ratings and vulnerability scoring.
Eight vectors are commonly used, describing various aspects of the vulnerability.
You don't strictly need C

Based on the report's content, the full text mainly discusses three systems used to assess and score software vulnerabilities: CVSS, EPSS and SSVC.

1. **CVSS (Common Vulnerability Scoring System)**:
   - Is the foundation of risk ratings and vulnerability scoring.
   - Uses eight vectors to describe the various aspects of a vulnerability.
   - The distribution of CVSS scores appears to be consistent, with a lack of low-to-medium-severity vulnerabilities.
2. **EPSS (Exploit Prediction Scoring System)**:
   - Uses machine learning and algorithms to predict the likelihood that a vulnerability will be exploited.
   - Predicts that around 10,000 CVEs are likely to be exploited each month.
   - The definition of "exploitation activity" is fairly broad and includes a range of security events.
3. **SSVC (Stakeholder-Specific Vulnerability Categorization)**:
   - Is a decision tree for tailoring vulnerability categorization to your environment.
   - Provides a starting point ranging from Track to Act.
   - Combined with data provided by CISA-ADP, it can reduce the number of vulnerabilities that need to be assessed.
Mysticism or science? How does AI predict vulnerabilities? How do you customize risk categorization?