Why we built the Robo Shadow CVE Vulnerability Early Warning System
The Robo Shadow EWS (Early Warning System) is a deep neural network AI prediction system running on top of the global CVE vulnerability databases (supplied by Mitre in the USA).
When a vulnerability is first disclosed, Mitre releases it as a free-text alert that has not yet been classified with a severity rating or a correct identification string (CPE). The AI-driven EWS takes a daily feed of all vulnerabilities released by Mitre and uses machine learning over the historical CVE data to predict each entry's severity and CPE identification string.
As you will read below, the bad guys will already have access to this type of technology in some shape or form. We wanted to level the playing field and make sure everyone has access to the same technology.
As a platform we are trying to simplify cyber security for everyone, and we try not to lean on AI and machine learning too much. Naturally it does become part of our day-to-day operations given the amount of data we need to consume for our analytics.
The EWS was created by us almost by chance, whilst we were testing certain predictive deep learning models over the global vulnerability data sources. To drive the cyber intelligence for the Robo Shadow platform, we have to manage and manipulate many cyber security feeds, so it seemed natural that an early warning API and Twitter feed would be a useful thing to supply to the industry to reconcile against.
Effectively all of the Robo Shadow products will have this functionality built in by default. So if you have devices logged within Robo Shadow, they will be able to receive early warning data before it is released globally to all the cyber vendors and government agencies.
Who is Mitre?
Mitre is the main American government agency that collects data from all the world's software vendors and their security bug reports in the form of an official submission. It then analyses the bug report from the vendor and publishes it in an open source fashion for everyone to use.
Ultimately this is a US government not-for-profit agency that is seen to be fairly impartial. However, it's probably safe to assume that the US government enjoys some kind of benefit from having the main western-world global vulnerability database managed by a US legal entity.
Why the CVE database is so strong in Cyber Security platforms
The CVE database is the golden-source "go to" cyber vulnerability repository that all of the main vendors use to submit their known security vulnerabilities and how to patch them. For example, you will find that the CVE database is at the very heart of the following world-dominating cyber platforms:
- Nessus Professional – Global powerhouse in cyber security, worth $6.45 billion at the time of publishing this blog.
- Rapid7 – Major vulnerability assessment platform that owns the Metasploit framework, currently worth $6.43 billion at the time of writing this blog.
- Nmap – The main open source code used all over the world and licensed to many global software vendors for reconnaissance and vulnerability management.
- OpenVAS – Open source platform commonly used for cyber scanning.
- Amazon Web Services (Inspector) – Main security auditing tool within the mighty AWS world.
- Microsoft (Security Centre / ATP etc.) – Main cyber offering from the Microsoft 365 and Azure platforms.
- Shodan – Global hacker search engine that holds many global firms' vulnerabilities, which can easily be looked up en masse via an API.
There are other frameworks that teams use in cyber security, but CVE is very strong across them all: it very quickly gives not only a criticality rating for the particular flaw, but also a description of what the issue is, how it is exploited and how the issue is patched or remediated. It is a very quick, non-invasive way of getting an attack surface indication by reconciling all the installed apps and software versions across your entire physical and virtual estate.
The only real comparable database would be the Metasploit framework, now owned by Rapid7 (which is a whole set of known exploits run against known pieces of software). There are also other frameworks like the OWASP web scanning framework, or Mitre's own "Attack Framework". Either way, the CVE database seems to be the bedrock of global cyber security.
Why do we need an "Early Warning System" to run on top of the CVE databases?
All CVE submissions go into Mitre and are pre-screened there. Once they have passed an initial sanity check, they are released, and can remain for up to a week in an uncategorised state.
This means they do not have a severity rating assigned to them, or a CPE string that allows the affected software to be identified. It also means that the downstream cyber platforms will not have them available until they are classified. Our AI models use all of the historical CVE data to predict the classification and identity of each newly released CVE vulnerability.
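The reconciliation the EWS feeds, as an added example that is not Robo Shadow's code: a small CPE 2.3 parser and matcher, plus a function that takes a CVE feed and an inventory of installed software, reports which records still lack a severity or CPE, and matches any record that carries a CPE (official or predicted) against the inventory. The CVE ids, vendor and product names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# CPE 2.3 formatted strings carry eleven colon-separated components after "cpe:2.3:".
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 string into named components (escaped colons not handled)."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = cpe[len("cpe:2.3:"):].split(":")
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} components, got {len(parts)}")
    return dict(zip(CPE_FIELDS, parts))

def cpe_matches(pattern: str, installed: str) -> bool:
    """True when each component of `pattern` is '*' (ANY) or equals `installed`'s."""
    p, i = parse_cpe23(pattern), parse_cpe23(installed)
    return all(p[f] == "*" or p[f] == i[f] for f in CPE_FIELDS)

@dataclass
class CveRecord:
    cve_id: str
    description: str
    severity: Optional[str] = None                 # None while Mitre has not rated it
    cpes: List[str] = field(default_factory=list)  # official or predicted CPE strings

def reconcile(feed: List[CveRecord], inventory: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (ids still lacking severity or CPE, {id: installed CPEs matched})."""
    unclassified, hits = [], {}
    for rec in feed:
        if rec.severity is None or not rec.cpes:
            unclassified.append(rec.cve_id)
        matched = [inst for pat in rec.cpes for inst in inventory if cpe_matches(pat, inst)]
        if matched:
            hits[rec.cve_id] = matched
    return unclassified, hits

# Constructed sample data: ids, vendor and products are placeholders, not real CVE entries.
INVENTORY = [
    "cpe:2.3:a:examplecorp:fileserver:4.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:routeros:7.0:*:*:*:*:*:*:*",
]
FEED = [
    CveRecord("CVE-0000-0001", "Overflow in ExampleCorp FileServer 4.x"),  # day zero: free text only
    CveRecord("CVE-0000-0002", "Auth bypass in ExampleCorp RouterOS 7.0", "CRITICAL",
              ["cpe:2.3:o:examplecorp:routeros:7.0:*:*:*:*:*:*:*"]),       # fully classified
    CveRecord("CVE-0000-0003", "Overflow in ExampleCorp FileServer 4.x", None,
              ["cpe:2.3:a:examplecorp:fileserver:*:*:*:*:*:*:*:*"]),       # CPE predicted, no severity yet
]
```

The third record shows the early-warning case: a predicted CPE lets it match the estate while its official severity is still pending.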
The average cyber protection team will not always need an early warning system. The teams who would really benefit from one are those likely to be exploited in an automated fashion, whether by advanced cyber criminals, nation states or corporate espionage.
Advanced hacking operations will have inventory lists of the software running on targets they are interested in, and will have their own early-warning-type feeds to get ahead in the race. If advanced adversaries have a week to take advantage of new vulnerabilities, they can get a lot further into a network before the holes are closed by the ensuing patching and config changes, which are only recommended once the CVE is correctly classified in the vulnerability platforms a week later.
Conversely, this isn't just a win for the bad guys. The US teams will no doubt use this time lapse to their own advantage too and, as stated above, have more of an input into when the vulnerabilities are actually released.
There are many stories circulating about how each side of the cyber war conducts its efforts and how each uses various tools to its advantage. Either way, we wanted to produce a feed that at the very least democratises this process and allows any team to protect themselves ahead of time if they need to.
We would love to hear some comments from you, or feel free to get in touch at email@example.com if you would like to discuss further.