Gold Nuggeting: A Critical Step in Vulnerability Remediation Prioritization
January 6, 2020
This blog post introduces the concept of outstanding network asset detection, or what we call Gold Nuggeting, a critical step in vulnerability remediation prioritization.
Finding interesting network devices is a fundamental part of the vulnerability prioritization process employed by Delve. While many different factors are taken into account when making predictions about the importance of a given vulnerability (see “Prioritization is for Everyone”), the evaluation of the underlying asset’s appeal to a potential adversary is a critical step. Yet, this is a non-trivial problem.
Using our expertise in AI combined with our experience in pen testing, Delve tackled this challenge with the help of unsupervised machine learning methods, the details of which can be found in our latest white paper, Automating Intuition: Applying Machine Learning to Outstanding Network Asset Detection.
First, some background from the world of penetration testing. Enterprise networks house thousands of devices (IoT devices, servers, laptops, etc.), some of which present particularly ripe targets for bad actors. Over the course of years of experience, the best pen testers can very quickly find these priority assets, the ones best suited to compromise or to collect valuable information, and from which to launch a successful attack.
When first evaluating the results of network scans, typically an Nmap report, the experienced pen tester - or intruder - will quickly get a “feel” for the type of network he is currently in. During this critical early stage of an attack, the intruder is attempting to understand the relationship between the network devices he is looking at, or the underlying structure in the data, all of which is highly context-dependent. It is only when he understands the overall context of the network that he can start “digging for gold.”
Understanding context is a very human and intuitive thing to do. The context of a network device includes many factors, for example, its relationship to the other devices in its surroundings, the actual or typical use of a workstation or a server, the attack surface of the network, the business line in which the asset is used, etc. So, our goal is to find an automated method to single out interesting and outstanding network assets given their context.
Unsupervised learning is a class of machine learning algorithms that specifically use the underlying structure of the data to solve a task. This is in contrast to supervised learning, where the model is trained to optimize on the prediction given a supplied label for each example, say tagged faces in photos or pictures of cats.
Anomaly detection is an archetypal unsupervised learning task. By encoding each network device, with its interesting characteristics and properties, into a numerical representation, we are able to run efficient anomaly detection models in order to sort out the outstanding assets, or Gold Nuggets, from each network, given the specific context of the asset.
Gold Nuggeting is just one part of the Contextual Prioritization process (see "Introduction to Contextual Prioritization"), but the power of the idea seemed so interesting to us that we decided to package the process we use internally as a free, open source, stand-alone tool called Batea. Given the simple XML output of an Nmap scan, Batea allows you to filter the Gold Nuggets in your own network, helping you prioritize vulnerability remediation efforts, for example. For a more technical dive into the workings of Batea, download our previously-mentioned white paper: Automating Intuition: Applying Machine Learning to Outstanding Network Asset Detection.
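The two ideas above, encoding each host from an Nmap XML report into a numeric vector and then scoring hosts by how far they sit from their peers, as an added example that is not Batea's own code or model: the feature set, the notable-port list and the nearest-neighbour distance score are illustrative assumptions, and the Nmap report is constructed inline.

```python
# Added example, not Batea's own code: parse Nmap XML, encode each host as a
# feature vector, rank hosts by nearest-neighbour distance (an outlier score).
import math
import xml.etree.ElementTree as ET

# Ports whose presence is a feature in its own right (assumed, illustrative).
NOTABLE_PORTS = (389, 1433, 3306, 5432)

def host_xml(addr, ports):
    """Build one <host> element in Nmap's XML layout (constructed sample data)."""
    body = "".join(f'<port protocol="tcp" portid="{p}"><state state="open"/>'
                   f'<service name="{s}"/></port>' for p, s in ports)
    return f'<host><address addr="{addr}" addrtype="ipv4"/><ports>{body}</ports></host>'

# Constructed report: three similar workstations and one server-like host.
NMAP_XML = "<nmaprun>" + "".join([
    host_xml("10.0.0.11", [(445, "microsoft-ds"), (3389, "ms-wbt-server")]),
    host_xml("10.0.0.12", [(445, "microsoft-ds"), (3389, "ms-wbt-server")]),
    host_xml("10.0.0.13", [(135, "msrpc"), (445, "microsoft-ds"), (3389, "ms-wbt-server")]),
    host_xml("10.0.0.50", [(22, "ssh"), (80, "http"), (389, "ldap"), (443, "https"),
                           (1433, "ms-sql-s"), (3306, "mysql")]),
]) + "</nmaprun>"

def encode_host(host):
    """Encode a <host> as [open ports, distinct services, ports below 1024, notable-port flags]."""
    open_ports = [p for p in host.iter("port") if p.find("state").get("state") == "open"]
    ports = {int(p.get("portid")) for p in open_ports}
    services = {p.find("service").get("name") for p in open_ports if p.find("service") is not None}
    privileged = sum(1 for p in ports if p < 1024)
    flags = [1.0 if p in ports else 0.0 for p in NOTABLE_PORTS]
    return [float(len(ports)), float(len(services)), float(privileged)] + flags

def rank_hosts(xml_text):
    """Return (address, outlier score) pairs, most outstanding host first."""
    hosts = list(ET.fromstring(xml_text).iter("host"))
    addrs = [h.find("address").get("addr") for h in hosts]
    vecs = [encode_host(h) for h in hosts]
    # Min-max scale each feature so raw port counts do not swamp the binary flags.
    lo, hi = [min(c) for c in zip(*vecs)], [max(c) for c in zip(*vecs)]
    scaled = [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
              for vec in vecs]
    dist = lambda a, b: math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    # A host whose nearest neighbour is far away has no peer group: an outlier.
    scores = [min(dist(scaled[i], scaled[j]) for j in range(len(scaled)) if j != i)
              for i in range(len(scaled))]
    return sorted(zip(addrs, scores), key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for addr, score in rank_hosts(NMAP_XML):
        print(f"{addr:12} {score:.3f}")
```

On the constructed report the server-like host 10.0.0.50 ranks first and the two identical workstations score zero, which is the contextual point: a host is outstanding relative to its neighbours, not in absolute terms.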
To try Batea right now using our trained model: https://delvesecurity.com/batea/
To train your own model or to contribute to the project: https://github.com/delvelabs/batea