Flashpoint launches new 'ransomware prediction model'
Flashpoint's new model assigns a 'ransomware likelihood' rating for vulnerabilities contained in the VulnDB database, which contains more than 300,000 flaws.
Flashpoint is hoping to help enterprises better prioritize the growing onslaught of vulnerabilities by adding a ransomware rating to flaws documented in its database.
In a blog post Wednesday, the cyber threat intelligence vendor launched what it referred to as a "first-of-its-kind ransomware prediction model" to help security teams manage an insurmountable number of vulnerabilities. Now, ransomware risk is added to flaw descriptions in VulnDB, a vast vulnerability database created by Flashpoint subsidiary Risk Based Security, which includes more than 300,000 entries.
While it can't necessarily predict and prevent ransomware incidents, the prediction algorithm offers a new way for enterprises to prioritize patching, which is a major problem, particularly for companies with fewer resources.
Jake Kouns, CEO of Risk Based Security, told TechTarget Editorial he's been working on the new proprietary ransomware prediction model for a year. His goal was to provide enterprises with the best data in order to make informed decisions when it comes to patching.
"No one has done this or has the data set to do it," Kouns said. "Our intention is to take 300,000 vulnerabilities and lens them down to the ones you can fix."
VulnBD has collected data for more than a decade, complete with classifications and metrics. It even includes 96,000 flaws that were not assigned a CVE or added to the National Vulnerability Database.
"The theory started this way: If we know about vulnerabilities that are used in ransomware, can we use our data that not one else has and fingerprint it so, when a new vulnerability comes out, we can see this kind of looks like these other ones threat actors have used before?" he said.
Once the vulnerabilities are profiled, Flashpoint can map out the data and look for discerning patterns, such as which vulnerabilities tend to have exploits, how exploitation can be triggered, the attack type, the impact and which tend to be used in ransomware operations.
From the threat intelligence side, Flashpoint examines what ransomware groups are doing to understand the tactics, techniques and procedures that may affect which vulnerabilities are used in attacks. Additionally, Flashpoint pulls from the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list.
The model generates a "ransom likelihood" rating for each flaw, which is intended to be used in conjunction with other factors, such as high critical ratings and CVSS, to determine if it's worth the time and effort required to patch promptly.
"I've had some security people say to me, 'So, you're going to guarantee everything you predict is right?' Yes, because it's a probability. We're basically saying this has a high likelihood to be used in ransomware," he said.
While ransomware groups use alternative attack vectors, such as exposed Amazon Simple Storage Service buckets and misconfigurations, Kouns said Flashpoint is seeing ransomware actors employ a fundamental amount of malware used in attacks that exploit vulnerabilities. He referred to the model as "prevention-based" because, by providing organizations with the knowledge a flaw could be used in a ransomware attack, they have time to remediate.
Flashpoint also tested the model on historically damaging vulnerabilities, including Log4Shell, which was discovered in 2021 but used by ransomware groups as recently as June to take over systems running VMware Horizon.
"Would it have caught these ransomware events? The answer is yes," he said.
While Flashpoint doesn't yet have accuracy data since the model's release more than two weeks ago, Kouns said customer response so far has been positive because they are grappling with so many security problems and the model assists security teams with prioritization and communication with management teams.