Vulnerability Discovery Manager in the IRIS project

The Vulnerability Discovery Manager (VDM) is the tool developed by ATOS and included as part of the IoT and AI-Provision Risk and Vulnerability Assessment Module of the Automated Threat Analytics (ATA) component of the IRIS Platform. The goal of the VDM is the dynamic identification, enrichment, analysis and reporting of vulnerabilities discovered on a monitored infrastructure, which can include IoT devices and AI-provision systems.

In the context of the IRIS project, the Vulnerability Discovery Manager tool has been extended in two main aspects. First, the information included in the vulnerability reports that are generated and provided to the platform has been enriched with an impact analysis for vulnerabilities affecting IoT and AI-based systems. Second, a new AI-based component, developed using a deep learning algorithm, has been integrated with the aim of automating and orchestrating penetration testing activities in the same way a human pentester would perform them. This new subcomponent makes it possible to organize continuous discovery and management of vulnerabilities, as well as prioritization of the mitigation actions associated with them.

On the one hand, the Vulnerability Discovery Manager takes as its starting point the vulnerability report generated by the open-source tool Greenbone Vulnerability Management (GVM), which includes a set of Network Vulnerability Tests (NVTs) associated with CVE (Common Vulnerabilities and Exposures) identifiers. The VDM enriches this basic report with additional information available in public external databases and with a risk assessment. In particular, if the CVE of a vulnerability is available in the CIRCL CVE Search database, the weakness associated with that vulnerability is added to the report through an external reference to its CWE (Common Weakness Enumeration) identifier. In the same way, the list of attack types commonly used when this weakness is present is added through their CAPEC (Common Attack Pattern Enumeration and Classification) identifiers. All the information is provided following the STIX 2.1 standard so that it can be easily shared. The impact and exploitation methods of the identified vulnerabilities are characterized by mapping their CVEs to MITRE ATT&CK adversarial tactics and techniques. The association follows the methodology defined by the Center for Threat-Informed Defense and uses the existing mapping of CVEs to exploitation techniques and primary and secondary impacts available in their GitHub repository. The link to MITRE ATT&CK tactics is also added to the vulnerability report generated in STIX 2.1 format, using the Attack Pattern object representation defined by MITRE ATT&CK. To complete the report with the impact of the vulnerabilities found in the infrastructure, the Vulnerability Discovery Manager has been integrated with an external Vulnerability Risk Assessment Engine that performs a qualitative (based on DEXi models) and a quantitative (based on R) risk analysis. This engine is an adaptation of the Continuous Risk Assessment Engine from the SPIDER H2020 project, extended with risk models suitable for environments with IoT devices and AI-based systems, such as the presence of default IoT device passwords or buffer overflow vulnerabilities that can affect AI/ML classifications.
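The enrichment step described above, as an added example that is not the VDM's own code: one scanner finding is turned into a STIX 2.1 bundle carrying its CWE, CAPEC and ATT&CK context. The three lookup tables are constructed stand-ins for the external sources the text names (CIRCL CVE Search and the CTID CVE-to-ATT&CK mapping), the CVE identifier and host are placeholders, and the `targets` relationship from attack-pattern to vulnerability is the standard STIX 2.1 relationship type.

```python
import re, uuid
from datetime import datetime, timezone

# Constructed stand-ins for the external databases (not live lookups). The CVE id is a
# placeholder; CWE-787, CAPEC-100, T1190 and T1499 are real CWE/CAPEC/ATT&CK identifiers.
CVE_TO_CWE = {"CVE-0000-0001": "CWE-787"}                 # Out-of-bounds Write
CWE_TO_CAPEC = {"CWE-787": ["CAPEC-100"]}                  # Overflow Buffers
CVE_TO_ATTACK = {"CVE-0000-0001": {
    "exploitation_technique": ("T1190", "Exploit Public-Facing Application"),
    "primary_impact": ("T1499", "Endpoint Denial of Service")}}

def _sdo(stix_type, ts, **fields):
    """Common STIX 2.1 object header plus the caller's fields."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **fields}

def enrich_finding(cve_id, host):
    """Turn one scanner finding into a STIX 2.1 bundle with CWE/CAPEC/ATT&CK context."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    refs = [{"source_name": "cve", "external_id": cve_id}]
    cwe = CVE_TO_CWE.get(cve_id)                           # weakness behind the CVE, if known
    if cwe:
        refs.append({"source_name": "cwe", "external_id": cwe})
        refs += [{"source_name": "capec", "external_id": c} for c in CWE_TO_CAPEC.get(cwe, [])]
    vuln = _sdo("vulnerability", ts, name=cve_id, external_references=refs,
                description=f"Constructed finding reported on host {host}")
    objects = [vuln]
    for role, (tech_id, tech_name) in CVE_TO_ATTACK.get(cve_id, {}).items():
        ap = _sdo("attack-pattern", ts, name=tech_name,
                  external_references=[{"source_name": "mitre-attack", "external_id": tech_id}])
        # attack-pattern --targets--> vulnerability; the role (exploitation technique,
        # primary impact) from the CTID mapping is kept in the relationship description
        rel = _sdo("relationship", ts, relationship_type="targets", description=role,
                   source_ref=ap["id"], target_ref=vuln["id"])
        objects += [ap, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

_ID_RE = re.compile(r"^[a-z-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def bundle_is_consistent(bundle):
    """Sanity check before sharing: well-formed ids and every relationship ref resolves."""
    ids = {o["id"] for o in bundle["objects"]}
    return all(_ID_RE.match(i) for i in ids) and all(
        o["source_ref"] in ids and o["target_ref"] in ids
        for o in bundle["objects"] if o["type"] == "relationship")
```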

On the other hand, the scanning capabilities of the Vulnerability Discovery Manager have been integrated with a new module developed in IRIS that implements a Deep Reinforcement Learning agent (a Deep Q-Network, DQN), composing a novel Automated AI-based Pentesting Framework. The underlying idea is to imitate the behaviour of a human pentester: the tool automatically performs discovery and (optionally) exploitation of vulnerabilities, learning during the process to identify the optimal action to take in each state of the system in order to compromise it. In other words, it generates the best attack plan, i.e. the sequence of actions (e.g. execution of a specific exploit associated with a specific vulnerability found in the system) that an attacker would follow to compromise the system. This optimal attack plan helps to establish a prioritization of the identified vulnerabilities, determining which one should be mitigated first. The starting point for this analysis is the generation of a Markov Decision Process (MDP), which is mathematically formalized through a State Space, an Action Space, a Transition Probability Function and a Reward Function. All these components of the MDP are generated automatically by this new module based on the vulnerability report produced by the scanning module of the Vulnerability Discovery Manager. The open-source logic-based Network Security Analyzer MulVAL is used to generate an attack graph of the different states related to the vulnerabilities found, and the scores of the CVEs associated with those vulnerabilities are used to evaluate the transition probabilities between states.
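The MDP construction and the prioritization it yields, as an added example that is not the IRIS module's code: a small MulVAL-style attack graph is turned into a state space, action space, CVSS-derived transition probabilities and a reward function, then solved by value iteration (a simple stand-in for the DQN agent). The first step of the resulting plan is the vulnerability to mitigate first, and re-planning after that mitigation shows how the priority shifts. State names, CVE identifiers and CVSS scores are constructed placeholders.

```python
# Constructed attack graph in the shape of a MulVAL output: each edge is the action
# "exploit this CVE" from one state and leads to another state when it succeeds.
# CVE ids and CVSS base scores are placeholders, not data about real CVEs.
GOAL = "iot_gateway"
# (state, action) -> (state reached if the exploit succeeds, CVSS base score)
EXPLOITS = {
    ("internet", "CVE-0000-0001"): ("dmz_web", 9.8),
    ("internet", "CVE-0000-0002"): ("dmz_web", 4.3),
    ("dmz_web", "CVE-0000-0003"): ("internal_db", 8.8),
    ("dmz_web", "CVE-0000-0004"): (GOAL, 6.5),
    ("internal_db", "CVE-0000-0005"): (GOAL, 7.5),
}
STEP_COST, GOAL_REWARD, GAMMA = -1.0, 100.0, 0.9

def build_mdp(exploits):
    """Transition function: P(success) = CVSS/10; a failed attempt leaves the state unchanged."""
    mdp = {}
    for (s, a), (nxt, cvss) in exploits.items():
        p = cvss / 10.0
        reward = GOAL_REWARD if nxt == GOAL else STEP_COST
        mdp[(s, a)] = [(p, nxt, reward), (1.0 - p, s, STEP_COST)]
    return mdp

def value_iteration(mdp, goal=GOAL, gamma=GAMMA, tol=1e-6):
    """Return state values and the greedy policy (best action per state); goal is terminal."""
    states = {s for s, _ in mdp} | {nxt for outs in mdp.values() for _, nxt, _ in outs}
    V = {s: 0.0 for s in states}
    q = lambda s, a: sum(p * (r + gamma * V[n]) for p, n, r in mdp[(s, a)])
    delta = 1.0
    while delta > tol:
        delta = 0.0
        for s in states - {goal}:
            acts = [a for st, a in mdp if st == s]
            if acts:
                best = max(q(s, a) for a in acts)
                delta, V[s] = max(delta, abs(best - V[s])), best
    policy = {s: max((a for st, a in mdp if st == s), key=lambda a: q(s, a))
              for s in states - {goal} if any(st == s for st, _ in mdp)}
    return V, policy

def attack_plan(exploits, start="internet", goal=GOAL):
    """Optimal compromise path and its value; the first step is the CVE to mitigate first."""
    V, policy = value_iteration(build_mdp(exploits), goal)
    plan, s = [], start
    while s != goal and s in policy and len(plan) < len(exploits):
        plan.append(policy[s]); s = exploits[(s, policy[s])][0]
    return plan, V[start]

def mitigate(exploits, cve):
    """Re-plan after the defender patches one CVE (its edges disappear from the graph)."""
    return {k: v for k, v in exploits.items() if k[1] != cve}
```

With the constructed scores the agent prefers the two-step path through the high-CVSS entry point; patching that entry CVE lowers the start-state value and the plan falls back to the weaker entry exploit, while patching the direct hop to the goal forces the longer three-step path.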

More details about these new features implemented in the Vulnerability Discovery Manager and how this component is integrated with the IRIS platform can be found in the IRIS deliverables.