# Exploit Management
[[Exploit Management]] is an [[Adversary Research]] capability in Cybersecurity that provides insight into which vulnerabilities have the highest likelihood of exploitation against an organization's attack surface. Exploitation factors should include:
- Adversary Interest
- Attack Surface weakness discoverability
- Simplicity of attack vector
- Level of access required for exploitability
- Weaponization and maturity of exploit
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- A[[Adversary Research]]
A --- A.1[[Persona Management]]
A --- A.2[[Dwell Analytics]]
A --- A.3[[Exploit Management]]
A --- A.4[[Target Prediction]]
A --- A.5[[Adversary Intelligence]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class A.3 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
>[!success] Definition
>Exploit Management is responsible for providing insight into which vulnerabilities pose the highest risk to an organization based on their likelihood of exploitation.
## Goals
>[!cm-goal] Goal 1
>**Published List of Relevant Vulnerabilities** - gather known vulnerability data (CVE/CWE) and filter it down based on relevance to an organization's attack surface. (move to persona and make this known exploits(catalog) and predictable (s3 public log4j examples) in next section)
>[!cm-goal] Goal 2
>**Publish Supply Chain Insights** - provide attack vectors that are not controlled by the organization but could be leveraged to attack the organization. This could include software dependencies, open source software, AI models, partner companies, \*aaS solutions.
>[!cm-goal] Goal 3
>**Published List of Exploitable Assets** - provide a list of exploitable assets and the likelihood of exploitation based on vulnerability information, abuse cases, and adversary interest to help prioritize the most critical vulnerabilities for the business. (this becomes the predictable)
>[!cm-goal] Goal 4
>**Emerging Threat Notifications** - provide timely, company-wide notifications of high-risk vulnerabilities based on adversary insights, likelihood, and emerging threats. (move to Adv Intel)
## Scope
Exploit Management should research and curate all vulnerability attack vectors and prioritize them by likelihood (Ease of Discovery + Exploit Maturity + Adversary Interest). Exploits should include CVE/CWE, product-specific abuse cases, and non-organizational assets that could be abused to indirectly attack an organization.
## Process
```mermaid
flowchart LR
A1[CVE/CWE<br />Data] --> B1[1a. Identify Relevant<br />CVE/CWE]
A2[Attack Surface<br />Data] --> B1
A3[Persona<br />Catalog] --> B2
A2 --> B2
A3 --> B3
B1 --> E[2. Align<br />Dwell Insights]
E --> F[3. Calculate<br />Likelihood]
B2[1b. Identify Product<br />Abuse Cases] --> E
B3[1c. Identify External<br />Abuse Cases] --> E
F --> G[4. Publish Exploitable<br />Opportunities]
```
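The Scope formula and steps 1a, 3 and 4 of the process above, worked through as an added example (not code from Cyber City Map or ThirdScore); it also computes the three percentages listed under Metrics. The 0-3 factor scale, the field names, the "weaponized" threshold and every sample record are assumptions constructed for illustration, and step 2 (dwell insights) is left out.

```python
from collections import namedtuple

# Constructed schema; the three likelihood factors use an assumed 0-3 scale.
Vuln = namedtuple("Vuln", "vuln_id product ease_of_discovery exploit_maturity adversary_interest")
Asset = namedtuple("Asset", "name product public")  # public = publicly discoverable

# Constructed sample data; the ids are placeholders, not real CVE numbers.
VULNS = [
    Vuln("CVE-PLACEHOLDER-1", "webfront", 3, 3, 2),
    Vuln("CVE-PLACEHOLDER-2", "webfront", 1, 0, 1),
    Vuln("CVE-PLACEHOLDER-3", "filesync", 2, 2, 3),
    Vuln("CVE-PLACEHOLDER-4", "legacy-erp", 3, 3, 3),  # product not in the inventory
]
ASSETS = [
    Asset("shop-01", "webfront", True),
    Asset("sync-int", "filesync", False),
    Asset("wiki-01", "wikiapp", True),
    Asset("db-01", "sqlstore", False),
]

def likelihood(v):  # Scope: Ease of Discovery + Exploit Maturity + Adversary Interest
    return v.ease_of_discovery + v.exploit_maturity + v.adversary_interest

def relevant(vulns, assets):
    # Step 1a: keep only vulnerabilities in products present on the attack surface.
    products = {a.product for a in assets}
    return [v for v in vulns if v.product in products]

def publish(vulns, assets):
    # Steps 3-4: score each (asset, vulnerability) pair, highest likelihood first.
    rows = [(likelihood(v), a.name, v.vuln_id)
            for v in relevant(vulns, assets) for a in assets if a.product == v.product]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def metrics(vulns, assets, weaponized_at=2):
    # Assumption: exploit_maturity >= weaponized_at counts as weaponized.
    rel = relevant(vulns, assets)
    hit = {a.name for a in assets if any(v.product == a.product for v in rel)}
    pub = [a for a in assets if a.public]
    def pct(n, d): return round(100 * n / d, 1) if d else 0.0
    return {
        "pct_vulns_weaponized": pct(sum(v.exploit_maturity >= weaponized_at for v in rel), len(rel)),
        "pct_assets_exploitable": pct(len(hit), len(assets)),
        "pct_public_assets_exploitable": pct(sum(a.name in hit for a in pub), len(pub)),
    }

if __name__ == "__main__":
    for row in publish(VULNS, ASSETS):
        print(*row)
    print(metrics(VULNS, ASSETS))
```

The highest-scoring record in the feed (`CVE-PLACEHOLDER-4`) never reaches the published list because no inventoried asset runs that product, which is the filtering that separates this capability from ranking a raw CVE feed.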
## Metrics
>[!cm-metric] % of Vulnerabilities Weaponized
>[!cm-metric] % of Assets Potentially Exploitable
>[!cm-metric] % of Publicly Discoverable Assets That Are Potentially Exploitable
## Inspiration & Resources (redo some links not relevant)
+ https://first.org/epss
+ https://www.rapid7.com/fundamentals/vulnerability-management-and-scanning/
+ https://www.cycognito.com/blog/vulnerability-prioritization-what-to-consider/
+ https://noeticcyber.com/mastering-the-art-of-vulnerability-prioritization/
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.