"We scan for open vulns, successful exploitation is whenever a bunch of sensors triggers on them later" pic.twitter.com/3guK2RGICK
Using IDS sigs for successful exploitation is the kind of statistic that only a data scientist could love!
Kenna's top 10 vulns match up to the top triggered sigs on every Snort install ever. pic.twitter.com/7z4W7LLo3p
That should have been a major hint that they weren't measuring anything at all, but somehow... pic.twitter.com/AAOneIzBws
If you missed that, Kenna thinks attackers are successfully exploiting FREAK and an RDP DoS and so you should prioritize them above new CVEs
This dataset and their analysis is misleading and harmful. Enterprises that follow that advice are worse off after reading it.
There's a total disconnect between real incident data and Kenna's synthetic dataset; here's another take on it: https://twitter.com/thegrugq/status/727002988250730496
Microsoft is combining crash data with on-host agent data here. They can track process execution. This data is REAL: https://twitter.com/thegrugq/status/727002988250730496
It still confuses me why Verizon didn't use their own incident data for tracking successful exploitation. It's concrete and reliable.
If there are issues with quantity, then get your collaborators to improve their data collection until it's statistically reliable!
Instead, Verizon worked with Kenna to make up a bunch of data then masked it in "data science" to make it look like more than garbage.
Or, exploitation is dramatically easier to detect on-host. Partner with an agent vendor: "If iexplore.exe launches cmd.exe then popped=true"
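Added example, not from the thread or from any agent vendor: a minimal implementation of the on-host heuristic in the tweet above, run over a few constructed process-creation events. The Sysmon-style `host=... ParentImage=... Image=...` layout, the field names and the browser/shell lists are assumptions made for this illustration, as is the sample data.

```python
"""On-host 'browser spawned a shell' check over constructed process-creation events.

Added example for illustration. The log layout (key=value pairs, Sysmon-like field
names) and the sample events below are constructed, not taken from any real agent.
"""
import ntpath
import re

# Constructed sample of process-creation events (one per line).
SAMPLE_EVENTS = """\
host=ws01 ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe Image=C:\\Windows\\System32\\cmd.exe
host=ws01 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe
host=ws02 ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
host=ws02 ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe Image=C:\\Program Files\\Adobe\\AcroRd32.exe
host=ws03 ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe Image=C:\\Windows\\System32\\cmd.exe
"""

# Assumed process names; a real deployment would tune these to its environment.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# key=value pairs whose values may contain spaces (Windows paths); a value ends
# where the next "key=" token begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one constructed log line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_browser_spawned_shell(event):
    """The tweet's heuristic: a browser process is the direct parent of a shell."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent in BROWSERS and child in SHELLS


def find_hits(log_text):
    """Return (host, parent, child) for every event matching the heuristic."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_browser_spawned_shell(event):
            hits.append((
                event["host"],
                ntpath.basename(event["ParentImage"]),
                ntpath.basename(event["Image"]),
            ))
    return hits


def hosts_popped(log_text):
    """Sorted list of hosts with at least one matching event ('popped=true')."""
    return sorted({host for host, _, _ in find_hits(log_text)})


if __name__ == "__main__":
    for host, parent, child in find_hits(SAMPLE_EVENTS):
        print(f"{host}: {parent} -> {child}")
    print("popped hosts:", hosts_popped(SAMPLE_EVENTS))
```

The point of the contrast with signature counting is that each hit here is tied to an observed execution on a specific host, not to a packet that resembled an exploit. The heuristic is still coarse: it will miss exploitation that never spawns a shell and can fire on legitimate tooling launched from a browser, so in practice it is one corroborating signal to be joined with crash data and other agent telemetry, not a standalone verdict.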
Several others have cogent analysis of the Verizon/Kenna data. See here: https://twitter.com/thegrugq/status/726986083381055488 and here: https://twitter.com/tqbf/status/726989872913739777
@dguido I'm just shocked that apparently *no one* in the chain from data to press had even a basic real world understanding of exploitation!