No VR Required: Simulating Attack Paths for Vulnerability Management

November 14, 2024 @ 10:55 - 11:30

About Session

Technical Level: Intermediate

In 2023, 71% of CVEs published to the NVD had an attack vector of “NETWORK”, a percentage that has stayed consistent over the past several years. This doesn’t tell the full story, though, because CVSS is not designed to support a high level of organizational customizability. Other metrics, like CISA’s Known Exploitable Vulnerabilities catalog or the Exploit Prediction Scoring System (EPSS), can provide more information about risk, but they still cannot be easily adjusted per organization. But what if you could know that a specific CVE was exploitable in your unique network? What if you could see the exact steps an attacker would need to take through your network to compromise a device? What if vulnerability and asset data could be combined to give a more complete picture of risk?

Kylie McClanahan will present the culmination of 4 years of DOE-funded research on the feasibility of network attack simulations for vulnerability remediation and prioritization. She will discuss the methodology and approach to this problem, the results of the research, and how this could be adapted into the security decision process in both small and large organizations.


Kylie McClanahan

CTO, Bastazo