In April 2014 I presented the first prototype of SMASH (Social Media Analysis for Security on HANA), a HANA-based tool that crawls social media in order to analyze all the information related to software vulnerabilities published in official and non-official sources. The idea is quite simple: provide a list of software products to monitor, and you will be alerted as soon as information related to a new vulnerability, zero-day, CVE, exploit, patch, etc. concerning these products is published. In order to validate internally the results obtained by SMASH in terms of relevance and completeness, we compared, over one month, the reports provided by a very well known security company (which I will not name) on a list of software products. We then checked, one by one, whether every new vulnerability or patch reported in those documents had also been captured by SMASH. The matching result was 98%. For confidentiality reasons I will not disclose the content of the data nor the list of software.
SMASH is now running in live mode, meaning that it aggregates and analyses hundreds of thousands of messages in real time and displays alerts and reports on the latest vulnerabilities. Besides vulnerability tracking, SMASH makes it possible to compute the popularity of any vulnerability over time, to identify the real security experts per software product who are publishing on social media, to compute the average patching time per software provider, etc. SMASH has thus become a powerful tool not only for monitoring vulnerabilities but also for analyzing the behavior of the security community: it uncovers meta-information about previously unknown phenomena in the vulnerability management process in the IT world. SAP HANA DB and its real-time analytics capabilities are clearly a strong advantage for us in obtaining high-quality results from a huge amount of big-data analysis executed in parallel. Where traditional database frameworks would take ages, HANA delivers these results quasi-instantaneously.
Detecting Zero-day vulnerabilities for Linux OS in 2014
Using SMASH we demonstrated through a study how talkative the open source community can be with regard to new vulnerability disclosure, especially when these vulnerabilities are not yet patched. Although, in the literal and strict definition of a zero-day vulnerability, the vulnerability must be unknown to the software provider, I consider that disclosing information before the official release of a patch can be categorized under the umbrella of the zero-day.
For the study we took 62 Linux kernel CVEs from January to July 2014 (the study was made at the end of July 2014). Starting from the vulnerability descriptions, we ran the SMASH search on Twitter in order to detect related 0-day publications. Once we detected a match with a publication on Twitter, we checked the official Linux publications regarding the vulnerability and its patches in order to verify the relevance of the 0-day. If nothing had appeared before the Twitter publication, we counted it as a new 0-day detected.
75.8% of the CVE vulnerabilities were disclosed as 0-day information before the official disclosure. Most of the tweets refer to Linux kernel bug trackers or Linux developer forums. The average advance time is approximately 19 days. The average CVSS score is 5.88, and 34% of the 0-day vulnerabilities are rated between 6 and 10. The 0-day disclosure is much more critical than the early CVE disclosure, because most of the time the software vendor is not aware of the vulnerability, and exploitation can easily be carried out by malicious persons. Having the 0-day information before the exploit is published is valuable information that supports system administrators in protecting their systems against early vulnerability exploits.
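To make the matching and counting steps of the study concrete, here is a small replay of the procedure in Python on constructed data. This is an added example, not SMASH code or data: the CVE identifiers are placeholders, and every description, date, CVSS score and tweet is made up; the keyword-overlap matcher and its two-keyword threshold are assumptions standing in for whatever text matching SMASH actually performs. A tweet counts as a 0-day only when its earliest match precedes the official disclosure date; a match posted after the official date is treated as ordinary post-disclosure chatter.

```python
"""Replay of the SMASH study procedure on constructed data.

Added example, not SMASH code or data: every CVE id, description, date,
CVSS score and tweet below is made up, and the keyword-overlap matcher is
an assumption standing in for SMASH's own text matching.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Short function words that would otherwise create spurious overlaps.
STOPWORDS = {"with", "from", "that", "this", "when", "which", "into", "using", "your"}
MIN_OVERLAP = 2  # assumed threshold: two shared keywords count as a match


@dataclass(frozen=True)
class Cve:
    cve_id: str          # placeholder ids, not real CVE numbers
    description: str     # text the search starts from
    official_date: date  # date of the official vendor disclosure / patch
    cvss: float


@dataclass(frozen=True)
class Tweet:
    posted: date
    text: str


def tokens(text: str) -> set:
    """Lower-cased alphanumeric tokens, dropping stopwords and very short words."""
    return {w for w in re.findall(r"[a-z0-9_]+", text.lower())
            if len(w) > 3 and w not in STOPWORDS}


def matches(cve: Cve, tweet: Tweet) -> bool:
    """A tweet 'talks about' a CVE if it shares enough keywords with its description."""
    return len(tokens(cve.description) & tokens(tweet.text)) >= MIN_OVERLAP


def zero_day_lead_days(cve: Cve, tweets: List[Tweet]) -> Optional[int]:
    """Days by which the earliest matching tweet precedes the official disclosure.

    None when no tweet matches, or when the first match is on/after the
    official date (post-disclosure chatter is not a 0-day).
    """
    hits = [t.posted for t in tweets if matches(cve, t)]
    if not hits:
        return None
    first = min(hits)
    return (cve.official_date - first).days if first < cve.official_date else None


def summarize(cves: List[Cve], tweets: List[Tweet]) -> Dict[str, float]:
    """The four figures reported in the study, computed over the given corpus."""
    leads = {c.cve_id: zero_day_lead_days(c, tweets) for c in cves}
    early = [c for c in cves if leads[c.cve_id] is not None]
    n = len(early)
    return {
        "early_disclosed_pct": round(100.0 * n / len(cves), 1),
        "avg_lead_days": round(sum(leads[c.cve_id] for c in early) / n, 1) if n else 0.0,
        "avg_cvss": round(sum(c.cvss for c in early) / n, 2) if n else 0.0,
        "high_severity_pct": round(100.0 * sum(1 for c in early if 6 <= c.cvss <= 10) / n, 1) if n else 0.0,
    }


# Constructed corpus: four made-up kernel issues and four made-up tweets.
CVES = [
    Cve("CVE-PLACEHOLDER-1",
        "Local privilege escalation via race condition in the futex requeue handling",
        date(2014, 6, 5), 7.2),
    Cve("CVE-PLACEHOLDER-2",
        "Denial of service via malformed SCTP packet causing NULL pointer dereference",
        date(2014, 3, 10), 5.0),
    Cve("CVE-PLACEHOLDER-3",
        "Information leak in the netfilter connection tracking module",
        date(2014, 4, 15), 4.3),
    Cve("CVE-PLACEHOLDER-4",
        "Stack buffer overflow in the ALSA sound driver ioctl handler",
        date(2014, 7, 1), 6.6),
]
TWEETS = [
    Tweet(date(2014, 5, 20),
          "Kernel bug tracker: race in futex requeue lets local users escalate privileges, patch pending"),
    Tweet(date(2014, 3, 1),
          "lkml thread: NULL pointer deref on malformed sctp chunk, fix posted for review"),
    Tweet(date(2014, 4, 20),
          "Advisory out: info leak in netfilter conntrack, update your kernel"),  # after disclosure
    Tweet(date(2014, 6, 1),
          "Reminder: patch Tuesday is coming, update your systems"),  # unrelated noise
]

if __name__ == "__main__":
    for c in CVES:
        print(c.cve_id, "lead days:", zero_day_lead_days(c, TWEETS))
    print(summarize(CVES, TWEETS))
```

On this corpus the first two placeholder CVEs are matched 16 and 9 days ahead of their official dates, the third is matched only after its disclosure and the fourth not at all, so the summary reports 50% early disclosure, an average lead of 12.5 days, an average CVSS of 6.1 and half of the 0-days in the 6 to 10 band. The same four functions are what you would run over the real 62-CVE set, with the matcher swapped for something stronger than keyword overlap.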
The detailed study was published at the Seventh IFIP International Conference on New Technologies, Mobility and Security (NTMS 2015) under the title “Mining Social Networks for Software Vulnerabilities Monitoring”.
New features are currently being developed and new studies are being conducted in order to improve SMASH. Stay tuned: you will be informed soon about the evolution of the tool.