PHDays 10: U.S. Sanctions, My Talk on Vulristics, Other Great Talks Related to VM

Today I will talk about the Positive Hack Days conference, which took place on May 20 and May 21 in Moscow. I can say that this was and remains the main event for Information Security Practitioners in Russia.

First of all, I have to say a few words about the sanctions. The organizer of the event, Positive Technologies, has been under the sanctions of the US Treasury Department since April 2021 among the “COMPANIES IN THE TECHNOLOGY SECTOR SUPPORTING RUSSIAN INTELLIGENCE SERVICES”. In a press release, the Treasury Department wrote that Positive Technologies hosts large-scale conventions that are used as recruiting events for Russian special services. Well, I don’t know exactly what they mean. Maybe they mean PHDays or maybe not. But to say this about PHDays is like saying that any major international conference, Black Hat or RSA, is a recruiting event. This is ridiculous. In my humble opinion, these are some dirty political games. It is sad that reputable information security companies and security researchers are suffering from this.

Now let’s talk about my speech at PHDays 10. This year I had the opportunity to talk for an hour about my pet project – Vulristics. This project can help you prioritize known vulnerabilities, anything that has a CVE id. There is a full video of my speech, which I have uploaded to my YouTube channel.

Russian version.

And a version that was dubbed into English.

So, if you’re interested, I recommend watching the full video. Here I will simply repeat the main points.

I started with a disclaimer that using Vulnerability Prioritization instead of a Regular Patching process is not a good idea. If you are using some stuff and the vendor of this stuff tells you that you should install a security patch, just do it! Because in order to properly prioritize vulnerabilities, you must have good input data, but you won’t. Then I criticized the CVSS and vulnerability prioritization techniques that VM vendors use.

After that I started talking about Vulristics and how it can present Microsoft Patch Tuesday vulnerabilities, and any CVE set in general. To demonstrate this, I took the fresh advisory from the NSA and their British counterparts. With this example, I explained the difficulties of prioritizing vulnerabilities and how any part of the data may be outdated or invalid.

Finally, I showed how Vulristics can be used to compare the vulnerability knowledge bases of different scanners. I showed vulnerabilities that OpenVAS and Nessus cannot detect and suggested possible causes. I think the last part is the most interesting. After that we had a very intense Q&A session. I’ve put together a long to-do list.

Links to all of the Vulristics reports:

PHDays is, of course, more than just a conference. It is a meeting place that cannot be changed. I talked all day with former and current colleagues, classmates and with new and old friends from the field of Vulnerability Management. 😆 It’s amazing how many cool people are working with vulnerability databases and the VM process! I would especially like to note 2 reports.

Vitaly Menshov from Atlas. He talked about the detection of errors in the NVD, especially the errors in vulnerability descriptions and CPEs. He does some pretty cool stuff. I think this topic is worthy of a detailed analysis.

Ilya Zuev from Rambler. He explained how to perform comprehensive and accurate vulnerability scans. “Practice shows that a test server on the Internet, a website with an accessible .git folder, or an open port of Redis or Kubernetes API is enough to hack a company. Even with built-in processes for managing updates, vulnerabilities, and changes, unexpected situations can still arise.” Ilya discussed “how to avoid becoming a victim of ransomware, to identify vulnerabilities at all levels, from ports to configurations, code, containers in CI/CD processes”. This is a very detailed talk about Vulnerability Management and I recommend it.

I was very glad to see everyone! Thanks to the organizers for the event!
