For the past few years we've seen an increase in the number and complexity of cyber attacks. A decade ago you could have said that only large enterprise are being targeted. However, nowadays any device connected to the internet can become the victim of a cyber attack or a way in when attackers are looking for more complex cyber attacks. This mainly happens because cybercriminals have developed novel techniques to benefit from security breaches at scale: ransomware attacks, data leakage, cryptominning, DDoS as a service are just a few examples. Many times they will just use known vulnerabilities to exploit systems that didn't fixed the issues. 

To better respond to these threats, the industry developed standards, such as CVE (Common Vulnerabilities and Exposures), a database with more than 120,000 entries of known vulnerabilities each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. 

Only in 2019 there were almost 20,000 reports making the job to asses and evaluate each finding quite difficult for maintainers. Most of the time the bugs are released weeks before they get the chance to be correctly evaluated by the maintainers of such a database, enough time for hackers to use the reported techniques to exploit vulnerable systems.

In this talk I will present some of the results we obtained at Bit Sentinel by applying Deep Neural Network and other Machine Learning techniques to predict CVSS (Common Vulnerability Scoring System) and CWE (Common Weakness Enumeration) but also ideas on how you can better prioritise vulnerability patching by predicting the exploitability likelihood when using Open Source Intelligence (OSINT).