Predicting State-Sponsored Actors Exploiting Known Vulnerabilities


In October, 2020, the NSA issued a cybersecurity advisory on Chinese state-sponsored hacking operations that leveraged, or scanned-for, 25 publicly known vulnerabilities.  While hackers – including state sponsored actors – use numerous techniques to target organizations, the exploitation of these publicly known vulnerabilities should be prioritized for immediate patching and mitigation efforts. 

As industry experts have urged security leaders to push for a strategic vision for mitigating risk to the business through the enforcement of risk-based vulnerability management practices, Security and IT Operations teams continue to struggle to get their hands on the relevant information in order to best secure the network. 

What if it was possible to predict the advanced and persistent threat posed by malicious cyber activity? Predicting vulnerabilities is not only possible, but will soon become an integral task of true risk-based vulnerability prioritization. 


Yes/No Forecast For Vulnerability Management 

While there are tools currently in the market that offer “prediction” and vulnerability prioritization capabilities, most of these tools generate complicated ratings or scores that indicate the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. 

The NorthStar Prediction Engine is unique as it delivers a yes/no categorical prediction. This provides a definitive assessment on whether a CVE will eventually be exploited in the wild. Each prediction comes with a timestamp representing when the prediction was first made based on all available data at the time. 


NorthStar vs NSA Top 25 CVEs  

Of the 25 publicly known CVEs issued in the NSA advisory, NorthStar predicted 22 of the 25. The following table takes a snapshot of how NorthStar did against the NSA advisory list: 

NorthStar Vulnerability Prediction Validation


NorthStar predicted CVE-2019-11510 386 days in advance and CVE-2020-15505 47 days in advance of either being exploited in the wild. 


Predicting Exploitability 

Is your vulnerability management program able to clearly delineate between vulnerabilities that are predicted to be exploited in the wild vs ones that are currently being actively exploited in the wild? 

Vulnerability Prediction begins with the collection of surveillance data that captures the footprint or breadcrumbs left behind online by attackers seeking to develop, deploy, and monetize exploits that are capable of leveraging an existing vulnerability. The appearance of these events and activities have proven reliable in determining the immediate risk posed by each vulnerability. 

Contextualizing the proper use of vulnerability prediction in a cyber program will lead to a dramatic reduction in the number of vulnerabilities that require immediate attention in your environment. This ensures that not only are your teams fixing the most pressing issues, they know WHY they are fixing them and can effectively communicate urgency. 


How NorthStar Prediction Engine Works 

The NorthStar Prediction Engine uses online deep learning to leverages active attacker tool imagery and all available vulnerability data to predict if an exploit will be created and used in the wild for a particular vulnerability.  

With results validated by the industry’s leading threat intelligence feed, NorthStar predicts the application of exploit to a CVE and definitively providing the opportunity for measured effort to prioritize what is on the To Do list. 

Leveraging our collection platform, NorthStar’s prediction engine accurately identified over 45% of the vulnerabilities that would be exploited in the wild at some point in the future, providing an average notice of over 300 days in advance.  

By incorporating predictive technology into your risk-based vulnerability management program, you will greatly reduce the number of CVEs to focus on and be able to prioritize and remediate the cyber risks that will have the biggest impact on the business.  



Want to know more? We’d love to show you how prediction can further enhance your existing vulnerability management program. Send your requests to