ACKEM+LEV Fusion Methodology Whitepaper

ACKEM + LEV Fusion: The Future of Exploit-Aware Threat Modeling
By SHELLHOUNDS
Version 1.0 – May 2025
Executive Summary
While many security frameworks focus on either tactics (like MITRE ATT&CK) or risk probability (like CVSS, KEV, or EPSS), Klavan's ACKEM model and NIST's recent LEV initiative offer something more powerful: an opportunity to predict, prioritize, and defend against threats that are both real and likely.
This whitepaper introduces a practical fusion of the two: ACKEM + LEV — a hybrid methodology that combines attacker workflows with quantitative exploit likelihood to drive smarter, faster security decisions.
1. What is ACKEM?
ACKEM (Attack Chain Kill Exploit Model) is Klavan's internal model for tracing modern attacker behavior across the full lifecycle—from reconnaissance to data theft. It gives defenders the context needed to map controls and detection logic to real-world tactics.
ACKEM Phase | Description |
---|---|
Reconnaissance | Passive and active targeting of victims |
Weaponization | Building payloads and tooling |
Delivery | Sending exploits or phishing infrastructure |
Exploitation | Leveraging CVEs, zero-days, or logic flaws |
Installation | Establishing persistence |
Command & Control | Managing infected hosts remotely |
Action on Objective | Data theft, encryption, exfiltration |
2. What is LEV?
LEV (Likely Exploited Vulnerabilities) is a framework from NIST that builds on EPSS and the KEV catalog. Instead of waiting for threat intel to confirm exploitation, LEV provides a probability score for each CVE based on observed behaviors and model predictions.
This methodology was formally introduced in NIST Cybersecurity White Paper CSWP 41 "Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability" by Peter Mell and Jonathan Spring (May 19, 2025). The paper presents a mathematically sound approach to calculating the likelihood that vulnerabilities have been observed to be exploited in the past.
Metric | Description |
---|---|
LEV Score (0–1.0) | Likelihood of real-world exploitation |
Inputs | EPSS, CVE metadata, attacker behavior |
Use Case | Patch prioritization, KEV gap-filling |
3. Why Combine Them?
Both models are strong—but incomplete on their own:
- ACKEM shows how CVEs are exploited during real attacks but lacks exploit probability.
- LEV scores how likely a CVE is to be used, but not how it fits into an attack chain.
By fusing the two, security teams gain:
- Exploit-aware threat modeling
- Detection engineering with risk weighting
- Prioritized patching based on real attacker use cases
4. Fusion Methodology: ACKEM + LEV
ACKEM Phase | Mapped Use of CVEs | LEV Insight |
---|---|---|
Delivery | CVEs in file delivery chains | Predict which vulnerabilities are likely vectors |
Exploitation | CVEs used to gain code execution | Prioritize unpatched CVEs with high LEV scores |
Installation | CVEs enabling persistence or privilege | Identify older CVEs that silently persist |
C2/Objective | CVEs enabling data exfil or escalation | Understand lateral CVE usage not on KEV list |
5. Example: CVE-2020-1472 (Zerologon)
Attribute | Value |
---|---|
ACKEM Phase | Exploitation → Installation |
LEV Score | 0.91 (very likely exploited) |
KEV Status | Yes |
EPSS Score | 0.73 |
Takeaway | High-value CVE across multiple attack chains. Patch immediately and monitor use in post-auth events. |
6. Applications of the Fusion Model
Detection Engineering
"Trigger an alert if a LEV > 0.80 CVE is observed in the 'Exploitation' phase of a process tree."
Threat Modeling Workshops
Use ACKEM phases to model attacker workflows, then overlay LEV scores to prioritize patching and control coverage.
CISO Dashboards
- CVEs likely to be exploited (LEV)
- Where they fall in your attack surface (ACKEM)
- What controls mitigate them
7. How to Use It Today
Step 1: Build a CVE Map
- Pull your environment's CVE inventory (from scanners or SBOMs)
- Add LEV scores (NIST LEV or EPSS proxy)
- Map each to ACKEM phases
Step 2: Prioritize Defenses
- CVEs with high LEV + ACKEM Exploitation/Installation = patch now
- CVEs with low LEV but used in recent threat campaigns = monitor and review
Step 3: Build into SOC Workflows
- Tag CVEs in alerts with ACKEM+LEV context
- Enrich detection rules with LEV thresholds
- Include in threat hunts and quarterly risk reviews
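The three steps above and the section 6 detection rule, as an added worked example (not SHELLHOUNDS' or Klavan's code): a small Python triage helper over a constructed inventory that reuses the Appendix A worksheet values. The 0.30 "low LEV" cut-off, the "patch this cycle" tier and the CVE-EXAMPLE-0001 placeholder are assumptions; only the LEV > 0.80 threshold comes from the whitepaper.

```python
from dataclasses import dataclass
# Only "LEV > 0.80" comes from the whitepaper; the other cut-offs are assumptions.
LEV_ALERT_THRESHOLD = LEV_HIGH = 0.80  # section 6 rule / step 2 "high LEV"
LEV_LOW = 0.30                         # assumed: below this a CVE counts as "low LEV"
HOT_PHASES = {"Exploitation", "Installation"}

@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    lev: float
    ackem_phase: str
    epss: float
    kev: bool
    mitigated: bool
    seen_in_recent_campaign: bool = False

# Constructed inventory: the first three rows reuse the Appendix A worksheet values;
# the fourth is a placeholder id added to exercise the "low LEV, recent campaign" rule.
INVENTORY = {r.cve_id: r for r in [
    CveRecord("CVE-2020-1472", 0.91, "Exploitation", 0.73, True, False),
    CveRecord("CVE-2019-0708", 0.84, "Initial Access", 0.18, True, False),
    CveRecord("CVE-2023-23397", 0.79, "Delivery", 0.62, False, False),
    CveRecord("CVE-EXAMPLE-0001", 0.12, "Installation", 0.05, False, False, True),
]}

def prioritize(rec: CveRecord) -> str:
    """Step 2 rules: high LEV in Exploitation/Installation -> patch now;
    low LEV but seen in a recent campaign -> monitor and review."""
    if rec.mitigated:
        return "mitigated"
    if rec.lev >= LEV_HIGH and rec.ackem_phase in HOT_PHASES:
        return "patch now"
    if rec.lev < LEV_LOW and rec.seen_in_recent_campaign:
        return "monitor and review"
    if rec.lev >= LEV_HIGH or rec.kev:
        return "patch this cycle"  # assumption: KEV-listed or high LEV outside hot phases
    return "schedule"

def enrich_alert(alert: dict, inventory: dict = INVENTORY) -> dict:
    """Step 3: tag an alert with ACKEM+LEV context and apply the section 6 rule
    (escalate when a LEV > 0.80 CVE is observed in the Exploitation phase)."""
    rec = inventory.get(alert.get("cve_id"))
    out = dict(alert)
    if rec is None:
        out.update(lev=None, ackem_phase=None, priority="unknown cve", escalate=False)
        return out
    out.update(lev=rec.lev, ackem_phase=rec.ackem_phase, priority=prioritize(rec),
               escalate=rec.lev > LEV_ALERT_THRESHOLD and alert.get("observed_phase") == "Exploitation")
    return out
```

In a SOC pipeline the inventory would be loaded from the scanner or SBOM export built in Step 1, and the enriched fields would be written back onto the alert for the analyst and for quarterly review reporting.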
Appendix A: ACKEM+LEV Prioritization Worksheet
CVE ID | LEV Score | ACKEM Phase | EPSS Score | KEV | Mitigated? | Patch SLA |
---|---|---|---|---|---|---|
CVE-2020-1472 | 0.91 | Exploitation | 0.73 | Yes | No | 7 Days |
CVE-2019-0708 | 0.84 | Initial Access | 0.18 | Yes | Partial | 14 Days |
CVE-2023-23397 | 0.79 | Delivery | 0.62 | No | No | 7 Days |
Final Thoughts
ACKEM + LEV isn't just a fusion of models—it's a fusion of mindsets.
It's tactical and quantitative. Strategic and operational. It helps security teams act faster, with confidence, before attackers strike.
At Klavan, we use this fusion model in SHELLHOUNDS threat intel, detection rules, and client patch programs. We're sharing it now so you can too.