How to Use Threat Intelligence to Defend Against Exploits
By The Recorded Future Team on April 10, 2019
- Nearly all security incidents occur from vulnerability exploits.
- Attackers are fast — unfortunately, faster than security analysts, particularly when it comes to exploiting vulnerabilities to get into networks.
- Zero-day exploits are not actually the greatest threat to your security posture.
- Threat intelligence is a critical component of a comprehensive security program, and advanced discovery of vulnerabilities is one of the most important impacts of intelligence.
Today’s vulnerability landscape is becoming increasingly virulent. The number of vulnerabilities is growing, and today’s actors are better armed than ever before with highly efficient attack frameworks and a comprehensive understanding of the threat landscape.
To defend against exploits as effectively as possible, security teams must use threat intelligence to discover vulnerabilities ahead of time — it’s the closest thing to actually staying a step ahead of malicious actors.
So how can intelligence offset the dangers of vulnerabilities? In this blog, we’ll cover what today’s vulnerability landscape looks like, how attackers are better equipped than ever before, and how security organizations can integrate threat intelligence to fortify defenses.
What Is a Vulnerability?
A vulnerability refers to a flaw in design, code, software, or firmware, or in how that code interacts with other code, software, hardware, or firmware.
Security experts find that most incidents occur from the exploitation of a vulnerability. While it’s true that phishing is usually the way in, phishing infection vectors typically exploit some vulnerability, as does malware. If an organization fails to understand the threat landscape by tracking these vulnerabilities, exploitable threats can make their way into systems.
Vulnerability Threat Landscape
To set the stage for today’s volatile threat landscape, consider these key statistics:
- An estimated 111 billion new lines of code were generated in 2018 — that’s 111 billion lines of potential vulnerabilities.
- The National Vulnerability Database (NVD) documented nearly 15,000 vulnerabilities in 2017. 14,714 were given a CVE designation, and almost 50 percent were remote code execution vulnerabilities.
- The average lifespan of a vulnerability is about 6.9 years.
Understanding the Incentives of Threat Actors
How do threat actors typically operate? It’s important to note that they’re fast — faster, unfortunately, than security analysts, particularly when it comes to exploiting vulnerabilities to get into networks.
Oftentimes, the discovery of a vulnerability can be followed by an exploit being developed, and then deployed in a widespread campaign, in weeks or days — in some cases, even hours. Most exploits are developed a week to a month after a vulnerability is publicly released, and after 45 days, there’s a 90 percent chance that vulnerability will be exploited.
Today’s attackers and their capabilities are frequently portrayed as highly sophisticated. However, advancements in automation have led to more efficient attack frameworks and made it easier for less-experienced attackers to carry out a campaign. There are entire ecosystems set up for adversaries to build on and create exploit builders and kits — tools that allow attackers to create malicious documents sent out to targets automatically. Exploit builders, kits, and other tools made available on the dark web have significantly lowered the barrier for entry required to conduct attacks.
Further, attackers have never had a better understanding of the threat landscape. They’re acutely aware, in many cases, of how quickly vulnerabilities are patched, and they swap out old exploits for new ones as quickly as vulnerabilities are discovered.
Integration of Exploits: Zero Day to Widespread
To exemplify the shift in the threat landscape from an attacker perspective, consider the validity of the common belief that zero days are the primary security threat to enterprises. It’s a widespread misconception — the reality is that most zero-day vulnerabilities are never exploited.
The groups that use zero-day exploits are well-funded, with high technical capabilities. In reality, common exploits and persistent attacks executed by run-of-the-mill cybercriminals are not coming out as zero-days.
What About the Good Guys and the Defenders?
The threat landscape is growing, and security teams are responsible for responding to tens of thousands of applications across thousands of endpoints, not to mention thousands of vulnerabilities.
Unfortunately, although time is of the essence, response does take time. The gold standard for patching a critical vulnerability is 30 days, but when that vulnerability is already being actively exploited, 30 days is not a useful time frame. Even if a patch is released to the public expeditiously, attackers are still far ahead by the time it is deployed. This is the reality.
And in some cases, a system might never get patched, either because the vendor does not support it anymore or because it’s a legacy system.
How Can Intelligence Help?
This brings us to the role of intelligence in advancing security programs and clarifying the threat landscape.
The advanced discovery of vulnerabilities is perhaps the most important impact of intelligence. Without it, security teams aren’t typically looking for where there’s a patch available, or a proof of concept or exploit out in the wild being actively used. With intelligence, security teams are able to evaluate whether vulnerabilities are being exploited and what threat actors are interested in.
With an effective intelligence tool in place, numerous capabilities are enabled. You can identify attackers’ TTPs and the targets they are interested in, which together reveal their intent and capabilities. However, intelligence can also show the complete opposite. Your security team may find no evidence of exploitation at all, which can be just as valuable.
Considerations for Tracking and Alerting on Vulnerabilities
- Security Researchers and Intelligence Blogs: These resources are open source. If your intelligence team isn’t looking at these sources and setting up alerts, a huge piece of the picture is missing.
- Software Application Security Bulletins: You can subscribe to security bulletins to receive alerts on critical vulnerabilities.
- Social Media: Twitter has become a prime source for vulnerability discovery because it’s a quick way to get the word out before a full write-up is complete.
- Threat Intelligence Platforms: A threat intelligence platform is a critical component of this process and can be used extensively for vulnerability tracking and management.
Considerations for Tracking and Alerting on Exploits
- Security Researchers and Intelligence Blogs: This is a great source for new proofs of concept, exploits, and vulnerabilities being actively exploited.
- Cloud Sites: Cloud sites such as Pastebin often attract low-level cybercriminals who share exploits. However, a threat intelligence platform will alert you to those exploits and enable you to pull code and analyze what the exploit does.
- GitHub: White hats and researchers often share exploits or proofs of concept they have discovered on GitHub.
Vulnerabilities Do Not Equal Exploits
There is one fundamental truth: vulnerabilities do not equal exploits, as demonstrated by the aforementioned zero-day example. Thousands of vulnerabilities exist, and not all of them end up being exploited. Threat intelligence is necessary for determining which ones are being exploited and which ones are not.
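The prioritization argued for above and in the intelligence section (rank by evidence of exploitation, patch availability and age against the post’s 7-to-30-day and 45-day figures, not by severity alone) can be expressed as a small triage routine. This is an added example, not Recorded Future code; the identifiers, sources and dates are constructed placeholders, and the weights are illustrative assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Figures quoted in the post: most exploits appear 7 to 30 days after public
# disclosure, and after 45 days there is a 90 percent chance of exploitation.
EXPLOIT_WINDOW_START, LIKELY_EXPLOITED_AFTER = 7, 45


@dataclass
class VulnRecord:
    vuln_id: str                 # placeholder id, not a real CVE number
    published: date
    cvss: float
    patch_available: bool
    exploit_sources: List[str] = field(default_factory=list)  # e.g. "github", "pastebin"
    actively_exploited: bool = False


def exploitation_evidence(v: VulnRecord) -> str:
    """Summarise what the intelligence sources show; 'nothing found' is a valid answer."""
    if v.actively_exploited:
        return "exploited in the wild"
    if v.exploit_sources:
        return "exploit or PoC published (" + ", ".join(v.exploit_sources) + ")"
    return "no exploit observed"


def priority(v: VulnRecord, today: date) -> int:
    """Score 0-100; assumed weights favour observed exploitation over raw CVSS."""
    score = v.cvss * 5                      # severity alone contributes at most 50
    if v.actively_exploited:
        score += 40                         # in-the-wild use outweighs everything else
    elif v.exploit_sources:
        score += 20                         # code exists, no confirmed campaign yet
    age = (today - v.published).days
    if age >= LIKELY_EXPLOITED_AFTER:
        score += 10                         # past the 45-day, 90 percent mark
    elif age >= EXPLOIT_WINDOW_START:
        score += 5                          # inside the typical exploit-development window
    if not v.patch_available:
        score += 10                         # needs compensating controls, not a patch ticket
    return min(100, round(score))


def triage(records: List[VulnRecord], today: date) -> List[VulnRecord]:
    return sorted(records, key=lambda v: priority(v, today), reverse=True)


TODAY = date(2019, 4, 10)  # constructed reference date
SAMPLE = [  # constructed records: highest CVSS has no exploit evidence yet
    VulnRecord("EXAMPLE-C", date(2019, 4, 8), 9.8, True),
    VulnRecord("EXAMPLE-A", date(2019, 3, 1), 9.0, True, ["github"]),
    VulnRecord("EXAMPLE-B", date(2019, 1, 15), 7.4, False, ["pastebin", "blog"], True),
]
```

Running `triage(SAMPLE, TODAY)` ranks the actively exploited, unpatched EXAMPLE-B first and the newest, highest-CVSS EXAMPLE-C last, which is the point the section makes.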
Security and intelligence teams work in defensive mode, but malicious actors have the upper hand by virtue of the element of surprise. Successful attacks do not require sophistication — defense does.
To learn more about how Recorded Future can help organizations better understand and prevent threats, request a personalized demo today.