Is PR Hype Adding to Vulnerability Vagueness?
By Chris Pace on April 7, 2016
- Learn why the best marketing doesn’t equal the most severe vulnerabilities.
- Find better ways than news media and manual feeds to research new vulnerabilities.
- Understand how threat intelligence helps inform security operations when responding to vulnerabilities.
We’re becoming used to it. Another scary vulnerability, another catchy name, another flashy logo, and a slick website to go with it. At the beginning of March a team of researchers announced that they had discovered “DROWN,” a vulnerability in HTTPS and other services that rely on SSL and TLS.
The website they created is comprehensive; it outlines the nature of the vulnerability in deep technical detail and presents the best way for organizations to identify whether they’re vulnerable.
It also highlights that many websites could already be at risk if DROWN is exploited. And here’s where the PR machine kicked in — the most popular headlines screamed that millions of websites faced imminent doom from this serious and gaping flaw.
Now that’s not to say these headlines aren’t accurate. The vulnerability is real and it does put websites at risk. The actual problem here is that when a new vulnerability is marketed a certain way, there may be a perception that it’s more of a threat than those which have been identified and published in a more traditional format.
Leading security technologist Bruce Schneier doesn’t seem to be a fan of this penchant for vulnerabilities getting their own PR:
As an aside, I am getting pretty annoyed at all the marketing surrounding vulnerabilities these days. Vulnerabilities do not need a catchy name, a dedicated website — even though it’s a very good website — and a logo.
Schneier on Security, March 3, 2016
Profile vs. Severity
Since 2011, the number of vulnerabilities disclosed each year has increased by more than 40%, to around 8,000. Each one presents a risk of some kind, but only a fraction will receive the publicity of those marketed with websites, logos, and PR campaigns. Against that backdrop, the people who need to know about a problem stand a much better chance of hearing about a high-profile vulnerability, and the attention puts pressure on technology providers to patch quickly. But there is now also a risk that when every vulnerability has its own Twitter feed and publicist, none of them will seem important any more.
There’s also no doubt that researchers and security vendors are using the vulnerabilities they’ve discovered to raise their own profile or the visibility of their brand, and no one can blame them for that.
One of the challenges in addressing a vulnerability operationally is balancing two concerns:
- How much of a security risk does this present?
- If I have to change some part of our technology, what’s the risk something might break?
The headlines don’t really help answer either of those questions. In fact, at first glance they might lead you to believe that the security risk must be greater simply because the vulnerability is high profile. On the second question, many organizations will simply wait for the next scheduled upgrade rather than risk a patch that might break their technology. This means that months can pass before the hole a vulnerability opens is effectively closed.
In the meantime, attackers are likely to move far more quickly. If the vulnerability is easy to turn into a working exploit, a threat can be in the wild within days.
Using Threat Intelligence for Effective Response
If you’re involved in making decisions around securing your organization, you can’t just rely on the most popular news articles to inform how you approach updates and patches. Only when you’re able to gather all of the information from official sources and combine that with the technical detail and press coverage do you have the full picture.
When you’re gathering intelligence it’s often difficult to quickly identify new information about vulnerabilities and exploits, and harder still to see how they connect. Keyword searches can only take you so far, because they rely on you knowing exactly what to search for and how.
Let’s go back to our example of the DROWN vulnerability.
The Recorded Future Intel Card for DROWN shows, despite all the coverage, very little in the way of connections to malware types or specific indicators of compromise.
Let’s compare that with the Intel Card for CVE-2016-1001. Obviously CVE-2016-1001 didn’t have much of a marketing machine behind it, but it has recently been added to the ubiquitous Angler Exploit Kit. There’s significantly more intelligence here. Each Intel Card also defines the particular products that are at risk from this vulnerability, in this case Adobe Flash.
Real-time threat intelligence offers you two clear advantages when researching vulnerabilities:
- You can search for intel on one vulnerability and know that the related results are still relevant. So if you search for DROWN you’ll also see any associated CVEs, exploits, or malware as well as IP addresses or other indicators of compromise.
- You’ll get regular alerts on that vulnerability in real time, including on exploits in the wild.
This information is presented in a format you can easily consume and share with other teams when needed.
Presenting all of the information on these vulnerabilities and categorizing that intelligence ensures you stay up to date. You’ll also be in a position where you’ll be alerted on exploits as they appear and be able to use that intelligence to prioritize your patching and updating.
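The two points above (a search that also returns related CVEs, exploits, malware and indicators, and using exploit evidence rather than headline volume to prioritize patching) can be sketched as a small relationship index. The example below is added here and is not code from the original post or from Recorded Future; its records are constructed for illustration. The names DROWN, CVE-2016-1001, Angler Exploit Kit and Adobe Flash come from the post; the malware filename, the IP address (a TEST-NET-3 documentation address), the links between entities and the scoring weights are all assumptions made for the example.

```python
"""Relationship expansion and exploit-aware ranking over intel records.

Added example for this post, not code from the page or from any vendor.
All records below are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed sample records: (subject, relation, object).
RECORDS = [
    ("DROWN", "affects", "HTTPS servers"),
    ("CVE-2016-1001", "affects", "Adobe Flash"),
    ("Angler Exploit Kit", "exploits", "CVE-2016-1001"),
    ("Angler Exploit Kit", "drops", "sample-a.exe"),   # constructed malware name
    ("sample-a.exe", "beacons to", "203.0.113.10"),   # constructed IOC, TEST-NET-3 range
]

# Entity types, so expansion results can be grouped the way an intel card groups them.
ENTITY_TYPES = {
    "DROWN": "vulnerability",
    "CVE-2016-1001": "vulnerability",
    "HTTPS servers": "product",
    "Adobe Flash": "product",
    "Angler Exploit Kit": "exploit-kit",
    "sample-a.exe": "malware",
    "203.0.113.10": "ip",
}


def keyword_search(records, term):
    """Plain keyword match: only records that literally mention the term."""
    term = term.lower()
    return [r for r in records if any(term in field.lower() for field in r)]


def build_index(records):
    """Undirected adjacency list: entity -> {neighbour: relation}."""
    index = defaultdict(dict)
    for subj, rel, obj in records:
        index[subj][obj] = rel
        index[obj][subj] = rel
    return index


def expand(index, start, max_hops=3):
    """Breadth-first walk from `start`; returns {entity: (hops, path)} for every
    entity reachable within max_hops. One query on the CVE therefore also
    surfaces the exploit kit, the malware it drops and the malware's IOCs."""
    seen = {start: (0, [start])}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        hops, path = seen[cur]
        if hops == max_hops:
            continue
        for nxt in index[cur]:
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + [nxt])
                queue.append(nxt)
    del seen[start]  # the query entity itself is not a "related result"
    return seen


def related_by_type(index, start, max_hops=3):
    """Group the expansion results by entity type (cve, malware, ip, ...)."""
    groups = defaultdict(list)
    for entity in expand(index, start, max_hops):
        groups[ENTITY_TYPES.get(entity, "unknown")].append(entity)
    return dict(groups)


# Illustrative weights (an assumption for this example, not any vendor's scoring):
# linked exploitation evidence outranks how loud the headlines were.
WEIGHTS = {"exploit-kit": 3, "malware": 2, "ip": 1}


def exploitation_score(index, vuln, max_hops=3):
    """Sum the weights of exploitation-related entities linked to `vuln`."""
    related = expand(index, vuln, max_hops)
    return sum(WEIGHTS.get(ENTITY_TYPES.get(e, ""), 0) for e in related)


def prioritize(index, vulns):
    """Vulnerabilities with the most exploitation evidence first; stable for ties."""
    return sorted(vulns, key=lambda v: -exploitation_score(index, v))


if __name__ == "__main__":
    idx = build_index(RECORDS)
    print("keyword hits for 'DROWN':", keyword_search(RECORDS, "DROWN"))
    print("related to CVE-2016-1001:", related_by_type(idx, "CVE-2016-1001"))
    print("patch order:", prioritize(idx, ["DROWN", "CVE-2016-1001"]))
```

With this data a keyword search for DROWN returns one record and nothing else, whereas walking the relationships from CVE-2016-1001 reaches the exploit kit, the dropped sample and its beacon address in three hops, which is exactly the evidence that puts the quieter Flash bug ahead of the well-publicised one in the patch queue.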
And perhaps most importantly, this single view of all intelligence in one place will dramatically reduce the amount of time that would need to be invested in researching vulnerabilities using search engines, threat feeds, or news sites.
If you want to read more about how threat intelligence helps to analyze relationships between vulnerabilities and exploits, take a look at some research we’ve done in this area: