Without Targeted Threat Intelligence, Vulnerability Management Teams Face an Uphill Challenge (Part 2)

April 18, 2019 • The Recorded Future Team

In the first of this three-part series, we examined the current state of vulnerability management, which evidence suggests may very well have reached the crisis stage.

In this blog, we’ll illustrate how vulnerability management programs without targeted threat intelligence make it difficult for security professionals to win the “cybersecurity race” and protect their company’s digital assets against cyberattacks. Only when armed with effective threat intelligence can security teams access dark web activity data that helps evaluate and put into context the risk level of cyber threats in relation to IT vulnerabilities.

Vulnerability Management Teams Are Facing an Uphill Challenge

Identifying and patching vulnerabilities before potential threats impact digital assets is the primary mission of vulnerability management programs. But with so many new threats and vulnerabilities uncovered each day — and mitigation resources likely stretched too thin — determining the threats and vulnerabilities that present the greatest risks to your business is a major challenge.

Many vulnerability management programs fall short in their mission because they lack targeted threat intelligence. Obtaining valid intelligence is critical due to the cybersecurity race that takes place once a vulnerability is identified. The security community goes up against an extensive network of threat actors across the globe, who collectively are up to no good 24 hours a day, seven days a week.

Here, we examine the race that takes place between security teams and cybercriminals. We will also demonstrate why it’s difficult to access the threat intelligence that these teams fundamentally need to successfully defend the digital assets on their corporate networks.

Security Community Versus Threat Actors: The Race Is On!

The cybersecurity race starts when a new vulnerability case is posted in the Common Vulnerabilities and Exposures (CVE) catalog, sponsored by the U.S. Department of Homeland Security. A CVE case is issued when researchers or vendors discover a vulnerability and request the allocation of a CVE number to connect that vulnerability to the database. They prepare an initial analysis and post the vulnerability on some channel — most often a company website, or perhaps their own security blog.

Once the vulnerability is published in the database and announced publicly, the National Institute of Standards and Technology (NIST) determines the exploitability and assigns a vulnerability score. Proof-of-concept (POC) exploit code is also developed by security researchers, academics, and industry professionals to demonstrate the potential exploitability of the vulnerability.

In most cases, the CVE data and the tests are publicly available through blogs and code repositories like GitHub. The data and tests are very helpful resources for security experts and vendors as they determine how to create vulnerability patches.

Ironically, the CVE data and tests are also helpful resources for cybercriminals, who often access the same data sets to create and share exploits among their cybercrime colleagues. This enables threat actors to determine if vulnerabilities can potentially be exploited. Their findings are then published through paste sites, forums, and dark web locations.

These communities translate descriptions of disclosures into their own native language and share POC code with other threat actors who wish to explore the potential for exploits to be weaponized. Once a method to exploit a vulnerability has been built, adversaries market the exploit builders in dark web markets, usually selling them through untraceable cryptocurrency.

When cybercriminals purchase an exploit builder, they then look for targets to hit. Your company might just be on one of their lists — either intentionally or not.

The Difficulties of Tapping Into Cybercriminal Community Activities

CVE databases are sources of intelligence that can potentially inform hackers of your weakness to vulnerabilities. And as threat actor interest in a particular CVE gains momentum, you find yourself exposed to much greater actual risk — threat actors who are trying to unlock just one vulnerability clearly have an advantage over your security professionals, who may have to patch hundreds or even thousands of vulnerabilities.

To take on this challenge, security teams sometimes try to pinpoint where cybercriminals are focusing their efforts. But teams that aren’t able to effectively tap into threat intelligence, especially threat intelligence developed from information found on the dark web, find that the channels through which threat actors communicate and operate are not easy to access. There are several barriers when trying to monitor the activity of cybercriminal communities:

  • It’s difficult to find underground forum sites since they don’t show up in Google searches.
  • Site administrators change online locations when anonymity is at risk.
  • Finding data on specific threats pertaining to a specific security environment is no small endeavor.
  • Financial payment or approval from the community is often required to enter a site.

In addition, many of these forums operate exclusively in local languages. So even if you can access them, you need the ability to rapidly translate the text in order to uncover the real context.

Threat Intelligence Identifies Indicators of True Risk

The way to win the cybersecurity race against threat actors is to implement a risk-based vulnerability management program that applies threat intelligence from a wide breadth of sources, including those found in dark web communities. This approach enables security teams to identify which disclosed vulnerabilities will ultimately become a commoditized, weaponized attack method exploited by threat actors. So instead of simply racing to patch every system based on the CVE and NIST scoring, security teams can identify the indicators of true risk.

Watch the video below to learn more about how threat intelligence helps vulnerability management teams get context and reduce risk:

Access to the right intelligence also provides context to threats in relation to digital asset vulnerabilities and the security posture protecting those assets. Security teams can see which threats pose the greatest risk and where the network infrastructure is the most vulnerable.

By arming your security team with this information, they can focus on applying patches and other defense mechanisms to protect your most vulnerable and most valuable systems before they are breached by threat actors.

In the next blog in this series, we’ll discuss how your security team can tap into targeted threat intelligence that enables your vulnerability management program to achieve its mission of protecting your digital assets. In the meantime, for more information on how to leverage effective threat intelligence to improve your vulnerability management program, request a personalized demo today.