Beyond Scanners and NVD: Other Places to Find Useful Vulnerability Intelligence
July 17, 2018 • The Recorded Future Team
- Basic vulnerability management starts with using automated vulnerability scanners and relying on public databases like the U.S. National Vulnerability Database (NVD).
- However, those two sources alone can often leave you with insufficient time and information to respond to threats. Data produced by scanners can overwhelm analysts or lull them into a false belief that they have the complete picture, especially since the NVD has been proven to lag behind other sources of information.
- Threat intelligence provides the context needed to understand which vulnerabilities should be prioritized and which can be safely ignored.
- Other more direct sources of information include places like cybersecurity blogs, social media, code repositories, dark web marketplaces, and technical feeds.
Deciding which vulnerabilities in your system to patch before they are exploited is something like defusing a bomb. You open up the casing and find yourself confronted with a nest of tangled wires, but the clock is ticking — there’s no time to find a complete schematic or evacuate the area. Cut the wrong wire, and it’s all over.
For the many security analysts who find themselves overwhelmed with a flood of daily vulnerability updates and alerts, choosing which wire to cut is almost impossible. But with such limited time, so too is any attempt to patch every vulnerability fast enough.
Approaching vulnerability management with a “patch everything, all the time” mindset is likely a wasted effort, anyway. Industry research has shown that the average time between when a vulnerability is identified and a new exploit targeting it appears has dropped to about 15 days in the last decade, meaning that you have just over two weeks to identify a new vulnerability and patch it before you need to start worrying about potentially mitigating the damage. The flip side of this is that if a vulnerability is not exploited within the first two weeks to three months after it’s been identified, it is statistically unlikely to ever be.
A basic approach to vulnerability management starts with using scanners to identify issues within your own network and staying apprised of new vulnerabilities by looking at the National Vulnerability Database (NVD). But given the time sensitivity of vulnerability management, these two sources of information are often not enough. One of the best ways to maximize your resources is to use threat intelligence, but there are many other sources of potentially valuable information — information security sites, social media, and code repositories, for example — that can keep you informed better than just the NVD.
The Pitfalls of Vulnerability Scanners and Public Databases
Vulnerability scanners perform the essential role of automating what would otherwise be an exhaustively slow manual process, and the data they produce provides an important frame of reference. But their very efficiency can also lead to more work for analysts. Vulnerability scanners often produce such a high volume of information that sorting through it, identifying false positives, and figuring out which vulnerabilities to prioritize becomes a huge headache.
The sheer size of the dataset that a scanner sometimes produces might also lull an analyst into the fallacy of believing it to be comprehensive — what vulnerabilities could it have possibly missed if it turned up this many? Because of the way vulnerability scanners work, that’s just not the case.
Most scanners identify vulnerabilities within a user’s network by comparing what they find against a database like the U.S. NVD. However, around three quarters of new vulnerabilities are shared online in places like the dark web, cybersecurity blogs, and social media an average of seven full days before they are logged in the NVD. If you’re relying exclusively on vulnerability scanners to identify holes in your network’s security, that lag can cut your time to respond to potential threats in half.
One of the reasons that the NVD lags behind is that it relies on other organizations to voluntarily submit information on new vulnerabilities. In the standard sequence of events, a new vulnerability is only added to the NVD after a vendor has become aware of it, reserved a CVE number for it, had the vulnerability publicly disclosed (either by the vendor itself, a security researcher, or another source), and then submitted the CVE information to the CVE registry. This means that security analysts who rely solely on the NVD will likely be a few steps behind those who watch other sources, such as the vendor’s own public disclosure.
Digging Deeper With Threat Intelligence
Threat intelligence goes a long way toward remediating the problems that come with only using vulnerability scanners in conjunction with official databases like the NVD. Good threat intelligence provides context; because time is a precious resource when managing vulnerabilities, often down to the minute, analysts must work smarter — not just harder. The context provided by a threat intelligence service that incorporates (and makes sense of) sources like dark web marketplaces and private security forums will help analysts determine which vulnerabilities pose the most genuine security threat.
Threat intelligence must include data from a wide range of different sources, or the analyst risks missing an emerging vulnerability until after it’s too late. Here are some other sources of potentially valuable information available to you in your pursuit of understanding the true risk from vulnerabilities relevant to your business:
- Information Security Sites — Blogs run by threat intelligence vendors or other security news sites will often publish relevant and up-to-date information on vulnerabilities. Last year, for example, McAfee was the first source to publicly disclose CVE-2017-0199, a critical vulnerability in Microsoft Word that went on to be one of the most exploited in 2017. McAfee’s disclosure came a few days before Microsoft released a patch and before the vulnerability was listed by sources like the U.S. NVD.
- Social Media — Many links to relevant information are shared by security analysts across social media sites like Facebook and Twitter, making those sites useful places to start doing research. Threat actors will even sometimes publicly disclose their work and plans on social media, and many threat intelligence vendors monitor these channels for that reason.
- Code Repositories and Paste Sites — Sites like GitHub will often give useful insight into the development of proof-of-concept code for vulnerabilities that security analysts have identified and are trying to confirm are exploitable. Keeping an eye on sources like these helps provide context when deciding which vulnerabilities to prioritize patching. Sites like Pastebin and Ghostbin, which are sometimes wrongly classed as dark web locations because their content isn’t indexed by search engines, are also useful repositories of code and raw text detailing vulnerabilities and their exploits.
- Dark Web — Communities and marketplaces that exist on difficult-to-access sites on the dark web often traffic in exploits and crimeware service packages, making the monitoring of these sites an often essential line of intelligence for identifying which vulnerabilities are actually being exploited.
- Forums — Public discussion boards — those not on the dark web or social media — are frequently great starting places for information, both of the more reliable kind and of hearsay.
- Technical Feeds — Like vulnerability scanners, a well-managed technical feed can provide a great way to automate data streams of potentially malicious indicators, providing useful context around the activities of malware or exploit kits.
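The prioritization the post argues for, as an added example that is not Recorded Future’s code: each record carries the date every non-NVD source first mentioned a vulnerability, the NVD publication date if any, exploit evidence gathered from the sources above, and whether the scanner found it on your assets. The script measures the disclosure-to-NVD lag and ranks by the 15-day exploitation window and the roughly three-month “quiet” threshold the post cites. The CVE ids, dates and source names are constructed placeholders; the weights are arbitrary assumptions to illustrate the idea, not a published scoring standard.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

EXPLOIT_WINDOW_DAYS = 15   # the ~15-day identification-to-exploit gap the post cites
QUIET_AFTER_DAYS = 90      # unexploited this long: statistically unlikely ever to be

@dataclass
class VulnReport:
    cve_id: str                        # placeholder id, not a real advisory
    cvss: float
    first_seen: Dict[str, date]        # non-NVD source -> date that source first mentioned it
    nvd_published: Optional[date]      # None if the NVD has not logged it yet
    exploit_evidence: Set[str] = field(default_factory=set)  # e.g. PoC repo, dark web listing
    in_my_environment: bool = False    # from the scanner: is it present on our assets?

def disclosure_lag_days(r: VulnReport, today: date) -> int:
    """Days between the earliest non-NVD sighting and the NVD entry (or today if unlisted)."""
    earliest = min(r.first_seen.values())
    return ((r.nvd_published or today) - earliest).days

def priority_score(r: VulnReport, today: date) -> float:
    """Higher means patch sooner; zero means the scanner did not find it on our assets."""
    if not r.in_my_environment:
        return 0.0
    age = (today - min(r.first_seen.values())).days
    score = r.cvss
    score += 3.0 * len(r.exploit_evidence)     # strongest signal: exploitation is being worked on
    if age <= EXPLOIT_WINDOW_DAYS:
        score += 2.0                            # still inside the race window
    elif age > QUIET_AFTER_DAYS and not r.exploit_evidence:
        score *= 0.5                            # old and quiet: deprioritize, don't ignore
    return round(score, 2)

def rank(reports, today: date):
    return sorted(reports, key=lambda r: priority_score(r, today), reverse=True)

# Constructed sample data (ids, sources and dates invented for illustration).
TODAY = date(2018, 7, 17)
SAMPLE = [
    VulnReport("CVE-PLACEHOLDER-0001", 9.8, {"vendor_blog": date(2018, 7, 10), "twitter": date(2018, 7, 11)},
               None, {"poc_on_github"}, True),
    VulnReport("CVE-PLACEHOLDER-0002", 7.5, {"mailing_list": date(2018, 2, 20)}, date(2018, 3, 1), set(), True),
    VulnReport("CVE-PLACEHOLDER-0003", 9.0, {"twitter": date(2018, 7, 1)}, date(2018, 7, 8), set(), False),
]

if __name__ == "__main__":
    for r in rank(SAMPLE, TODAY):
        print(r.cve_id, priority_score(r, TODAY), "NVD lag:", disclosure_lag_days(r, TODAY), "days")
```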
To learn more about how threat intelligence can help you understand the vulnerabilities within your own network that pose a true threat and stay ahead of emerging vulnerabilities, download our new white paper, “Vulnerability Intelligence From the Dark Web: The Disclosure to Exploit Risk Race.”