How Security Intelligence Enables Risk-Prioritized Vulnerability Management
March 18, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the newly released second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at chapter five, “Threat Intelligence for Vulnerability Management.” To read the entire chapter, download your free copy of the handbook.
Vulnerabilities put your business at risk of attack. But with new ones emerging every day, it’s impossible to patch everything, everywhere. Vulnerability management teams need security intelligence to help them quickly weigh — and make a rapid, informed decision about — the risk of potential disruption that comes with applying a patch versus the real-world threat posed by the vulnerability itself.
In this way, vulnerability management is a lot like fighting fires. In both scenarios, teams are racing against the clock, while the environment constantly shifts and morphs. Recent sobering headlines on the wildfires across California and Australia show how quickly conditions can change, with a small, contained fire quickly engulfing huge territories and creating unprecedented damage. Tools that worked well to stop the fires from spreading just yesterday may no longer adequately address the blazes today.
Similarly, a routine vulnerability that you’ve seen many times may suddenly be exploited — creating major issues that you’ve never dealt with before. Or, your vulnerability scan may produce 10 critical vulnerabilities in one day, and your vulnerability management team must make a near-instantaneous call on which ones pose the most risk and need to be patched first. While it’s impossible to patch everything, making an error in prioritization can have devastating consequences.
Real-time intelligence provides the external context — like knowing whether a vulnerability is being actively weaponized — to help teams focus efforts and amplify impact. With visibility into specific evidence that points to a CVE being exploited, teams can take a much more strategic, risk-based approach to prioritizing, measuring, and mitigating the risk from vulnerabilities.
In this chapter, which has been edited and condensed for clarity, we examine the current challenges in addressing vulnerabilities based on actual risk. We also explore how risk-based intelligence delivers insights into threat actor behaviors to streamline the operational elements of vulnerability management.
Threat Intelligence for Vulnerability Management
Vulnerability management is not glamorous, but it is one of the very few ways you can be proactive in securing your organization. Its importance as a function cannot be overstated. The key to success in vulnerability management is to shift the thinking of your security teams from trying to patch everything to making risk-based decisions. That is critical because the vast ocean of vulnerabilities disclosed each year stretches to the breaking point the teams responsible for identifying vulnerable assets and deploying patches. And the key to making good, risk-based decisions is taking advantage of more sources of threat intelligence.
The Vulnerability Problem by the Numbers
According to research from the analyst firm Gartner, Inc., about 8,000 vulnerabilities a year were disclosed over the past decade. The number rose only slightly from year to year, and only about one in eight were actually exploited. However, during the same period, the amount of new software coming into use grew immensely, and the number of threats has increased exponentially. In other words, although the number of breaches and threats has increased over the past 10 years, only a small percentage were based on new vulnerabilities. As Gartner put it, “More threats are leveraging the same small set of vulnerabilities.”
Zero Day Does Not Mean Top Priority
Zero-day threats regularly draw an outsize amount of attention. However, the vast majority of “new” threats labeled as zero day are actually variations on a theme, exploiting the same old vulnerabilities in slightly different ways. Further, the data shows that the number of vulnerabilities actually exploited on day zero make up only about 0.4 percent of all vulnerabilities exploited during the last decade.
The implication is that the most effective approach to vulnerability management is not to focus on zero-day threats, but rather to identify and patch the vulnerabilities specific to the software your organization uses.
Time Is of the Essence
Threat actors have gotten quicker at exploiting vulnerabilities. According to Gartner, the average time it takes between the identification of a vulnerability and the appearance of an exploit in the wild has dropped from 45 days to 15 days over the last decade.
This has two implications:
- You have roughly two weeks to patch or remediate your systems against a new exploit.
- If you can’t patch in that timeframe, you should have a plan to mitigate the damage.
Research shows that if a vulnerability is not exploited within two weeks to three months after it is announced, it is statistically unlikely that it ever will be. Therefore, “old” vulnerabilities are usually not a priority for patching.
All of these statistics point to one conclusion: your goal should not be to patch the most vulnerabilities, or even the most zero-day threats, but rather to identify and address the threats most likely to be exploited against your organization.
Assess Risk Based on Exploitability
Let’s use a metaphor: if patching vulnerabilities to keep your network safe is like getting vaccines to protect yourself from disease, then you need to decide which vaccinations are priorities and which are unnecessary. You may need a flu shot every season to stay healthy, but there’s no need to stay vaccinated against yellow fever or malaria unless you will be exposed to them. That’s why you have to do your research: one of the greatest values of a threat intelligence solution is that it identifies the specific vulnerabilities that represent risk to your organization and gives you visibility into their likelihood of exploitation.
Severity Ratings Can Be Misleading
A common mistake in managing vulnerabilities is to focus on ranking threats in terms of severity. Ranking and classification systems like Common Vulnerabilities and Exposures (CVE) naming and the Common Vulnerability Scoring System (CVSS) don’t take into account whether threat actors are actually exploiting vulnerabilities right now in your industry or locations. Relying solely on vulnerability severity is like getting a vaccine for the bubonic plague before a flu shot because the plague killed more people at some point in history.
The Genesis of Threat Intelligence: Vulnerability Databases
Vulnerability databases consolidate information on disclosed vulnerabilities and also score their exploitability. In fact, one of the very first forms of threat intelligence was NIST’s National Vulnerability Database (NVD). It centralized information on disclosed vulnerabilities to help make it easier for organizations to see if they were likely to be affected. For more than 20 years, the NVD has collected information on more than 100,000 vulnerabilities, making it an invaluable source for information security professionals. Other nations, including China and Russia, have followed NIST’s lead by setting up vulnerability databases.
However, there are two significant limitations to most vulnerability databases:
- They focus on technical exploitability rather than active exploitation.
- They are not updated fast enough to provide warning of some quickly spreading threats.
Exploitability Versus Exploitation
Information in vulnerability databases is almost entirely focused on technical exploitability, a judgment of how likely it is that exploiting a particular vulnerability will result in greater or lesser damage to systems and networks. In the NVD, this is measured through the CVSS scoring system.
But technical exploitability and active exploitation are not the same thing. CVSS base scores provide a metric that’s reasonably accurate and easy to understand — provided you know what information the score is conveying. But unless a base score is modified by a temporal score or an environmental score, it really only tells you how bad the vulnerability is hypothetically, not whether it’s actually being exploited in the wild.
Next Week Versus Now
Another shortcoming of many vulnerability databases is lack of timeliness. For example, 75 percent of disclosed vulnerabilities appear on other online sources before they appear in the NVD, and on average, it takes those vulnerabilities a week to show up there. This is a very serious problem because it handicaps security teams in the race to patch before adversaries can exploit.
Threat Intelligence and Real Risk
The most effective way to assess the true risk of a vulnerability to your organization is to combine:
- Internal vulnerability scanning data
- External intelligence from a breadth of sources
- An understanding of why threat actors are targeting certain vulnerabilities and ignoring others
Internal Vulnerability Scanning
Almost every vulnerability management team scans their internal systems for vulnerabilities, correlates the results with information reported in vulnerability databases, and uses the results to determine what should be patched. This is a basic use of operational threat intelligence, even if we don’t usually think of it that way.
Conventional scanning is an excellent way to de-prioritize vulnerabilities that don’t appear on your systems. By itself, however, scanning is not an adequate way to accurately prioritize vulnerabilities that are found.
Risk Milestones for Vulnerabilities
One powerful way to assess the risk of a vulnerability is to look at how far it has progressed from initial identification to availability, weaponization, and commoditization in exploit kits. The level of real risk rises dramatically as it passes through each of those milestones. Broad-based threat intelligence can reveal the progress of a vulnerability along this path.
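The following is an added worked example, not code from the handbook or from Recorded Future. It puts the three inputs the chapter names (internal scan findings, external exploitation intelligence, and the risk-milestone progression) into one prioritization score, and also applies the 15-day exploit window and the "old and never exploited" rule from earlier in the chapter. The milestone weights, the score formula, the CVE identifiers (placeholders, not real entries) and the scan data are all constructed assumptions for illustration; the point is that a critical-CVSS bug nobody exploits ends up ranked below a medium-CVSS bug that is already in exploit kits.

```python
"""Added example: rank vulnerabilities by real risk, not by CVSS base score alone.

All weights, CVE ids and scan rows below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple

# Risk milestones from the chapter, in order of increasing real risk.
# The numeric weights are an assumption for this example, not a published scale.
MILESTONE_WEIGHT = {
    "identified": 0.0,     # disclosed, no known exploit
    "poc_available": 0.3,  # proof-of-concept code public (e.g. on a code repository)
    "weaponized": 0.7,     # working exploit observed in the wild
    "commoditized": 1.0,   # bundled into exploit kits / sold on criminal markets
}

EXPLOIT_WINDOW_DAYS = 15  # average disclosure-to-exploit gap the chapter cites from Gartner
STALE_AFTER_DAYS = 90     # unexploited after ~3 months: statistically unlikely to be


@dataclass(frozen=True)
class VulnIntel:
    """External intelligence about one CVE (constructed sample)."""
    cve: str
    cvss_base: float  # NVD-style base score, 0-10: technical exploitability only
    milestone: str    # furthest milestone seen in external sources
    disclosed: date


@dataclass(frozen=True)
class ScanFinding:
    """One row from the internal vulnerability scanner (constructed sample)."""
    host: str
    cve: str
    internet_facing: bool


def risk_score(intel: VulnIntel, findings: List[ScanFinding], today: date) -> float:
    """Score 0-100: active exploitation dominates; CVSS and exposure refine it."""
    affected = [f for f in findings if f.cve == intel.cve]
    if not affected:
        # Scanning de-prioritizes what is not on your systems at all.
        return 0.0
    exploitation = MILESTONE_WEIGHT[intel.milestone]
    severity = intel.cvss_base / 10.0
    # Exposure: each affected host adds a little; any internet-facing host adds a lot.
    exposed = any(f.internet_facing for f in affected)
    exposure = min(1.0, 0.1 * len(affected) + (0.5 if exposed else 0.0))
    score = 50 * exploitation + 30 * severity + 20 * exposure
    age_days = (today - intel.disclosed).days
    if intel.milestone == "identified" and age_days > STALE_AFTER_DAYS:
        # Old and never exploited: keep it on the list, but well down it.
        score *= 0.25
    return score


def is_in_exploit_window(intel: VulnIntel, today: date) -> bool:
    """True when exploit activity appeared inside the ~15-day window after disclosure."""
    age_days = (today - intel.disclosed).days
    return intel.milestone != "identified" and age_days <= EXPLOIT_WINDOW_DAYS


def prioritize(intel_feed: Iterable[VulnIntel], findings: List[ScanFinding],
               today: date) -> List[Tuple[str, float, bool]]:
    """Return (cve, score, in_exploit_window) tuples, highest real risk first."""
    rows = [(i.cve, risk_score(i, findings, today), is_in_exploit_window(i, today))
            for i in intel_feed]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# --- constructed sample data; the CVE ids are placeholders, not real entries ---
TODAY = date(2020, 3, 18)
INTEL = [
    VulnIntel("CVE-0000-0001", 9.8, "identified", date(2019, 6, 1)),      # critical on paper, never exploited
    VulnIntel("CVE-0000-0002", 7.5, "commoditized", date(2020, 2, 1)),    # already in exploit kits
    VulnIntel("CVE-0000-0003", 6.1, "weaponized", date(2020, 3, 10)),     # exploited days after disclosure
    VulnIntel("CVE-0000-0004", 9.0, "poc_available", date(2020, 3, 15)),  # PoC public, but not on our hosts
]
FINDINGS = [
    ScanFinding("web01", "CVE-0000-0002", True),
    ScanFinding("web02", "CVE-0000-0002", True),
    ScanFinding("db01", "CVE-0000-0001", False),
    ScanFinding("wks01", "CVE-0000-0003", False),
    ScanFinding("wks02", "CVE-0000-0003", False),
]

if __name__ == "__main__":
    for cve, score, urgent in prioritize(INTEL, FINDINGS, TODAY):
        flag = "  <- exploited inside the 15-day window" if urgent else ""
        print(f"{cve}  risk={score:5.1f}{flag}")
```

Sorted by CVSS base score alone, the sample would be patched in the order 0001, 0004, 0002, 0003; with exploitation evidence and scan context folded in, the commoditized 0002 and the freshly weaponized 0003 come first, the never-exploited 0001 drops near the bottom despite its 9.8, and 0004 scores zero because no scanned host carries it. In a real deployment the milestone field would be populated from the intelligence sources listed later in the chapter rather than typed in by hand.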
Understanding the Adversary
Good threat intelligence should not simply provide information in the form of scores and statistics, but also a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Below we discuss sources of intelligence that can contribute to this understanding.
How to Create Meaningful Risk Scores
What factors beyond technical characteristics can be used to calculate risk scores of vulnerabilities? Recorded Future’s native risk scoring system incorporates data about criminal adoption, patterns in exploit sharing, and the number of links to malware. This information often comes from sources that are difficult to access, like forums on the dark web.
Sources of Intelligence
Data from asset scans and external vulnerability databases are only the starting points for information that can help you assess the risk of vulnerabilities. Threat intelligence should include data from a wide range of sources, or analysts risk missing emerging vulnerabilities until it’s too late.
Valuable sources of information for assessing true risk to your business include:
- Information security sites, including vendor blogs, official disclosure information on vulnerabilities, and security news sites
- Social media, where link sharing provides jumping-off points for uncovering useful intelligence
- Code repositories such as GitHub, which yield insights into the development of proof-of-concept code for vulnerabilities
- Paste sites such as Pastebin and Ghostbin (sometimes wrongly defined as dark web locations), which often house lists of exploitable vulnerabilities
- The dark web, composed of communities and marketplaces with a bar to entry where exploits are developed, shared, and sold
- Forums with no bar to entry or requirement to be using specific software, where threat actors exchange information on vulnerabilities and exploits
- Technical feeds, which deliver data streams of potentially malicious indicators that add useful context around the activities of malware and exploit kits
Vulnerability Chatter on the Dark Web
It’s not easy to eavesdrop on the channels through which threat actors communicate and operate for the following reasons:
- Underground forums are difficult to find (after all, there’s no Google for the dark web).
- Threat actors change locations whenever they feel their anonymity is at risk.
- Finding the crumb that might be relevant to your security is no small endeavor.
- There are likely to be bars to entry, either financial or in the form of reputation (kudos) that must be earned from the rest of the community.
- Many of these forums operate exclusively in local languages.
Threat intelligence vendors with expertise in collecting and analyzing dark web intelligence come into play here. They can provide you with contextualized information from dark web forums on vulnerabilities directly relevant to your network.
Bridging the Risk Gaps Between Security, Operations, and Business Leadership
In most organizations, the responsibility for protecting against vulnerabilities devolves to two teams:
- The vulnerability management team runs scans and prioritizes vulnerabilities by potential risk.
- The IT operations team deploys patches and remediates the affected systems.
This dynamic creates a tendency to approach vulnerability management “by the numbers.” For example, the vulnerability management team in the security organization might determine that several vulnerabilities in Apache web servers pose a very high risk to the business and should be given top priority.
However, the IT operations team may be supporting a lot more Windows systems than Apache servers. If team members are measured strictly on the number of systems patched, they have an incentive to keep their focus on lower-priority Windows vulnerabilities.
Intelligence on exploitability also prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations. Most organizations have a strong aversion to disturbing business continuity. But if you know that a patch will protect the organization against a real, imminent risk, then a short interruption is completely justified.
The risk milestones framework outlined above makes it much easier to communicate the danger of a vulnerability across your security and operations teams, up through senior managers, and even to the board. This level of visibility into the rationale behind decisions made around vulnerabilities will increase confidence in the security team across your entire organization.
Get ‘The Threat Intelligence Handbook’
This blog post doesn’t have everything from this chapter of the book — the full text also includes a use case exploring how to cross-reference multiple intelligence sources to more accurately assess real risk. You’ll also find a more detailed breakdown of the risk scores of a specific vulnerability, highlighting the difference between the official risk scores and the actual risk they present. Alongside this information in the book are detailed charts and figures.
To read the full chapter, “Threat Intelligence for Vulnerability Management,” which includes all that information, as well as more helpful tips and resources, download your free copy of “The Threat Intelligence Handbook” today.