November 14, 2018 • Zane Pokorny
Editor’s Note: Over the next several months, we’ll be sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the fourth chapter, “Threat Intelligence for Vulnerability Management.” To read the full chapter, download your free copy of the handbook.
Much of the daily work in cybersecurity lends itself to analogies with fighting fires — vulnerability management, perhaps the most so. Just like with firefighting, vulnerability management is almost always a race against the clock. They both concern problem solving within living systems, meaning that the elements of the system are not static, but interconnected and constantly changing. Fire spreads rapidly and sometimes unpredictably, a small spark turning into a wildfire spanning thousands of miles. In the same way, a routine vulnerability in a commonly used program can be exploited to sudden and devastating effect, and a solution that worked just yesterday may not adequately address the concerns of today.
Threat intelligence provides the context and situational awareness cybersecurity professionals working in vulnerability management need to prioritize their work. Getting the right context is essential when so many new vulnerabilities are uncovered daily — far more than any one team has the resources to completely patch. It allows vulnerability management teams to take a risk-based approach instead of just dealing with problems as they come.
It’s, again, a way of problem solving that firefighters have to rely on when fighting the biggest blazes. Here’s a few techniques firefighters use when battling wildfires, mapped to similar techniques used in vulnerability management:
|Firefighting Technique||Vulnerability Management Equivalent|
|Control Line: Using natural barriers or creating new ones (digging trenches or other firebreaks) to limit the area a fire can spread to||Vulnerability Scanning: Using vulnerability scanners to get an initial sense of your internal, actual risk landscape|
|Hot Spotting: Giving extra resources and attention to the hottest part of the fire||Risk Scoring: Prioritizing vulnerabilities based on the risk they present to your network|
|Cold Trailing: Inspecting the scorched ground after a fire has passed to look for still-burning embers||Root Cause: Looking back over previous threats and breaches to see how your organization responded to them and what can be improved|
This next section of the book, which has been edited and condensed for clarity, will more closely examine this risk-based approach to vulnerability management.
Vulnerability management is not glamorous, but it is one of the very few ways you can be proactive in securing your organization. Its importance as a function cannot be overstated. The key to success in vulnerability management is to shift the thinking of your security teams from trying to patch everything to making risk-based decisions. That is critical because the vast ocean of vulnerabilities disclosed each year stretches to the breaking point the teams responsible for identifying vulnerable assets and deploying patches. And the key to making good, risk-based decisions is taking advantage of more sources of threat intelligence.
According to research from the analyst firm Gartner, Inc., about 8,000 vulnerabilities a year were disclosed over the past decade. The number rose only slightly from year to year, and only about one in eight were actually exploited. However, during the same period, the amount of new software coming into use grew immensely, and the number of threats has increased exponentially. In other words, although the number of breaches and threats has increased over the past 10 years, only a small percentage were based on new vulnerabilities. As Gartner put it, “More threats are leveraging the same small set of vulnerabilities.”
Zero-day threats regularly draw an outsize amount of attention. However, the vast majority of “new” threats labeled as zero day are actually variations on a theme, exploiting the same old vulnerabilities in slightly different ways. Further, the data shows that the number of vulnerabilities actually exploited on day zero make up only about 0.4 percent of all vulnerabilities exploited during the last decade.
The implication is that the most effective approach to vulnerability management is not to focus on zero-day threats, but rather to identify and patch the vulnerabilities specific to the software your organization uses.
Threat actors have gotten quicker at exploiting vulnerabilities. According to Gartner, the average time it takes between the identification of a vulnerability and the appearance of an exploit in the wild has dropped from 45 days to 15 days over the last decade.
This has two implications:
Research shows that if a vulnerability is not exploited within two weeks to three months after it is announced, it is statistically unlikely that it ever will be. Therefore, “old” vulnerabilities are usually not a priority for patching.
All of these statistics point to one conclusion: your goal should not be to patch the most vulnerabilities, or even the most zero-day threats, but rather to identify and address the threats most likely to be exploited against your organization.
Let’s use a metaphor: if patching vulnerabilities to keep your network safe is like getting vaccines to protect yourself from disease, then you need to decide which vaccinations are priorities and which are unnecessary. You may need a flu shot every season to stay healthy, but there’s no need to stay vaccinated against yellow fever or malaria unless you will be exposed to them. That’s why you have to do your research: one of the greatest values of a threat intelligence solution is that it identifies the specific vulnerabilities that represent risk to your organization and gives you visibility into their likelihood of exploitation.
A common mistake in managing vulnerabilities is to focus on ranking threats in terms of severity. Ranking and classification systems like Common Vulnerabilities and Exposures (CVE) naming and Common Vulnerability Scoring Systems (CVSSs) don’t take into account whether threat actors are actually exploiting vulnerabilities right now in your industry or locations. Relying solely on vulnerability severity is like getting a vaccine for the bubonic plague before a flu shot because the plague killed more people at some point in history.
Vulnerability databases consolidate information on disclosed vulnerabilities and also score their exploitability. In fact, one of the very first forms of threat intelligence was NIST’s National Vulnerability Database (NVD). It centralized information on disclosed vulnerabilities to help make it easier for organizations to see if they were likely to be affected. For more than 20 years, the NVD has collected information on more than 100,000 vulnerabilities, making it an invaluable source for information security professionals. Other nations, including China and Russia, have followed NIST’s lead by setting up vulnerability databases.
However, there are two significant limitations to most vulnerability databases:
Information in vulnerability databases is almost entirely focused on technical exploitability, a judgment of how likely it is that exploiting a particular vulnerability will result in greater or lesser damage to systems and networks. In the NVD, this is measured through the CVSS scoring system.
But technical exploitability and active exploitation are not the same thing. CVSS base scores provide a metric that’s reasonably accurate and easy to understand — provided you know what information the score is conveying. But unless a base score is modified by a temporal score or an environmental score, it really only tells you how bad the vulnerability is hypothetically, not whether it’s actually being exploited in the wild.
Another shortcoming of many vulnerability databases is lack of timeliness. For example, 75 percent of disclosed vulnerabilities appear on other online sources before they appear in the NVD, and on average, it takes those vulnerabilities a week to show up there. This is a very serious problem because it handicaps security teams in the race to patch before adversaries can exploit.
The most effective way to assess the true risk of a vulnerability to your organization is to combine:
Almost every vulnerability management team scans their internal systems for vulnerabilities, correlates the results with information reported in vulnerability databases, and uses the results to determine what should be patched. This is a basic use of operational threat intelligence, even if we don’t usually think of it that way.
Conventional scanning is an excellent way to de-prioritize vulnerabilities that don’t appear on your systems. By itself, however, scanning is not an adequate way to accurately prioritize vulnerabilities that are found.
One powerful way to assess the risk of a vulnerability is to look at how far it has progressed from initial identification to availability, weaponization, and commoditization in exploit kits. The level of real risk rises dramatically as it passes through the milestones shown below. Broad-based threat intelligence can reveal the progress of a vulnerability along this path.
Good threat intelligence should not simply provide information in the form of scores and statistics, but also a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Below we discuss sources of intelligence that can contribute to this understanding.
What factors beyond technical characteristics can be used to calculate risk scores of vulnerabilities? Recorded Future’s native risk scoring system incorporates data about criminal adoption, patterns in exploit sharing, and the number of links to malware. This information often comes from sources that are difficult to access, like forums on the dark web.
Data from asset scans and external vulnerability databases are only the starting points for information that can help you assess the risk of vulnerabilities. Threat intelligence should include data from a wide range of sources, or analysts risk missing emerging vulnerabilities until it’s too late.
Valuable sources of information for assessing true risk to your business include:
It’s not easy to eavesdrop on the channels through which threat actors communicate and operate for the following reasons:
Threat intelligence vendors with expertise in collecting and analyzing dark web intelligence come into play here. They can provide you with contextualized information from dark web forums on vulnerabilities directly relevant to your network.
In most organizations, the responsibility for protecting against vulnerabilities devolves to two teams:
This dynamic creates a tendency to approach vulnerability management “by the numbers.” For example, the vulnerability management team in the security organization might determine that several vulnerabilities in Apache web servers pose a very high risk to the business and should be given top priority.
However, the IT operations team may be supporting a lot more Windows systems than Apache servers. If team members are measured strictly on the number of systems patched, they have an incentive to keep their focus on lower-priority Windows vulnerabilities.
Intelligence on exploitability also prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations. Most organizations have a strong aversion to disturbing business continuity. But if you know that a patch will protect the organization against a real, imminent risk, then a short interruption is completely justified.
The risk milestones framework outlined above makes it much easier to communicate the danger of a vulnerability across your security and operations teams, up through senior managers, and even to the board. This level of visibility into the rationale behind decisions made around vulnerabilities will increase confidence in the security team across your entire organization.
This blog post doesn’t have everything from this chapter of the book — the full text also includes a use case exploring how to cross-reference multiple intelligence sources to more accurately assess real risk. You’ll also find a more detailed breakdown of the risk scores of a specific vulnerability, highlighting the difference between the official risk scores and the actual risk they present. Alongside this information in the book are detailed charts and figures.
To read the full chapter, “Threat Intelligence for Vulnerability Management,” which includes all that information, as well as more helpful tips and resources, download your free copy of “The Threat Intelligence Handbook” today.