Vulnerability management is one of the very few ways you can be proactive in securing your organization. Its importance as a function cannot be overstated. The key to success in vulnerability management is to shift the thinking of your security teams from trying to patch everything to making risk-based decisions. That is critical because the vast ocean of vulnerabilities disclosed each year stretches to the breaking point the teams responsible for identifying vulnerable assets and deploying patches. And the key to making good risk-based decisions is taking advantage of more sources of threat intelligence.
The Vulnerability Problem by the Numbers – According to research from the analyst firm Gartner, about 8,000 vulnerabilities a year were disclosed over the past decade. The number rose only slightly from year to year, and only about one in eight were exploited. However, during the same period, the amount of new software coming into use grew immensely, and the number of threats has increased exponentially. In other words, although the number of breaches and threats has increased over the past 10 years, only a small percentage was based on new vulnerabilities. As Gartner put it, “More threats are leveraging the same small set of vulnerabilities.”
Zero-day does not mean top priority– Zero-day threats regularly draw an outsize amount of attention. However, the vast majority of “new” threats labeled as zero-day are variations on a theme, exploiting the same old vulnerabilities in slightly different ways. Further, the data shows that the number of vulnerabilities exploited on day zero makes up only about 0.4 percent of all vulnerabilities exploited during the last decade. The implication is that the most effective approach to vulnerability management is not to focus on zero-day threats, but rather to identify and patch the vulnerabilities specific to the software your organization uses.
Time is of the essence – Threat actors have gotten quicker at exploiting vulnerabilities. According to Gartner, the average time it takes between the identification of a vulnerability and the appearance of an exploit in the wild has dropped from 45 days to 15 days over the last decade.
Assess Risk Based on Exploitability – Let’s use a metaphor: if patching vulnerabilities to keeping your network safe is like getting vaccines to protect yourself from disease, then you need to decide which vaccinations are priorities and which are unnecessary. You may need a flu shot every season to stay healthy, but there’s no need to stay vaccinated against yellow fever or malaria unless you will be exposed to them. That’s why you have to do your research: one of the greatest values of a threat intelligence solution is that it identifies the specific vulnerabilities that represent a risk to your organization and gives you visibility into their likelihood of exploitation.
Severity ratings can be misleading – A common mistake in managing vulnerabilities is to focus on ranking threats in terms of severity. Ranking and classification systems like Common Vulnerabilities and Exposures (CVE) naming and Common Vulnerability Scoring Systems (CVSSs) don’t take into account whether threat actors are exploiting vulnerabilities right now in your industry or locations. Relying solely on vulnerability severity is like getting a vaccine for the bubonic plague before a flu shot because the plague killed more people at some point in history.
The Genesis of Threat Intelligence– Vulnerability Databases -Vulnerability databases consolidate information on disclosed vulnerabilities and also score their exploitability. One of the very first forms of threat intelligence was NIST’s National Vulnerability Database (NVD). It centralized information on disclosed vulnerabilities to help make it easier for organizations to see if they were likely to be affected. For more than 20 years, the NVD has collected information on more than 100,000 vulnerabilities, making it an invaluable source for information security professionals. Other nations, including China and Russia, have followed NIST’s lead by setting up vulnerability databases.
Threat Intelligence and Real Risk – The most effective way to assess the true risk of vulnerability to your organization is to combine:
Internal vulnerability scanning – Almost every vulnerability management team scans their internal systems for vulnerabilities, correlates the results with information reported in vulnerability databases, and uses the result to determine what should be patched. This is a basic use of operational threat intelligence, even if we don’t usually think of it that way. Conventional scanning is an excellent way to de-prioritize vulnerabilities that don’t appear on your systems. By itself, however, scanning is not an adequate way to accurately prioritize vulnerabilities that are found
Risk milestones for vulnerabilities – One powerful way to assess the risk of a vulnerability is to look at how far it has progressed from initial identification to availability, weaponization, and commoditization in exploit kits.
Understanding the adversary – As discussed elsewhere in this book, good threat intelligence should not simply provide information in the form of scores
- Forums with no bar to entry or requirement to
- be using specific software, where threat actors
- exchange information on vulnerabilities and exploits
- Technical feeds, which deliver data streams of potentially malicious indicators that add useful context around the activities of malware and exploit kits
Sources of Intelligence – Data from asset scans and external vulnerability databases are only the starting points for information that can help you assess the risk of vulnerabilities. Threat intelligence should include data from a wide range of sources, or analysts risk missing emerging vulnerabilities until it’s too late.