Why Is Threat Intelligence So Effective for Vulnerability Prioritization?

What is vulnerability?

What is vulnerability intelligence?

What are the sources of vulnerability intelligence?

  • Information security sites such as vendor blogs, official vulnerability disclosures, and security news sites.
  • Social media, where link sharing provides jumping-off points for uncovering useful intelligence.
  • Code repositories such as GitHub, which yield insights into the development of proof-of-concept code for exploiting vulnerabilities.
  • Paste sites such as Pastebin and Ghostbin (sometimes wrongly classified as dark web sources), which often host lists of exploitable vulnerabilities.
  • The dark web, composed of communities and marketplaces with a barrier to entry, where exploits are developed, shared, and sold.
  • Forums with no barrier to entry and no requirement to use specific software, where threat actors exchange information on vulnerabilities and exploits.
  • Technical feeds that deliver data streams of potentially malicious indicators, which add useful context.

What are CVE (Common Vulnerabilities and Exposures), The Common Vulnerability Scoring System (CVSS) and NVD (National Vulnerability Database)?

How to prioritize vulnerabilities?

  • Likelihood of exploitation: How likely is it that the specific vulnerability you’re analyzing will be taken advantage of by a hacker, a malicious user, malware, or some other threat?
  • Impact if exploited: How detrimental would it be if the vulnerability you’re analyzing were exploited?

What are the top vulnerabilities in 2020?

What are the top attack utilities in 2020?

  • Remote code execution (RCE): Code execution on a remote target. Typically refers to the ability to execute a payload on a target system (e.g., obtain a shell session). Aids in credential stealing, data exfiltration, and so on.
  • Network pivot: The ability to pivot from an external network to an internal network, most often by exploiting internet-facing systems such as VPNs, firewalls, routers, and other gateway devices. A network pivot gives an attacker visibility into both internal and external traffic and aids in data exfiltration, traffic sniffing, and further attacks within the target network.
  • Network infrastructure compromise: Compromise of networked infrastructures, such as a network management system or backup system, that may give an attacker access to everything managed by that software. Vulnerabilities in virtualization, automation, and/or device management infrastructure all fall into this category.
  • Local code execution: The ability to run code locally on a system to which the attacker already has some access. Most commonly used to escalate privileges (e.g., by executing code as the user running the vulnerable application).
  • File enumeration: The ability to enumerate files on a target. File reads do not give an attacker a path to code execution by themselves but instead function as primitives that allow attackers to gather the information that enables a secondary part of an exploit chain (e.g., remote code execution). Can aid in turning a post-authentication vulnerability into a pre-authentication vulnerability.

Which measurements should be taken for vulnerabilities?

  • Patch early and as often as possible.
  • Defense in depth is more effective than patching alone.
  • Keep an up-to-date inventory list that emphasizes assets or products that sit on the perimeter and/or may be used as pivot points for external attackers to gain access to the internal network.
  • Use a Cyber Threat Intelligence platform.
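The two prioritization factors listed above (likelihood of exploitation and impact if exploited) and the measures just listed (patch early, defense in depth, an inventory that flags perimeter and pivot assets) can be tied together in a small scoring routine. The following Python script is an added example, not SOCRadar's code or the logic of any product: it scores constructed vulnerability records by likelihood (derived from intelligence signals such as a public proof of concept, underground trading, or reported in-the-wild exploitation) and impact (CVSS base score weighted by the asset's exposure from an inventory), ranks them, and turns the ranking into a patch-or-mitigate decision. The weights, thresholds, asset names, and CVE-style identifiers are assumptions invented for this example.

```python
"""Risk-based vulnerability prioritization: likelihood x impact.

Added example, not SOCRadar code. All records, asset names, weights and
CVE-style identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str  # "perimeter", "pivot", or "internal" (from the inventory)


@dataclass(frozen=True)
class Vuln:
    cve_id: str               # constructed placeholder, not a real CVE
    asset: Asset
    cvss_base: float          # 0.0-10.0 severity, NVD-style base score
    public_poc: bool          # proof-of-concept published (e.g. code repository)
    traded_underground: bool  # exploit offered or discussed on underground forums
    exploited_in_wild: bool   # active exploitation reported
    patch_available: bool


# Assumed exposure weights: perimeter and pivot assets count almost fully,
# purely internal assets count half.
EXPOSURE_WEIGHT = {"perimeter": 1.0, "pivot": 0.9, "internal": 0.5}


def likelihood(v: Vuln) -> float:
    """Exploitation likelihood in [0, 1] from intelligence signals.
    The increments are illustrative assumptions, not a published standard."""
    score = 0.1  # base rate: any known vulnerability may eventually be exploited
    if v.public_poc:
        score += 0.3
    if v.traded_underground:
        score += 0.2
    if v.exploited_in_wild:
        score += 0.4
    return min(score, 1.0)


def impact(v: Vuln) -> float:
    """Impact in [0, 1]: CVSS severity scaled by how exposed the asset is."""
    return (v.cvss_base / 10.0) * EXPOSURE_WEIGHT[v.asset.exposure]


def risk(v: Vuln) -> float:
    """Combined risk score: likelihood times impact."""
    return round(likelihood(v) * impact(v), 3)


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Order vulnerabilities highest risk first; ties broken by CVSS score."""
    return sorted(vulns, key=lambda v: (risk(v), v.cvss_base), reverse=True)


def action(v: Vuln, threshold: float = 0.2) -> str:
    """Remediation guidance: patch when a fix exists; otherwise lean on
    defense in depth (isolation, detection) until the vendor ships one."""
    if risk(v) < threshold:
        return "schedule in regular patch cycle"
    if v.patch_available:
        return "patch now"
    return "no patch: isolate asset, add detection, track vendor advisory"


# Constructed sample inventory and findings
EDGE_VPN = Asset("vpn-gateway", "perimeter")
BACKUP = Asset("backup-server", "pivot")
DEV_WIKI = Asset("dev-wiki", "internal")

SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", DEV_WIKI, 9.8, True, False, False, True),
    Vuln("CVE-EXAMPLE-0002", EDGE_VPN, 7.5, True, True, True, True),
    Vuln("CVE-EXAMPLE-0003", BACKUP, 8.8, False, True, False, False),
    Vuln("CVE-EXAMPLE-0004", DEV_WIKI, 5.0, False, False, False, True),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.cve_id:18} {v.asset.name:14} cvss={v.cvss_base:4} "
              f"risk={risk(v):.3f}  -> {action(v)}")
```

The ranking illustrates the point of the list above: the record with the highest CVSS score (9.8, on an internal wiki, proof of concept only) does not come first; the actively exploited 7.5 on the perimeter VPN does, and the unpatched backup server lands in the "isolate and detect" bucket rather than being ignored because no fix is available.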

Does SOCRadar provide Vulnerability Intelligence?

  • Real-time alerts for major vulnerabilities (zero-days, critical patches, etc.)
  • Real-time alerts for new exploits
  • 100% SaaS solution, available 24/7/365
  • Weekly newsletters
  • Data collection from different OSINT sources
  • Most popular and critical CVEs
  • Relevant and timely intelligence
  • Automated vulnerability detection
  • Discovery of your unknown, hacker-exposed assets
  • Checks on whether your IP addresses are tagged as malicious
  • Monitoring of your domain name on hacked-website and phishing databases
  • Notification when a critical zero-day vulnerability is disclosed
