Welcome back to part two of our series on Vulnerability Management. In part one, we talked about the different external risks that could affect your organizational attack surface. Here, we’ll see how you can efficiently manage vulnerabilities by removing noise and adding context.
In 2018, a German security researcher named Christopher Bleckmann-Dreher presented an Austrian smartwatch company, Vidimensio, with a series of vulnerabilities affecting their watches. After repeated warnings and failures to follow up, Bleckmann-Dreher intruded into their systems and printed the word “PWNED!” all over the tracking maps of hundreds of watches.
This is a fairly harmless example of a real problem that plagues the global threat landscape. As per CISO Mag’s article, “Cutting the Vulnerability Noise with Context,” 20 percent of hacking activity focuses solely on vulnerabilities.
What kind of vulnerabilities are exploited most often?
Here is a quick look at the top three most exploited vulnerabilities:
- CVE-2018-8174: This is easily the most targeted vulnerability out there. Also known as “Double Kill,” this remote code execution (RCE) flaw in Windows VBScript can be exploited through Internet Explorer. Double Kill exists in four of the most popular exploit kits – RIG, Fallout, KaiXin, and Magnitude.
- CVE-2018-4878: The second most observed vulnerability is an Adobe Flash zero-day first identified in February 2019. While the company released a patch within hours, a large number of users have not yet applied it, leaving companies exposed and vulnerable to attack.
- CVE-2017-11882: This, once again, is a Microsoft-related vulnerability that allows arbitrary code to run when a maliciously modified file gets opened. This vulnerability has been associated with some major campaigns such as the QuasarRAT trojan and the prolific Andromeda botnet.
As you can see, some of the most commonly exploited vulnerabilities target Microsoft software. Cybercriminals consider two major factors as they plan attacks:
- Which tools are needed to target high-value victims?
- What other tools and exploit kits can be used to exploit vulnerabilities opportunistically?
So how do you stay one step ahead?
Risk models are not enough
A risk model can help organizations obtain data to build a cybersecurity framework that best aligns with the business. Modern risk models continually feed on new and evolving information; however, plugging gaps in the event of a data breach remains extremely difficult.
The main problem here is “noise.” Without proper background information, every incident seems critical. As a result, your security team will inevitably miss something genuinely urgent, and that can become the proverbial (or maybe literal) million-dollar mistake.
To find the vulnerabilities that matter, it’s crucial to make your risk models more efficient by applying contextual data.
Risk Models + Context
Context helps your business manage cyber risk and empowers your Security Operations Center (SOC) team to respond to the most critical tasks. Without context, your team will drown in the sludge of incidents that inevitably lead to alert fatigue.
So, how exactly do you “calculate” something as intangible as “context?” The most critical component comes from the careful study of the adversary’s capability, intent, and opportunity. These data points are crucial for building an efficient model and reducing risk more effectively.
Keep in mind that the starting point for any external adversary will be an outside-in perspective and the initial attack vector may target an externally facing exposed asset.
The Role of Attack Surface Intelligence
There are many layers of complexity involved in proper adversary analysis. However, contextual data points like these are required if you want to create a risk model that makes a real difference to the security of your systems.
Just being aware of your attack surface isn’t enough. It’s essential to know the motive and intent of a particular threat actor, which simply compounds the process’s overall difficulty. Some points must be noted while doing this risk analysis:
- The credibility of the adversary over time. Have they been successful in their attempts to exploit a particular vulnerability before?
- How is the adversary sharing information about a specific exploit? Is the exploit now available to the whole world, or is it shared only among other credible criminals?
- What is the technical status and maturity of the exploit being discussed here?
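As an added illustration (not Netenrich’s code or the scoring used by ASI), here is one way to fold the capability, intent and opportunity data points and the three questions above into a single prioritization score, so that a high-severity finding with no context drops below a medium one that an active, successful adversary is already exploiting. The weights, the noise threshold and the sample findings are assumptions constructed for the example.

```python
"""Context-aware vulnerability prioritization (added example, not Netenrich code).

Each finding carries a base severity plus the context factors the article lists:
whether the adversary has exploited it before (credibility/intent), how widely the
exploit is shared and whether the asset is externally facing (opportunity), and
how mature the exploit is (capability). Weights and records are constructed.
"""
from dataclasses import dataclass

# Opportunity: wider circulation of an exploit means more opportunistic attackers.
SHARING_WEIGHT = {"private": 0.3, "criminal-forum": 0.7, "public": 1.0}
# Capability: from no known exploit up to weaponized code shipped in exploit kits.
MATURITY_WEIGHT = {"none": 0.1, "poc": 0.5, "functional": 0.8, "exploit-kit": 1.0}
NOISE_THRESHOLD = 2.0  # assumed cut-off below which a finding is treated as noise

@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float               # base severity, 0-10
    external_facing: bool     # reachable from the outside-in perspective
    adversary_success: bool   # has the actor exploited this flaw before?
    sharing: str              # key of SHARING_WEIGHT
    maturity: str             # key of MATURITY_WEIGHT

def context_score(f: Finding) -> float:
    """Scale base severity by adversary capability, intent and opportunity."""
    capability = MATURITY_WEIGHT[f.maturity]
    intent = 1.0 if f.adversary_success else 0.5
    opportunity = SHARING_WEIGHT[f.sharing] * (1.0 if f.external_facing else 0.4)
    return round(f.cvss * capability * intent * opportunity, 2)

def prioritize(findings, threshold=NOISE_THRESHOLD):
    """Return (name, score) pairs above the noise threshold, most urgent first."""
    scored = [(f.name, context_score(f)) for f in findings]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample findings: B has the second-highest CVSS but no context.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, True, True, "public", "exploit-kit"),
    Finding("VULN-B", 9.1, False, False, "private", "poc"),
    Finding("VULN-C", 6.5, True, True, "criminal-forum", "functional"),
    Finding("VULN-D", 7.5, True, False, "public", "none"),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_FINDINGS):
        print(f"{name}: {score}")
```

Ranked purely by CVSS, VULN-B would sit near the top of the queue; with context applied it falls below the noise threshold while VULN-C, a lower-severity flaw that a credible adversary is actively exploiting against an exposed asset, stays on the list.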
Netenrich’s Attack Surface Intelligence (ASI) helps you understand the motive of a threat actor and the potential impact it can have on your organization. ASI continually scours your organization’s attack surface to hunt down vulnerabilities. It then cross-checks the vulnerability against known threat activity to give you context surrounding the issue and a brief history of the associated threat actor and their motive. We achieve this efficiently and to a high degree of accuracy by using a combination of threat and attack surface intelligence.
Vulnerability Management with Threat and Attack Surface Intelligence
Netenrich uses a combination of threat and attack surface intelligence to help you find hidden risks, and to quickly contextualize and prioritize threats so you can improve vulnerability management and reduce fatigue. Contextual intelligence is part of Netenrich’s Resolution Intelligence framework for transforming digital operations into better business outcomes.
Resolution and contextual intelligence equip you to:
- Achieve continuous adversary insights that help prevent risk, streamline operations, and bridge skill gaps
- Identify the most critical alerts and act on them before they become dangerous
- Empower your SecOps and IT Ops to work efficiently together and reduce alert fatigue
Want to know more about attack surface intelligence and how it can help bolster your defenses?
Meanwhile, do keep an eye out and stay tuned for the third and final part of this series!