Top 3 tips to identify quality vulnerability intelligence
Vulnerability intelligence tools can be very useful to prioritize the key threats security professionals need to take action on for their organization, but it’s important to remember that some are better than others.
Vulnerability intelligence, defined as threat intelligence that is specifically applied to vulnerability information such as common vulnerabilities and exposures, solves a very real problem in vulnerability management. When vulnerabilities are prioritized by conventional means, such as common vulnerability scoring systems, 70-80% of the vulnerabilities in your network will “need action” almost immediately. This is not a sustainable workload and is a key reason why vulnerability management programs fail. A better solution to this problem is using vulnerability intelligence to help with remediation prioritization.
There are many threat intelligence products on the market available via data feeds that you correlate yourself. You can integrate these into your vulnerability scanner or aggregation product that enriches the data from other scanners and provides searching, dashboarding, reporting or other capabilities. Most security practitioners would rather have almost any vulnerability intelligence product on the market rather than simply going by CVSS.
SEE: Mobile device security policy (TechRepublic Premium)
However, there are some key differentiating factors to consider when looking at vulnerability intelligence tools, as not all vulnerability intelligence is created equal. Let’s look at three attributes of quality vulnerability intelligence.
Top 3 tips to identify quality vulnerability intelligence
Goes beyond exploit data and considers breach data
If your vulnerability intelligence is limited to telling you if exploits exist in the wild, without telling you anything about how popular or reliable those exploits are, your program is going to be less successful. A quality vulnerability intelligence feed or product will have some examples of exploitable vulnerabilities that nevertheless pose a low risk.
How can a vulnerability be exploitable and low risk? Reasons vary. Sometimes the available exploits are hard to use, the available exploits aren’t very reliable, or they make a lot of noise. When evaluating a vulnerability intelligence feed or product, it’s important not just to look at what they have to say about famous vulnerabilities like MS08-067 or Heartbleed. Look for some examples that your scanner flags as exploitable but the feed says are low risk.
If your feed doesn’t have any of those, it’s not considering whether the vulnerability shows up in breach data, and therefore isn’t any more useful than what we’ve been able to get out of a scanner alone since the early 2010s.
Breach data is far more useful than exploit data. If threat actors have successfully exploited a given vulnerability in a recent breach, it stands to reason they are more likely to try that same vulnerability against you.
Provides data and analysis to back up why it’s important
Years ago, I flagged a certain vulnerability as a top risk based on a vulnerability intelligence product I was using at the time. The update was easy, but a member of the IT organization saw an opening and decided to use it.
It was an information disclosure vulnerability. He stood up and said: “Red Hat says this vulnerability is low severity. You’re telling me you’re smarter than Red Hat?”
Unfortunately, all I had to go by were some attributes from the vulnerability intelligence provider. One of their sources had seen it in breach data, but there was no analysis beyond it: not even the name of the source. Red Hat made a stronger case.
The best antidote to these kinds of arguments is to have good analysis available on demand. Good vulnerability intelligence builds a strong case for why they rated a vulnerability the way that they did, what mitigations or compensating controls may be available and gives a competent security professional enough information that they can make a rational decision or recommendation — not just with iconography, but with actual words.
Analysis answers “the five W’s”
Quality analysis attempts to answer as many of the classic questions — who, what, when, where, why and how — as possible. Let’s apply them to vulnerability intelligence:
- Who is using the vulnerability and/or who discovered the activity?
- What malware kits take advantage of the vulnerability and/or what is the threat actor accomplishing by using the vulnerability?
- When did evidence of the activity begin to surface?
- Where are they targeting?
- Why else is this vulnerability noteworthy?
- How does the attack work?
When you pull up any random vulnerability in your vulnerability intelligence feed or product, the fewer answers the analysis has for these or similar questions, the lower its rating should be. If it’s a critical vulnerability according to their assessment, you should be able to answer four or five of those questions, or something very similar to those questions.
If your vulnerability intelligence feed or product cannot answer four or five of those questions on something it deems critical, it’s not a quality feed. Providers should be able to talk about how the attack works and offer some evidence of some activity around the vulnerability.
Evaluating vulnerability threat intelligence
The human mind is a tricky thing. We tend to weigh criticisms seven times as heavily as compliments. If the vulnerability intelligence feed is right 87.5% of the time, it feels more like 50%. Keep that in mind when evaluating a vulnerability intelligence feed, or for that matter any other security product.
We also need to be honest with ourselves. At the time of this writing, there were more than 188,000 known CVEs. It’s simply not practical for most organizations to analyze and assess every single one themselves. And, if you haven’t noticed, there is a shortage of good remediators and good security analysts in the workforce right now. Buying a good vulnerability intelligence product is a smart way to maximize your internal human resources. You equip them with the information, and they can use that information to work more productively and effectively.
David Farquhar has over 20 years of experience in IT security including serving as the Technical Account Manager for Qualys where he worked with customers to ensure they were following the best cyber practices. He currently serves as Solutions Architect for Nucleus Security.