INTELLIGENCE_ SOLUTIONS GUIDE & RESOURCES
THE VALUE OF VULNERABILITY INTELLIGENCE
According to Gartner, during the last decade the average time between identification of a vulnerability and an exploit has plummeted from 45 days to 15 days. With a drastically reduced time window between the publication of a CVE and exploitation in the wild, high-fidelity vulnerability intelligence is needed to set a strategy and patch the most critical vulnerabilities before they lead to a breach.

Vulnerability intelligence is fast emerging as one of the most valued threat intelligence use cases. It provides information about how vulnerabilities are being exploited across the threat landscape, helping to prioritize the response to those vulnerabilities. Good intelligence means teams focus on the vulnerabilities that pose a real risk to the organization and deprioritize those that do not.
[Figure: Vulnerability Management and Vulnerability Intelligence]
VULNERABILITY INTELLIGENCE: CVSS AND BEYOND
The Common Vulnerability Scoring System (CVSS) is the open industry standard to score the base, temporal, and environmental severity of a vulnerability. This can help to understand some key questions about the vulnerability:
1. Does it require user interaction?
SOURCES OF VULNERABILITY INTELLIGENCE
For context and the latest updates on newly disclosed CVEs and exploits, you’ll want to have a comprehensive set of data sources.
• https://nvd.nist.gov/vuln/data-feeds
• https://www.cvedetails.com/vulnerability-list/
• https://www.auscert.org.au/bulletins/ or https://…
• https://www.govcert.gov.hk/en/alerts.php
• https://www.jpcert.or.jp/
• https://…activity/2022/01/10/cisa-adds-15-known-exploited-vulnerabilities-catalog
• Vendor blogs and updated web pages that provide official disclosure information on vulnerabilities and updates on …
• Catalin Cimpanu
• MalwareTech
• MalwareHunterTeam
• JAMESWT
• ExecuteMalware
• Abuse.ch
• Hasherezade
• Vitali Kremez
• Malware Traffic
PUBLIC CODE REPOSITORIES AND PASTE SITES
• Code repositories such as GitHub and GitLab, which are the standard for sharing exploit code and other associated tools among threat actors; the policy surrounding the sharing of public exploits and malware samples has, however, recently changed on GitHub.
• Paste sites such as Pastebin that host lists of exploitable vulnerabilities

DARK WEB AND CLOSED SOURCES
• Dark web marketplaces and forums where exploits are discussed, shared, traded, and sold
• Telegram and IRC channels that discuss the latest vulnerabilities and exploits
• Cybercriminal forums with barriers to entry, where threat actors advertise the sale of proof-of-concept (POC) …

ASSESSING RELIABILITY
Not all sources are made equal. An effective vulnerability intelligence program should assess each source before taking action. Vulnerability intelligence offerings have been around long enough for internet trolls to emerge and begin posting fake code snippets with mentions of “CVE”, “POC”, or “Exploit” to public repositories (read this story to learn more: https://blog.zsec.uk/cve-2020-1350-research/).
Unfortunately, a lot of vulnerability intelligence is reliant on basic keyword matching and fails to effectively assess these sources. Risking mistaking … experienced analyst who can assess PoC exploits and accurately inform an … company industry/geography
OPERATIONALIZING VULNERABILITY INTELLIGENCE
Vulnerability intelligence exists to provide actionable insights for vulnerability management. Once fused into your organization’s threat model, vulnerability intelligence can be used across many internal functions to improve security planning.
How much intelligence does your security team need? “More” is not always a synonym for “better”―certainly not when it comes to intelligence. Tailor your intelligence needs to your threat model, for example a representation of the potential threats to your organization from a hypothetical attacker’s point of view. In practice, this means adjusting your intelligence requirements to your needs.
… scale with the size of the business but the size of the threat landscape, a particular challenge for smaller organizations. Sometimes in-house resources are devoted to this end, and sometimes the work is outsourced. Either way, the intelligence will help prioritize patching schedules based on: active threats to your sector and location, the presence (or absence) of working PoC code in the wild, and the use of affected software or hardware by your organization or by a third party.
… MITRE ATT&CK framework within their Vulnerability Management processes. By mapping CVEs to MITRE ATT&CK, teams immediately get context as to the what and the how of the attack, enabling teams to perform remediation beyond patching.
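The three prioritization criteria above (active exploitation, a working public PoC, and whether the affected product is actually in your estate) can be expressed as a small triage rule. The following is an added example, not code from the guide or from Digital Shadows; the CVE identifiers, CPE strings, inventory and tier thresholds are constructed assumptions.

```python
"""Rank CVEs for patching by exploitation-in-the-wild, public PoC availability and
CPE overlap with the organization's own asset inventory (constructed sample data)."""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float               # CVSS base score from the advisory
    exploited_in_wild: bool   # e.g. listed in a known-exploited-vulnerabilities catalogue
    poc_public: bool          # working PoC observed on a public repository
    cpes: list                # CPE 2.3 strings for the affected products


def cpe_parts(cpe: str):
    """Return (vendor, product, version) from a CPE 2.3 string."""
    f = cpe.split(":")
    return f[3], f[4], f[5]


def affects_inventory(vuln: Vuln, inventory: list) -> bool:
    """True if any affected CPE matches an installed asset; a '*' version in the
    advisory matches every installed version of that vendor/product."""
    for vcpe in vuln.cpes:
        vv, vp, vver = cpe_parts(vcpe)
        for icpe in inventory:
            iv, ip, iver = cpe_parts(icpe)
            if vv == iv and vp == ip and vver in ("*", iver):
                return True
    return False


def priority(vuln: Vuln, inventory: list) -> str:
    """Assumed tiering: estate exposure first, then in-the-wild exploitation,
    then PoC availability or critical CVSS. Not in the estate -> track, don't patch."""
    if not affects_inventory(vuln, inventory):
        return "DEPRIORITIZE"
    if vuln.exploited_in_wild:
        return "P1"
    if vuln.poc_public or vuln.cvss >= 9.0:
        return "P2"
    return "P3"


def rank(vulns: list, inventory: list) -> list:
    """Order by tier, then by CVSS within a tier (highest first)."""
    order = {"P1": 0, "P2": 1, "P3": 2, "DEPRIORITIZE": 3}
    return sorted(vulns, key=lambda v: (order[priority(v, inventory)], -v.cvss))


# Constructed placeholders (CVE-0000-* are not real advisories).
INVENTORY = ["cpe:2.3:a:acme:widgetserver:4.2:*:*:*:*:*:*:*",
             "cpe:2.3:o:acme:routeros:1.9:*:*:*:*:*:*:*"]
VULNS = [
    Vuln("CVE-0000-0001", 9.8, False, False, ["cpe:2.3:a:acme:widgetserver:3.0:*:*:*:*:*:*:*"]),
    Vuln("CVE-0000-0002", 7.5, True, True, ["cpe:2.3:o:acme:routeros:*:*:*:*:*:*:*:*"]),
    Vuln("CVE-0000-0003", 8.1, False, True, ["cpe:2.3:a:acme:widgetserver:4.2:*:*:*:*:*:*:*"]),
    Vuln("CVE-0000-0004", 9.9, True, True, ["cpe:2.3:a:other:thing:1.0:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    for v in rank(VULNS, INVENTORY):
        print(priority(v, INVENTORY), v.cve, v.cvss)
```

Note that the 9.9-scored CVE-0000-0004 lands at the bottom because nothing in the inventory runs the affected product, which is exactly the deprioritization the guide argues for.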
TRIAGING
Vulnerability intelligence can help you spot the key security flaws that may affect your organization in a sea of security flaws. New vulnerabilities are being identified at an unprecedented rate and most of them will not be relevant to your organization (despite what security headlines say). Then again, neglect to patch certain flaws and you could invite devastating results. Instead, take our advice: study, prioritize, triage. In that order.

COMMUNICATING
Vulnerability intelligence can also support you when dealing with key executives in your organization. Being able to effectively communicate risks and opportunities across your company is a crucial skill, and one that takes time to develop. By presenting vulnerabilities as part of a broader context―not merely as CVE numbers―you can effectively convey real risk and probability, helping you win managerial approval to patch appropriately. You can now make them finally see that the “if it ain’t broke, don’t fix it” approach is no longer sustainable.

MITIGATING
Patching your vulnerable hardware and software isn’t the end of the story. Some of you will already know that the intelligence process is typically represented as a cycle, with every action informing the next one. As such, every patching round will inevitably inform the next one and will result in an adjusted security plan based on empirical evidence.
DIGITAL SHADOWS’ VULNERABILITY INTELLIGENCE
Security teams need context on vulnerabilities that goes beyond CVSS scores, helping them to understand what the true risk is. For example, what is the probability of exploitation? Is it appealing to threat actors? Is there proof of exploitation in the wild? The process of investigating a vulnerability and getting the proper context to understand, prioritize, and mitigate the risk can be piecemeal and is often incomplete.
INVESTIGATE
A high-priority vulnerability has emerged and is being blasted across email, CNN, your Twitter feed, and more.
In SearchLight, you can search by CVE number and get one page with everything you need to know. After reading the vulnerability profile, you can investigate the sources the profile links out to, such as an associated GitHub repository or intelligence reporting from Photon Research, follow the recommended MITRE mitigations, or export the profile as a PDF to share with a wider audience.
PRIORITIZE
You’ve got a long list of vulnerabilities and need to decide, quickly, what is patched first.
SearchLight helps you narrow the one thousand things down to what you actually care about. Paste a list of CVEs or CPEs into SearchLight and then apply filters to rank your list based on your organizational priorities, such as availability, CVSS attack vector, mitigations, and more. Users can even search by product family to gauge risk from specific software suppliers.
PIVOT
An alert comes through for a recent vulnerability and you need to understand its risk and exploitability.
You can pivot within seconds from an alert to a detailed profile on the vulnerability. Alongside a summary and timeline of the vulnerability, you’ll be able to read additional sources tagged as Exploit, Fixes, Advisories, and Photon Intelligence reporting, or other security write-ups assembled by our team of intelligence analysts and security experts. You’ll also save time on analysis, as each vulnerability is mapped to MITRE ATT&CK by Photon, with known threat actor or malware associations linked.
Profiles will also pull any mentions of the CVE across the open, deep, and dark web through ShadowSearch, the CVSS 3.0 score, and additional context such as the vulnerability class, CWE, CPEs affected, and mitigations available.
THANK YOU_
www.digitalshadows.com
London
Columbus Building, Level 6,
7 Westferry Circus,
London, E14 4HD
+44 (0) 203 393 7001