
VULNERABILITY INTELLIGENCE
SOLUTIONS GUIDE & RESOURCES

THE VALUE OF VULNERABILITY INTELLIGENCE
According to Gartner, during the last decade, the average time between identification of
a vulnerability and an exploit has plummeted from 45 days to 15 days. With a drastically
reduced time window between the publication of a CVE and exploitation in the wild,
high-fidelity vulnerability intelligence is needed to set a strategy and patch the most
critical vulnerabilities before they lead to a breach.

Vulnerability intelligence is fast emerging as one of the most valued threat intelligence
use cases. It provides information about how vulnerabilities are being exploited
across the threat landscape, helping teams prioritize their response to those vulnerabilities. Good
intelligence means teams focus on the vulnerabilities that pose a real risk to the
organization and deprioritize those that do not.

VULNERABILITY MANAGEMENT

An ongoing process of identifying, investigating, assessing, reporting, and patching
vulnerabilities. At some organizations, risk assessment and patch prioritization may be
continually revisited by a VM team throughout the course of a day, while other companies
may take a “patch everything” approach with routine reviews of their assets and scanning
tools.

VULNERABILITY INTELLIGENCE

Sometimes part of a vulnerability management program and provides vital context on a
given vulnerability to understand how likely it is to be exploited.

Diagram labels: Threat Intelligence, Vulnerability Management, Vulnerability Intelligence.
VULNERABILITY INTELLIGENCE: CVSS AND BEYOND

The Common Vulnerability Scoring System (CVSS) is the open industry standard to score
base, temporal, and environmental severity of a vulnerability. This can help to
understand some key questions about the vulnerability:

1. Does it require user interaction?

2. Does it require user privileges?

3. Is it low complexity to exploit?

4. Is it remotely exploitable?

For many organizations, CVSS provides a helpful way to prioritize responding to these
vulnerabilities. For example, FIRST recommends having four priorities, with the highest
(P1) consisting of those CVEs with a CVSS score of 7 and above. These highest priority
vulnerabilities ought to be patched within two weeks.

80% OF PUBLIC EXPLOITS ARE PUBLISHED BEFORE THE CVES ARE PUBLISHED.
AN EXPLOIT IS PUBLISHED 23 DAYS BEFORE THE CVE IS PUBLISHED.
—Palo Alto Networks’ State of Exploit Development

Like any numerical representation of risk, it’s helpful at a glance but doesn’t give a
complete picture of the risk of exploitation and the potential impact each vulnerability
could have on your organization. For example, research has found that only 75% of
vulnerabilities with scores above 7 have never been exploited.

Second, these scores lack the context on the likelihood of exploitation. For true
prioritization, teams will often be forced to look across many different sources to
inform their response. Furthermore, CVSS scores are not dynamic. Although the threat
landscape changes regularly, these changes are often not reflected in the score.

Delays in detection and reporting often mean that CVSS scores are not as timely as
people wish. CVSS is maintained by the National Vulnerability Database (NVD), which can
be slow to the punch in identifying and announcing vulnerabilities. If you’re doing
vulnerability identification correctly, you’re detecting and identifying vulnerabilities
that may not have a CVSS score or CVE name assigned yet.

FIRST CVSS-Based Patch Policy: https://www.first.org/cvss/v2/cvss-based-patch-policy.pdf
TOP 10 QUESTIONS TO ASK

In order to get to the bottom of “will this vulnerability be exploited”, there are some
sub-questions to ask. For the threat intelligence geeks among you, let’s call these
Priority Intelligence Requirements.

1. HAS THE VULNERABILITY BEEN EXPLOITED IN THE WILD?

2. IS THE VULNERABILITY EMBEDDED IN PENTEST TOOLS?

3. IS THERE EVIDENCE OF EXPLOITABILITY?

4. IS AN EXPLOIT ADVERTISED FOR SALE ONLINE?

5. HAS A PROOF OF CONCEPT BEEN PUBLISHED ONLINE?

6. IS THE VULNERABILITY ASSOCIATED WITH MALWARE?

7. IS THE VULNERABILITY ASSOCIATED WITH A THREAT ACTOR?

8. HAS THE VULNERABILITY BEEN DISCUSSED IN A THREAT INTELLIGENCE REPORT?

9. HAS THE VULNERABILITY BEEN DISCUSSED IN CRIMINAL LOCATIONS?

10. HAS THE VULNERABILITY BEEN MENTIONED IN A NEWS ARTICLE?

ADDITIONAL CONTEXT FOR VULNERABILITY INTELLIGENCE

By now, we all understand there are limitations to CVSS scoring. However, there is
still value to having this score as an objective measure and industry standard. Your
organization can leverage the insight from CVSS scoring alongside additional context
from data sources that give you an up-to-date view on exploit status, risk of
exploitability, and business impact of an exploit.

So what additional context is necessary to prioritize vulnerabilities? A CVSS score
helps your teams understand the technical severity of a vulnerability. To get a clear
picture of the overall risk you’ll want to understand the likelihood of exploitation.

LIKELIHOOD OF AN EXPLOIT

Out of the 18,000 CVEs published in 2020, only 473 were ever exploited and caused a
real business impact — that’s about a 6% rate of exploit according to Kenna’s annual
report.

While it’s impossible to predict exactly which vulnerabilities will be exploited in
the future, you can gauge the likelihood of an exploit based on the availability of
proof of concept (POC) code on GitHub or tools to exploit the vulnerability posted
for sale online.
SOURCES OF VULNERABILITY INTELLIGENCE

For the context and the latest updates on the latest disclosed CVEs and exploits you’ll
want to have a comprehensive set of data sources.

VULNERABILITY DATABASES (NVD)

Official reporting on newly discovered CVEs and/or vulnerabilities.

• https://nvd.nist.gov/vuln/data-feeds
• https://www.cvedetails.com/vulnerability-list/

VENDOR SITES

Vendor blogs and updated web pages that provide official disclosure information on
vulnerabilities and updates on patches.

• Vulnerabilities - Security Update Guide - Microsoft, and their MsftSecIntel Twitter account
• https://wiki.scn.sap.com/wiki/display/PSR/The+Official+SAP+Product+Security+Response+Space
• https://helpx.adobe.com/security.html
• https://support.apple.com/en-us/HT201222

CERT ADVISORIES

• https://www.cisa.gov/uscert/mailing-lists-and-feeds (or https://twitter.com/USCERT_gov)
• https://www.cisa.gov/uscert/ncas/current-activity/2022/01/10/cisa-adds-15-known-exploited-vulnerabilities-catalog
• https://www.auscert.org.au/bulletins/ or https://twitter.com/AusCERT
• https://www.govcert.gov.hk/en/alerts.php
• https://www.jpcert.or.jp/
• https://www.cert.ssi.gouv.fr/alerte/ (includes an RSS feed)

RESEARCHERS ON SOCIAL MEDIA

Social media, where discussions and URL-sharing on Twitter and other sites report on
zero-day vulnerabilities or uncover useful context.

• Kevin Beaumont / DoublePulsar
• Catalin Cimpanu
• MalwareTech
• MalwareHunterTeam
• JAMESWT
• ExecuteMalware
• Abuse.ch
• Hasherezade
• James in the box
• Vitali Kremez
• Malware Traffic
PUBLIC CODE REPOSITORIES AND PASTE SITES

• Code repositories such as GitHub and GitLab, which are the standard for sharing
exploit code and other associated tools among threat actors; the policy surrounding
the sharing of public exploits and malware samples has however recently changed on
GitHub.
• Paste sites such as Pastebin that host lists of exploitable vulnerabilities.

DARK WEB AND CLOSED SOURCES

• Dark web marketplaces and forums where exploits are discussed, shared, traded, and
sold.
• Telegram and IRC channels that discuss the latest vulnerabilities and exploits.
• Cybercriminal forums with no barrier to entry, where threat actors exchange
information or generate interest around specific exploits, vulnerabilities, and
publicly-issued patches.
• Cybercriminal forums with barriers to entry, where threat actors advertise the sale
of proof-of-concept (POC) code and recently discovered exploits and name victim
company industry/geography.

ASSESSING RELIABILITY

Not all sources are made equal. An effective vulnerability intelligence program should
assess each source before taking action. Vulnerability intelligence offerings have been
around long enough for internet trolls to emerge and begin posting fake code snippets
with mentions of “CVE”, “POC”, or “Exploit” to public repositories (read this story to
learn more: https://blog.zsec.uk/cve-2020-1350-research/).

Unfortunately, a lot of vulnerability intelligence is reliant on basic keyword matching
and fails to effectively assess these sources, risking mistaking propaganda for
intelligence.

A more mature approach to vulnerability intelligence is to combine technology with the
eyes of an experienced analyst who can assess PoC exploits and accurately inform an
action.
OPERATIONALIZING VULNERABILITY INTELLIGENCE

Vulnerability intelligence exists to provide actionable insights for vulnerability
management. Once fused into your organization’s threat model, vulnerability intelligence
can be used across many internal functions to improve security planning.

How much intelligence does your security team need? “More” is not always a synonym for
“better”―certainly not when it comes to intelligence. Tailor your intelligence needs to
your threat model, such as with a representation of the potential threats to your
organization from a hypothetical attacker’s point of view. In practice, this means
adjusting your intelligence requirements to your needs.

Incorporating vulnerability intelligence will help you prevent and quickly mitigate the
most relevant threats for your specific organization. Be aware that gathering and
processing massive amounts of information into precise, timely, relevant intelligence
requires human skills that do not scale with the size of the business but with the size
of the threat landscape, a particular challenge for smaller organizations. Sometimes
in-house resources are devoted to this end, and sometimes the work is outsourced. Either
way, the intelligence will help prioritize patching schedules based on: active threats
to your sector and location, the presence (or absence) of working PoC code in the wild,
and the use of affected software or hardware by your organization or by a third party.

MAPPING TO MITRE ATT&CK

Security teams can consider leveraging the MITRE ATT&CK framework within their
vulnerability management processes. By mapping CVEs to MITRE ATT&CK, teams immediately
get context as to the what and the how of the attack, enabling teams to perform
remediation beyond patching.

TRIAGING

Vulnerability intelligence can help you spot key security flaws that may affect your
organization in a sea of security flaws. New vulnerabilities are being identified at an
unprecedented rate and most of them will not be relevant to your organization (despite
what security headlines say). Then again, neglect to patch certain flaws and you could
invite devastating results. Instead, take our advice: study, prioritize, triage. In that
order.

COMMUNICATING

Vulnerability intelligence can also support you when dealing with key executives in your
organization. Being able to effectively communicate risks and opportunities across your
company is a crucial skill, and one that takes time to develop. By presenting
vulnerabilities as part of a broader context―not merely as CVE numbers―you can
effectively convey real risk and probability, helping you win managerial approval to
patch appropriately. You can now make them finally see that the “if it ain’t broke,
don’t fix it” approach is no longer sustainable.

MITIGATING

Patching your vulnerable hardware and software isn’t the end of the story. Some of you
will already know that the intelligence process is typically represented as a cycle,
with every action informing the next one. As such, every patching round will inevitably
inform the next one and will result in an adjusted security plan based on empirical
evidence.
DIGITAL SHADOWS’ VULNERABILITY INTELLIGENCE

Security teams need context on vulnerabilities that goes beyond CVSS scores, helping
them to understand what the true risk is. For example, what is the probability of
exploitation? Is it appealing to threat actors? Is there proof of exploitation in the
wild? The process of investigating a vulnerability and getting the proper context to
understand, prioritize, and mitigate the risk can be piecemeal and often incomplete.

Vulnerability Intelligence with SearchLight is an all-in-one solution, providing all
necessary contextual information in a simple, skimmable profile. This rich context
includes CVSS score, vulnerability risk factors indicating likelihood of exploitation,
associated malware or threat actors, known fixes, advisories, exploits, and
intelligence encompassing open, closed, and technical sources and links when
applicable to associated GitHub repositories, security blogs, CERT advisories,
Twitter, and threat actor chatter.
INVESTIGATE

A high priority vulnerability has emerged and is being blasted across email,
CNN, your Twitter feed, and more.

In SearchLight, you can search by CVE number and get one page with
everything you need to know. After reading the vulnerability profile, you
can investigate sources the profile links out to such as an associated GitHub
or intelligence reporting from Photon Research, follow the recommended
MITRE mitigations, or export the profile as a PDF to share with a wider
audience.

A SearchLight CVE Profile

PRIORITIZE

You’ve got a long list of vulnerabilities and need to decide what is patched
first, and quickly.

SearchLight helps you narrow the one thousand things down to what you
actually care about. Paste a list of multiple CVEs or CPEs into SearchLight
and then apply filters to rank your list based on your organizational
priorities such as availability, CVSS attack vector, mitigations, and more.
Users can even search by product families to gauge risk from specific
software suppliers.

Paste and prioritize large lists of CVEs in an instant
PIVOT

An alert comes through for a recent vulnerability and you need to understand its risk and exploitability.

You can easily pivot within seconds from an alert to a detailed profile on the vulnerability. Alongside a summary and
timeline of the vulnerability, you’ll be able to read additional sources or tags based on Exploit, Fixes, Advisories, and Photon
Intelligence reporting or other security writings assembled by our world-class team of intelligence analysts and security
experts. You’ll also save some time on analysis, as each vulnerability is mapped to MITRE ATT&CK by Photon with known
threat actor or malware associations linked to.

Profiles will also pull any mentions of the CVE across the open, deep, and dark web through ShadowSearch, the CVSS 3.0, and
additional context such as the vulnerability class, CWE, CPEs affected, and Mitigations available.

MITRE ATT&CK Alignment and Associations in a SearchLight Vulnerability Profile

THANK YOU

About Digital Shadows

Digital Shadows minimizes digital risk by identifying unwanted exposure
and protecting against external threats. Organizations can suffer regulatory
fines, loss of intellectual property, and reputational damage when digital risk is
left unmanaged. Digital Shadows SearchLight™ helps you minimize these risks by
detecting data loss, securing your online brand, and reducing your attack surface.

To learn more and get free access to SearchLight™, visit

www.digitalshadows.com

London
Columbus Building, Level 6, 7 Westferry Circus, London, E14 4HD
+44 (0) 203 393 7001

San Francisco
201 Mission St, Suite 1200, San Francisco, CA 94105
+1 (888) 889 4143

Plano
5700 Granite Pkwy, Ste. 920, Plano, TX 75024