The gap in your knowledge is much less likely to be from your own systems and network — instead, what you really don’t know is how likely it is that a threat actor is looking to exploit the vulnerabilities your organization might be susceptible to.

In this paper, we’ll examine how threat intelligence gathered and analyzed from a wide breadth of sources can arm you to make risk-based decisions on remediating vulnerabilities. More specifically, we’ll uncover how threat actor “chatter” in dark web communities enables you to zero in on the weaknesses being targeted by hackers in the real world.

Incident Response
Threat intelligence helps analysts uncover and more quickly understand the evidence of breaches, reducing wasted time and improving effectiveness.

CISOs and Security Leaders
In addition to its operational benefits, threat intelligence also has a strategic role to play. CISOs can use intelligence to inform improvements.
The Race to Patch or Exploit
The life of a CVE typically starts when a researcher or vendor discovers a vulnerability and requests the allocation of a CVE number. They will prepare an initial analysis and “announce” the vulnerability on some channel — most often formally on a company website or perhaps in their own security blog. But this really is just the beginning: as security professionals work to keep networks and data safe, threat actors look for ways to weaponize the vulnerability.
Vulnerability Lifecycle: The Security Community
Once the vulnerability is announced, work will be ongoing with NIST to determine exploitability and assign a CVSS score.

Proof-of-concept (POC) exploit code is also developed by security researchers, academics, and industry professionals to demonstrate the potential exploitability of vulnerabilities. In most cases, these tests are publicly available through blogs and code repositories like GitHub.

Security teams inside organizations will now need to determine whether this vulnerability presents a great enough risk to deploy the patch, and this decision must be balanced with the potential operational impact it might have.
“Today we were unlucky, but remember, we only have to be lucky once; you will have to be lucky always.”
IRA statement in the wake of the 1984 Brighton bombing.

Vulnerability databases consolidate information on disclosed vulnerabilities and also score their exploitability. Research from Recorded Future has revealed that 75 percent of disclosed vulnerabilities appear on other online sources (e.g., social media, researcher blogs, and even the dark web) before they are picked up by the NIST National Vulnerability Database (NVD).

The information provided by vulnerability databases is limited to the technical specifications and theoretical exploitability of vulnerabilities, which doesn’t always correlate to the actual level of risk posed.

Instead of simply racing to patch, look for indications of true risk. This is most effectively achieved by combining internal data from vulnerability scanning with contextualized external intelligence to reveal whether vulnerabilities are actually being exploited.

Vulnerability databases and scanners are sources of intelligence that can help inform your potential weakness to vulnerabilities. But as threat actor interest in particular CVEs gathers pace, there’s no arguing that you find yourself exposed to much greater actual risk. Truly risk-based vulnerability management applies intelligence from a wide breadth of sources to reveal the milestones through which the disclosed vulnerability passes on its route to ultimately becoming a commoditized attack method.
Sources of Threat Data
Information Security Sites: This would include vendor blogs, official disclosure information on vulnerabilities, and security news sites.
Social Media: There is a lot of link sharing through social media, which makes it a useful jumping-off point for uncovering more useful intelligence.
Code Repositories: GitHub is the most well-known code repository. These sites give useful insight into development of proof-of-concept code for vulnerabilities.
Paste Sites: Sites like Pastebin and Ghostbin are often wrongly defined as being dark web locations. These sites, which aren’t listed by search engines, often house lists of exploitable vulnerabilities.
Forums: These sites are distinct from dark web communities, as there is often no bar to entry or a requirement for specific software to access them.
Technical Feeds: These are data streams of potentially malicious indicators. They have the potential to add very useful context around the activities of malware or exploit kits.
In the Wild
Let’s imagine your vulnerability scanner has been busy assessing which vulnerabilities affect systems in your network. At this stage you have a list of CVEs.
An Office Vulnerability From Disclosure to Commoditized Exploit
In our example, we’ve filtered that list to Microsoft products. Now we can augment this list of CVEs with external threat intelligence available in Recorded Future — we’re using a browser plugin to show a risk score associated with each CVE as well as a short summary of the evidence that informs that score.

The risk score is designed to help inform faster decisions with an at-a-glance view of the likely risk this vulnerability presents. To give true context, it also updates in real time. For a more comprehensive view, we can click to open the Recorded Future Intelligence Card for this particular Microsoft Office vulnerability.
The top section of the Intelligence Card displays all of the evidence that contributes to this CVE’s risk score of 89. In most cases, this summary would be enough to make a decision around the prioritization of addressing this vulnerability. We’re going to dig a little deeper to understand how intelligence from a breadth of sources demonstrates the increased risk posed by this vulnerability.
In this timeline, we can clearly see the risk milestones we outlined earlier in this CVE’s journey from vulnerability to exploit.
The first thing you’ll notice is the gap (although small in this case) between the initial disclosure of the vulnerability and its appearance in the NIST database.

You can also see that on the same day as the CVE appears in NVD, a Russian threat actor is already selling a “working” exploit for it, and four days later, POC code appears on GitHub. After this initial flurry of activity around the vulnerability, it takes just over two months for security researchers to begin reporting this exploit being added to existing malware and the creation of a new exploit builder.
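The two ideas above, joining scanner output with external evidence and reading a CVE’s lifecycle milestones as a risk signal, as an added illustration (this is example code, not Recorded Future’s scoring model; the milestone weights, placeholder CVE ids and dates are constructed):

```python
from dataclasses import dataclass, field
from datetime import date

# Weight per lifecycle milestone: the further a CVE has travelled along the
# disclosure -> commoditized attack path, the higher its score. Weights are
# assumptions for this example, not a vendor's scoring model.
MILESTONE_WEIGHTS = {
    "nvd_entry": 5,          # picked up by the NIST NVD
    "exploit_for_sale": 30,  # threat actor advertising a "working" exploit
    "poc_on_github": 20,     # public proof-of-concept code
    "added_to_malware": 35,  # researchers report use in existing malware
    "exploit_builder": 25,   # a new exploit builder is released
}

@dataclass
class CveIntel:
    cve_id: str
    disclosed: date
    events: list = field(default_factory=list)  # (date, milestone) pairs

    def risk_score(self) -> int:
        """Sum the weights of distinct milestones seen, capped at 99."""
        seen = {milestone for _, milestone in self.events}
        return min(99, sum(MILESTONE_WEIGHTS.get(m, 0) for m in seen))

    def timeline(self):
        """Milestones in date order with days elapsed since disclosure."""
        return [(m, (d - self.disclosed).days) for d, m in sorted(self.events)]

def prioritize(scanner_cves, intel):
    """Join scanner findings with external intel; highest risk first.
    A CVE the scanner found but no intel covers keeps score 0."""
    ranked = [(c, intel[c].risk_score() if c in intel else 0) for c in scanner_cves]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

# Constructed sample data with placeholder CVE ids. The first CVE follows the
# timeline in the text: NVD entry and exploit sale on the same day, PoC four
# days later, malware integration and an exploit builder just over two months on.
SAMPLE_INTEL = {
    "CVE-0000-0001": CveIntel("CVE-0000-0001", date(2017, 1, 1), [
        (date(2017, 1, 8), "nvd_entry"), (date(2017, 1, 8), "exploit_for_sale"),
        (date(2017, 1, 12), "poc_on_github"),
        (date(2017, 3, 15), "added_to_malware"), (date(2017, 3, 15), "exploit_builder"),
    ]),
    "CVE-0000-0002": CveIntel("CVE-0000-0002", date(2017, 2, 1), [(date(2017, 2, 20), "nvd_entry")]),
}
SCANNER_FINDINGS = ["CVE-0000-0003", "CVE-0000-0002", "CVE-0000-0001"]
```

Running `prioritize(SCANNER_FINDINGS, SAMPLE_INTEL)` puts the CVE with exploit-sale and malware-integration evidence first, while a CVE the scanner found but no external source mentions sinks to the bottom of the patch queue.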
3 Key Advantages of Vulnerability Intelligence
Organizations that rely on relevant and timely threat intelligence will have a better chance of responding to critical vulnerabilities quickly enough to reduce the risk of exploitation.

RAPIDLY ASSESS RISKS WITH INTELLIGENCE ON KNOWN VULNERABILITIES
Recorded Future computes vulnerability risk scores and presents evidence with links to sources. We’re merging intelligence on exploits and malicious code with NVD data for quick access to vendor advisories or remediation steps. You can even enrich your security products with Intelligence Card content.

IDENTIFY VULNERABILITIES WITH A HIGHER RISK OF BEING WEAPONIZED
Threat intelligence from Recorded Future will alert you when vulnerabilities are linked to exploit kits or high-risk malware categories that are relevant to your enterprise. You can filter noise by fine-tuning alerts and dashboards that deliver the right intelligence to the right personnel.

DISCOVER UNDISCLOSED OR NEW VULNERABILITIES AND ZERO-DAY EXPLOITS
Recorded Future automates identification of exploit chatter for unknown vulnerabilities, helping you improve remediation prioritization based on evidence of increased adversary intent or their capabilities.