
Vulnerability Intelligence From the Dark Web

The Disclosure to Exploit Risk Race

Making Risk-Based Decisions Using Vulnerability Intelligence

Weighing the risks posed by vulnerabilities in software is a critical component of your information security. In deciding what to address first, you must weigh the likely impact of a vulnerability being exploited against the potential operational impact of remediating it.
Known Unknowns

In the real world, you may find yourself armed with a reasonable amount of intelligence about whether an update could cause an interruption in business operations, or fail to deploy correctly. You will also most likely have information from a vulnerability scanner to give you the level of technical exploitability for each vulnerability.

The gap in your knowledge is much less likely to be about your own systems and network. What you really don't know is how likely it is that a threat actor is looking to exploit the vulnerabilities your organization might be susceptible to.

In this paper, we'll examine how threat intelligence gathered and analyzed from a wide breadth of sources can arm you to make risk-based decisions on remediating vulnerabilities. More specifically, we'll uncover how threat actor "chatter" in dark web communities enables you to zero in on the weaknesses being targeted by hackers in the real world.

While this paper focuses specifically on using threat intelligence to help with vulnerability management, threat intelligence has a role in any security strategy.

Security Operations Centers: Threat intelligence can add valuable context to logs and events, helping to increase the speed and efficiency of alert triage.

Incident Response: Threat intelligence helps analysts uncover and more quickly understand the evidence of breaches, reducing wasted time and improving effectiveness.

CISOs and Security Leaders: In addition to its operational benefits, threat intelligence also has a strategic role to play. CISOs can use intelligence to inform improvements to the security program.
The Race to Patch or Exploit

The life of a CVE typically starts when a researcher or vendor discovers a vulnerability and requests the allocation of a CVE identifier from a CVE Numbering Authority (CNA). They will prepare an initial analysis and "announce" the vulnerability on some channel, most often formally on a company website or perhaps in their own security blog. But this is only the beginning: while security professionals work to keep networks and data safe, threat actors look for ways to weaponize the vulnerability.
Vulnerability Lifecycle: The Security Community

Once the vulnerability is announced, NIST analyzes it for the National Vulnerability Database (NVD) and assigns a CVSS score. That score reflects technical severity and theoretical exploitability; it says nothing about whether anyone is actually exploiting the flaw.

Proof-of-concept (POC) exploit code is also developed by security researchers, academics, and industry professionals to demonstrate the potential exploitability of vulnerabilities. In most cases, this code is publicly available through blogs and code repositories like GitHub.

At the same time, vendors will be looking for strategies to help remediate the risk from vulnerabilities. If the vulnerability is judged to pose a significant enough risk, this may initially be a short-term workaround or mitigation. The ultimate goal is making a patch available.

Security teams inside organizations will now need to determine whether this vulnerability presents a great enough risk to deploy the patch, and this decision must be balanced against the potential operational impact the patch might have.
Vulnerability Lifecycle: The Threat Actor Community

Threat actor communities are also monitoring sources, looking for vulnerabilities that can potentially be exploited. The information they find is cascaded through paste sites, forums, and dark web locations. These communities will translate descriptions of disclosures into their own languages, as well as sharing POC code with those technical enough to explore the potential for it to be weaponized.

Once a method to exploit the vulnerability has been successfully identified and built, adversaries will begin to market their exploits and exploit builders in dark web markets, usually selling them for cryptocurrency.
Beyond the Race to Patch

If you're an organization looking to protect your network, users, and data, you're in a race to remediate risk against threat actors seeking to exploit vulnerabilities. And the odds are uneven: an attacker needs only one vulnerability to work, while security professionals may have to patch hundreds or even thousands.
Official Risk vs. Actual Risk

"Today we were unlucky, but remember, we only have to be lucky once; you will have to be lucky always."
IRA statement in the wake of the 1984 Brighton bombing.

Vulnerability databases consolidate information on disclosed vulnerabilities and also score their technical exploitability. Research from Recorded Future has revealed that 75 percent of disclosed vulnerabilities appear on other online sources (e.g., social media, researcher blogs, and even the dark web) before they are picked up by the NIST National Vulnerability Database (NVD).

The information provided by vulnerability databases is limited to the technical specifications and theoretical exploitability of vulnerabilities, which doesn't always correlate to the actual level of risk posed.

Instead of simply racing to patch, look for indications of true risk. This is most effectively achieved by combining internal data from vulnerability scanning with contextualized external intelligence to reveal whether vulnerabilities are actually being exploited.

Vulnerability databases and scanners are sources of intelligence that can help establish your potential exposure to vulnerabilities. But as threat actor interest in a particular CVE gathers pace, the actual risk you are exposed to rises with it. Truly risk-based vulnerability management applies intelligence from a wide breadth of sources to reveal the milestones through which a disclosed vulnerability passes on its route to ultimately becoming a commoditized attack method: disclosure, NVD entry, public proof-of-concept code, exploit sale, and integration into malware or exploit builders.

The diagram in the original paper aligns these milestones against increasing risk.
Uncovering Exploit
Chatter
The ongoing metamorphosis of the “hacker” seems
continually fascinating to security professionals, as
well as the wider world. The clandestine lives of threat
actors have become fodder for some of the most
popular recent TV dramas and documentaries.
But beyond being entertaining, gaining a better understanding of how adversaries are motivated, their relationships with others, and the methods they use all contribute to measuring the true risk they pose to your organization.

Of course, it's no surprise to hear that the channels through which threat actors communicate and operate are not always easy to access or eavesdrop on. There are barriers you would face in accessing and monitoring dark web criminal communities without the aid of experts.

The Challenges and Rewards of Dark Web Threat Intelligence

Firstly, underground forums are difficult to find (after all, there's no dark web Google) and they will change their locations if they feel that their anonymity is at risk. Secondly, collecting and processing information to find the crumb that might be relevant to your security is no small endeavour. Thirdly, there is likely to be some bar to entry, whether financial or "kudos" from the rest of the community. And finally, many of these forums operate exclusively in local languages, so even if you were able to access them, you would need to be able to rapidly translate them to uncover the real context.
Combining Threat Data Sources for Intelligent Vulnerability Management

To overcome these challenges, Recorded Future combines human expertise with advanced analytics and natural language processing AI. This means that machines can be permanently listening to the right sources, structuring massive volumes of data, and allowing humans to rapidly zero in on relevant intelligence.

The dark web is a useful source of external threat intelligence, but no single source of threat data should be considered in isolation. In the examples that follow, we'll show the power in combining sources of threat data and putting contextualized, actionable intelligence where you need it to address the risk from vulnerabilities.

Below is a selection of the types of sources that can be augmented with intelligence from the dark web:
Sources of Threat Data
Information Security Sites: This would include vendor blogs, official disclosure information on vulnerabilities, and
security news sites.

Social Media: There is a lot of link sharing through social media, which makes it a useful jumping-off point for
uncovering more useful intelligence.

Code Repositories: GitHub is the most well-known code repository. These sites give useful insight into development of
proof-of-concept code for vulnerabilities.

Paste Sites: Sites like Pastebin and Ghostbin are often wrongly described as dark web locations. They are open-web sites, although individual pastes are frequently not indexed by search engines, and they often house lists of exploitable vulnerabilities.

Forums: These sites are distinct from dark web communities, as there is often no bar to entry and no requirement for specific software (such as a Tor browser) to access them.

Technical Feeds: These are data streams of potentially malicious indicators (for example IP addresses, domains, and file hashes). They have the potential to add very useful context around the activities of malware or exploit kits.
In the Wild
Let’s imagine your vulnerability scanner has been busy
assessing which vulnerabilities affect systems in your
network. At this stage you have a list of CVEs.
An Office Vulnerability From Disclosure to Commoditized Exploit

In our example, we've filtered that list to Microsoft products. Now we can augment this list of CVEs with external threat intelligence available in Recorded Future. We're using a browser plugin to show a risk score associated with each CVE as well as a short summary of the evidence that informs that score.

The risk score is designed to help inform faster decisions with an at-a-glance view of the likely risk this vulnerability presents. To give true context, it also updates in real time. For a more comprehensive view, we can click to open the Recorded Future Intelligence Card for this particular Microsoft Office vulnerability.
The top section of the Intelligence Card
displays all of the evidence that
contributes to this CVE’s risk score of
89. In most cases, this summary would
be enough to make a decision around
the prioritization of addressing this
vulnerability. We’re going to dig a little
deeper to understand how intelligence
from a breadth of sources
demonstrates the increased risk posed
by this vulnerability.

In this timeline, we can clearly see the risk milestones we outlined earlier in this CVE’s journey from vulnerability to exploit.


The first thing you’ll notice is the gap (although small in this case) between the initial disclosure of the vulnerability and its
appearance in the NIST database.
You can also see that on the same day as the CVE appears in NVD, a Russian threat actor is already selling a “working” exploit
for it, and four days later, POC code appears on GitHub. After this initial flurry of activity around the vulnerability, it takes just
over two months for security researchers to begin reporting this exploit being added to existing malware and the creation of
a new exploit builder.
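As an added worked example (not Recorded Future's scoring model or code), the following Python shows how the two ingredients this paper keeps returning to, scanner output and external evidence milestones, can be combined into a risk-ranked remediation list, and how the disclosure-to-NVD and disclosure-to-exploit lags described in the timeline above can be measured. The milestone weights, the CVE-EXAMPLE identifiers and the dates are constructed assumptions; the first sample finding mirrors the milestone sequence just described for the Office vulnerability (NVD entry and dark web sale on the same day, PoC code four days later, malware integration about two months on), not the real CVE's data.

```python
"""Rank scanner findings by combining internal scan data (CVSS, affected
assets) with the external evidence milestones described in the paper.
Added illustration only: weights, identifiers and dates are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Milestones in the order a disclosed vulnerability passes through them.
# stage() follows this order, not the calendar, because a PoC sometimes
# appears before the NVD entry exists.
MILESTONE_ORDER = ["disclosed", "nvd_published", "poc_public",
                   "exploit_for_sale", "in_malware"]

# Assumed weight of the furthest milestone reached (0-100 scale). A bare
# disclosure or NVD entry adds nothing: it proves the flaw exists, not
# that anyone is exploiting it.
MILESTONE_WEIGHTS = {"disclosed": 0, "nvd_published": 0, "poc_public": 20,
                     "exploit_for_sale": 35, "in_malware": 45}


@dataclass
class Finding:
    cve: str
    cvss: float              # technical severity from the scanner / NVD
    asset_count: int         # affected hosts in your own network
    events: Dict[str, date]  # milestone -> date first observed (external intel)


def stage(f: Finding) -> str:
    """Furthest milestone this CVE has reached, or 'none'."""
    reached = [m for m in MILESTONE_ORDER if m in f.events]
    return reached[-1] if reached else "none"


def risk_score(f: Finding) -> int:
    """CVSS scaled to 0-50 plus the weight of the furthest milestone,
    capped at 100. A 9.8 with no exploit evidence scores 49; a 6.4 with
    public PoC code scores 52, which is the paper's official-vs-actual point."""
    return min(100, round(f.cvss * 5 + MILESTONE_WEIGHTS.get(stage(f), 0)))


def days_to_nvd(f: Finding) -> Optional[int]:
    """Lag between first public disclosure and the NVD entry."""
    if "disclosed" not in f.events or "nvd_published" not in f.events:
        return None
    return (f.events["nvd_published"] - f.events["disclosed"]).days


def days_to_exploit_evidence(f: Finding) -> Optional[int]:
    """Lag between disclosure and the earliest sign of exploitation
    (PoC code, exploit for sale, or malware integration)."""
    seen = [f.events[m] for m in MILESTONE_ORDER[2:] if m in f.events]
    if "disclosed" not in f.events or not seen:
        return None
    return (min(seen) - f.events["disclosed"]).days


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by how many assets are exposed."""
    return sorted(findings, key=lambda f: (risk_score(f), f.asset_count),
                  reverse=True)


# Constructed sample input. The first finding mirrors the milestone
# sequence described for the Office vulnerability (NVD entry and dark web
# sale the same day, PoC four days later, malware integration about two
# months on); the identifiers and dates are invented, not the real CVE's.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", cvss=7.8, asset_count=340, events={
        "disclosed": date(2019, 3, 1), "nvd_published": date(2019, 3, 3),
        "exploit_for_sale": date(2019, 3, 3), "poc_public": date(2019, 3, 7),
        "in_malware": date(2019, 5, 9)}),
    # Critical on paper, but no sign of adversary interest yet.
    Finding("CVE-EXAMPLE-0002", cvss=9.8, asset_count=12, events={
        "disclosed": date(2019, 4, 2), "nvd_published": date(2019, 4, 2)}),
    # Medium severity; PoC circulated before the NVD entry existed.
    Finding("CVE-EXAMPLE-0003", cvss=6.4, asset_count=900, events={
        "disclosed": date(2019, 2, 11), "poc_public": date(2019, 2, 15),
        "nvd_published": date(2019, 2, 20)}),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve} cvss={f.cvss} score={risk_score(f)} stage={stage(f)} "
              f"nvd_lag={days_to_nvd(f)} exploit_lag={days_to_exploit_evidence(f)} "
              f"assets={f.asset_count}")
```

Run it directly to print the ranked list. The point to notice is that the critical-on-paper CVE with no exploitation evidence ranks below a medium-severity CVE that already has public PoC code, and that the finding with a dark web sale on the day of its NVD entry shows an exploit lag of only two days. In practice the `events` dictionary would be populated from collected references rather than typed by hand, and the weights tuned to the organization's own risk tolerance.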

This is just one example of how references collected from dark web sources can help give a strong indication of real-world risk. More importantly, it highlights how information from these criminal communities can be effectively combined with other sources of data, arming you with truly contextualized threat intelligence.
3 Key Advantages of
Vulnerability Intelligence
Organizations that rely on relevant and timely threat
intelligence will have a better chance of responding to
critical vulnerabilities quickly enough to reduce the
risk of exploitation.
RAPIDLY ASSESS RISKS WITH INTELLIGENCE ON KNOWN VULNERABILITIES
Recorded Future computes vulnerability risk scores and presents evidence with links to sources. We're merging intelligence on exploits and malicious code with NVD data for quick access to vendor advisories or remediation steps. You can even enrich your security products with Intelligence Card content.

IDENTIFY VULNERABILITIES WITH A HIGHER RISK OF BEING WEAPONIZED
Threat intelligence from Recorded Future will alert you when vulnerabilities are linked to exploit kits or high-risk malware categories that are relevant to your enterprise. You can filter noise by fine-tuning alerts and dashboards that deliver the right intelligence to the right personnel.

DISCOVER UNDISCLOSED OR NEW VULNERABILITIES AND ZERO-DAY EXPLOITS
Recorded Future automates identification of exploit chatter for unknown vulnerabilities, helping you improve remediation prioritization based on evidence of increased adversary intent or capability.


See Threat Intelligence in Action

To find out more about how threat intelligence empowers personnel throughout your security function, download our free white paper, "Busting Threat Intelligence Myths: A Guide for Security Professionals."

If you want to learn more about threat intelligence, there's a wealth of articles from industry experts and success stories from our customers on our blog.

For a clearer idea of where threat intelligence can integrate into your vulnerability management or any other part of your security program, get a personalized demo of Recorded Future's threat intelligence solution.

