The Practitioner’s Guide to Vulnerability Intelligence and Vulnerability Management

The amount of software being introduced into the market is increasing exponentially, and so too are the number of vulnerabilities. A vulnerability is a flaw in computer software or hardware that allows an attacker to cross privilege boundaries. This may allow for the disclosure of sensitive information, tampering with the integrity of the system, or denying legitimate users access to service or information (i.e. denial of service).

By taking advantage of flaws contained in products, threat actors can infiltrate an organization’s system, stealing sensitive data or causing damage to the network. A robust vulnerability management (VM) program enables organizations to identify assets that may be affected by critical, or highly exploitable vulnerabilities—enabling them to better prioritize and remediate risk.

What is vulnerability management?

Vulnerability management is the process of determining the level of risk each vulnerability poses, prioritizing them, and then remediating them based on asset-contextualized intelligence. To do this, the vulnerability management process takes the vulnerability intelligence an organization uses and builds upon it, performing the following functions:

1. Identify deployed assets and then collect known vulnerabilities affecting them.
2. Map those vulnerabilities to deployed assets used by the organization.
3. Prioritize issues based on asset criticality, exploitability, severity, threat likelihood, and other factors.
4. Remediate identified issues, or mitigate them via security controls or system hardening.

What is vulnerability intelligence?

However, because vulnerability management processes are dependent on vulnerability intelligence, it is important to first know what vulnerability intelligence is, and what separates good intelligence from bad.

Vulnerability intelligence is a specific form of threat intelligence focused on the aggregation or dissemination of information about computer vulnerabilities that may put organizations at risk.

In our State of Data Breach Intelligence report, we stated that hacking was the number one cause for data breaches—accounting for over 60 percent of all reported compromise events. By taking advantage of flaws, hackers can gain a foothold into organizations, creating chaos that can result in extreme financial loss. For this reason, having quality vulnerability intelligence is critical in order to achieve an efficient vulnerability management program.

The security industry has taken notice, with firms like Gartner noting the inefficiencies of old scanning technologies, while also designating risk-based vulnerability management (RBVM) the second most important security project last year.

However, performing research on vulnerability intelligence will likely result in multiple definitions. Some will lump together vulnerability intelligence and vulnerability management concepts together, and some may consider CVE/NVD as a comprehensive source of vulnerability intelligence—other definitions may be fundamentally incorrect.

There is a distinction between alternate definitions of vulnerability intelligence and the proper one. The importance of knowing the differences is crucial since your vulnerability intelligence will define the effectiveness of your Vulnerability Management Program.

If the vulnerability intelligence powering your Vulnerability Management Program is incomplete, your organization is at a greater risk of being compromised. And in order to decipher whether your organization is using an incomplete source, it is important to know the elements of vulnerability intelligence. Vulnerability intelligence can be broken down into three key functions:

1. Vulnerability Discovery
2. Vulnerability Research
3. Vulnerability Analysis

What is vulnerability discovery?

Vulnerability discovery is the first step in vulnerability intelligence and is the most important—since this is the foundation that will dictate the effectiveness of your vulnerability management program.

Vulnerability discovery is the process of researching a piece of computer software or hardware to evaluate for the presence of vulnerabilities. As an organization, you can only analyze the vulnerabilities you are aware of and it is impossible to mitigate, or remediate risk that you never knew existed.

This state is where researchers discover and publish vulnerabilities so that vulnerability databases (VDBs) can then aggregate and build upon those disclosures. It is vital that the vulnerability intelligence you rely on is aware that there are thousands of unique channels out there and actually monitors them.

The vulnerability discovery process can be broken into two steps:

1. Vulnerability sources
2. Vulnerability monitoring

Vulnerability sources

The more vulnerability sources you can identify, the more robust your vulnerability coverage becomes. Vulnerabilities are disclosed and published in a wide variety of mediums including mailing lists, blogs, service sites like GitHub, websites catering to exploit disclosure, and more.

Vulnerability disclosures are being published across platforms like social media, the deep web, researcher blogs, product bug trackers, code commits, and a lot more. Since there is no single source, it is vital that organizations intelligently aggregate as many vulnerabilities as they can so they can know which to focus on.

Vulnerability monitoring

In the scope of vulnerability intelligence, vulnerability monitoring is the act of keeping tabs on a wide variety of sources that produce vulnerability disclosures. This can be done in an automated fashion and relies more on human analysts. This process includes identifying new disclosures, determining if information is valid, normalizing the data, adding metadata, and then including it into the vulnerability feed. Mature vulnerability intelligence solutions then offer support for the data they aggregate to ensure an organization understands, and can better utilize that data.

This however can be a real challenge as vulnerabilities are being disclosed every hour of the day, leading to new sources being created daily. Adding to the difficulty is that a single source can sometimes contain thousands of disclosed vulnerabilities. That being said, what sources, and how many are you aware of and actively monitoring?

What is vulnerability research?

Vulnerability research is the process of researching vulnerabilities to determine if any of them affects your organization’s systems.

While monitoring vulnerability sources, you must research the vulnerabilities that appear and determine if any affects your organization’s systems. Does a vulnerability affect a vendor in your supply chain, or a product used by your organization? If it does, what versions of that product are also susceptible to that vulnerability? Is an exploit available? Can you install a patch or upgrade to remediate it?
This function is not so simple as vulnerability research can have different meanings and occur at different times depending on the role of the person performing it. The roles that can influence this are:

1. Vulnerability researchers
2. Vulnerability intelligence companies
3. Security analysts at organizations

For a vulnerability researcher, it includes doing the initial examination and investigation into a piece of computer software or hardware that contains bugs that may allow for privileges that weren’t intended.

For a vulnerability intelligence company, the term means the act of going through publicly disclosed vulnerabilities to determine if they are legitimate issues, aggregating that data, and then normalizing it for consumption by other organizations.

Organizations face a unique problem during vulnerability research. As an analyst, the term may mean researching if disclosed vulnerabilities impact their assets and what risk is posed. This means that your vulnerability research functions depend on the comprehensiveness of what researchers and VI companies do.

According to that definition, vulnerability intelligence companies should be doing more than just aggregating data—they are also responsible for determining if issues are legitimate and enhancing it with rich metadata. But if you think back to the last vulnerability you researched, how detailed was it?

What is vulnerability analysis?

Vulnerability analysis is the last function of the vulnerability intelligence lifecycle. In this state, you gauge the potential damage a vulnerability can cause if exploited. Ultimately, you are asking yourself, “now that I know this affects me, how bad can it be?”

To better understand overall and potential risk, you need vulnerability metadata, severity information, and impact data.

Vulnerability metadata

By definition, metadata is “a set of data that describes and gives information about other data.” For vulnerabilities, metadata may include the location of the attacker, the attack type, the high-level impact, availability of a solution, status of an exploit, aspects of the disclosure, general types of technology represented, authentication requirements, and more.

Severity

The vulnerability severity refers to how serious, or how big of a risk is associated with it. Low severity issues may not be prioritized as they are not seen to pose much risk to an organization, while high severity vulnerabilities are typically triaged and patched immediately.

Impact

When a vulnerability is exploited, it will impact a system in some manner that may or may not be noticeable to the administrators or users. At the highest level, confidentiality may be partially or fully impacted for example. Impacting integrity can mean a variety of things so it may be described via simple metadata (e.g. the CIA triad) and with verbose descriptions that precisely lay out what happens if exploited.

Why is vulnerability intelligence important?

Knowing these details are important for determining the scope of damage, however, key metadata and important details are often missing from most vulnerability entries and databases.

Most security teams are not able to spend their time on analyzing vulnerabilities. Instead, they are forced to spend more time validating entries and finding vulnerability metadata, severity, and impact themselves. Unfortunately, many vulnerability intelligence providers focus solely on collecting issues, but perform little to no quality checks, resulting in inaccuracies and invalid entries.

Vulnerability intelligence should be comprehensive, detailed, and timely. Organizations need to be aware of everything that is in the vulnerability disclosure landscape and have all the details so that they can manage risk as soon as possible. But do they have that kind of visibility using CVE / NVD?

Just because the public source may not have those details, it doesn’t mean that the information cannot be found. If your vulnerability intelligence feed consistently omits important metadata, it’s likely that your data provider is substituting vulnerability intelligence with CVE / NVD. And without detailed vulnerability intelligence, your organization’s Vulnerability Management Program will be severely crippled.

The importance of vulnerability management

If your organization does not have a vulnerability management program, or relies on a legacy approach such as vulnerability scanning, your prioritization and remediation processes will not occur in real-time. To proactively address risk, you need a solution that enables a risk-based approach.

Non-contextualized vulnerability data is overwhelming. According to Risk Based Security, a Flashpoint company, there are over 289,000 known vulnerabilities with the public source being unaware of over 93,000 of them, as of this publishing. In addition, tens of thousands of vulnerabilities are newly disclosed each year. As such, there are too many vulnerabilities for organizations to monitor and track in-house. Despite this, organizations still often try to aggregate and triage every issue, resulting in wasted resources.

Traditional remediation programs don’t consider the inherent volatility in the vulnerability disclosure landscape, and they often neglect key factors such as exploitability. A quality VMP addresses this by first focusing on the issues that affect the organization’s critical assets, rather than attempting to patch top-down.

This is what Gartner has to say about risk-based vulnerability management:

“Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.”

Gartner

Understanding the vulnerability management lifecycle

A risk-based approach enables organizations to more accurately assess the level of risk a vulnerability poses. To accomplish this, the vulnerability management lifecycle involves the following stages:

1. Reveal
2. Prioritize
3. Remediation
4. Verify

Surface your assets and reveal the vulnerabilities affecting them

The first step of the vulnerability management life cycle is revealing the vulnerabilities affecting your organization’s deployed assets. Assets can include servers, desktops, mobile devices, applications, and more. Identifying them leads into prioritization, which then enables your security teams to map vulnerabilities to any affected assets.

The purpose of this stage is to understand your attack surface, while also providing visibility into where your organization may be at-risk. Therefore, having comprehensive, detailed, and timely vulnerability intelligence is vital for this stage’s success. Public vulnerability intelligence sources like CVE/NVD fail to report over 93,000 vulnerabilities, meaning that if you’re relying on it, you are likely unaware of many unreported and highly exploitable issues affecting your assets.

Prioritizing vulnerabilities

Vulnerability prioritization takes place once organizations have identified at-risk assets and aggregated the known vulnerabilities affecting them. Then out of those vulnerabilities, based on their impact and likelihood of being exploited, organizations decide which of them they will focus their efforts to remediate.

To prioritize better, organizations should use asset risk scores to contextualize risk. An asset risk score is a numerical value that shows the overall importance of that asset to the organization based on its use and data being stored. It also considers the likelihood of that asset being compromised and its exposure to vulnerabilities.

Without doing this, security teams will likely experience the following problems:

1. Being overwhelmed by the amount of new vulnerabilities

Last year, nearly 30,000 vulnerabilities were newly disclosed and of those, 42.7% (12,794) had CVSSv2 scores between 6.0 – 10.0. This means that over the course of the year, security teams would have had to triage thousands of vulnerabilities—which is simply too many to patch within a year. Most vulnerability management frameworks dictate that organizations should address high-to-critical issues within 15 – 30 calendar days of initial detection, and with limited resources, this is nearly impossible without using a risk-based approach.

Recommended: CISA’s BOD 22-01: Vulnerability Management for Federal Agencies | Flashpoint

2. Lacking visibility of exploitable vulnerabilities

Prioritization based solely on CVSS scores fails to account for exploitability. CVSSv2 and CVSSv3 do not factor exploitability in their scoring, meaning that highly rated issues are not guaranteed to be actively used by threat actors. Sometimes the vulnerabilities that are being weaponized have ‘moderate’ or even ‘low’ CVSSv2 scores. Tunneling only on high-to-critical issues will likely create a gap in visibility and your VMP will need to prepare for this.

Vulnerability remediation

During the vulnerability remediation stage security teams patch, fix, or mitigate the vulnerabilities affecting the organization’s assets. Depending on the quality of your vulnerability intelligence feeds, remediation should be relatively straightforward. Most of the issues that usually slow down remediation stem from unactionable data, but if a vulnerability manager is already aware of which specific products are affected, which versions are vulnerable, and the location of where the asset is deployed, then the only remaining task is keeping track of owners and getting feedback.

Verify (getting feedback)

Large organizations have thousands of employees and millions of endpoints, so it is often a challenge finding out who is responsible for a particular asset. Monitoring progress and getting feedback can be difficult since patching is often done by security teams and not by those who prioritize vulnerabilities. However, Flashpoint’s suite of products can help organizations during their vulnerability remediation tracking tasks while also enabling a true risk-based vulnerability management program.

Vulnerability management best practices

Organizations can implement a risk-based approach to vulnerability management by following these best practices:

• Use comprehensive vulnerability intelligence. Most vulnerability management tools source their findings from CVE/NVD, which fails to report nearly one-third of all known vulnerabilities. In addition, the public source often omits vulnerability metadata such as exploitability and solution information. Using an independently researched vulnerability intelligence solution gives security teams all the details they need to research potential issues.
• Create a Configuration Management Database (CMDB). A CMDB captures all the configuration items in your network—including hardware, software, personnel, and documentation. It can be extremely useful for listing and categorizing deployed assets, facilitates asset risk scoring, and provides long-term benefits if maintained.
• Assign asset risk scores. Asset risk scores are data-driven and communicate which assets, if compromised, pose the most risk. Assigning values to specific assets enables organizations to map vulnerabilities to them, and gives them a clear picture of which ones require immediate attention. This will help make prioritization workloads more manageable and save future resources.
• Prioritize vulnerabilities not only on severity, but also on exploitability and threat likelihood. Organizations can reduce thousands of high-to-critical vulnerabilities down to a serviceable level by filtering them based on actionable severity and threat likelihood.
  
  Actionable severity sorts vulnerabilities into the following groups: remotely exploitable, known public exploit, and available solution. Remediating vulnerabilities that meet all three criteria first will best protect the organization as they progress through their workload, while maximizing resources.
  
  In addition, paying attention to deep and dark web (DDW) chatter and illicit communities can improve your prioritization process. Whenever threat actors are actively discussing a vulnerability and how to exploit it, you need to be aware and address it.

Recommended: Log4j Chatter: What Threat Actors Are Sharing About the Log4Shell Vulnerability

• Update your CMDB. Whenever vulnerabilities are remediated, update your CMDB with new information regarding versions, location, and etc. It may be a time-consuming task, but consistently maintaining your CMDB will be useful. The version of a product can dictate the remediation. Ensuring that details are current will save time triaging and will make remediation easier. It also reduces the possibility of wasting resources reacting to false positives or emergency vulnerability assessment reports.

Manage vulnerabilities with Flashpoint

Thousands of vulnerabilities are identified every year, and the exploitation of them has dramatically increased. Organizations have even less time than before to respond to critical issues. To better protect your network, enterprises need to proactively manage risk in a timely manner. Sign up for a free trial and see how quality intelligence empowers a vulnerability risk management program, allowing your security teams to prioritize and remediate what really matters.