The Role of Threat Intelligence in Vulnerability Management
- Sep 18, 2014
- Guest Author
Threat intelligence is an increasingly popular buzzword in security magazine articles and blogs, and it is becoming more prevalent in product and service offerings from security vendors. The value of threat intelligence is that it can provide timely information on real-time threats and help improve detection and mitigation response times. When paired with your vulnerability management process, threat intelligence becomes a powerful way to quickly prioritize remediation.
The term is composed of two words: “threat” and “intelligence”. A “threat” is the act of a person or a group of persons making a risk become reality. For example, a threat takes the form of an actual human being exploiting an existing security vulnerability in a system in order to breach the system’s security defenses and obtain some sort of information. “Intelligence” refers to information, or information-gathering activities, that might indicate that a certain risk has become a reality… a real threat.
The threat intelligence accumulated by vendors or open-source initiatives refers to threat information about targeted attacks from certain hacking groups or nation-states in the form of customized malware or exploit kits. The information is gathered from honeypots (also referred to as honeynets), intrusion detection vendors and Managed Security Service Providers (MSSPs), and it is also accumulated as part of cyber-forensic investigations of security breaches.
The data mainly contains source IP addresses, bot controllers’ domain names, observed malware unique hashes and the timing of the last change. They are distributed, resold and transmitted by vendors, non-profit honeynet projects, SANS ISC and the like. Judging from the structure of this information, the main data captured are the source IP addresses and the malware hashes. The malware hashes can be mapped with the site “VirusTotal” to the various corresponding anti-virus vendors’ malware names and definitions. The other information is the IP addresses. These addresses are the sources of either command-and-control bot servers or the source of the targeted attacks. These IP addresses are then used in firewalls and Intrusion Detection Systems to block certain address blocks or specific source IP addresses. The main problem I see here is that of attribution, since it is likely that these IP addresses do not belong to the actual threat actor, but are instead the IP addresses of the last hop before the attack reaches the intended target. Another interesting angle is to source the threat vector or the malware used. In fact, most of the research aimed at identifying the attacking actor begins with the threat vector used for the attack.
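To make the shape of such a feed concrete, here is an added example (not code from the original post or from NopSec) that loads a small indicator list of the kind described above (source IPs, C2 domain names, malware hashes, timing of last change) and matches it against a few log lines. The feed format, the log lines, the field names and the 30-day staleness threshold are all constructed for illustration; real feeds and logs use their own layouts.

```python
"""Match a constructed threat-intelligence feed against constructed log lines.

Added example, not part of the original post.  The CSV feed layout, the
log line layout, the field-to-indicator-type mapping and the staleness
threshold are assumptions made for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed feed: indicator type, value, time of last change, free-text note.
# The hash is an obviously fake placeholder, not a real sample.
FEED_CSV = """indicator_type,value,last_changed,note
ip,203.0.113.17,2014-09-10T08:00:00Z,last hop observed in targeted attacks
domain,c2.example.invalid,2014-09-15T12:30:00Z,bot controller
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,2014-06-01T00:00:00Z,malware sample
"""

# Constructed log lines: firewall connections, a DNS query and an AV file-hash event.
LOG_LINES = [
    "2014-09-17T10:01:02Z fw conn src=203.0.113.17 dst=10.0.0.5 dport=443 action=allow",
    "2014-09-17T10:02:10Z dns query=c2.example.invalid client=10.0.0.5",
    "2014-09-17T10:03:00Z av file=/tmp/dropper sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2014-09-17T10:04:00Z fw conn src=198.51.100.9 dst=10.0.0.7 dport=22 action=allow",
]

# Which key=value fields carry which indicator type (assumed mapping).
FIELD_TYPES = {"src": "ip", "dst": "ip", "query": "domain", "sha256": "sha256"}

# Indicators whose last change is older than this are flagged as stale,
# because stale IP/domain indicators are the ones most likely to cause
# false positives when pushed into firewall or IDS block lists.
STALE_AFTER = timedelta(days=30)

NOW = datetime(2014, 9, 17, 10, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def load_feed(text):
    """Parse the CSV feed into a dict keyed by (indicator_type, value)."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["last_changed"], "%Y-%m-%dT%H:%M:%SZ")
        indicators[(row["indicator_type"], row["value"])] = {
            "last_changed": ts.replace(tzinfo=timezone.utc),
            "note": row["note"],
        }
    return indicators


def match_line(line, indicators, now):
    """Return one hit per key=value token in the line that is in the feed."""
    hits = []
    for token in line.split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        itype = FIELD_TYPES.get(key)
        if itype is None:
            continue
        ind = indicators.get((itype, value))
        if ind is None:
            continue
        age = now - ind["last_changed"]
        hits.append({
            "type": itype,
            "value": value,
            "stale": age > STALE_AFTER,
            "note": ind["note"],
        })
    return hits


def scan_logs(lines, indicators, now=NOW):
    """Run every log line through the feed; returns a flat list of hits."""
    results = []
    for line in lines:
        for hit in match_line(line, indicators, now):
            results.append({"line": line, **hit})
    return results


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES, load_feed(FEED_CSV)):
        flag = "STALE" if hit["stale"] else "fresh"
        print(f"[{flag}] {hit['type']}={hit['value']} ({hit['note']})")
```

The `stale` flag is there because of the attribution and timing caveat in the paragraph above: an IP indicator records the last hop seen at one moment, so matches on indicators that have not changed in a long time deserve an analyst's look before anyone adds them to a block list.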
At NopSec, we focus on vulnerability management. We are particularly interested in cyber-attacks that, by means of an exploit or a piece of malware, take aim at exploiting specific and known vulnerabilities present in infrastructure and web applications. The correlation is particularly risky when you merge the following situations:
We do not use source IP address threat intelligence as input for Unified VRM, considering that by the time you know about the source of the attacks, the targeted information might already have been exfiltrated! Following this logic, NopSec recommends prioritizing and fixing existing vulnerabilities in web applications and infrastructure based on a combination of factors: business and technical criticality, whether these vulnerabilities have available exploits, and whether these exploits are presently used in targeted and malware-based attacks.
The correlation of vulnerabilities found on your systems with real-time threats, known exploitations, malware and available patches can save your team time. Vulnerability remediation planning becomes very straightforward… fix the true risks facing your organization.
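The prioritization the two paragraphs above describe can be shown as a small join between scan findings and intel. The following is an added example written for this page, not NopSec's Unified VRM logic or any product's scoring: the vulnerability identifiers are placeholders, the findings, the intel sets and the weighting factors are constructed, and the point it makes is only that the ordering changes once exploit availability and active exploitation are taken into account.

```python
"""Rank constructed scan findings by combining technical severity, business
criticality of the asset, exploit availability and active exploitation.

Added example, not part of the original post.  Vulnerability ids are
placeholders, and the multipliers are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float              # technical severity reported by the scanner
    asset_criticality: int   # business criticality of the asset: 1 (low) .. 3 (high)


# Constructed scan output.
FINDINGS = [
    Finding("web01", "PLACEHOLDER-CVE-3", cvss=6.5, asset_criticality=3),
    Finding("db01", "PLACEHOLDER-CVE-2", cvss=9.8, asset_criticality=3),
    Finding("dev01", "PLACEHOLDER-CVE-1", cvss=7.0, asset_criticality=1),
    Finding("web01", "PLACEHOLDER-CVE-4", cvss=4.3, asset_criticality=3),
]

# Constructed intel, keyed by vulnerability id.
EXPLOIT_AVAILABLE = {"PLACEHOLDER-CVE-1", "PLACEHOLDER-CVE-3"}
ACTIVELY_EXPLOITED = {"PLACEHOLDER-CVE-3"}
PATCH_AVAILABLE = {"PLACEHOLDER-CVE-1", "PLACEHOLDER-CVE-2", "PLACEHOLDER-CVE-3"}

# Assumed weights: a public exploit raises the score, observed use in attacks raises it more.
EXPLOIT_WEIGHT = 1.5
ACTIVE_WEIGHT = 2.0


def priority_score(f):
    """Severity times business criticality, amplified by the intel factors."""
    score = f.cvss * f.asset_criticality
    if f.vuln_id in EXPLOIT_AVAILABLE:
        score *= EXPLOIT_WEIGHT
    if f.vuln_id in ACTIVELY_EXPLOITED:
        score *= ACTIVE_WEIGHT
    return round(score, 1)


def reasons(f):
    """Human-readable justification for the score, useful in a remediation ticket."""
    out = []
    if f.vuln_id in ACTIVELY_EXPLOITED:
        out.append("actively exploited")
    if f.vuln_id in EXPLOIT_AVAILABLE:
        out.append("public exploit available")
    out.append("patch available" if f.vuln_id in PATCH_AVAILABLE else "no patch: mitigate")
    return out


def remediation_plan(findings):
    """Return findings as dicts, highest priority first (host breaks ties)."""
    ordered = sorted(findings, key=lambda f: (-priority_score(f), f.host))
    return [
        {
            "host": f.host,
            "vuln_id": f.vuln_id,
            "cvss": f.cvss,
            "score": priority_score(f),
            "reasons": reasons(f),
        }
        for f in ordered
    ]


if __name__ == "__main__":
    for item in remediation_plan(FINDINGS):
        print(f"{item['score']:6.1f}  {item['host']:6}  {item['vuln_id']:18}  "
              f"cvss={item['cvss']}  {', '.join(item['reasons'])}")
```

Note that the highest CVSS finding (9.8 on db01) does not come out on top: the 6.5 on web01 that is both actively exploited and on a critical asset does. That inversion is the whole argument of the post, and the `reasons` list gives the remediation team the intel that justifies it.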
Learn about NopSec’s unique approach to vulnerability risk management. Best Practices Guide: Vulnerability Management