By The Recorded Future Team on May 2, 2019
In the first blog of this three-part series, we examined the current state of vulnerability management, which evidence suggests may very well have reached the crisis stage. In our second blog, we illustrated how vulnerability management programs without targeted threat intelligence make it difficult for security professionals to win the “cybersecurity race” and protect their company’s digital assets against cyberattacks.
In this third (and last) blog of this series, we’ll discuss how tapping into targeted threat intelligence enables security teams to identify exploits in real time, quickly add context to disclosed vulnerabilities, and better prioritize remediation efforts.
The Criticality of Context
Context (noun): the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed.
Context clearly plays a critical role in IT vulnerability management. Only with the ability to fully understand and assess threats and risks can security teams effectively protect their company’s digital assets.
Instead of simply racing to “patch everything” when a new threat is discovered, context makes it possible to look for indicators of true risk. This is most effectively achieved by combining internal data generated by vulnerability scanners with contextualized external threat intelligence. Together, these sources of information reveal whether vulnerabilities on the network infrastructure are likely to be exploited.
Tapping into the right intelligence adds valuable context to logs and events to increase the speed and efficiency of alert triage. Security teams can then focus their efforts on where potential damage to the IT network is most likely to occur, and where damage will have the greatest negative impact on business operations if an attack were to succeed.
Multiple Information Sources Are Required for Accurate Context
The key to using threat intelligence that provides accurate context is to rely on a solution that combines advanced analytics with natural language processing and AI. This enables your internal security experts to tune vulnerability management tools to listen to the correct intelligence sources and process massive volumes of data so they can rapidly zero in on relevant threats.
Threat intelligence often begins by scanning the dark web, which is a useful source of external threat intelligence. But no single source of threat data should be considered in isolation. Several additional sources are needed to augment intelligence collected from the dark web:
- Information security sites such as vendor blogs, official disclosures of vulnerability information, and security news sources
- Social media link sharing that provides jumping-off points for uncovering useful intelligence
- Code repositories, like GitHub, which give insight into the development of proof-of-concept code and thus into what defenders need to prepare for
- Paste sites, like Pastebin and Ghostbin, which aren’t indexed by search engines but house lists of exploitable vulnerabilities
- Security discussion forums, which usually have no barrier to entry and require no specific software to access (unlike dark web communities)
- Technical data feeds with indicators of activities related to potential malware and exploit kits
By using a threat intelligence solution that taps into the data produced by these sources in conjunction with dark web information, your security team can generate contextualized actions for addressing the risk of the vulnerabilities specific to your IT environment.
Choosing the Right Threat Intelligence Platform
It’s also important to carefully choose the threat intelligence platform you will use to support your vulnerability management program. Not all offerings can tap into the dark web, and not all can ingest, analyze, and relay the data to other systems in a meaningful way.
To this last point, key attributes to look for in a threat intelligence solution are machine-readable outputs that can integrate with your other security tools. This enables the intelligence to be seamlessly ingested into the software that runs in your vulnerability management program.
Integration is important because it allows you to correlate scans of systems inside your network with the contextualized threat intelligence for a clearer view of the actual risk. This, in turn, gives your security team three core capabilities:
- Identifying Exploits in Real Time: Combining real-time alerts with access to the development of proof-of-concept code and exploits added to widely-used kits
- Adding Context to Disclosed Vulnerabilities: Quick access to exploit chatter, proof-of-concept malware on the dark web, and intelligence from other hard-to-reach sources
- Prioritizing Remediation: Better visibility into specific indicators that point to an announced vulnerability being exploited by threat actors
These capabilities streamline the identification of emerging threats by going beyond the collection of data from official vulnerability databases, which often lag behind vendor announcements. Security teams can thus make faster, more informed security decisions and take a strategic approach to prioritizing, measuring, and balancing the risk of vulnerabilities, doing so in a way that is tied back to the business.
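As an added example (not Recorded Future’s scoring model or code), the following Python correlates constructed scanner findings with external intelligence signals by CVE and ranks remediation, showing how a medium-CVSS vulnerability with observed in-the-wild exploitation outranks a critical-CVSS one that has no context. The signal weights, tier thresholds, asset names and CVE placeholders are all assumptions.

```python
# Added example (not Recorded Future's model): join scanner findings with
# external intel context by CVE and rank remediation. All values are assumed.
from dataclasses import dataclass

# Assumed weights for the signals the post describes (chatter, public PoC,
# exploit-kit inclusion, in-the-wild exploitation).
SIGNAL_WEIGHTS = {"exploited_in_wild": 4.0, "exploit_kit": 3.0,
                  "public_poc": 2.0, "exploit_chatter": 1.0}

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float             # scanner-reported base score, 0-10
    asset_criticality: int  # business impact of the asset: 1 (low) .. 3 (high)

def risk_score(finding, signals):
    """Internal severity scaled by asset criticality, plus external context."""
    base = finding.cvss * finding.asset_criticality / 3   # 0-10
    context = sum(SIGNAL_WEIGHTS[s] for s in signals)     # 0-10
    return round(base + context, 2)

def tier(score, signals):
    """Observed exploitation always wins; otherwise use score bands."""
    if "exploited_in_wild" in signals or score >= 12:
        return "immediate"
    return "scheduled" if score >= 6 else "monitor"

def prioritize(findings, intel):
    """Rank findings; a CVE missing from intel is scored on scan data alone."""
    ranked = []
    for f in findings:
        signals = intel.get(f.cve, set())
        score = risk_score(f, signals)
        ranked.append((f.asset, f.cve, score, tier(score, signals)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("db-01", "CVE-0000-0001", 9.8, 3),    # critical CVSS, no intel
    Finding("web-02", "CVE-0000-0002", 6.5, 3),   # medium CVSS, exploited
    Finding("vpn-01", "CVE-0000-0002", 6.5, 2),
    Finding("kiosk-07", "CVE-0000-0003", 7.5, 1),
]
INTEL = {"CVE-0000-0002": {"exploited_in_wild", "public_poc"},
         "CVE-0000-0003": {"exploit_chatter"}}

if __name__ == "__main__":
    for asset, cve, score, band in prioritize(FINDINGS, INTEL):
        print(f"{band:9} {score:5.2f} {asset:9} {cve}")
```

The worklist puts both hosts carrying the exploited CVE ahead of the 9.8-scored database vulnerability, which stays scheduled until intelligence changes its context.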
Keep Your IT Infrastructure Functioning at Peak Levels
To enhance security posture and improve resilience, organizations need a risk-based vulnerability management approach that identifies vulnerabilities across all assets. They also need to prioritize mitigation efforts based on business criticality and actual risk.
To achieve these objectives, as presented above, your security team must understand the context around threats, vulnerabilities, and the digital assets that may be affected. Armed with this information, they are better equipped to tackle the threats targeting those vulnerabilities head-on — and ensure your company’s IT infrastructure keeps functioning at peak levels.
For more information on how to leverage effective threat intelligence to improve your vulnerability management program, request a personalized demo of Recorded Future.