Vulnerability Intelligence: The Essential Guide
If you’re familiar with our work, you have most likely heard “vulnerabilities this” or “vulnerability intelligence that” – but what is a vulnerability and what does Vulnerability Intelligence (VI) actually mean?
A vulnerability is a flaw in computer software or hardware that allows an attacker to cross privilege boundaries. This may allow for the disclosure of sensitive information, tampering with the integrity of the system, or denying legitimate users access to service or information (i.e. denial of service).
According to UpGuard, vulnerabilities are the number one cause of data breaches. By taking advantage of these flaws, attackers gain a foothold in an organization and cause damage that can result in severe financial loss. For this reason, Gartner designated Risk-based Vulnerability Management (RBVM) as the second most important security project of 2021.
Risk-based Vulnerability Management matters, but it cannot be achieved without proper Vulnerability Intelligence.
What is Vulnerability Intelligence?
Vulnerability Intelligence is a specific form of threat intelligence focused on the aggregation and dissemination of information about computer vulnerabilities that may put organizations at risk.
If you research vulnerability intelligence you will find multiple definitions. Some lump vulnerability intelligence and vulnerability management together, some treat CVE/NVD as VI, and some are fundamentally incorrect.
The distinction between these alternative definitions of VI and the proper one matters, because your VI determines the effectiveness of your Vulnerability Management Program (VMP). If the VI powering your VMP is incomplete, your organization is at greater risk of compromise. Worse, you might not know that your VI is incomplete: many tools are unaware that they are missing at least 84,000 known vulnerabilities.
To determine whether your organization is relying on an incomplete source, it is important to know the elements of Vulnerability Intelligence. VI can be broken down into three key functions:
- Vulnerability Discovery
- Vulnerability Research
- Vulnerability Analysis
What is Vulnerability Discovery?
Vulnerability discovery is the process of researching a piece of computer software or hardware to evaluate for the presence of vulnerabilities.
As the first step in VI, Vulnerability Discovery is also the most important: it is the foundation of VI and ultimately dictates your VMP. An organization can only analyze the vulnerabilities it is aware of, and it is impossible to mitigate or remediate a risk you never knew existed.
This is the stage at which researchers discover and publish vulnerabilities so that vulnerability databases (VDBs) can aggregate and build upon those disclosures. It happens upstream of your own daily workflow, so it is vital that the vulnerability intelligence you rely on knows that thousands of unique disclosure channels exist and actually monitors them.
The Vulnerability Discovery process can be broken into two steps:
- Identifying vulnerability sources
- Monitoring those sources
The more vulnerability sources you can identify, the more robust your vulnerability coverage becomes. Vulnerabilities are disclosed and published in a wide variety of mediums including mailing lists, blogs, service sites like GitHub, websites catering to exploit disclosure (e.g. Packetstorm), and more.
Many years ago, organizations could rely on a few mailing lists and vendor security advisories to bring the latest vulnerabilities to their doorstep. Those days are over, and that practice is no longer feasible. Despite this, some VI providers are essentially still operating with this defunct model.
The practices of the past no longer work because of the growing number of vulnerabilities in software products. Since the early 2000s, new vulnerabilities have been disclosed by the tens of thousands each year. So what is the common source where all of these vulnerabilities are reported? There is none. No single medium has replaced the de-facto sources of the past, not even the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD). CVE/NVD themselves struggle to identify vulnerability sources and are missing at least 84,000 vulnerabilities.
The truth is that vulnerability disclosures are being published across platforms like social media, the deep web, researcher blogs, product bug trackers, code commits, and a lot more. Since there is no single source, it is vital that organizations intelligently aggregate as many vulnerabilities as they can so they can know which to focus on. The following is the number of vulnerabilities according to the vulnerability aggregation method:
More vulnerability sources identified translates into more comprehensive intelligence and better outcomes.
In the scope of vulnerability intelligence, vulnerability monitoring is the act of keeping tabs on a wide variety of sources that produce vulnerability disclosures. This can be done in a somewhat automated fashion and/or rely more heavily on human analysts. This process includes identifying new disclosures, determining if the information is valid, normalizing the data, adding metadata, and including it in a vulnerability intelligence feed. Mature VI solutions then offer support for the data they aggregate to ensure an organization understands, and can better utilize that data.
This however can be a real challenge as vulnerabilities are being disclosed every hour of every day, all year, leading to new sources being created daily. Adding to the difficulty is that a single source can sometimes contain thousands of newly disclosed vulnerabilities. That being said, what sources, and how many are you aware of and actively monitoring?
What is Vulnerability Research?
Vulnerability research is the process where you research vulnerabilities and determine if any of them affects your organization’s systems.
As you monitor your sources, each disclosure that appears has to be checked against your environment. Does the vulnerability affect a vendor in your supply chain, or a product used by your organization? If so, which versions of that product are susceptible? Is an exploit available? Is there a patch or upgrade that remediates it?
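The monitoring and research steps above (normalizing disclosures from differently shaped sources into one feed, merging duplicate reports of the same issue, then matching the feed against the versions actually deployed) look like this in practice. This is an added example, not code from the original page and not VulnDB's implementation. The identifiers (EXAMPLE-2024-0001, EXAMPLE-2024-0002), the vendor, product, hostnames and versions are all constructed for illustration, and the version parser assumes purely numeric dotted versions.

```python
"""Normalize disclosures from differently shaped sources into one feed and
match that feed against an asset inventory. Added example, not VulnDB code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: identifiers, vendor and product are hypothetical.
# EXAMPLE-2024-0001 appears twice (a mailing-list post and an advisory record)
# to show deduplication across sources.
RAW_DISCLOSURES = [
    {"source": "mailing-list", "id": "EXAMPLE-2024-0001", "vendor": "ExampleCorp",
     "product": "WidgetServer", "affected": "< 2.4.1", "exploit": "PoC published"},
    {"source": "advisory", "advisory_id": "EXAMPLE-2024-0001",
     "package": "examplecorp/widgetserver", "vulnerable_versions": ">=2.0.0, <2.4.1",
     "patched_versions": "2.4.1"},
    {"source": "advisory", "advisory_id": "EXAMPLE-2024-0002",
     "package": "examplecorp/widgetserver", "vulnerable_versions": ">=2.4.0, <2.5.0",
     "patched_versions": "2.5.0"},
]

# Constructed asset inventory; hostnames and versions are hypothetical.
INVENTORY = [
    {"host": "app01", "vendor": "examplecorp", "product": "widgetserver", "version": "2.3.9"},
    {"host": "app02", "vendor": "examplecorp", "product": "widgetserver", "version": "2.4.1"},
    {"host": "db01", "vendor": "examplecorp", "product": "otherthing", "version": "1.0.0"},
]

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted versions only ('2.4.1'); pre-release tags are out of scope."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_range(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """'>=2.0.0, <2.4.1' -> [('>=', (2, 0, 0)), ('<', (2, 4, 1))].
    Two-character operators are tried before their one-character prefixes."""
    constraints = []
    for part in spec.split(","):
        part = part.strip()
        for op in (">=", "<=", "==", ">", "<"):
            if part.startswith(op):
                constraints.append((op, parse_version(part[len(op):])))
                break
        else:
            raise ValueError(f"unrecognised constraint: {part!r}")
    return constraints

def version_in_range(version: str, constraints) -> bool:
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in constraints)

@dataclass
class VulnRecord:
    """Common schema every source is mapped onto."""
    vuln_id: str
    vendor: str
    product: str
    constraints: list
    fixed_in: Optional[str] = None
    exploit_status: str = "unknown"
    sources: Set[str] = field(default_factory=set)

def normalize(raw: dict) -> VulnRecord:
    """Map one source-specific record onto VulnRecord. Vendor and product are
    lower-cased so the same product matches regardless of a source's spelling."""
    if raw["source"] == "mailing-list":
        return VulnRecord(raw["id"], raw["vendor"].lower(), raw["product"].lower(),
                          parse_range(raw["affected"]),
                          exploit_status=raw.get("exploit", "unknown"),
                          sources={raw["source"]})
    if raw["source"] == "advisory":
        vendor, product = raw["package"].lower().split("/", 1)
        return VulnRecord(raw["advisory_id"], vendor, product,
                          parse_range(raw["vulnerable_versions"]),
                          fixed_in=raw.get("patched_versions"), sources={raw["source"]})
    raise ValueError(f"unknown source type: {raw['source']!r}")

def build_feed(raw_disclosures: List[dict]) -> Dict[str, VulnRecord]:
    """Normalize every disclosure and merge duplicates of the same issue so the
    fix version or exploit status one source lacked is filled in from another."""
    feed: Dict[str, VulnRecord] = {}
    for raw in raw_disclosures:
        rec = normalize(raw)
        if rec.vuln_id not in feed:
            feed[rec.vuln_id] = rec
            continue
        merged = feed[rec.vuln_id]
        merged.sources |= rec.sources
        merged.fixed_in = merged.fixed_in or rec.fixed_in
        if merged.exploit_status == "unknown":
            merged.exploit_status = rec.exploit_status
    return feed

def match_inventory(feed: Dict[str, VulnRecord], inventory: List[dict]) -> List[Tuple[str, str]]:
    """Sorted (host, vuln_id) pairs for every asset running an affected version."""
    hits = []
    for asset in inventory:
        for rec in feed.values():
            if ((rec.vendor, rec.product) == (asset["vendor"], asset["product"])
                    and version_in_range(asset["version"], rec.constraints)):
                hits.append((asset["host"], rec.vuln_id))
    return sorted(hits)
```

Running `match_inventory(build_feed(RAW_DISCLOSURES), INVENTORY)` flags app01 (2.3.9) for EXAMPLE-2024-0001 and app02 (2.4.1) for EXAMPLE-2024-0002; app02 is already on the fixed version for the first issue. The merged record for EXAMPLE-2024-0001 carries the exploit status only the mailing-list post mentioned and the fix version only the advisory mentioned, which is the point of aggregating more than one source.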
However, this function is not so simple as vulnerability research can have different meanings and occur at different times depending on the role of the person performing it. The roles that can influence this are:
- Vulnerability researchers
- Vulnerability intelligence companies
- Security analysts at organizations
For a vulnerability researcher, it means the initial examination of a piece of software or hardware to determine whether it contains flaws that grant privileges the design never intended.
For a vulnerability intelligence company like us, the term means the act of going through publicly disclosed vulnerabilities to determine if they are legitimate issues, aggregating that data, and normalizing it for consumption by other organizations.
Organizations face a different problem. For an analyst, the term means researching whether disclosed vulnerabilities affect their assets and what risk those pose. That work depends entirely on how comprehensive the output of researchers and VI companies is.
By this definition, VI companies should be doing more than aggregating data: they are also responsible for determining whether issues are legitimate and enriching them with detailed metadata. Think back to the last vulnerability you researched. How detailed was the entry?
What is Vulnerability Analysis?
Vulnerability analysis is the last function of vulnerability intelligence. In this stage, you gauge the potential damage a vulnerability can cause if exploited. Ultimately, you need to ask yourself, “now that I know this affects me, how bad can it be?“
To answer that question security professionals often rely on vulnerability metadata, severity information, and impact data.
By definition, metadata is “a set of data that describes and gives information about other data.” For vulnerabilities, metadata may include the location of the attacker, the attack type, the high-level impact, availability of a solution, status of an exploit, aspects of the disclosure, general types of technology represented, authentication requirements, and more.
Vulnerability severity refers to how serious the issue is, or how much risk is associated with it. Low severity issues may not be prioritized because they are seen to pose little risk to the organization, while high severity vulnerabilities are typically triaged and patched immediately.
When a vulnerability is exploited, it affects the system in a way that may or may not be noticeable to administrators or users. At the highest level, it affects confidentiality, integrity, or availability (the CIA triad). At a more granular level, confidentiality, for example, may be partially or fully compromised. Because impacting integrity can mean many different things, impact should be captured both as simple metadata (which parts of the CIA triad, and to what degree) and as a description that lays out precisely what happens when the flaw is exploited.
As a security professional, you may be chuckling to yourself right now. Sure, knowing those details is important for determining the scope of damage, but that kind of information is often missing from most vulnerability entries and databases.
Chances are that most of your time is not spent on analyzing vulnerabilities. Instead, you likely find yourself spending more time validating the entry and finding that vulnerability metadata, severity, and impact yourself. This may be the reality for organizations that rely on public databases. Unfortunately, many vulnerability intelligence providers focus solely on collecting issues, but perform little to no quality checks, resulting in inaccuracies and invalid entries.
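The analysis function above is where the metadata fields the page lists (attacker location, authentication requirement, exploit status, solution availability and the CIA impacts) get combined with what the organization knows about its own assets to decide what to do first. The following is an added example of such a scoring, not VulnDB's methodology, not CVSS, and not code from the original page; the weights are illustrative choices of the editor, the 1 to 3 asset criticality scale is an assumption (the kind of per-asset weight an organization sets itself), and the findings, hosts and identifiers (EXAMPLE-A to EXAMPLE-D) are constructed.

```python
"""Rank findings by combining vulnerability metadata with asset criticality.
Added example with illustrative weights; not VulnDB's scoring and not CVSS."""
from dataclasses import dataclass
from typing import List, Tuple

# Metadata fields named in the text, each mapped to an illustrative 0..1 weight.
LOCATION = {"remote": 1.0, "adjacent": 0.7, "local": 0.4}
AUTH = {"none": 1.0, "single": 0.7, "multiple": 0.5}
EXPLOIT = {"none": 0.2, "poc": 0.6, "weaponized": 0.9, "in_the_wild": 1.0}
IMPACT = {"none": 0.0, "partial": 0.5, "complete": 1.0}
SOLUTION = ("patch", "workaround", "none")

@dataclass(frozen=True)
class VulnMetadata:
    vuln_id: str
    attacker_location: str   # remote | adjacent | local
    authentication: str      # none | single | multiple
    exploit_status: str      # none | poc | weaponized | in_the_wild
    solution: str            # patch | workaround | none
    confidentiality: str     # none | partial | complete
    integrity: str
    availability: str

def likelihood(m: VulnMetadata) -> float:
    """How easily the flaw is reached and exploited (0..1)."""
    return LOCATION[m.attacker_location] * AUTH[m.authentication] * EXPLOIT[m.exploit_status]

def impact(m: VulnMetadata) -> float:
    """Combine the three CIA impacts so a single 'complete' loss scores 1.0
    while partial losses add up without exceeding it."""
    c, i, a = IMPACT[m.confidentiality], IMPACT[m.integrity], IMPACT[m.availability]
    return 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a)

def risk_score(m: VulnMetadata, asset_criticality: int) -> float:
    """0..10. asset_criticality is 1 (low) to 3 (crown jewels), an assumed scale
    the organization sets per asset. Solution availability deliberately does
    not lower the score: a patch that has not been applied reduces nothing."""
    if not 1 <= asset_criticality <= 3:
        raise ValueError("asset_criticality must be 1, 2 or 3")
    if m.solution not in SOLUTION:
        raise ValueError(f"unknown solution status {m.solution!r}")
    return round(10.0 * likelihood(m) * impact(m) * asset_criticality / 3, 2)

def recommend(m: VulnMetadata, score: float) -> str:
    """Turn score plus solution availability into an action: patching only
    helps if a patch exists, otherwise the asset needs compensating controls."""
    if score >= 7.0:
        if m.solution == "patch":
            return "patch immediately"
        if m.solution == "workaround":
            return "apply workaround now, patch when released"
        return "no fix available: isolate or add compensating controls"
    if score >= 4.0:
        return "patch in next maintenance window" if m.solution == "patch" else "mitigate and track"
    return "accept and monitor"

def rank(findings: List[Tuple[str, int, VulnMetadata]]) -> List[Tuple[str, str, float, str]]:
    """findings: (asset, criticality, metadata). Returns (asset, vuln_id, score,
    action) sorted highest risk first."""
    ranked = []
    for asset, criticality, m in findings:
        score = risk_score(m, criticality)
        ranked.append((asset, m.vuln_id, score, recommend(m, score)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample findings; identifiers and hosts are hypothetical.
FINDINGS = [
    ("web01", 3, VulnMetadata("EXAMPLE-A", "remote", "none", "in_the_wild", "patch",
                              "complete", "complete", "complete")),
    ("dev-box", 2, VulnMetadata("EXAMPLE-B", "local", "single", "poc", "none",
                                "partial", "none", "none")),
    ("web01", 3, VulnMetadata("EXAMPLE-C", "remote", "none", "none", "workaround",
                              "none", "none", "complete")),
    ("vpn01", 3, VulnMetadata("EXAMPLE-D", "remote", "none", "weaponized", "none",
                              "complete", "partial", "none")),
]

if __name__ == "__main__":
    for asset, vuln_id, score, action in rank(FINDINGS):
        print(f"{score:5.2f}  {asset:8} {vuln_id:10} {action}")
```

On the constructed findings, EXAMPLE-A (remote, exploited in the wild, full CIA loss, patch available) scores 10.0 and gets "patch immediately", while EXAMPLE-D scores 9.0 but has no fix, so the action is isolation or compensating controls rather than a patch that does not exist. A local, authenticated, PoC-only partial disclosure on a medium-value host (EXAMPLE-B) lands under 1 and is accepted and monitored. Without the metadata fields the page describes, none of these distinctions can be made and every entry looks the same.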
Lineas Enables Effective Risk-Based Vulnerability Management (RBVM) with VulnDB
VulnDB’s extensive research was the essential component that enabled Lineas to identify risk in a more comprehensive manner by quickly prioritizing and remediating vulnerabilities for better outcomes.
No Substitute for Better Data
Now that you know what each part of vulnerability intelligence entails, you can begin to assess the steps your organization needs to take to achieve true risk-based vulnerability management. If your current security tool or vulnerability intelligence process is lacking in the discovery, research, or analysis functions, it will be necessary to look for improvements.
Vulnerability intelligence should be comprehensive, detailed, and timely. You need to be aware of everything that is in the vulnerability disclosure landscape and have all the details so that you can manage risk as soon as possible. But can you be certain that you have that kind of visibility?
There is no substitute for better data. It’s either great or… not so great.
“Knowing key details like exploit caveats and solution details is important for risk mitigation or remediation, but that kind of information is often missing from most vulnerability entries and databases.”
Brian Martin, Vulnerability Historian, Risk Based Security
Important metadata like attacker location, attack type, impact, solution availability, and exploit status often give you the kind of visibility needed for risk-based vulnerability management. Without it, you can’t definitively determine if a vulnerability needs to be patched, if other affected systems should be bolstered, or if the issue requires more resources than it is worth.
But just because those details aren’t included doesn’t mean the information is unknown. If your vulnerability intelligence tool consistently omits important metadata, your data provider is likely substituting CVE/NVD for vulnerability intelligence. As mentioned earlier, it is vital that vulnerability intelligence companies discover and monitor as many sources as they can. Relying on a single source is not enough.
The Most Comprehensive Source of Vulnerability Intelligence
Power real-time prioritization and remediation decisions with the only source of comprehensive vulnerability and supply-chain intelligence.
The Risk Based Security Platform is built on VulnDB, the most comprehensive, timely and actionable source of vulnerability intelligence available. It tracks over 264,000 vulnerabilities, including IT, OT, IoT, and open source libraries and dependencies.
Each vulnerability entry is standardized and easy to consume, containing over 60 potential classifications including vendor risk ratings, product risk ratings, and detailed exploit & solution information. The Platform helps break the tangled process of research, analysis, prioritization and remediation allowing security professionals to manage vulnerabilities in real-time without the need for scanning and fragmented workflows.
The Platform is the only solution that provides scanless, real-time vulnerability intelligence with vendor and product risk ratings. With this data, your team can reveal the vulnerabilities that apply to your organization, prioritize what impacts your assets and products, and coordinate remediation.
Gain visibility into the overall security posture of your organization with advanced dashboards that draw attention to the latest vulnerability disclosures that apply to your organization. The Platform for Vulnerability Management can automate risk prioritization by specifying the criticality of various assets in your environment, allowing your team to focus on the most important issues while assigning and tracking remediation tasks.