[BreachExchange] Intelligent defence in the era of global distributed cyber-crime

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 8 20:22:17 EST 2018


In 2017, we have seen alarming cyber-attacks on a global scale, symptoms of
an organised threat landscape flush with crimeware and exploits with the
potential for worldwide reach. Perhaps the most worrying aspect of the
WannaCry and Petya attacks was that they involved known vulnerabilities
with highly publicised exploits. Yet, organisations fell victim on a scale
never seen before.

This is not to say these organisations didn't have mature security programs
or talented personnel — it means that, fundamentally, the way we've
approached vulnerability management is no longer enough to combat today's

Over the past several years, there has been a marked shift in the threat
landscape. First, attackers have become increasingly organised, working
together to share or sell attack tools, services and TTPs. The result is a
commercialised cyber-crime marketplace where more individuals than ever can
assemble advanced attacks piecemeal, requiring little skill of their own and
little intervention as the attack unfolds.

The availability of crimeware in an increasingly connected world has made
for a perfect storm for cyber-criminals to make a lot of money quickly and
easily. First, they target low-hanging fruit; in the case of businesses,
this could mean open ports or unpatched vulnerabilities (with exploits
available for purchase). Second, they cast their net as wide as possible to maximise
the ROI of their selected attack method. If the same attack can be carried
out on multiple companies — great. If it can be automated to spread
worldwide — even better.

There is a silver lining to this new trend, however. Because ROI is so
important to the distributed cyber-crime business model, the same methods
are used, reused, repackaged and resold over and over again. For
vulnerability management, this means that focusing on the small subset of
vulnerabilities with active exploits in the wild, as well as those exposed
within the organisation, will have a tremendous impact on its security
and force opportunistic cyber-criminals to look elsewhere for their next

Why traditional vulnerability management falls short

Most vulnerability management programmes are based on the Common
Vulnerability Scoring System (CVSS). This system was developed more than a
decade ago and was designed to help organisations prioritise patching. CVSS
had intentions of providing “temporal” scores incorporating up-to-date
threat intelligence and vendor input, including on available fixes, but
this was never fully implemented. CVSS also could not accurately determine
“environmental” scores of the potential impacts within an organisation.

So, unfortunately, traditional vulnerability management relies on CVSS base
scores of intrinsic properties of the vulnerability. The problem with this
score is that vulnerabilities don't exist in a vacuum. Changes within the
threat landscape and within the organisation in which they exist impact the
threat a vulnerability poses. Without this larger context, remediation
priorities can be skewed, focusing precious resources on relatively
low–risk vulnerabilities while leaving those more likely to be used in an
attack within reach of threat actors.

A new approach: threat-centric vulnerability management

To stay protected in the era of distributed cyber-crime, organisations need
to take their vulnerability management programme to the next level.
Threat-centric vulnerability management (TCVM) is a new approach that
collects data from a wide range of sources, including threat intelligence;
uses modelling and simulation to analyse vulnerabilities within their
unique environment and prioritise them accurately; and provides remediation
guidance based on available resources.

Internally, TCVM collects data on known vulnerabilities within the
organisation, asset information, patch levels and the state of network
topology and security controls in place. It builds this data into a model
to understand vulnerability exposure, attack paths (including of multi-step
attacks), potential business impacts, and remediation options beyond
patching, such as rule changes or IPS signatures.

Externally, TCVM correlates this information with CVSS scores and, more
importantly, security-analyst-verified threat intelligence from dozens of
security data feeds and investigations on the dark web. This highlights
vulnerabilities with available exploits, such as those with a PoC, and
those observed to be actively exploited in the wild. It also shows which
vulnerabilities are being packaged in distributed crimeware, such as
ransomware, exploit kits, etc.

With this complete context, remediation actions can be aligned with the
threat level a vulnerability poses — not just a generic CVSS score. Those
that are being actively exploited or exposed within the network pose an
imminent threat and need to be dealt with immediately. Other
vulnerabilities pose a potential threat and can be dealt with over time,
but need to be monitored for changes in the threat landscape or network
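The prioritisation logic the preceding paragraphs describe, as an added example that is not part of the original post or of any vendor's TCVM product: a CVSS base score is the starting point, and the context the article lists (public exploit, active exploitation, crimeware packaging, network exposure, asset criticality) scales it and decides whether a vulnerability is an imminent or a potential threat. The multipliers, the `Vuln` record, the `VULN-*` identifiers and the threat-feed update are all assumptions constructed for illustration; a real programme would tune the weights against its own data.

```python
"""Threat-centric prioritisation (illustrative; weights and data are assumptions)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

IMMINENT = "imminent"    # actively exploited or exposed: remediate now
POTENTIAL = "potential"  # remediate over time, keep monitoring for changes


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                      # constructed identifier, not a real CVE
    cvss_base: float                  # CVSS base score, 0.0 to 10.0
    asset_criticality: int = 2        # 1 = low, 2 = medium, 3 = high business impact
    exploit_public: bool = False      # PoC or weaponised exploit is publicly available
    exploited_in_wild: bool = False   # observed in active attacks by threat intel
    in_crimeware: bool = False        # packaged in ransomware / exploit kits
    exposed: bool = False             # reachable along an attack path in the network model


# Assumed multipliers applied on top of the CVSS base score.
CONTEXT_WEIGHTS = {
    "exploit_public": 1.25,
    "exploited_in_wild": 1.5,
    "in_crimeware": 1.5,
    "exposed": 1.5,
}
CRITICALITY_WEIGHTS = {1: 0.75, 2: 1.0, 3: 1.25}


def classify(v: Vuln) -> str:
    """Exploited in the wild, packaged in crimeware, or exposed: imminent."""
    if v.exploited_in_wild or v.in_crimeware or v.exposed:
        return IMMINENT
    return POTENTIAL


def risk_score(v: Vuln) -> float:
    """Scale the CVSS base score by every context flag that applies."""
    score = v.cvss_base
    for flag, weight in CONTEXT_WEIGHTS.items():
        if getattr(v, flag):
            score *= weight
    score *= CRITICALITY_WEIGHTS[v.asset_criticality]
    return round(score, 2)


def prioritise(vulns: List[Vuln]) -> List[Vuln]:
    """Imminent threats first, then descending risk score, then id for a stable order."""
    return sorted(
        vulns, key=lambda v: (classify(v) == POTENTIAL, -risk_score(v), v.vuln_id)
    )


def apply_feed(
    vulns: List[Vuln], feed: Dict[str, Dict[str, bool]]
) -> Tuple[List[Vuln], List[str]]:
    """Merge a threat-intel update and report which vulns escalated to imminent.

    This is the 'monitor for changes in the threat landscape' step: a potential
    threat becomes imminent as soon as a feed reports active exploitation.
    """
    updated, escalated = [], []
    for v in vulns:
        new_v = replace(v, **feed.get(v.vuln_id, {}))
        if classify(v) == POTENTIAL and classify(new_v) == IMMINENT:
            escalated.append(v.vuln_id)
        updated.append(new_v)
    return updated, escalated


# Constructed inventory: a CVSS 9.8 bug with no known exploit next to lower-scored
# bugs that are exploited, packaged in crimeware, or exposed to an attack path.
INVENTORY = [
    Vuln("VULN-A", 9.8),
    Vuln("VULN-B", 7.5, 3, exploit_public=True, exploited_in_wild=True,
         in_crimeware=True, exposed=True),
    Vuln("VULN-C", 5.0, 1, exploit_public=True, exposed=True),
    Vuln("VULN-D", 6.5, 2, exploited_in_wild=True),
]

# Constructed threat-feed update: VULN-A is now seen in an exploit kit.
FEED = {"VULN-A": {"exploited_in_wild": True, "in_crimeware": True}}


if __name__ == "__main__":
    for v in prioritise(INVENTORY):
        print(f"{v.vuln_id}  cvss={v.cvss_base:<4}  {classify(v):<9}  score={risk_score(v)}")
    updated, escalated = apply_feed(INVENTORY, FEED)
    print("escalated after feed update:", escalated)
```

Run stand-alone, the script ranks VULN-B, VULN-D and VULN-C above the CVSS 9.8 VULN-A, which stays a potential threat until the feed update escalates it; a pure CVSS ordering would have put VULN-A first.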

Automation and centralisation for intelligent defence

Because of the scale and complexity of data the TCVM approach requires,
tasks have to be automated. From data collection to contextual analysis,
these processes are essentially impossible to perform manually, especially
in an enterprise network. While tools are available for automating each
step within the TCVM workflow, there are efficiency and ROI advantages to
centralising management on a single platform.

With automation and centralisation, vulnerability management and incident
response teams can dedicate even more resources to acting on intelligence
rather than gathering and analysing it. The systematic approach of TCVM
ensures that actions are informed with the full context surrounding a
vulnerability, so organisations can take on attackers proactively and keep
their networks secure from the distributed cyber-crime threat.