Intelligent defence in the era of global distributed cyber-crime

In 2017, we have seen alarming cyber-attacks on a global scale, symptoms of an organised threat landscape flush with crimeware and exploits with the potential for worldwide reach. Perhaps the most worrying aspect of the WannaCry and Petya attacks was that they involved known vulnerabilities with highly publicised exploits. Yet, organisations fell victim on a scale never seen before.

This is not to say these organisations didn't have mature security programs or talented personnel — it means that, fundamentally, the way we've approached vulnerability management is no longer enough to combat today's threats.

Over the past several years, there has been a marked shift in the threat landscape. First, attackers have become increasingly organised, working together to share or sell attack tools, services and TTPs. The result is a commercialised cyber-crime marketplace where more individuals than ever can piecemeal advanced attacks requiring little of their own skill or intervention as the attack unfolds.

The availability of crimeware in an increasingly connected world has made for a perfect storm for cyber-criminals to make a lot of money quickly and easily. First, they target low–hanging fruit; in the case of businesses, this could mean open ports or unpatched vulnerabilities (with exploits for the purchase). Second, they cast their net as wide as possible to maximise the ROI of their selected attack method. If the same attack can be carried out on multiple companies — great. If it can be automated to spread worldwide — even better.

There is a silver lining to this new trend, however. Because ROI is so important to the distributed cyber-crime business model, the same methods are used, reused, repackaged and resold over and over again. For vulnerability management, this means focusing on the small subset of vulnerabilities with active exploits in the wild, as well as those exposed within the organisation, will have a tremendous impact on their security and force opportunistic cyber-criminals to look elsewhere for their next victim.

Why traditional vulnerability management falls short

Most vulnerability management programmes are based on the Common Vulnerability Scoring System (CVSS). This system was developed more than a decade ago and was designed to help organisations prioritise patching. CVSS was intended to provide “temporal” scores incorporating up-to-date threat intelligence and vendor input, including on available fixes, but this was never fully implemented. CVSS also could not accurately determine “environmental” scores reflecting the potential impacts within a specific organisation.

So, unfortunately, traditional vulnerability management relies on CVSS base scores of intrinsic properties of the vulnerability. The problem with this score is that vulnerabilities don't exist in a vacuum. Changes within the threat landscape and within the organisation in which they exist impact the threat a vulnerability poses. Without this larger context, remediation priorities can be skewed, focusing precious resources on relatively low–risk vulnerabilities while leaving those more likely to be used in an attack within reach of threat actors.

A new approach: threat–centric vulnerability management

To stay protected in the era of distributed cyber-crime, organisations need to take their vulnerability management programme to the next level. Threat–centric vulnerability management (TCVM) is a new approach that collects data from a wide range of sources, including threat intelligence; uses modelling and simulation to analyse vulnerabilities within their unique environment and prioritise them accurately; and provides remediation guidance based on available resources.

Internally, TCVM collects data on known vulnerabilities within the organisation, asset information, patch levels, and the state of network topology and the security controls in place. It builds this data into a model to understand vulnerability exposure, attack paths (including multi-step attacks), potential business impacts, and remediation options beyond patching, such as rule changes or IPS signatures.

Externally, TCVM correlates this information with CVSS scores and, more importantly, security–analyst verified threat intelligence from dozens of security data feeds and investigations in the dark web. This highlights vulnerabilities with available exploits, such as those with a POC, and those observed to be actively exploited in the wild. It also shows which vulnerabilities are being packaged in distributed crimeware, such as ransomware, exploit kits, etc.

With this complete context, remediation actions can be aligned with the threat level a vulnerability poses — not just a generic CVSS score. Those that are being actively exploited or exposed within the network pose an imminent threat and need to be dealt with immediately. Other vulnerabilities pose a potential threat and can be dealt with over time, but need to be monitored for changes in the threat landscape or network exposure.
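As an added illustration of the prioritisation logic described above (example code written for this page, not Skybox's product or algorithm), the snippet below classifies a constructed inventory as "imminent" or "potential" and contrasts the resulting order with a CVSS-base-only ranking. The exploit-status labels, the ordering within the imminent tier, and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Exploit maturity, least to most dangerous. Labels are assumptions mirroring
# the article: no exploit, proof-of-concept, exploited in the wild, packaged in
# distributed crimeware (ransomware, exploit kits).
EXPLOIT_WEIGHT = {"none": 0, "poc": 1, "in_wild": 2, "crimeware": 3}


@dataclass
class Vuln:
    vid: str          # placeholder identifier, not a real CVE
    cvss_base: float  # intrinsic CVSS base score (0-10)
    exploit: str      # one of the EXPLOIT_WEIGHT keys
    exposed: bool     # reachable from an untrusted zone per the network model


def classify(v: Vuln) -> str:
    """Imminent if actively exploited or exposed in the network; otherwise potential."""
    if v.exploit in ("in_wild", "crimeware") or v.exposed:
        return "imminent"
    return "potential"


def priority_key(v: Vuln) -> Tuple[bool, int, bool, float]:
    # Higher tuple sorts first: imminent tier, then exploit maturity, then
    # exposure, with the CVSS base score only as a tie-breaker (assumed ordering).
    return (classify(v) == "imminent", EXPLOIT_WEIGHT[v.exploit], v.exposed, v.cvss_base)


def tcvm_order(vulns: List[Vuln]) -> List[str]:
    return [v.vid for v in sorted(vulns, key=priority_key, reverse=True)]


def cvss_only_order(vulns: List[Vuln]) -> List[str]:
    # The traditional ranking the article criticises: base score alone.
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss_base, reverse=True)]


# Constructed sample inventory, not real findings.
SAMPLE = [
    Vuln("VULN-A", 9.8, "none", False),      # critical score, no exploit, internal only
    Vuln("VULN-B", 7.5, "crimeware", True),  # in ransomware and exposed
    Vuln("VULN-C", 5.3, "poc", True),        # low score, PoC exists, exposed
    Vuln("VULN-D", 8.1, "in_wild", False),   # exploited in the wild, internal only
]

if __name__ == "__main__":
    print("CVSS only:", cvss_only_order(SAMPLE))
    print("TCVM     :", tcvm_order(SAMPLE))
```

Note how VULN-A, the highest base score, drops to the bottom once exploit activity and exposure are taken into account, while VULN-C rises despite its low score.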

Automation and centralisation for intelligent defence

Because of the scale and complexity of data the TCVM approach requires, tasks have to be automated. From data collection to contextual analysis, these processes are essentially impossible to perform manually, especially in an enterprise network. While tools are available for automating each step within the TCVM workflow, there are efficiency and ROI advantages to centralising management on a single platform.

With automation and centralisation, vulnerability management and incident response teams can dedicate even more resources to acting on intelligence rather than gathering and analysing it. The systematic approach of TCVM ensures that actions are informed with the full context surrounding a vulnerability, so organisations can take on attackers proactively and keep their networks secure from the distributed cyber-crime threat.

Contributed by Ravid Circus, VP Products, Skybox Security

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.