Vulnerability Intelligence Lessens Exposure to Weaponized Bugs
By Cheng Lu
Microsoft’s monthly Patch Tuesday security updates and Oracle’s quarterly Critical Patch Updates bring some order to the chaotic world of vulnerability management. But for many organizations, these release days are still a fire drill of the most stressful magnitude as network administrators and sysadmins around the world try to make sense of massive dumps of sometimes hundreds of Windows or Oracle patches.
Fixes need to be assessed according to the assets they affect, deployments must be prioritized according to criticality, and patches must be compatibility tested before they’re rolled out to production environments. It’s complicated, and all of this is done against a rapidly closing window between vulnerability disclosure and the public availability of exploits.
Not all bugs are eventually weaponized, and not all organizations are immediate targets; this is the complexity albatross that hangs over vulnerability management. One thing that may ease this tension is a measure of intelligence from closed, illicit communities that could give organizations an inkling that an exploit is about to be dropped publicly.
By having a bead on discussions within dark web communities, for example, decision makers can understand when threat actors are experimenting with ways to exploit a newly disclosed vulnerability, finding new attack vectors for the bug, or actively targeting it.
Flashpoint Senior Vulnerability Analyst Cheng Lu will explain why vulnerability intelligence is crucial to overall vulnerability and patch management during a webinar called “From CVE to Exploit: How Vulnerability Intelligence Can Lessen Your Exposure,” Sept. 24 at 11 a.m. ET.
Earlier this year, a critical WinRAR vulnerability was disclosed and patched. The vulnerability—which had been present in half of Windows machines and potentially affected a half-billion users—could be used to plant malware or malicious code that would persist after reboots. Worse, the vulnerable code had been part of Windows for 19 years.
From Flashpoint’s visibility into leading illicit forums, analysts discovered significantly more discussions about this bug, its CVE number, and the publicly available proof-of-concept exploit that had been dropped in the weeks after Microsoft released its patch. Most of the discussions were happening in English- and Russian-language forums, with topics centered around the PoC code, how to make it work, what versions of Python were required to make it run, and more dissection of the code.
This type of data-gathering generates invaluable intelligence about critical vulnerabilities, intelligence that supersedes a general criticality score derived by the respective vendors or by MITRE, for example, which manages the Common Vulnerabilities and Exposures (CVE) entries and assigns a criticality rating based upon the Common Vulnerability Scoring System (CVSS).
CVSS-based scores are meant to bring standardization to rating the severity of a vulnerability’s potential impact, as well as to help organizations prioritize how they’re going to respond in terms of triage and patching. But basing risk decisions solely on a CVSS rating is dangerous.
A more thorough risk assessment is preferred, one that applies additional context to the discussion based upon vulnerability intelligence. This can help decision-makers formulate their own decisions about whether a particular vulnerability, if exploited, will impact their business and how.
We invite you to learn more about the role of vulnerability intelligence as it relates to vulnerability and patch management. Flashpoint is hosting a webinar on Sept. 24 (11 a.m. ET) presented by Senior Vulnerability Analyst Cheng Lu. He will cover the current vulnerability landscape, how intelligence can help predict the weaponization of vulnerabilities, how access and insight into illicit communities is crucial to developing intelligence about exploits, and more about Flashpoint’s CVE Dashboard.
Senior Analyst, Hunt Team
Cheng Lu is a Senior Analyst on Flashpoint’s renowned Hunt Team. He specializes in vulnerability research and holds a Bachelor of Science degree in computer science and math from Towson University.