Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four
One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put an organization’s data, employees and customers at risk. In this
four-part blog series, FireEye Mandiant Threat Intelligence
highlights the value of CTI in enabling vulnerability management,
and unveils new research into the latest threats, trends and recommendations.
Organizations often have to make difficult choices when it comes to
patch prioritization. Many are faced with securing complex network
infrastructure with thousands of systems, different operating systems,
and disparate geographical locations. Even when armed with a
simplified vulnerability
rating system, it can be hard to know where to start. This
problem is compounded by the ever-changing threat landscape and increased
access to zero-days.
At FireEye, we apply the rich body of knowledge accumulated over
years of global intelligence collection, incident response
investigations, and device detections, to help our customers defend
their networks. This understanding helps us to discern between
hundreds of newly disclosed vulnerabilities to provide ratings and
assessments that empower network defenders to focus on the most
significant threats and effectively mitigate risk to their organizations.
In this blog post, we’ll demonstrate how we apply intelligence to
help organizations assess risk and make informed decisions about
vulnerability management and patching in their environments.
Functions of Vulnerability Intelligence
Vulnerability intelligence helps clients to protect their
organizations, assets, and users in three main ways:
Figure 1: Vulnerability intelligence can
help with risk assessment and informed decision making
Tailoring Vulnerability Prioritization
We believe it is important for organizations to build a defensive
strategy that prioritizes the types of threats that are most likely to
impact their environment, and the threats that could cause the most
damage. When organizations have a clear picture of the spectrum of
threat actors, malware families, campaigns, and tactics that are most
relevant to their organization, they can make more nuanced
prioritization decisions when those threats are linked to exploitation
of vulnerabilities. A lower risk vulnerability that is actively being
exploited in the wild against your organization or similar
organizations likely has a greater potential impact to you than a
vulnerability with a higher rating that is not actively being exploited.
Figure 2: Patch Prioritization Philosophy
Integration of Vulnerability Intelligence in Internal Workflows
Based on our experience assisting organizations globally with
enacting intelligence-led security, we outline three use cases for
integrating vulnerability intelligence into internal workflows.
Figure 3: Integration of vulnerability
intelligence into internal workflows
Tools and Use Cases for Operationalizing Vulnerability Intelligence
1. Automate Processes by Fusing Intelligence with Internal Data
Automation is valuable to security teams with limited
resources. Similar to automated detecting and blocking of indicator
data, vulnerability threat intelligence can be automated by merging
data from internal vulnerability scans with threat intelligence (via
systems like the Mandiant Intelligence
API) and aggregated into a SIEM, Threat Intelligence Platform,
and/or ticketing system. This enhances visibility into various sources
of both internal and external data with vulnerability intelligence
providing risk ratings and indicating which vulnerabilities are being
actively exploited. FireEye also offers a custom tool called FireEye
Intelligence Vulnerability Explorer (“FIVE”), described in more detail
below for quickly correlating vulnerabilities found in logs and scans
with Mandiant ratings.
Security teams can similarly automate communication and workflow
tracking processes using threat intelligence by defining rules for
auto-generating tickets based on certain combinations of Mandiant risk
and exploitation ratings; for example,
internal service-level-agreements (SLAs) could state that ‘high’ risk
vulnerabilities that have an exploitation rating of ‘available,’
‘confirmed,’ or ‘wide’ must be patched within a set number of days. Of
course, the SLA will depend on the company’s operational needs, the
capability of the team that is advising the patch process, and
executive buy-in to the SLA process. Similarly, there may be an SLA
defined for patching vulnerabilities that are of a certain age. Threat
intelligence tells us that adversaries continue to use older
vulnerabilities as long as they remain effective. For example, as
recently as January 2020, we observed a Chinese cyber espionage group
use an exploit for CVE-2012-0158, a Microsoft Office stack-based
buffer overflow vulnerability originally released in 2012, in
malicious email attachments to target organizations in Southeast
Asia. Automating the vulnerability-scan-to-vulnerability-intelligence
correlation process can help bring this type of issue to light.
Another potential use case employing automation would be
incorporating vulnerability intelligence as security teams are testing
updates or new hardware and software prior to introduction into the
production environment. This could dramatically reduce the number of
vulnerabilities that need to be patched in production and help
prioritize those vulnerabilities that need to be patched first based
on your organization’s unique threat profile and business operations.
2. Communicating with Internal Stakeholders
Teams can leverage vulnerability reporting to send internal
messaging, such as flash-style notifications, to alert other teams
when Mandiant rates a vulnerability known to impact your systems high
or critical. These are the vulnerabilities that should take priority
in patching and should be patched outside of the regular cycle.
Data-informed intelligence analysis may help convince stakeholders
outside of the security organization the importance of patching
quickly, even when this is inconvenient to business operations. Threat
Intelligence can inform an organization’s appropriate use of resources
for security given the potential business impact of security incidents.
3. Threat Modeling
Organizations can leverage vulnerability threat intelligence to
inform their threat modeling to gain insight into the most likely
threats to their organization, and better prepare to address threats
in the mid to long term. Knowledge of which adversaries pose the
greatest threat to your organization, and then knowledge of which
vulnerabilities those threat groups are exploiting in their
operations, can enable your organization to build out security
controls and monitoring based on those specific CVEs.
Examples
The following examples illustrate workflows supported by
vulnerability threat intelligence to demonstrate how organizations can
operationalize threat intelligence in their existing security teams to
automate processes and increase efficiency given limited resources.
Example 1: Using FIVE for Ad-hoc Vulnerability Prioritization
The FireEye Intelligence Vulnerability Explorer (“FIVE”) tool is
available for customers here. It is
available for MacOS and Windows, requires a valid subscription for
Mandiant Vulnerability Intelligence, and is driven from an API integration.
Figure 4: FIVE Tool for Windows and MacOS
In this scenario, an organization’s intelligence team was asked to
quickly identify any vulnerability that required patching from a
server vulnerability scan after that server was rebuilt from a backup
image. The intelligence team was presented with a text file containing
a list of CVE numbers. Users can drag-and-drop a text readable file
(CSV, TEXT, JSON, etc.) into the FIVE tool and the CVE numbers will be
discovered from the file using regex. As shown in Figure 6 (below), in
this example, the following vulnerabilities were found in the file and
presented to the user.
Figure 5: FIVE tool startup screen
waiting for file input
Figure 6: FIVE tool after successfully
regexing the CVE-IDs from the file
After selecting all CVE-IDs, the user clicked the “Fetch
Vulnerabilities” button, causing the application to make the necessary
two-stage API call to the Intelligence API.
The output depicted in Figure 7 shows the user which vulnerabilities
should be prioritized based on FireEye’s risk and exploitation
ratings. The red and maroon boxes indicate vulnerabilities that
require attention, while the yellow indicate vulnerabilities that
should be reviewed for possible action. Details of the vulnerabilities
are displayed below, with associated intelligence report links
providing further context.
Figure 7: FIVE tool with meta-data,
CVE-IDs, and links to related Intelligence Reports
FIVE can also facilitate other use cases for vulnerability
intelligence. For example, this chart can be attached in messaging to
other internal stakeholders or executives for review, as part of a
status update to provide visibility on the organization’s
vulnerability management program.
Example 2: Vulnerability Prioritization, Internal Communications,
Threat Modeling
CVE-2019-19781 is a vulnerability affecting Citrix that Mandiant
Threat Intelligence rated critical. Mandiant discussed early exploitation
of this vulnerability in a January 2020 blog post. We continued
to monitor for additional exploitation, and informed our clients when
we observed exploitation by ransomware operators and Chinese espionage
group, APT41.
In cases like these, threat intelligence can help impacted
organizations find the “signal” in the “noise” and prioritize patching
using knowledge of exploitation and the motives and targeting patterns
of threat actors behind the exploitation. Enterprises can use
intelligence to inform internal stakeholders of the potential risk and
provide context as to the potential business and financial impact of a
ransomware infection or an intrusion by a highly resourced state
sponsored group. This support the immediate patch prioritization
decision while simultaneously emphasizing the value of a holistically
informed security organization.
Example 3: Intelligence Reduces Unnecessary Resource Expenditure —
Automating Vulnerability Prioritization and Communications
Another common application for vulnerability intelligence is
informing security teams and stakeholders when to stand down. When a
vulnerability is reported in the media, organizations often spin up
resources to patch as quickly as possible. Leveraging threat
intelligence in security processes help an organization discern when
it is necessary to respond in an all-hands-on-deck manner.
Take the case of the CVE-2019-12650,
originally disclosed on Sept. 25, 2019 with an NVD rating of “High.”
Without further information, an organization relying on this score to
determine prioritization may include this vulnerability in the same
patch cycle along with numerous other vulnerabilities rated High or
Critical. As previously discussed, we have experts review
the vulnerability and determine that it required the highest
level of privileges available to successfully exploit, and there was
no evidence of exploitation in the wild.
This is a case where threat intelligence reporting as well as
automation can effectively minimize the need to unnecessarily spin up
resources. Although the public NVD score rated this vulnerability
high, Mandiant Intelligence rated it as “low” risk due to the high
level of privileges needed to use it and lack of exploitation in the
wild. Based on this assessment, organizations may decide that this
vulnerability could be patched in the regular cycle and does not
necessitate use of additional resources to patch out-of-band. When
Mandiant ratings are automatically integrated into the patching ticket
generation process, this can support efficient prioritization.
Furthermore, an organization could use the analysis to issue an
internal communication informing stakeholders of the reasoning behind
lowering the prioritization.
Vulnerabilities: Managed
Because we have been closely monitoring vulnerability exploitation
trends for years, we were able to distinguish when attacker use of zero-days
evolved from use by a select class of highly skilled attackers, to
becoming accessible to less skilled groups with enough money to burn.
Our observations consistently underscore the speed
with which attackers exploit useful vulnerabilities, and the lack of
exploitation for vulnerabilities that are hard to use or do not help
attackers fulfill their objectives. Our understanding of the threat
landscape helps us to discern between hundreds of newly disclosed
vulnerabilities to provide ratings and assessments that empower
network defenders to focus on the most significant threats and
effectively mitigate risk to their organizations.
Mandiant Threat Intelligence enables organizations to implement a
defense-in-depth approach to holistically mitigate risk by taking all
feasible steps—not just patching—to prevent, detect, and stymie
attackers at every stage of the attack lifecycle with both technology
and human solutions.
Register today to hear FireEye Mandiant Threat Intelligence experts
discuss the latest in vulnerability
threats, trends and recommendations in our upcoming April 30 webinar.
Additional Resources
Mandiant offers Intelligence
Capability Development (ICD) services to help organizations
optimize their ability to consume, analyze and apply threat intelligence.
The FIVE tool is
available on the FireEye Market. It requires a valid
subscription for Mandiant Vulnerability Intelligence, and is driven
from an API integration. Please contact your Intelligence Enablement
Manager or FireEye Support to obtain API keys.
Mandiant’s OT Asset Vulnerability Assessment Service informs
customers of relevant vulnerabilities by matching a customer’s asset
list against vulnerabilities and advisories. Relevant vulnerabilities
and advisories are delivered in a report from as little as once a
year, to as often as once a week. Additional add-on services such as
asset inventory development and deep dive analysis of critical assets
are available. Please contact your Intelligence Enablement Manager for
more information.