Recent attacks like WannaCry and NotPetya have highlighted an alarming trend towards a new era of global, distributed cybercrime.
Cyber attackers are becoming increasingly sophisticated and organised, driving rapid growth in readily available attack tools that are wreaking havoc on networks and businesses that have yet to adapt to this new threat.
This shift in the threat landscape is marked by the commercialisation of cybercrime, where hackers work in organised groups, selling tools and services on the dark web to anyone willing to pay the price and trying to target as many would-be victims as possible.
Previously, cybercriminals would act alone or in small groups, developing proprietary TTPs and exploits to be used in specific attacks. Now, under the distributed attack model, we’re not only seeing attacks on a global scale, we’re seeing organisations caught in “collateral damage attacks” such as NotPetya which appeared to target Ukraine, yet affected businesses worldwide using a common accounting software.
In the age of distributed cybercrime, vulnerability management is a vital element of cyber defence. The business model behind distributed cybercrime aims for the best ROI and looks for the path of least resistance — widespread attacks requiring minimal skill or intervention and targeting “low-hanging fruit.”
This last element of the model often means using proven vulnerability exploits and those packaged in crimeware, such as exploit kits or ransomware. Distributed attacks can also take multiple steps, exploiting secondary vulnerabilities or leveraging other methods, such as worms, to spread rapidly.
Traditional vulnerability management approaches that look only at vulnerability severity and asset criticality are ill-equipped to face this threat, and may put organisations at more risk because they prioritise remediation inaccurately, putting effort in the wrong place.
What’s missing from these approaches is the correlation of vulnerabilities with the unique environment in which they exist and with intelligence on the current threat landscape. Without complete context, vulnerabilities used in active exploits or exposed in the network could be left within reach of attackers.
Threat-centric vulnerability management (TCVM) offers a much more robust approach. It takes into account the various internal and external factors that influence the threat a vulnerability poses — either imminent or potential.
Internal factors include an organisation’s vulnerabilities, assets, security controls and network topology, including on-premise, multi-cloud and industrial networks.
Externally, TCVM leverages up-to-date threat intelligence on active and available exploits, as well as whether vulnerabilities are packaged in available crimeware. With this information, vulnerability remediation is accurately prioritised so security teams can focus on the small subset of their vulnerabilities in need of immediate attention.
How TCVM works
TCVM is made up of the following five key components, which work together to build a solid vulnerability management program:
• Assessment and discovery: vulnerability data collected from an organisation’s systems is correlated with a model of its security controls, network topology and assets.
• Threat intelligence: intelligence feeds and security analyst research are consolidated to understand which exploits are active, available or packaged in crimeware.
• Prioritisation: using the model, threat intelligence, attack vector analytics and simulations, vulnerabilities are analysed in their unique environment; vulnerabilities exposed in the network or actively exploited in the wild are flagged as top priorities.
• Remediation: patches or other compensating controls (IPS signatures, access rules, segmentation, etc.) are implemented to prevent exploitation; remediation urgency is aligned with the threat posed by each vulnerability.
• Oversight: remediation is tracked to ensure threats are neutralised and progress is made to reduce overall risk; unmitigated vulnerabilities are monitored for changes in exposure or exploitability.
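The prioritisation step above combines three inputs: the scanner’s CVSS base score, threat intelligence on exploit maturity, and the network model’s view of exposure and compensating controls. The following is an added illustration, not code from the article or from any vendor product; the tier rules, weights and sample vulnerabilities (with placeholder ids) are constructed assumptions to show how the inputs interact.

```python
from dataclasses import dataclass

# Constructed sample data only; ids are placeholders, not real CVEs.
@dataclass(frozen=True)
class Vuln:
    vid: str                 # placeholder vulnerability id
    asset: str               # host the scanner found it on
    base: float              # CVSS base score (static severity only)
    exploit: str             # threat intel: "none", "available", "active", "crimeware"
    exposed: bool            # network model: reachable from an untrusted zone
    mitigated: bool = False  # a compensating control (IPS signature, ACL) blocks the path

# Higher value = more mature exploit; "crimeware" means packaged in an exploit kit.
EXPLOIT_RANK = {"none": 0, "available": 1, "active": 2, "crimeware": 3}

def classify(v: Vuln) -> str:
    """Map one vulnerability to an urgency tier using all three TCVM inputs."""
    in_the_wild = EXPLOIT_RANK[v.exploit] >= 2
    if v.mitigated:
        return "monitor"      # control in place; re-check if exposure changes (oversight)
    if in_the_wild and v.exposed:
        return "imminent"     # exploited in the wild AND reachable: top priority
    if in_the_wild or v.exposed or v.exploit == "available":
        return "potential"    # one risk factor present; schedule remediation
    return "backlog"          # severity alone does not make it urgent

TIER_ORDER = {"imminent": 0, "potential": 1, "backlog": 2, "monitor": 3}

def prioritise(vulns):
    """Order by tier, then exploit maturity, then CVSS base score (all descending urgency)."""
    return sorted(vulns, key=lambda v: (TIER_ORDER[classify(v)], -EXPLOIT_RANK[v.exploit], -v.base))

SAMPLE = [
    Vuln("VULN-0001", "intranet-wiki", 9.8, "none", False),                 # critical CVSS, no exploit, internal
    Vuln("VULN-0002", "vpn-gateway", 7.5, "crimeware", True),               # in an exploit kit, internet-facing
    Vuln("VULN-0003", "file-server", 8.1, "active", True, mitigated=True),  # exploit path blocked by IPS
    Vuln("VULN-0004", "hr-app", 6.5, "available", False),                   # PoC exploit only, internal
    Vuln("VULN-0005", "dmz-web", 5.3, "active", False),                     # exploited in the wild, not reachable
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{classify(v):9s} {v.vid} {v.asset:14s} base={v.base} exploit={v.exploit} exposed={v.exposed}")
```

Note that the 9.8 vulnerability on the intranet wiki lands in the backlog while the 7.5 on the VPN gateway is first, which is the reordering a base-score-only approach cannot produce.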
As the trend towards the commercialisation of cybercrime continues, TCVM will play a key role in helping organisations to minimise the risk of cyber attacks.
Why traditional methods fall short
As we move towards adopting a TCVM approach, it is important to learn from the Common Vulnerability Scoring System (CVSS). Developed over ten years ago, it was designed to help organisations prioritise patching.
Each vulnerability is scored according to the likelihood and ease of successful exploitation, as well as the estimated impact of successful exploitation. The CVSS specification defines three levels of scores: base, temporal, and environmental.
Base scores involve the static characteristics of a vulnerability only. Temporal scores start with base scores and factor in characteristics that change over time, such as the availability of exploits. Finally, environmental scores start with temporal scores and allow an organisation to consider some aspects of the context of its own environment.
Unfortunately, these objectives were never fully implemented. Major vulnerability databases and security software vendors invested their scarce resources into producing base scores, not into maintaining tens of thousands of temporal scores on a daily basis. And without a source of temporal scores, organisations couldn’t generate environmental scores.
So only base CVSS scores have been used, and understandably they have proved insufficient for prioritising vulnerability remediation.
TCVM takes into account the lessons learned from CVSS as well as many other observations about vulnerability management to provide accurate assessments of vulnerability severity.
Automation and centralisation
The sheer scale of the task ahead when it comes to identifying, assessing and prioritising the huge number of vulnerabilities can be daunting. This is especially true of businesses with data silos between vendors and technologies, disconnected processes and limited visibility of their attack surface.
Trying to manually correlate all the information necessary for TCVM to be successful is essentially impossible — the approach must be automated.
There are solutions available to automate the various steps in TCVM, but there is an advantage to incorporating them under one centralised platform. Not only does a single platform improve ease of use and efficiency, it also increases the ROI of existing solutions, rather than adding more point products to the mix.
Time to adapt
Traditional vulnerability management approaches have failed to adapt to the rapidly-changing threat landscape, and as a result have become ineffective, wasting precious time and resources.
The new TCVM approach accurately prioritises vulnerabilities according to their urgency, using the complete context of the attack surface, both within the organisation and across the threat landscape. In this way, the attack surface is systematically reduced through informed remediation planning.
Implementing TCVM methodology gives organisations the ability to be proactive against threats, greatly reducing the chance of damaging attacks and data breaches. It also enables dynamic security programs that can adapt as the threat landscape evolves and the organisation grows.
Sourced from Ravid Circus, VP Products at Skybox Security