Staying ahead of the distributed cybercrime threat

What cybercrime vulnerability management approach will keep businesses ahead of the hackers in the cyber security landscape?

Recent attacks like WannaCry and NotPetya have highlighted an alarming trend towards a new era of global, distributed cybercrime.

Cyber attackers are becoming increasingly sophisticated and organised, causing a rapid growth of readily available attack tools that are wreaking havoc on networks and businesses who’ve yet to adapt to this new threat.

This shift in the threat landscape is marked by the commercialisation of cybercrime, where hackers work in organised groups, selling tools and services on the dark web to anyone willing to pay the price, and targeting as many would-be victims as possible.

Previously, cybercriminals would act alone or in small groups, developing proprietary TTPs and exploits to be used in specific attacks. Now, under the distributed attack model, we’re not only seeing attacks on a global scale, we’re seeing organisations caught in “collateral damage attacks” such as NotPetya which appeared to target Ukraine, yet affected businesses worldwide using a common accounting software.


In the age of distributed cybercrime, vulnerability management is a vital element of cyber defense. The business model behind distributed cybercrime aims for the best ROI and looks for the path of least resistance — widespread attacks requiring minimal skill or intervention and targeting “low-hanging fruit.”

This last element of the model often means using proven vulnerability exploits and those packaged in crimeware, such as exploit kits or ransomware. Distributed attacks can also take multiple steps, exploiting secondary vulnerabilities or leveraging other methods, such as worms, to spread rapidly.

Traditional vulnerability management approaches that look only at vulnerability severity and asset criticality are ill-equipped to face this threat, and may put organisations at more risk because they prioritise remediation inaccurately, putting effort in the wrong place.

What’s missing from these approaches is the correlation of vulnerabilities, the unique environment in which they exist and intelligence of the current threat landscape. Without complete context, vulnerabilities used in active exploits or exposed in the network could be left in reach of attackers.

Threat-centric vulnerability management (TCVM) offers a much more robust approach. It takes into account the various internal and external factors that influence the threat a vulnerability poses — either imminent or potential.


Internal factors include an organisation’s vulnerabilities, assets, security controls and network topology, including on-premises, multi-cloud and industrial networks.

Externally, TCVM leverages up-to-date threat intelligence on active and available exploits, as well as whether vulnerabilities are packaged in available crimeware. With this information, vulnerability remediation is accurately prioritised so security teams can focus on the small subset of their vulnerabilities in need of immediate attention.

How TCVM works

TCVM is made up of the following five key components, which work together to build a solid vulnerability management program:

- Assessment and discovery: vulnerability data collected from an organisation’s systems is correlated with a model of security controls, network topology and assets.
- Threat intelligence: intelligence feeds and security analyst research are consolidated to understand which exploits are active, available or packaged in crimeware.
- Prioritisation: using the model, threat intelligence, attack vector analytics and simulations, vulnerabilities are analysed in their unique environment; vulnerabilities exposed in the network or actively exploited in the wild are flagged as top priorities.
- Remediation: patches or other compensating controls (IPS signatures, access rules, segmentation, etc.) are implemented to prevent exploitation; remediation urgency is aligned with the threat posed by each vulnerability.
- Oversight: remediation is tracked to ensure threats are neutralised and progress is made to reduce overall risk; unmitigated vulnerabilities are monitored for changes in exposure or exploitability.

As the trend towards the commercialisation of cybercrime continues, TCVM will play a key role in helping organisations to minimise the risk of cyber attacks.

Why traditional methods fall short

As we move towards adopting a TCVM approach, it is important to learn from the Common Vulnerability Scoring System (CVSS). Developed over ten years ago, it was designed to help organisations prioritise patching.

Each vulnerability is scored according to the likelihood and ease of successful exploitation, as well as the estimated impact of successful exploitation. The CVSS specification defines three levels of scores: base, temporal, and environmental.

Base scores involve the static characteristics of a vulnerability only. Temporal scores start with base scores and factor in characteristics that change over time, such as the availability of exploits. Finally, environmental scores start with temporal scores and allow an organisation to consider some aspects of the context of its own environment.


Unfortunately, these objectives were never fully implemented. Major vulnerability databases and security software vendors invested their scarce resources into producing base scores and not into maintaining tens of thousands of temporal scores on a daily basis. And without a source of temporal scores, organisations couldn’t generate environmental scores.

So only base CVSS scores have been used, and understandably they’ve been insufficient for prioritising vulnerability remediation.

TCVM takes into account the lessons learned from CVSS as well as many other observations about vulnerability management to provide accurate assessments of vulnerability severity.
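To make the contrast between the TCVM prioritisation step and base-score-only ranking concrete, here is an added example (not code from the article or from Skybox) that computes the CVSS v3.0 temporal score from a base score using the specification’s Exploit Code Maturity, Remediation Level and Report Confidence weights, then ranks a constructed inventory two ways: severity × asset criticality (traditional) versus exposure and exploit availability first (threat-centric). The `Vuln` fields, tier rules and sample vulnerabilities are assumptions for illustration, not real CVEs.

```python
from dataclasses import dataclass
import math

# CVSS v3.0 temporal metric weights (Exploit Code Maturity, Remediation Level,
# Report Confidence) as defined in the specification; "X" = Not Defined.
EXPLOIT_MATURITY = {"U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0, "X": 1.0}
REMEDIATION_LEVEL = {"O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0, "X": 1.0}
REPORT_CONFIDENCE = {"U": 0.92, "R": 0.96, "C": 1.0, "X": 1.0}

def roundup(x):
    """CVSS v3.0 Roundup: smallest one-decimal value >= x (float-safe)."""
    return math.ceil(round(x * 10, 5)) / 10

def temporal_score(base, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base * E * RL * RC); this is where exploit availability enters."""
    return roundup(base * EXPLOIT_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])

@dataclass
class Vuln:                 # assumed record shape for this example
    vid: str
    base: float             # CVSS base score from the vulnerability database
    exploit: str = "X"      # Exploit Code Maturity, supplied by threat intelligence
    remediation: str = "X"  # Remediation Level
    confidence: str = "X"   # Report Confidence
    criticality: int = 1    # asset criticality 1 (low) .. 3 (high)
    exposed: bool = False   # reachable from an untrusted zone per the network model
    crimeware: bool = False # packaged in an exploit kit or ransomware

def traditional_rank(vulns):
    """Severity x asset criticality only: no exposure or exploit context."""
    return [v.vid for v in sorted(vulns, key=lambda v: -v.base * v.criticality)]

def tcvm_tier(v):
    """Tier 0 = immediate (exposed and exploited/crimeware), 1 = exposed, 2 = monitor."""
    if v.exposed and (v.crimeware or v.exploit in ("F", "H")):
        return 0
    return 1 if v.exposed else 2

def tcvm_rank(vulns):
    """Threat-centric order: tier first, then temporal score x criticality."""
    def key(v):
        t = temporal_score(v.base, v.exploit, v.remediation, v.confidence)
        return (tcvm_tier(v), -t * v.criticality)
    return [v.vid for v in sorted(vulns, key=key)]

# Constructed sample inventory (hypothetical identifiers, not real CVEs).
SAMPLE = [
    Vuln("VULN-A", 9.8, exploit="U", criticality=3, exposed=False),
    Vuln("VULN-B", 7.5, "H", "O", "C", criticality=2, exposed=True, crimeware=True),
    Vuln("VULN-C", 8.8, "P", "O", "C", criticality=1, exposed=True),
]

if __name__ == "__main__":
    print("traditional:", traditional_rank(SAMPLE))  # VULN-A, VULN-B, VULN-C
    print("threat-centric:", tcvm_rank(SAMPLE))      # VULN-B, VULN-C, VULN-A
```

The critical-severity but unreachable VULN-A drops to the monitoring tier, while the lower-scored VULN-B, which is exposed and packaged in crimeware, becomes the immediate fix.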

Automation and centralisation

The sheer scale of the task ahead when it comes to identifying, assessing and prioritising the huge number of vulnerabilities can be daunting. This is especially true of businesses with data silos between vendors and technologies, disconnected processes and limited visibility of their attack surface.

Trying to manually correlate all the information necessary for TCVM to be successful is essentially impossible — the approach must be automated.


There are solutions available to automate the various steps in TCVM, but there is an advantage to bringing them together in one centralised platform. Not only does a single platform improve ease of use and efficiency, it also increases the ROI of existing solutions, rather than adding more point products to the mix.

Time to adapt

Traditional vulnerability management approaches have failed to adapt to the rapidly changing threat landscape, and as a result have become ineffective, wasting precious time and resources.

The new TCVM approach accurately prioritises vulnerabilities according to their urgency, using complete context of the attack surface, both within the organisation and the threat landscape. In this way, the attack surface is systematically reduced with informed remediation planning.

Implementing TCVM methodology gives organisations the ability to be proactive against threats, greatly reducing the chance of damaging attacks and data breaches. It also enables dynamic security programs that can adapt as the threat landscape evolves and the organisation grows.


Sourced from Ravid Circus, VP Products at Skybox Security


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...