Vulnerability Intelligence in the Age of Rapid Exploitation and Patch Fatigue
Vulnerability Intelligence in the Age of Rapid Exploitation and Patch Fatigue

With the advent of automated malware creation, distribution and attacks, InfoSec teams are finding that protection tools -- firewalls, intrusion detection and prevention systems (IDS/IPS), anti-virus products and others -- are becoming less effective.

This protection approach, based on threat intelligence, worked well before hackers found a way to quickly disguise malware and speed up attacks with a variety of techniques, such as:

  • Compiling each piece of malware with a different signature for evasion based on file hashes
  • Giving automatically generated IPs, hostnames and URLs to the command and control (C&C) servers that power their malware and exploit kits 
  •  Using botnets, exploit kits and other methods and tools to launch attacks with massive speed, intensity, complexity and scope

Keeping track of all these malware variants and constantly changing C&C servers has become a “catch me if you can” game in which hackers unfortunately have the upper hand.

Given this reality -- like it or not -- organizations have to assume that bad guys will find a way to bypass protection systems.

Here's where vulnerability intelligence comes to the rescue.

Large numbers of cleverly disguised malware attacks are designed to exploit a much smaller number of vulnerabilities.

If malware gets past your protection mechanisms but finds no vulnerability to exploit among your IT assets, the attack fizzles out.

In an ideal world, an organization would be able to patch 100 percent of its vulnerabilities, and thus fully immunize its IT environment against breaches.

Unfortunately, this is not possible, for a number of reasons, including that:

  • Some vulnerabilities have no patch available
  • With thousands of vulnerabilities disclosed annually, no IT department has the time or resources to fix or mitigate every single one

Taking this into account, vulnerability intelligence, like threat intelligence, collects real world data on cyber attacks but goes a step further and maps it back to the targeted vulnerability.

As a result, organizations have another way to defend themselves, beyond trying heroically to block every single attack.

Relying on vulnerability intelligence, they can also patch or mitigate a critical vulnerability and in one fell swoop defuse the risk from all attacks designed to exploit that particular software flaw.

Vulnerability intelligence takes in data from research on active attacks, exploit kits, IDS, IPS, anti-virus products and other sources.

In addition to isolating the core vulnerabilities being targeted and identifying them, vulnerability intelligence also measures their current exploitation states, which is a valuable piece of context that helps organizations prioritize their vulnerability remediation work.

For example, Adobe Flash is the component that is attacked the most by exploit kits. It was the target of hundreds of campaigns and malware attacks last year and in 2015.

But, as seen in the graph below, the attacks focused on only 15 vulnerabilities in 2015, and seven in 2016. The takeaway from this: organizations should prioritize remediating the actively attacked vulnerabilities first.

Undoubtedly, there are challenges involved in vulnerability intelligence. Highly-skilled researchers must do complex, manual analysis to identify the core vulnerability a particular malware attack is crafted to exploit.

Still, vulnerability intelligence yields valuable results for organizations suffering from “patch fatigue” as they stare at hundreds or thousands of patches they could apply to their systems.

With vulnerability intelligence software, organizations get useful context so they can pinpoint which patches will reduce the most risk, and apply those ones first.