The distributed approach to cybercrime has forever changed the threat landscape. It was erected around a business model of maximising ROI — reusing tried–and–true attack methods rather than organically developing new ones, targeting as many victims as possible and automating the attack workflow. The WannaCry attack of 2017 is the perfect example of this approach in action. It used the NSA–developed EternalBlue exploit, affected businesses and individuals worldwide and spread like wildfire via a worm.
However, attacks like NotPetya and the recent Ordinypt wiper targeting German businesses show another a new danger of the distributed approach — attackers using ransomware aren’t necessarily nterested in collecting ransom but, rather, destroying data. So even meeting the cybercriminal’s demands won’t guarantee you can recover your files.
Whatever the motive for these attacks, there is a glimmer of hope to be found in the distributed approach. Because the approach so often reuses known methods, the set of attack vectors is relatively small. For example, 85 percent of exploit traffic can be attributed to just 10 vulnerabilities, according to the Verizon Data Breach Incident Report. The other 15 percent consists of roughly 900 CVEs. By focusing on these small subsets of vulnerabilities amidst the millions in enterprise systems, organisations can maximise their own ROI by targeting resources at vulnerabilities most likely to be used in an attack.
Hopefully, ransom payments aren’t part of your 2018 security budget. Enacting new defence strategies to proactively combat today’s threats should be.
Vulnerability Management by CVSS Scores
Most vulnerability management programs are based on the Common Vulnerability Scoring System (CVSS). The system, developed in 2005, was designed to help organisations prioritise patching at a time when the threat landscape looked much different. It’s “temporal” scores are meant to incorporate up–to–date threat intelligence and vendor input, but these was never fully implemented. As a result, CVSS can’t accurately determine “environmental” scores to reflect the potential impacts within an organisation.
Traditional vulnerability management, thus, must rely on CVSS “base” scores which only include intrinsic properties of the vulnerability. The problem with this score is that the severity level of a vulnerability changes due to activity in the threat landscape and changes in the network. Without this larger context, vulnerabilities are inaccurately prioritised for remediation. This means attention is given to actually lower–risk vulnerabilities, while those more likely to be used in an attack remain unmitigated.
Shifting to a TCVM Approach
In contrast, threat–centric vulnerability management (TCVM) offers a much more robust approach. TCVM considers the many complexities of today’s networks and activity in the current threat landscape to accurately establish which vulnerabilities need immediate attention. Here’s how it works:
- Assessment: consolidate vulnerability data from third–party scanners and scanless vulnerability assessments
- Modelling: incorporate data into the network model matching vulnerabilities with assets and the surrounding network topology and security controls
- Intelligence: consolidate threat intelligence feeds and security analyst research to identify which vulnerabilities have available or active exploits in the wild, and which are being used in ransomware, exploit kits, etc.
- Prioritisation: combine results of model simulations with threat intelligence to prioritise vulnerabilities’ actual severity level; vulnerabilities exposed in the network or actively exploited in the wild present an imminent threat, while others pose a potential threat.
- Remediation planning: remediate imminent threats immediately via available patches or other compensating controls (rule changes, IPS signatures, etc.); potential threats should be dealt with as part of gradual risk reduction activities
- Oversight: track remediation to ensure threats are neutralised and risk is systematically reduced; monitor unmitigated vulnerabilities for changes in network exposure or use in the wild
Each of these steps requires a massive amount of data and context. Using the TCVM approach is essentially impossible with manual processes, especially considering the scale and near–constant evolution of enterprise networks and the threat landscape. Organisations need to turn to automation so efforts aren’t wasted on data collection and analysis but, rather, can be put toward proactive threat response and strategic security improvements.
A centralised TCVM platform to manage everything from assessment to remediation and tracking is also beneficial as it provides a comprehensive view of the vulnerability, network and remediation status. Centralised platforms improve efficiency, reduce reliance on point products and the personnel needed to manage them. It also increases the ROI of other solutions in place as it turns their data into actionable intelligence, enhancing their value in your security program.
Distributed cybercrime is here to stay. And we’ll likely only see more attacks like WannaCry and NotPetya as even more threat actors test the limits of available tools. Organisations need to be sure their cyber defences are up to the challenge and start proactively addressing the security issues becoming a favourite of global cyberattacks. Taking a TCVM approach to vulnerability management ensures just that — security teams have the agility to pivot wherever the threat landscape goes and secure their networks efficiently and effectively before an attack occurs.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.