More Than Three Quarters Of Vulnerabilities Are Disclosed On Dark Web And Security Sources Before National Vulnerability Database Publication

Time lag of seven days between public disclosure and official notification places organizations at significant risk of threats and calls into question the reliability of official disclosure channels.

BOSTON –  Recorded Future, the threat intelligence company, has today revealed new research uncovering that from over 12,500 disclosed Common Vulnerabilities and Exposures (CVEs), more than 75% were publicly reported online before they were published to the NIST’s centralized National Vulnerability Database (NVD). Sources reporting include easily accessible sites such as news media, blogs, and social media pages as well as more remote areas of the web including the dark web, paste sites, and criminal forums. This disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them unknowingly open to potential exploits and unable to make strategic and informed decisions on their security strategy. Additionally, the vulnerability content available on the dark web illustrates that the adversary community is actively monitoring and acting on the broad set of sources initially releasing vulnerability information.

The data, taken from the beginning of 2016, showed that the median lag was seven days between a CVE being revealed to ultimately being published on the NIST’s NVD. This time lag also significantly differed between vendor announcements and NVD publishing, with the fastest on average one day later and the slowest published with a 172 day average delay.

Additional key findings from the research revealed:

  • More than 1,500 sources reported on vulnerabilities prior to release, including information security sources like blogs or social feeds and adversary sources on the dark web.
  • 5% of vulnerabilities are detailed in dark web prior to NVD release and these have higher severity levels than expected.
  • 30% of vulnerabilities published to the dark web were in foreign languages.
  • In the case of the Dirty-Cow vulnerability (CVE-2016-5195), the proof-of-concept (POC) was posted to Pastebin 15 days before NVD publication. The original security report was translated to Russian and posted on an exploit forum two days after the report was first released.
  • Over 500 CVEs first reported online in 2016 are still awaiting NVD publication.

Christopher Ahlberg, CEO at Recorded Future, comments: “There has long been a belief that there is a significant time delay between the unofficial and official sources for vulnerability disclosure. This research clearly indicates that the NVD and official reporting channels aren’t able to keep pace with the volume of CVEs in the wild. Organizations need to look to other sources to apply meaningful and actionable intelligence if they are to protect their organizations.”

As demonstrated with the recent global WannaCry ransomware attack, many organizations, particularly when a CVE is first publicized in media outlets, hit the panic button to issue a patch based on a reported number of systems affected by any given CVE. The recommended best practices for organizations are to adopt a proactive and risk-based approach to addressing vulnerabilities, and to utilize intelligence from sites that are more difficult to access, such as the dark web, but that are the first to see chatter on new threats and potential zero-days. Security teams need to look at whether the CVE could affect them, assess their appetite for risk, and then only focus on the CVEs that have the highest risk of being exploited. By building a more comprehensive set of risk rules, based on applied intelligence from both friendly and adversary sources, organizations can make infinitely more informed strategic security decisions.

“These findings demonstrate the need for organizations to look beyond the official channels of vulnerability disclosure, such as the NVD, and take a proactive view of vulnerability management that focuses on risk,” says Bill Ladd, chief data scientist at Recorded Future. “Security teams can no longer do vulnerability management by numbers. By accessing, aggregating, and applying the available intelligence from a wealth of additional sources, including the dark web, social media, news outlets, and forums, organizations will have a better understanding of their risk and can make informed, strategic decisions that positively impact the business.”

For more detail on the research visit www.recordedfuture.com/vulnerability-disclosure-delay.