• Obtain intelligence about what attackers are doing (Likelihood!)
- Internal sources: IPS / IDS, AV, Honeypots
- External sources: threat feeds, threat exchanges, online chatter
• Maintain visibility of assets, and how important they are (Impact!)
- CMDB & Vulnerability Scanners
- IAM, Finance, etc … extremely long tail
• Cross-reference intelligence with problems in your environment
- ATT&CK, CVE, CPE, CWE, Internal Identifiers
• Distribute information continuously
Defining Risk Based Vulnerability Management
Sources of Useful Intelligence
1. Open Source Intelligence & Dark Web
2. Intrusion Detection Systems
3. File-oriented AV analysis APIs - samples from malspam, some APT
4. Honeypots such as Bad Packets and Greynoise - internet-wide scans
(often focused on compromised IoT or early info gathering)
5. Local Honeypots
6. Antivirus and Endpoint - on-device attempts
So Let’s Explore!
1. OSINT & DarkWeb
2. IDS Signatures (Events)
3. Suspicious File Analysis
All analyzed across a set of 12 months historical
OSINT and Darkweb As a Source
APT activity intermingled with more widespread activity
OSINT can be gamed by simply publishing fake information
It can be a great leading indicator, Also helpful for predictions.
Scanned vulnerabilities drive the high counts- but are they the most important?
Normalization by unique CVEs can help
Consider placement: Perimeter? Datacenter? Cloud?
Helpful to understand the process of signature creation … driven by exploits?
IDS Events As A Source
Microsoft Office dominating this year – fits with common knowledge
Less prone to false positives than OSINT, but also require a sig, time needed.
Significantly less volume than IDS in hits
Grounded in signatures (a good thing!)
Suspicious Files As a Source
Challenges to a Single “Top X”
1. Cannot compare on pure count, or weighted counts
2. Technique-to-detect and perspective matter
3. Your threat model matters!
4. Is the vulnerability even still out there?
Context matters… so where to begin?
Identifying the most exploited CVEs
• Gathered CVEs identified by all 3 sources
• Cross-referenced with vulnerability prevalence
• Ranked from (1) most prevalent to (10) least
• Tagged with the source that identified the
Vulnerability in our analysis
The Real Top 10 … er, Top 3*!
1) Oracle Java (JDK and JRE)
2) Adobe Flash Player
3) Microsoft Office (Word, Excel etc)
… (then everything else)
* product list is derived by pulling CPE data from the 255 vulnerabilities scored at 100 on Kenna’s Risk Meter Score