Another issue is that not all vulnerabilities get assigned CVEs, such as web applications that are updated at the server and require no customer interaction. Unfortunately, mobile app vulnerabilities that require customer interaction to install an update are also not receiving CVEs. There were 14,185 vulnerabilities reported in 2015, 6,000 more than what was reported in the National Vulnerability Database and CVE, according to the 2015 VulnDB Report from Risk Based Security.
“The real value of the CVE system to consumers and information security practitioners is not actually measuring risk and security impact, but cataloging all known risks to a system regardless of severity,” says Kymberlee Price, senior director of researcher operations at BugCrowd.
Time to start listening
Because CVE does not cover every exploit, you must look beyond the CVE to get a complete picture of what’s coming your way. This means you should stop pegging your vulnerability management activities exclusively to vendor announcements and start exploring other sources of information to stay on top of the latest disclosures. Your vulnerability management teams would be more effective if they looked for mentions of proof-of-concepts out on the web and signs of exploit activity within your environment.
There is a lot of public vulnerability information available beyond official vendor notifications -- so much so that defenders can’t be expected to stay abreast of all the blog posts disclosing various vulnerabilities, mailing list discussions between researchers regarding a particular security flaw, and other public notices. Instead of trying to subscribe to every possible mailing list and RSS feed, your vulnerability management team can go right to the forums and listen to what potential attackers are saying. That’s the best kind of advance warning.
“If I am responsible for vulnerability management in my organization, I would be paying attention to forum conversations, looking for substantial chatter about specific vulnerabilities,” Gundert says. “You won't catch a zero-day, but you will catch flaws that you will otherwise have to wait weeks to get guidance from vendors.”
As a threat intelligence company, Recorded Future wants enterprises to use its platform to listen for threat chatter on forums -- English or foreign-language -- but there are other options. Organizations can select a handful of forums, IRC channels, and other online sources and monitor their discussions. In fact, Recorded Future analysts noted that users consistently share posts written by individuals who appear to be recognized as reliable sources of information. Simply tracking what those "experts" are saying would help uncover conversations around the latest flaws. Keeping an eye on what is shared on GitHub can also go a long way toward uncovering attackers’ plans.
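As an added illustration of the chatter-tracking approach described above (example code written for this article, not from Recorded Future or any product): a small Python scorer that counts posts per CVE identifier, gives extra weight to posts from a hand-picked list of trusted handles, and flags posts that mention a proof of concept. The post format, handle names, thresholds and the CVE numbers are constructed placeholders.

```python
import re
from collections import defaultdict

# CVE identifiers as they appear in posts (CVE-YYYY-NNNN, four or more digits at the end).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Phrases suggesting a proof of concept or working exploit is being discussed.
POC_RE = re.compile(r"\b(poc|proof[- ]of[- ]concept|exploit|weaponi[sz]ed)\b", re.IGNORECASE)


def score_chatter(posts, trusted_authors, trusted_weight=3, min_score=4):
    """Aggregate forum chatter per CVE.

    posts: iterable of dicts with 'author' and 'text' keys (an assumed shape).
    trusted_authors: handles the team has chosen to track as reliable sources.
    Returns (cve, score, poc_mentions, trusted_posts) tuples, highest score first,
    keeping only CVEs whose score reaches min_score ("substantial chatter").
    """
    stats = defaultdict(lambda: {"score": 0, "poc": 0, "trusted": 0})
    for post in posts:
        cves = {m.upper() for m in CVE_RE.findall(post["text"])}
        if not cves:
            continue
        weight = trusted_weight if post["author"] in trusted_authors else 1
        has_poc = bool(POC_RE.search(post["text"]))
        for cve in cves:
            entry = stats[cve]
            entry["score"] += weight
            if has_poc:
                entry["poc"] += 1
            if weight > 1:
                entry["trusted"] += 1
    ranked = [(cve, e["score"], e["poc"], e["trusted"])
              for cve, e in stats.items() if e["score"] >= min_score]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


# Constructed sample posts; the CVE numbers are placeholders, not real advisories.
SAMPLE_POSTS = [
    {"author": "alice", "text": "Anyone looked at CVE-0000-1111? PoC in the wild."},
    {"author": "bob", "text": "cve-0000-1111 exploit works on the default config"},
    {"author": "carol", "text": "CVE-0000-2222 is low impact, ignore"},
    {"author": "dave", "text": "Confirmed CVE-0000-1111, vendor patch not out yet"},
]
TRUSTED = {"alice"}  # handles the team decided to treat as reliable

if __name__ == "__main__":
    for row in score_chatter(SAMPLE_POSTS, TRUSTED):
        print(row)
```

Swap the constructed list for posts pulled from the feeds or forums your team actually watches; the scorer itself is source-agnostic.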
Threat intelligence helps improve the signal-to-noise ratio and surface useful information, but it’s not the only way to find these conversations.