How to Keep on Top of Emerging Cyber Threats
Every single day around 60 new vulnerabilities are discovered in software used throughout the world. Not all are serious, but just one can be enough to cause a breach, so leaving them unpatched can lead to disaster. This was the case with EternalBlue, an exploit for a vulnerability in the Microsoft Windows SMBv1 protocol (file and printer sharing) that was fixed by the MS17-010 update. Even though that patch was made available in March 2017, a month before the exploit was leaked publicly in April, not all organisations applied it quickly enough. This led to the infamous WannaCry ransomware attack in May 2017, and many others since. WannaCry infiltrated systems in 150 countries, knocking NHS hospitals across the UK offline as well as hitting government systems and railway networks.
A 2021 report found 5,250 confirmed data breaches across the world, with the median financial impact of a breach reaching $21,659, so it is vital that your cybersecurity armoury includes in-depth knowledge of, and the ability to continuously monitor for, newly emerging risks and security threats. But with so much noise out there, how do you do that? Don’t worry, help is here with our extensive list of sources and solutions to keep you on track...
News and blogs
Cybersecurity journalists and bloggers dedicate their working lives to helping people become more informed and better protected against cyber threats, which is why they are a great place for insight. Try:
1. The Register (search terms: cybersecurity, netsec, sysadmin)
2. Threatpost
3. SC Magazine (in particular, its Vulnerabilities section)
4. Dark Reading
The mainstream media may have become dramatically quicker in reporting news but it will never beat the speed of social media. Within seconds of something being identified, it can be reported on social media, but unlike mainstream news, the information won’t always be verified before publication and could be incorrect. This could lead to panic within your team or at the very least wasted time. And with millions of social media profiles to follow, which feeds can you trust?
On Twitter, we recommend:
10. The profiles of the media titles above
11. Content tagged by #infosec, #cybersecurity, #netsec, #sysadmin. By doing this, you’ll see news as it breaks and identify new experts to follow.
On Reddit try the following subreddits:
12. r/cybersecurity, r/netsec, r/sysadmin. If you’re familiar with IFTTT, you can use it to send you notifications when something gains popularity on the feed so that you’re only monitoring the posts worth your time.
Vulnerability and Risk Advisory Feeds
This list wouldn’t be complete without risk advisory feeds, of which there are many:
13. SANS, one of the most trusted sources for cybersecurity training and research, produces several newsletters (for example NewsBites and the @RISK vulnerability alert)
14. The Cybersecurity and Infrastructure Security Agency (CISA), for the US
15. The European Union CERT (CERT-EU)
16. OpenCVE
18. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute
19. The US National Vulnerability Database (NVD), run by NIST
Of course, it requires a great deal of time and commitment to monitor so many sources; more than most cybersecurity teams can spare. And when a new vulnerability has been disclosed, how can you be certain whether you are even affected? Modern technical infrastructure is so complex, and changes so constantly, that most companies rely on a vulnerability scanner to inspect their systems for potential weaknesses.
It is common for scans to take place as infrequently as quarterly. In that case, critical vulnerabilities could be identified far too late, making the exercise of scanning almost redundant. We recommend scanning your external-facing infrastructure at least once a month, but as new vulnerabilities are discovered every day, some organisations may need weekly or even daily scans.
Proactive vulnerability scanning
With Intruder, you're able to find your weaknesses before the hackers do by running proactive vulnerability scans of your systems. Providing 24/7 monitoring, Intruder automatically scans users’ systems when new vulnerabilities are released, and notifies your team about newly discovered threats via Slack, email or Microsoft Teams.
Thanks to this approach, in January 2020, when public exploit code was released for a weakness affecting one of our clients, a leading law firm, we scanned the organisation’s systems on the same day, discovered a vulnerable system, and notified them of the issue with recommended remediation advice. This gave the client a head start in prioritising a fix for this serious weakness, allowing them the time they needed to put mitigations in place as soon as possible.
Whereas traditional vulnerability scanners are complicated to use, require in-house expertise, and significant time investment, Intruder was designed so that even small IT teams can achieve best-in-class cyber protection. It explains the real risks and provides remediation advice in easy-to-understand language, and it can integrate with AWS, GCP, Azure, JIRA or extend to 2,000+ other apps with Zapier.
While there is no way of ensuring your organisation is completely protected from a cyber breach, there are plenty of sources – from news to forums – to keep you on top of the biggest cyber threats to your business. But if your team doesn’t have the time needed to read every alert, then having a paid solution that will find your weaknesses before the hackers do, is your best bet.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
Each window below pairs the practical consequence of the vulnerability details becoming available with the share of the CVEs each vendor covers whose check was released in that window:
- Red teamers, security researchers, detection engineers and threat actors still have to research the type of vulnerability and its location in the vulnerable software themselves, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We are starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released more than a month after the details are publicly available is, for me, of decreasing value. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone in releasing a detection for their scanners. The following section focuses on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point exploit code at your vulnerable system from across the network and gain unauthorised access without any help from a user.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, whereas Greenbone release theirs within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for these critical vulnerabilities, you are more likely to get the ones it does have within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after the CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public: Tenable have released checks for 247 CVEs in that window, and OpenVAS for 144. Since 2010, Tenable have released remote checks for 147 critical CVEs, and OpenVAS for 79, on the same day as the vulnerability details were published. The number of checks then drops off across the first week and drops further after one week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are useful, Tenable have a larger number of checks available, so it could be unfair to judge on raw numbers alone. It is potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after the CVE for a critical vulnerability is published. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that the CVE is published, and OpenVAS release a shade under 50% of theirs on or before that day.
So, since 2010 Tenable have more frequently released their checks on or before the day the CVE details were published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of its checks out on or before day 0.
I thought I’d go a step further and see whether I could identify any trend in each organisation’s release delay: are they getting better year on year, or are their releases getting later? In Figure 12 I have taken the mean delay for critical vulnerabilities per year and plotted it. The mean is particularly influenced by outliers in a data set, so I expected some wackiness and limited the calculation to checks released between 180 days before and 31 days after the CVE was published. These seem to me like reasonable limits: a check dated more than 6 months before the CVE details were released is potentially a quirk of the check metadata, and anything after a one-month delay is less important for us.
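To make the approach above concrete, here is an added worked example in Python. It is not code from the article, Tenable or Greenbone. It applies the three filter criteria (CVSSv2 10.0, network-exploitable, no user interaction) to NVD-style records, computes the on-or-before-day-0 and within-one-month coverage shares, buckets the delays into release windows of my own choosing, and takes the mean delay per year using the same 180-days-before and 31-days-after limits. It assumes the NVD JSON 1.1 feed layout (cve.CVE_data_meta.ID, publishedDate, impact.baseMetricV2.cvssV2.baseScore/accessVector and impact.baseMetricV2.userInteractionRequired) and a hypothetical per-vendor mapping of CVE ID to check release date; the feed items, the two scanner names and every date are constructed sample data, not real vulnerabilities or real vendor releases.

```python
"""Added example (not the article's or any vendor's code): the critical-CVE
filter, per-window check coverage and an outlier-trimmed mean release delay.
Assumes NVD JSON 1.1 field names and a hypothetical {vendor: {CVE: date}} map.
All records and dates below are constructed."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

def _item(cve_id, published, score=None, vector="NETWORK", ui=False):
    """Trimmed NVD 1.1-shaped record; score=None means no CVSSv2 data."""
    rec = {"cve": {"CVE_data_meta": {"ID": cve_id}}, "publishedDate": published, "impact": {}}
    if score is not None:
        rec["impact"]["baseMetricV2"] = {"cvssV2": {"baseScore": score, "accessVector": vector},
                                         "userInteractionRequired": ui}
    return rec

# Constructed feed; placeholder CVE IDs, not real vulnerabilities.
SAMPLE_NVD_ITEMS = [
    _item("CVE-2019-90001", "2019-03-05T17:29Z", 10.0),
    _item("CVE-2019-90002", "2019-06-11T14:15Z", 10.0),
    _item("CVE-2019-90003", "2019-09-20T21:15Z", 10.0),
    _item("CVE-2020-90004", "2020-01-14T18:15Z", 10.0),
    _item("CVE-2020-90005", "2020-04-02T16:15Z", 10.0),
    _item("CVE-2020-90006", "2020-10-27T13:15Z", 10.0),
    _item("CVE-2019-90007", "2019-07-03T12:00Z", 9.3),            # below 10.0
    _item("CVE-2020-90008", "2020-02-11T12:00Z", 10.0, ui=True),  # needs a user
    _item("CVE-2020-90009", "2020-08-05T12:00Z"),                 # no CVSSv2 data
]

# Constructed check release dates for two hypothetical scanner feeds.
SAMPLE_RELEASES = {
    "ScannerA": {"CVE-2019-90001": date(2019, 3, 5),    # day 0
                 "CVE-2019-90002": date(2019, 6, 1),    # -10 days
                 "CVE-2019-90003": date(2019, 9, 25),   # +5
                 "CVE-2020-90004": date(2020, 1, 14),   # day 0
                 "CVE-2020-90005": date(2020, 5, 20),   # +48
                 "CVE-2020-90006": date(2020, 11, 6),   # +10
                 "CVE-2019-90007": date(2019, 7, 3)},   # covered but not critical
    "ScannerB": {"CVE-2019-90001": date(2019, 3, 7),    # +2
                 "CVE-2019-90002": date(2018, 10, 1),   # -253: metadata quirk
                 "CVE-2020-90004": date(2020, 1, 13),   # -1
                 "CVE-2020-90005": date(2020, 4, 2),    # day 0
                 "CVE-2020-90006": date(2020, 11, 30)}, # +34
}

# Delay windows for the distribution (my choice of buckets, not the article's).
WINDOWS = (("before publication", lambda d: d < 0), ("day 0", lambda d: d == 0),
           ("days 1-7", lambda d: 1 <= d <= 7), ("days 8-31", lambda d: 8 <= d <= 31),
           ("after day 31", lambda d: d > 31))

def parse_nvd_date(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%MZ").date()

def is_critical_remote(item):
    """CVSSv2 10.0, reachable over the network, no user interaction required."""
    v2 = item.get("impact", {}).get("baseMetricV2")
    if not v2:
        return False  # no v2 score: cannot meet the filter
    cvss = v2["cvssV2"]
    return (cvss["baseScore"] == 10.0 and cvss["accessVector"] == "NETWORK"
            and not v2.get("userInteractionRequired", False))

def critical_cves(items):
    """CVE ID -> publication date for records that pass the filter."""
    return {i["cve"]["CVE_data_meta"]["ID"]: parse_nvd_date(i["publishedDate"])
            for i in items if is_critical_remote(i)}

def release_delays(published, releases):
    """Days from CVE publication to check release; negative means the check came first."""
    return {cve: (releases[cve] - pub).days for cve, pub in published.items() if cve in releases}

def coverage_shares(delays):
    """Cumulative shares, so 'within_31_days' also counts checks released before day 0."""
    n = len(delays) or 1
    return {"on_or_before_day0": sum(d <= 0 for d in delays.values()) / n,
            "within_31_days": sum(d <= 31 for d in delays.values()) / n}

def window_distribution(delays):
    n = len(delays) or 1
    return {name: sum(1 for d in delays.values() if hit(d)) / n for name, hit in WINDOWS}

def trimmed_mean_delay_by_year(delays, published, lower=-180, upper=31):
    """Mean delay per CVE publication year, dropping delays outside [lower, upper]."""
    by_year = defaultdict(list)
    for cve, d in delays.items():
        if lower <= d <= upper:
            by_year[published[cve].year].append(d)
    return {year: mean(ds) for year, ds in sorted(by_year.items())}

def report(items=SAMPLE_NVD_ITEMS, vendor_releases=SAMPLE_RELEASES):
    """Per-vendor summary over the critical CVEs in the feed."""
    published = critical_cves(items)
    out = {}
    for vendor, releases in vendor_releases.items():
        delays = release_delays(published, releases)
        out[vendor] = {"checks": len(delays), "shares": coverage_shares(delays),
                       "windows": window_distribution(delays),
                       "mean_delay_by_year": trimmed_mean_delay_by_year(delays, published)}
    return out

if __name__ == "__main__":
    print(report())
```

Run it directly to print the per-vendor summary. Against real data you would load the NVD feed JSON into `SAMPLE_NVD_ITEMS`'s place and build each release map from the vendor's plugin or NVT metadata; the ScannerB entry dated 253 days before publication shows why the trimmed mean ignores such outliers while the coverage shares still count them.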
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both, the trend line over the 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still releasing a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie.
The takeaway is that both vendors get their checks out, the majority of the time, either before the CVE details are published or on the day they are published. This is overwhelmingly positive for both scanning solutions. Over time, both also appear to be releasing remote checks for critical vulnerabilities more quickly.