At the beginning of our conversation on vulnerability intelligence a couple of weeks ago, I briefly touched on a fictional weeklong scenario that involved vulnerability disclosure, PoC (proof-of-concept) release, and mass scanning that ended with victims hit by exploits. I get it, a week to go from vulnerability to working exploit may seem like hyperbole, but we’ve seen recent cases where things moved almost that quickly: from just a couple of weeks to a month.
That is hardly enough time for defenders to react and patch, to be perfectly honest.
Researchers developing PoCs are a natural byproduct of the existence of imperfect code and the greater need to secure all the things. It’s likely *most* researchers mean well when they release a PoC, but done incorrectly it can exacerbate the vulnerability problem.
It’s not just a really catchy song by the Smiths; it’s also a fairly spirited debate that can be separated into two arguments.
On one side, there’s the thought that publicly disclosing a proof-of-concept in the wake of a vulnerability announcement forces the hand of everyone with a stake in the security game. It gives teams the ability to independently verify whether a network’s systems are exploitable, which enables better understanding of scale and severity, and leads to informed decisions about remediation. Best of all, it makes vendors develop fixes more quickly, and pushes end users to apply the patches.
On the other hand, there are some who advocate making patches available immediately when vulnerabilities are announced, and slowing down the release of PoCs until organizations are patched. In theory, this allows time for everyone to get their collective acts together so that they’re secured by the time vulnerabilities reach exploitation.
Now, there are flaws in each argument. The first argument assumes that every organization has the technical expertise or available resources to basically “red team” their infrastructure, and has all kinds of free time because they’re already caught up on all of the other patching and maintenance. As Chris touched on in an earlier blog, the reality is that there are competing priorities in every organization, which often boil down to time and resources devoted to patching.
The second argument assumes a high barrier to entry for developing workable exploits. Nation-states and the more well-financed criminal groups out there are already buying up zero-days, and are likely sophisticated enough to figure out how to exploit a vulnerability based on what was fixed in a patch, or in a PoC demonstration that might’ve left out a few steps. As we found out in our vulnerability research, criminal forum users are more than happy to share their knowledge or otherwise rent out their expertise, so it may not always be the bigger players who get the win on exploits.
Those who were paying attention to the Great Exchange ProxyLogon Disaster we all felt earlier in 2021 got a front-row seat to the debate. While the activity itself was known around December and into January, a researcher posted a public PoC in the middle of the investigations, making it easy for actors to make the leap to exploitation in pretty short order. Within 20 days of that PoC publication, the number of adversaries attempting to exploit the ProxyLogon vulnerability increased exponentially. At the time, many prominent researchers and security firms were erring on the side of caution, and it’s likely that this researcher felt some of the internet’s wrath on this one.
As it turns out, there was a wealth of examples just this year where vulnerabilities went to the dark side of the Force.
Besides the aforementioned Exchange vulnerability that saw mass exploitation less than a month after the PoC was published, we saw a similar story in a few recent case studies. Pulse Secure issued an out-of-cycle security advisory in April 2021, and within roughly 3 days of that announcement, Digital Shadows (now ReliaQuest) saw the first working PoC appear on GitHub. Sadly, it took nearly two more weeks before Pulse Secure was able to catch up with a patch.
VMware had a similar problem on its hands with a PoC that came about within two weeks of its own announcement involving vulnerabilities with vSphere during the summer of 2021. With vSphere playing such a major role in virtual server management, the patching and mitigations may have left network teams overwhelmed when trying to sort out the question of maintenance.
As we’ve been harping on over the last month of talking about vulnerability intelligence, knowing the critical context behind a vulnerability just might make the decision to patch or mitigate an easier one. There’s some oft-cited research out there indicating that only a small percentage of vulnerabilities even get to the proof-of-concept stage, much less get exploited. Understanding whether adversaries are using a vulnerability, and how, helps you know how at-risk you might be.
You might have a stack of critical vulnerabilities to worry about, but knowing whether they’re getting into the proof or exploit neighborhoods just might be what you need to bump up the patching schedule. It could be a matter of days or weeks before adversaries not only discover your vulnerable infrastructure, but are then able to leverage an exploit to get in. Ransomware operators might be using it to extort you financially, nation-states could be after the accesses or other secrets you offer, or it might just be an opportunity for criminals to steal data for resale elsewhere.
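The prioritization logic described above, as an added example that is not part of the original post: it ranks a vulnerability backlog by exploit maturity (disclosed, public PoC, exploited in the wild) and exposure rather than by CVSS alone, and grows the urgency with each day a PoC has been public. The weights, the sample backlog and the placeholder CVE identifiers are all constructed for illustration, not taken from the post or from any ReliaQuest product.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from enum import IntEnum

class Maturity(IntEnum):  # stage on the disclosure-to-exploit timeline
    DISCLOSED = 0   # advisory published, no public exploit code yet
    POC_PUBLIC = 1  # a working proof-of-concept is public
    EXPLOITED = 2   # exploitation observed in the wild

@dataclass
class Vuln:
    cve: str                 # placeholder ids below are constructed, not real CVEs
    cvss: float              # base severity, 0-10
    maturity: Maturity
    poc_date: date | None    # day exploit code went public, if it has
    patch_available: bool
    internet_facing: bool    # exposure in our own estate (assumed input)

# Assumed weights: exploit maturity outweighs raw CVSS, so a 7.5 with a PoC ranks above an untested 9.8.
MATURITY_WEIGHT = {Maturity.DISCLOSED: 1.0, Maturity.POC_PUBLIC: 2.0, Maturity.EXPLOITED: 4.0}

def priority_score(v: Vuln, today: date) -> float:
    score = v.cvss * MATURITY_WEIGHT[v.maturity]
    if v.internet_facing:
        score *= 1.5
    # Mass scanning tends to follow a public PoC within days: add one point per day it has been out, capped at 3 weeks.
    if v.poc_date is not None:
        score += min((today - v.poc_date).days, 21)
    return round(score, 1)

def recommended_action(v: Vuln) -> str:
    if v.maturity == Maturity.DISCLOSED and not v.internet_facing:
        return "schedule in the normal patch cycle"
    if v.patch_available:
        return "patch now"
    return "mitigate now (no patch yet): reduce exposure, add detection"

def prioritize(vulns: list[Vuln], today: date) -> list[tuple[str, float, str]]:
    ranked = sorted(vulns, key=lambda v: priority_score(v, today), reverse=True)
    return [(v.cve, priority_score(v, today), recommended_action(v)) for v in ranked]

# Constructed sample backlog for a fictional estate as of 2021-05-01.
TODAY = date(2021, 5, 1)
BACKLOG = [
    Vuln("CVE-XXXX-0001", 9.8, Maturity.DISCLOSED, None, True, False),
    Vuln("CVE-XXXX-0002", 7.5, Maturity.POC_PUBLIC, date(2021, 4, 28), False, True),
    Vuln("CVE-XXXX-0003", 8.8, Maturity.EXPLOITED, date(2021, 4, 10), True, True),
]
```

Calling `prioritize(BACKLOG, TODAY)` ranks the exploited, internet-facing bug first and the unpatched PoC-stage bug second, ahead of the critical but undemonstrated one, with a mitigation rather than a patch recommended where no fix exists yet.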
There’s a reason why Sun Tzu’s quotes get reused so often when talking about security. To loosely paraphrase, knowing what your adversary is up to can help you win the battle, or at least give you a fighting chance (my add). Having intelligence as a layer in your defenses arms you for the fight, and it should coexist within a risk-based vulnerability management model, as my team discussed in a previous blog. To use another tired security proverb: defenders need to be lucky all the time; an adversary only needs that luck once.
If you’re curious how intelligence can help you in the fight, you can always take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a 7-day test drive; or, if you have some pretty specific needs, there’s a chance we have some ideas that we can discuss over a demo sometime.