Vulnerability intelligence is fast emerging as one of the most valued threat intelligence use cases. It provides information about how vulnerabilities are being exploited across the threat landscape, which helps prioritize the response to those vulnerabilities.

Vulnerability Intelligence vs Vulnerability Management

Vulnerability intelligence sits at the intersection of vulnerability management and threat intelligence. 

Vulnerability management is an ongoing process of identifying, investigating, assessing, reporting, and patching vulnerabilities.

Vulnerability intelligence, on the other hand, exists to provide actionable insights for vulnerability management. It is sometimes part of a vulnerability management program and provides vital context on a given vulnerability to understand how likely it is to be exploited.

While some vulnerability management tools include elements of vulnerability intelligence, they typically lack context about how vulnerabilities are being traded, discussed, and exploited across the threat landscape.

CVSS Scores Miss Critical Context

Most vulnerability management efforts rely on the Common Vulnerability Scoring System (CVSS) to prioritize patching. Like any numerical representation of risk, it is helpful at a glance but does not give a complete picture of the likelihood of exploitation or the potential impact each vulnerability could have on your organization. For example, research has found that roughly 75% of vulnerabilities scored above 7 have never been exploited.

Delays in detection and reporting often mean that CVSS scores are not as timely as people would like. CVSS is a specification maintained by FIRST; the scores most teams actually consume come from the National Vulnerability Database (NVD), which can be slow to analyze and score newly disclosed vulnerabilities.

Scores also lack context on the likelihood of exploitation. For true prioritization, teams are often forced to look across many different sources to inform their response. Furthermore, CVSS scores are in practice not dynamic: the threat landscape changes regularly, but those changes are rarely reflected in the score. CVSS does define temporal metrics (exploit code maturity, remediation level, report confidence) to capture this, but most feeds publish only the static base score, and the temporal metrics can only discount the base score, never raise it.
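To make the temporal-metric caveat concrete, here is an added example (not code from the original article) that applies the CVSS v3.1 temporal equation, Temporal = Roundup(Base × E × RL × RC), to a fixed base score under different exploitation postures. The metric values and the Roundup function are taken from the FIRST CVSS v3.1 specification; the base score of 9.8 and the vector strings are assumed inputs for illustration.

```python
import math

# CVSS v3.1 Temporal metric values (FIRST CVSS v3.1 specification).
# E  = Exploit Code Maturity: X not defined, U unproven, P proof-of-concept, F functional, H high
# RL = Remediation Level:     X not defined, O official fix, T temporary fix, W workaround, U unavailable
# RC = Report Confidence:     X not defined, U unknown, R reasonable, C confirmed
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= input, using the
    integer form from the specification to avoid floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base * E * RL * RC). Every multiplier is <= 1.0,
    so the temporal score can never exceed the base score."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def temporal_metrics(vector):
    """Extract E/RL/RC from a CVSS:3.x vector string.
    Metrics absent from the vector are treated as Not Defined (X)."""
    if not vector.startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported")
    found = dict(part.split(":", 1) for part in vector.split("/")[1:])
    return found.get("E", "X"), found.get("RL", "X"), found.get("RC", "X")


def rescore(base, vector):
    """Recompute the temporal score for a known base score from a full vector."""
    e, rl, rc = temporal_metrics(vector)
    return temporal_score(base, e, rl, rc)


# Assumed inputs: the common 9.8 base vector, with three different temporal postures appended.
BASE = 9.8
BASE_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
POSTURES = {
    "no temporal data (what most feeds publish)": BASE_VECTOR,
    "public PoC, vendor fix available":           BASE_VECTOR + "/E:P/RL:O/RC:C",
    "exploited in the wild, no fix":              BASE_VECTOR + "/E:H/RL:U/RC:C",
}

if __name__ == "__main__":
    for label, vec in POSTURES.items():
        print(f"{label:45s} temporal={rescore(BASE, vec)}")
```

The first and third postures both print 9.8: a vulnerability nobody has scored for temporal metrics is indistinguishable from one under active exploitation, and the only posture that moves the number is the one where intelligence says the risk has gone down. That is the gap the rest of this article is about.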

Vulnerability Intelligence is the missing piece of the puzzle that enables security teams to go beyond CVSS scores.

Sources of Vulnerability Intelligence

For context and the latest updates on newly disclosed CVEs and exploits, you will want a comprehensive set of data sources. This includes:

  • Vulnerability Databases (NVD)
  • Researchers on Social Media
  • CERT Advisories
  • Vendor Sites
  • Public Code Repositories
  • Video Sharing Platforms
  • Paste Sites
  • Criminal Forums and Dark Web Markets

Not all sources are created equal. An effective vulnerability intelligence program should assess the reliability of each source before acting on what it reports. We grade source reliability in other forms of threat intelligence, so why should vulnerability intelligence be different?

Developing Clear Requirements

While it is impossible to predict exactly which vulnerabilities will be exploited in the future, you can gauge the likelihood of exploitation from signals such as proof-of-concept (PoC) code on GitHub or exploit tooling offered for sale online.

Most threat intelligence programs need clear requirements to drive effective collection. Again, why should vulnerability intelligence be different? Teams should define the key questions they care about that will help to better prioritize their response.

Here are ten key questions to consider asking: 

  1. Has the vulnerability been exploited in the wild?
  2. Is the vulnerability embedded in pentest tools?
  3. Is there evidence of exploitability? 
  4. Is an exploit advertised for sale online? 
  5. Has a proof of concept been published online? 
  6. Is the vulnerability associated with malware? 
  7. Is the vulnerability associated with a threat actor?
  8. Has the vulnerability been discussed in a threat intelligence report?
  9. Has the vulnerability been discussed on criminal forums or dark web markets?
  10. Has the vulnerability been mentioned in a news article?
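The ten questions above are only useful once they are turned into something that actually reorders the patch queue, and the earlier point about assessing sources means each answer should carry the reliability of whoever reported it. The following added example (not code from the original article) does both: each question becomes a weighted signal, each piece of evidence is graded on the Admiralty A to F reliability scale, and a vulnerability's priority is its CVSS base score plus the intelligence it has accumulated. The signal weights, the numeric values attached to the reliability grades, the triage thresholds and the three sample records are all assumptions chosen for illustration, not figures from the article.

```python
from dataclasses import dataclass

# Admiralty-style source reliability grades (A = completely reliable ... F = cannot be judged)
# mapped to a weight in [0, 1]. The grades are standard; the numeric weights are an assumption.
SOURCE_RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}

# One signal per question from the list above. Weights are illustrative assumptions,
# chosen so that reliably confirmed in-the-wild exploitation outweighs chatter-only signals.
SIGNAL_WEIGHTS = {
    "exploited_in_wild": 5.0,         # Q1
    "in_pentest_tools": 3.0,          # Q2
    "exploitability_evidence": 2.0,   # Q3
    "exploit_for_sale": 3.0,          # Q4
    "poc_published": 2.0,             # Q5
    "malware_association": 3.0,       # Q6
    "threat_actor_association": 2.0,  # Q7
    "in_ti_report": 1.0,              # Q8
    "criminal_forum_discussion": 1.5, # Q9
    "news_mention": 0.5,              # Q10
}


@dataclass(frozen=True)
class Evidence:
    signal: str        # key of SIGNAL_WEIGHTS
    source_grade: str  # Admiralty reliability grade of the reporting source
    note: str = ""

    def __post_init__(self):
        if self.signal not in SIGNAL_WEIGHTS:
            raise ValueError(f"unknown signal {self.signal!r}")
        if self.source_grade not in SOURCE_RELIABILITY:
            raise ValueError(f"unknown source grade {self.source_grade!r}")


@dataclass
class Vulnerability:
    vuln_id: str
    cvss_base: float
    evidence: tuple = ()


def signal_confidence(vuln):
    """Per signal, keep only the best-graded evidence, so ten reposts of the
    same PoC on paste sites do not stack up into a stronger signal."""
    best = {}
    for ev in vuln.evidence:
        reliability = SOURCE_RELIABILITY[ev.source_grade]
        best[ev.signal] = max(best.get(ev.signal, 0.0), reliability)
    return best


def intel_score(vuln):
    """Sum of signal weight times the confidence we have in that signal."""
    return round(sum(SIGNAL_WEIGHTS[s] * c for s, c in signal_confidence(vuln).items()), 2)


def priority(vuln):
    """CVSS base is the starting point; intelligence only ever raises it."""
    return round(vuln.cvss_base + intel_score(vuln), 2)


def triage_tier(vuln):
    """Assumed triage policy: reliably reported in-the-wild exploitation is an
    emergency regardless of score; otherwise use the combined priority."""
    conf = signal_confidence(vuln)
    if conf.get("exploited_in_wild", 0.0) >= SOURCE_RELIABILITY["B"]:
        return "emergency"
    if priority(vuln) >= 10.0:
        return "expedited"
    return "standard"


def rank(vulns):
    """Vulnerability ids ordered from highest to lowest priority."""
    return [v.vuln_id for v in sorted(vulns, key=priority, reverse=True)]


# Constructed sample records (placeholder ids, not real CVEs) for illustration.
SAMPLE = (
    Vulnerability("VULN-A", 9.8),   # critical base score, no exploitation signals at all
    Vulnerability("VULN-B", 7.5, (
        Evidence("exploited_in_wild", "A", "vendor advisory confirms active exploitation"),
        Evidence("poc_published", "B", "working PoC in a public code repository"),
        Evidence("poc_published", "E", "same PoC reposted on a paste site"),
    )),
    Vulnerability("VULN-C", 8.1, (
        Evidence("exploit_for_sale", "E", "unverified listing on a criminal forum"),
    )),
)

if __name__ == "__main__":
    for v in sorted(SAMPLE, key=priority, reverse=True):
        print(f"{v.vuln_id}: base={v.cvss_base} intel={intel_score(v)} "
              f"priority={priority(v)} tier={triage_tier(v)}")
```

Run it and VULN-B, the 7.5 with confirmed exploitation, comes out first and is tagged an emergency, while the 9.8 with no intelligence behind it drops to second. VULN-C shows why source grading matters: a low-reliability forum listing adds only a fraction of the exploit-for-sale weight, so it does not jump the queue until a better source corroborates it. The weights and thresholds are the part you should tune to your own environment; the structure (one signal per requirement, best-source-wins per signal, reliability as a multiplier) is the part worth keeping.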