When he moved over to the other side of the firewall, Velazco -- now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm -- duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.
Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.
"The intelligence part is important: People should, instead of focusing on the vulnerabilities and on the numbers, focus on the attackers," Velazco says. "We have to mitigate risk before the exploit happens. If you try to mitigate after, that is more costly, has more impact, and is more dangerous for your company."
Velazco will present his experiences using intelligence on attackers to create a better vulnerability management program next week at the Information Systems Security Association (ISSA) conference in Nashville.
The idea of intelligence-driven defense -- using information on risk and attacker behavior to inform decisions -- is not new. In 2011, security researcher Dan Guido analyzed the vulnerabilities exploited by the top toolkits in the cybercriminal underground and found that only 27 of the possible 8,000 vulnerabilities released over two years were actually included in the kits. Two simple steps could protect systems against those attacks, he found.
Guido recently updated the presentation and found that companies could be protected from every attack in current exploit kits by upgrading to Windows 7, not using Java in the Internet zone, enforcing data-execution protection, securing Adobe Reader, and using Microsoft's Enhanced Mitigation Experience Toolkit to lock down systems. Just by observing attacker behavior, it's obvious that they focus on a few applications -- Microsoft Office, Adobe Reader, Java, and Internet Explorer -- to get the maximum impact from their exploits, he says.
"You don't really have to be in quote-unquote threat intelligence to understand that trend," says Guido, now CEO at Trail of Bits, a security consultancy. "That should have been drilled into people over the past five or six years, well enough that, if you are not patching those applications within days of the fixes coming out, you are failing."
[Attackers are increasingly cribbing code from existing exploits, rather than creating new ones. See Expert: Attacks, Not Vulnerabilities, Are Keys To IT Defense.]
Some vulnerability management firms provide an exploitability metric to help companies prioritize their patches. Qualys, for example, created a metric two years ago that allows companies to filter their vulnerabilities by exploitability rating. Yet only about 600 customers are currently using it, says Wolfgang Kandek, chief technology officer for the vulnerability management firm.
While compliance mandates require a more comprehensive approach to patching, a mature company should have two tracks for patching vulnerabilities: a fast track for the most critical and a more measured track for fixing the rest, he says.
"As a first good challenge, fixing all the vulnerabilities that have exploits available in any of the major databases is a good step," Kandek says.
Measuring criticality by the Common Vulnerability Scoring System (CVSS) score is not a good approach, as researchers have already found that the scores are not good indicators of exploitability. In a presentation at BSides Las Vegas, Risk I/O data scientist Michael Roytman found that fixing a random CVSS-10 vulnerability gave a firm only a 3.5 percent chance of having patched a critical flaw. Fixing a random vulnerability exploited by the Metasploit project increased that chance to 25 percent.
In addition, companies need to scrutinize the common vectors more closely, says Trail of Bits' Guido. Just patching the latest vulnerabilities is not enough because that does not protect the company against unknown vulnerabilities.
"There is a wealth of vulnerabilities out there, and you are not going to find them all. People are not going to tag them all with CVE numbers," Guido says. "So you have to make it so you know if someone takes advantage of one and have a response to that."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.