You’re probably hunting vulnerabilities wrong
The majority of vulnerabilities are reported on the dark web, security sites and sources before official publication to the National Vulnerability Database, according to new research.
Keeping an eye on new vulnerabilities is a key part of any CISO or security professional’s job role, and while it is an endless task in many ways, it’s also one that needs to be managed effectively.
However, new research has shown that perhaps the most obvious and well-known source of new vulnerabilities, the US Government's National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), is considerably out of date.
An impressive 75 per cent of vulnerabilities have already been disclosed elsewhere prior to NVD release, with a median of seven days' prior notice. This gap is widening rapidly too, making the NVD an increasingly unreliable source of vulnerability information if it is used on its own.
On the bright side, higher severity vulnerabilities have shorter release lags as more effort is put into communicating and remediating more serious vulnerabilities. Over 1,500 sources reported over 114,000 times on vulnerabilities prior to release, including community intelligence and adversary intelligence sources on the deep and dark web. The major vendors involved are Google, Apple, Microsoft, and Oracle, according to researchers from Recorded Future.
Researchers differ on the time delay between a vulnerability being officially recognised and allocated a CVE reference and an exploit being available, but in some cases the delay can be very short indeed. A week is regarded as a maximum – the race looks something like this:
The researchers found that at least 5 per cent of vulnerabilities are detailed in the deep and dark web prior to NVD release and these have higher severity levels than expected. Interestingly, only a perhaps-lower-than-expected 30 per cent are found in foreign language content.
“We observed 12,517 CVEs that were first published on NVD in 2016-2017. Of these, 75% (9,505) had open, deep, or dark web coverage available prior to the NVD release. We observed a median gap of seven days advance notice for these CVEs. Median is certainly not to be confused with the mean. Longer gaps are quite common with 25% of CVEs having at least 50-day gaps and 10% having gaps of over 170 days”, stated the researchers.
So where are these reliable early sources of vulnerabilities? Unfortunately, the researchers found first reporting of CVEs spread across more than 300 sources, from the fairly obvious advisories published by the affected companies themselves, such as Oracle Technology Network and Android Security Bulletin Advisories, to less obvious areas. The latter included Rapid7's Metasploit Exploit Database and Security-Database, as well as perhaps the top tip of the day: the Chinese National Vulnerability Database maintained by the China Information Security Evaluation Center, which has been the first to report 200 CVEs since 2016.
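The researchers' headline figures (share of CVEs with prior coverage, median gap, 25th and 10th percentile tails, and which source got there first) are straightforward to reproduce over your own feed once you record, per CVE, the NVD publication date and the first date each monitored source mentioned it. The script below is an added example, not Recorded Future's code or data: the records, source names and CVE identifiers are constructed placeholders, and the percentile function is a simple nearest-rank implementation chosen for small samples. It also handles the edge case the article's numbers depend on, namely that a mention dated on or after the NVD release is not advance notice and must not count.

```python
"""Measure the gap between the first public mention of a CVE and its NVD
publication date, in the style of the analysis summarised in the article.
All records here are constructed sample data; the CVE ids are placeholders."""
from collections import Counter
from datetime import date
from math import ceil
from statistics import median

# Constructed sample: (cve_id, nvd_published, {source: first_seen_date})
SAMPLE = [
    ("CVE-0000-0001", date(2017, 3, 14),
     {"vendor-advisory": date(2017, 3, 7), "security-site": date(2017, 3, 9)}),
    ("CVE-0000-0002", date(2017, 5, 2),
     {"dark-web-forum": date(2017, 1, 10)}),
    ("CVE-0000-0003", date(2017, 6, 20), {}),          # NVD itself was first
    ("CVE-0000-0004", date(2017, 8, 1),
     {"exploit-db": date(2017, 6, 12)}),
    ("CVE-0000-0005", date(2017, 9, 9),
     {"foreign-nvd": date(2017, 9, 8),
      "security-site": date(2017, 9, 12)}),            # second one is after NVD
]


def earliest_prior_mention(nvd_published, mentions):
    """Return (source, gap_days) for the earliest mention strictly before the
    NVD date, or None when NVD was first. Mentions dated on or after the NVD
    release are ignored: they are not advance notice."""
    prior = {src: seen for src, seen in mentions.items() if seen < nvd_published}
    if not prior:
        return None
    source = min(prior, key=prior.get)
    return source, (nvd_published - prior[source]).days


def percentile(values, pct):
    """Nearest-rank percentile; adequate for small samples like this one."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarise(records):
    """Coverage share, gap distribution and first-reporter tally for a feed."""
    gaps = []
    reporters = Counter()
    for _cve_id, nvd_published, mentions in records:
        hit = earliest_prior_mention(nvd_published, mentions)
        if hit:
            source, gap = hit
            gaps.append(gap)
            reporters[source] += 1
    return {
        "total": len(records),
        "covered": len(gaps),
        "coverage_pct": round(100 * len(gaps) / len(records), 1),
        "median_gap": median(gaps) if gaps else 0,
        "p75_gap": percentile(gaps, 75) if gaps else 0,  # top quarter of gaps
        "p90_gap": percentile(gaps, 90) if gaps else 0,  # top tenth of gaps
        "first_reporters": reporters,
    }


if __name__ == "__main__":
    stats = summarise(SAMPLE)
    print(f"{stats['covered']}/{stats['total']} CVEs ({stats['coverage_pct']}%) "
          f"had coverage before NVD; median gap {stats['median_gap']} days, "
          f"75th pct {stats['p75_gap']}, 90th pct {stats['p90_gap']}")
    for source, count in stats["first_reporters"].most_common():
        print(f"  first reporter: {source} ({count})")
```

Run against a real feed, the `first_reporters` tally is the part worth watching: it tells you which of the several hundred sources actually delivered early notice for the products you run, and therefore which handful are worth monitoring directly rather than waiting for the NVD entry.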
In short, trusting only specific vendors and major government databases as your sole source of vulnerability information is a flawed plan. Although that probably comes as no surprise, the difficulty of keeping tabs on more than 300 sources is considerable, and that is before any mitigation work. That said, the headline-grabbing WannaCry exploit had the impact it did because patches hadn't been applied in time, not because the threat hadn't been recognised, defined as a CVE and then patched by the vendor.
Ilia Kolochenko, CEO of High-Tech Bridge commented at the time that it was the enterprise part of the chain that really failed: “The real problem comes from organizations that failed to install security patches for almost two months, implement appropriate network segregation and assure daily backups. Cybercriminals are just leveraging their carelessness.
“Unfortunately, I don’t think that we will see a significant difference in the near future. Negligent IT personnel don’t have a clear incentive to change anything, as it will hardly improve their own lives, salaries or even comfort at work. Once several IT contractors will be held liable for negligence and breach of duty [for failure to install security patches for two months] – we will start seeing vigorous improvements. Otherwise, omitting temporary and minor ameliorations, nothing will really change.”