BLOG

Threat Intelligence & Vulnerability Management 101: Best Practice Guide

10 minute read

The best way to outsmart the adversary is to anticipate their next move. This is true of both cyber, and physical, enemies. However, this assumes a level of gusto on the bad actors’ part – when the reality is that many threat actors and groups are more interested in easy success than trying to innovate. For instance, a common approach for threat actors is to exploit existing software vulnerabilities, an arguably easy attack vector, because employees don’t routinely allow updates to their devices. In fact, in 2021 alone there were over 20K vulnerabilities found – easy pickings for bad actors. The fix? Threat intelligence that informs  vulnerability management, so organizations can prioritize their efforts to prevent the most likely exploits before they happen.

In this post, we’ll cover the broad scope of vulnerabilities as well as the best methods for intelligence-driven mitigation. We’ll also discuss a few best practices to put in place to see immediate, measurable results. 

What is threat intelligence?

Threat intelligence overall is the practice of collecting large amounts of data from various sources, including the surface, deep, and dark web, and analyzing them to provide context and actionable insights to improve decision making. In other words, knowing which areas of your business are vulnerable to cyber attacks requires a level of threat intelligence. 

Of course, that’s what you might hear about threat intelligence from a marketing standpoint. For the security professionals who are in the weeds on a daily basis working to thwart and respond to attacks, threat intelligence tells them what is worth worrying about and what is worthless chatter. 

Although business leaders often focus on the nefarious threat actors operating throughout the dark web, an impactful threat intelligence program must have the power to collect across the entire internet – open, deep, and dark – at scale, monitor social media, and sustain visibility in covert communications channels. Security professionals are challenged to maintain awareness of the various threat actors, underground forums, vulnerability exploits, and attack vectors…and how those threats specifically pertain to their organization, including all critical internal and external assets. 

Why is threat intelligence important?

Threat intelligence capitalizes on the collection of hundreds of thousands, sometimes even millions of datapoints, and adds context that highlights the biggest risks security professionals need to address. 

The notion that all threat actors are sophisticated, meticulous computer experts has been proven false. But, since threat actors have long had the advantage in the digital world of going unnoticed before a cyberattack, that element of surprise has often been misinterpreted – or even intentionally misrepresented – as sophistication.  To counter that historical advantage of stealth, leaders across industries now view threat intelligence as a vital component of a mature, proactive cybersecurity posture.

Threat intelligence provides visibility into cyber-activities, not only providing insights into what  attackers have done, but also often delivering assessments of what they will likely do next. When configured properly, threat intelligence empowers security teams to more effectively identify and disrupt impending targeted attacks. Security teams can be alerted about relevant, active breaches that are secretly exposing the personal identifiable information (PII) of customers or executives to thousands of earnest cybercriminals.

A strong intelligence program also empowers  teams outside security to make better decisions.Whether teams are fundamentally responsible for security or not, disseminating relevant intelligence across the organization can help all teams mitigate risk for the organization, its partners, and its customers. Intelligence can create vast time and effort reduction against low-level threats, attacks aimed at dissimilar companies, and concerns around vulnerability exploits targeting systems and applications not present in your network. In 2021 alone, there were more than 20,000 common vulnerabilities and exposures (CVEs) reported. It is worth noting that this figure only accounts for known vulnerabilities, meaning zero-day threats represent additional uncalculated risks to organizations. Nobody has enough time, energy, or personnel to address that many vulnerabilities in real time. Confidently prioritizing threats and patching vulnerabilities most likely to be exploited by them is the key to risk reduction.

According to the most recent SANS Institute CTI Survey, only around one-third of respondents had formal, documented intelligence requirements and another one-third said their requirements were created on an ad hoc basis. Documenting intelligence requirements – aligned to identified stakeholders – is a key starting point for any security organization. Without these requirements as a guide, intelligence collection, analysis, and production are unlikely to yield the expected value. Conversely, stakeholder-approved intelligence requirements enable intelligence teams to track meaningful metrics and measure the impact of the intelligence program. Maturing ad hoc intelligence processes into a holistic, strategic threat intelligence program that incorporates the intelligence cycle and documented requirements empowers a security organization to put more energy into supporting the growth of their business, rather than wasting valuable resources chasing threats hyped by the media (but not relevant to the business).

How does threat intelligence work?

We previously mentioned what threat intelligence means. But how does it actually work? 

Threat intelligence works through the intelligence cycle. This is also sometimes referred to as the cyber threat intelligence cycle, although it doesn’t apply only to cyber threats. The threat intelligence cycle provides a framework for your security teams to plan and implement their protective tactics and strategies against malicious digital behaviors. There are six phases in the Intelligence Cycle: 

According to the most recent SANS Institute CTI Survey, only around one-third of respondents had formal, documented intelligence requirements and another one-third said their requirements were created on an ad hoc basis. Documenting intelligence requirements – aligned to identified stakeholders – is a key starting point for any security organization. Without these requirements as a guide, intelligence collection, analysis, and production are unlikely to yield the expected value. Conversely, stakeholder-approved intelligence requirements enable intelligence teams to track meaningful metrics and measure the impact of the intelligence program. Maturing ad hoc intelligence processes into a holistic, strategic threat intelligence program that incorporates the intelligence cycle and documented requirements empowers a security organization to put more energy into supporting the growth of their business, rather than wasting valuable resources chasing threats hyped by the media (but not relevant to the business).

Through threat intelligence, businesses are able to gain insight into the reality of the risks they’re facing. This includes insight into dark web forums where threat actors may be discussing vulnerabilities that were not otherwise known or disclosed. 

What is vulnerability management?

Vulnerability management is similar to the threat intelligence cycle, because it too is cyclical in nature.

Vulnerability management is the practice or process of identification and classification of vulnerabilities followed by the remediation, mitigation of, and reporting on software vulnerabilities, sometimes called CVEs or Zero Day exposures. This is different from the practice of vulnerability intelligence or assessment, which we will dive into in a moment. 

How does vulnerability management work?

Threat intelligence and vulnerability management work hand in hand to address weaknesses. Vulnerability management is a strategic initiative that works in four stages:

  1. Identification: This is done through vulnerability intelligence, which looks for common vulnerabilities and exposures in software used throughout your organization as well as other businesses or software your org utilizes. 
  2. Evaluation: Whether through an outside analyst, AI-powered software, or internal team, this stage tells security teams whether the software vulnerability presents a real risk to the organization and how high that level of risk is. This helps in the prioritization of pushing software updates and other response efforts. 
  3. Treatment/Mitigation: In this stage, the security team can put into place software patches and updates as well as other methods of remediation. This stage may include the acceptance of a vulnerability that is deemed low risk. 
  4. Reporting: Reporting should include a vulnerability assessment of any that were accepted, as well as the dissemination of information to the IT security team on vulnerabilities that were resolved or mitigated. This can help during the evaluation or triage stage should another risk of similar nature occur. 

What is vulnerability intelligence?

Vulnerability management and vulnerability intelligence are often, incorrectly, used interchangeably. However, vulnerability intelligence is only the first step or stage in vulnerability management. 

Vulnerability intelligence is a specific form of threat intelligence focused on the aggregation or dissemination of information about device or software vulnerabilities, including new vulnerabilities and updates to those previously known, in order to help security professionals and systems administrators make better, more complete decisions about treating vulnerability risks. In other words, vulnerability intelligence is cyber threat intelligence that deals specifically with software vulnerabilities, bugs, and exploits that may be used by digital adversaries to infiltrate target organizations. 

This intelligence is gathered through a variety of methods including, but not limited to, deploying red teams to test your network and software, monitoring the dark web for chatter of common vulnerabilities, and keeping a pulse on software patches and updates being pushed and why. 

Vulnerability intelligence vs. vulnerability management

As previously mentioned, vulnerability intelligence is just one stage in the vulnerability management lifecycle. Where many organizations fall flat is having a vulnerability intelligence program without an actionable vulnerability management strategy – or vice versa. 

Vulnerability intelligence will only tell you what the current vulnerabilities are and what type of risk these vulnerabilities present. It won’t, however, tell you what to do about them or whether you should do anything at all. That is all part of the ongoing cycle of vulnerability management. Likewise vulnerability management without intelligence can’t tell you which vulnerabilities exist at all. 

Best practices for vulnerability intelligence and management

When it comes to building a threat intelligence and vulnerability management strategy, there are a few best practices to get you started. 

Best Practice 1: Plan ahead with room for flexibility

This best practice seems so simple, yet when it comes to vulnerability intelligence and management, it can often be overlooked. That is simply to have a vulnerability intelligence or threat intelligence software in place so that you can plan ahead when patches or updates need to be made. 

Vulnerabilities will always be part of the threat environment. Planning ahead for software vulnerabilities and having an incident response plan in place in case a CVE is exploited can save time and energy later. Additionally, it’s crucial to include vulnerability intelligence in your overall threat intelligence strategy. 

Best Practice 2: Understand threat priorities

When a big, newsworthy breach happens, your executives are probably asking “are we at risk?” – and the answer is, maybe. But the only way to know is to know which type of device or software you use that houses the most sensitive information. For example, a vulnerability found in Microsoft office might not be as big of a risk to your business when your entire company uses Google on Apple devices. 

Going a step further, focus on the vulnerabilities that will impact your industry most. It might be tempting to worry when companies like Uber are compromised through CVEs resulting in breaches. However, stay in your lane and you won’t go wrong. 

Best Practice 3: Strategically patch and apply updates

The final best practice applies more to the vulnerability management cycle than the vulnerability intelligence side, however it is something we would be remiss not to share. 

Pushing software updates and patches isn’t always the right answer to address CVEs. Of course, you shouldn’t avoid vulnerability recommendations and updates, but it’s important to patch strategically. That requires your IT team to look at the impact of each patch or update to make sure that it will not negatively impact another software application. Patch strategically and have your security team and IT staff work in tandem to ensure that all updates are pushed to users properly. 

How ZeroFox handles threat intelligence and vulnerability management

ZeroFox understands the need to quickly and efficiently address common vulnerabilities that allow threat actors to target your business. With ZeroFox’s team of dedicated threat intelligence experts combined with AI and automation, customers are able to stay aware of vulnerabilities with actionable insights. 

If you’re in the process of creating your threat intelligence program and strategy, download our Buyer’s Guide for Threat Intelligence

See ZeroFox in action