Staying one step ahead of potential threats has become an increasingly challenging endeavor. As threat actors continue to refine their tactics and become more advanced, the need to anticipate and mitigate risks has never been more important. This is as true for large organizations as it is for the general consumer (you and me).
A defensive technique I mentioned in a previous post is called Threat Intelligence. This is a proactive approach to security which gives security teams insights, and sometimes concrete indicators, about emerging threats and potential attack patterns. Threat intelligence is where human expertise and discernment meet technological analysis: data is gathered and analyzed to predict potential threats. The process involves identifying threat actors, determining their motives, tactics, techniques, and procedures (TTPs), and finding patterns in the targets and vulnerabilities that these threat actors exploit. Human insight and experience coupled with technology can help keep defenders one step ahead when safeguarding networks and personal data.
One of the critical factors in staying proactive rather than reactive is early threat detection. This relies upon human-driven analysis to pick up on potential threats before they come to fruition. One way to do this is to monitor online forums, dark web marketplaces, and social media sites. Indicators of compromise can be found and discussed in some of the “darker” places of the Internet, and many organizations have placed contacts within these areas to keep an eye on chatter and transactions of data, especially data involved in recent breaches (see “haveibeenpwned.com”). This sometimes allows ethical cybersecurity professionals to be tipped off to threats before a threat actor can use the data for an attack.
TTPs (Tactics, Techniques, Procedures) can be thought of as the Modus Operandi (MO) of threat actors. If a known threat actor is attributed to several attacks in a row, and they all involve hospitals and start with Remote Desktop Protocol (RDP) exploitation, then the hospital where you are a SOC Analyst should probably take extra precautions when configuring and allowing RDP. Picking up on attack patterns and TTPs can proactively help keep your data safe.
Speaking of the SOC (Security Operations Center), tuning alerts and filtering out “noise” and false positives is another way to proactively use threat intelligence (even benign threat intelligence) to fine-tune security events and make sure that your team is alert and ready for when a true-positive alert comes through. Alert fatigue is real, and many SOC Analysts feel it. Having the right human intuition paired with the right technology stack is imperative to a successful defense.
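To make the two previous paragraphs concrete, here is an added example (not from the original post) of how a SOC might apply both kinds of intelligence to RDP logon events: a hypothetical actor-TTP indicator list raises the priority of matching sources, a "benign" list of known internal scanners and jump hosts suppresses their noise, and the RDP password-guessing pattern is detected from the remaining events. All IP addresses, event records and thresholds are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intelligence feed: hypothetical values, not real indicators.
MALICIOUS_SOURCES = {"203.0.113.7": "actor tracked for RDP intrusions against hospitals"}
# "Benign" intelligence: internal systems that legitimately generate RDP noise.
# Suppressing them is what keeps analysts from drowning in false positives.
KNOWN_BENIGN_SOURCES = {"10.0.5.20": "vulnerability scanner", "10.0.1.5": "admin jump host"}
FAILURE_THRESHOLD = 5  # failed RDP logons from one source before we raise an alert

@dataclass
class Alert:
    src_ip: str
    severity: str
    reason: str

def triage_rdp_events(events):
    """Rank RDP logon events using threat intelligence.

    Each event is a constructed Windows-style record:
    {"src_ip": str, "event_id": 4624 (logon success) or 4625 (failure), "user": str}.
    Returns (alerts, number_of_suppressed_events)."""
    alerts, suppressed = [], 0
    failures = Counter()      # failed logons per external source
    already_flagged = set()   # avoid one alert per event for a known-bad source
    for ev in events:
        src = ev["src_ip"]
        if src in KNOWN_BENIGN_SOURCES:
            suppressed += 1   # known-good source: drop as noise
            continue
        if src in MALICIOUS_SOURCES:
            if src not in already_flagged:
                already_flagged.add(src)
                alerts.append(Alert(src, "high", f"source matches TI: {MALICIOUS_SOURCES[src]}"))
            continue
        if ev["event_id"] == 4625:
            failures[src] += 1
            if failures[src] == FAILURE_THRESHOLD:
                alerts.append(Alert(src, "medium", "RDP password-guessing pattern"))
        elif ev["event_id"] == 4624 and failures[src] >= FAILURE_THRESHOLD:
            alerts.append(Alert(src, "high", "RDP success after repeated failures"))
    return alerts, suppressed

# Constructed sample log: scanner noise, a guessing burst that succeeds, and a TI hit.
SAMPLE_EVENTS = (
    [{"src_ip": "10.0.5.20", "event_id": 4625, "user": "svc"}] * 3
    + [{"src_ip": "198.51.100.9", "event_id": 4625, "user": "admin"}] * 6
    + [{"src_ip": "198.51.100.9", "event_id": 4624, "user": "admin"}]
    + [{"src_ip": "203.0.113.7", "event_id": 4624, "user": "nurse1"}]
)
```

Running `triage_rdp_events(SAMPLE_EVENTS)` yields three alerts (one medium, two high) and three suppressed scanner events, so the analyst sees the actor-related logon and the guessing burst rather than eleven raw events.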
Lastly, and this speaks to SOC Analysts again, having the right security awareness training for employees can go a long way. It does not do much good if only your 8 SOC employees are aware of a threat actor's TTPs, or if only your CEO knows about a password list that was floating around on the dark web. Empowering your human employees with threat intelligence can in turn produce more actionable threat intelligence. Organizations are only as strong as their weakest link, and security is everyone’s job. Ensure that recent attack trends and the potential security threats that your organization is watching out for are appropriately disseminated to all applicable employees or personnel who have a stake in your information assets. Remember that threat intelligence is an ongoing task which is always changing with the threat landscape: new attackers, tools, and methodologies. Threat intelligence is most effective when it is paired with powerful technology, driven and curated by human expertise.