The race between security professionals and adversaries

Posted by lipsius at 2020-03-15

"The Race Between Security Professionals and Adversaries"

Source: Internet threat intelligence, Bill Ladd, June 7, 2017

This paper studies the interval between a vulnerability's first public disclosure and its publication in the National Vulnerability Database (NVD), to understand the timelines of security organizations and threat actors.

75% of vulnerabilities were disclosed before their NVD publication, with a median lead of seven days.

This median gap is growing, and keeping vulnerability management teams up to date is becoming more complex as the gap widens.

More than 1,500 sources, including adversary intelligence sources on the deep web and dark web, produced more than 114,000 reports of vulnerabilities before NVD publication.

Higher-severity vulnerabilities have a shorter publication lag, because more effort goes into communicating and fixing the most serious ones. Lag times also differ from company to company.

Before NVD publication, 5% of the vulnerabilities had already been discussed in detail on the deep web and dark web; these vulnerabilities were more severe than the baseline, and 30% of those discussions were in languages other than English.

The vendors most often involved are Google, Apple, Microsoft and Oracle.

Figure 1. Vulnerability timeline

The importance of a comprehensive strategy for assessing the risk of emerging vulnerabilities has been reported previously, along with some important case studies.

Earlier work also looked at the time NIST's National Vulnerability Database (NVD) takes to publish and score a vulnerability, which is typically about a week. In this study, the author provides a more data-driven overview of the emerging-vulnerability ecosystem.

The paper first investigates the well-known gap between the first public report of a vulnerability and its publication in NVD. The survey used the Recorded Future platform, which applies natural language processing and machine learning to open, deep and dark web content; Recorded Future collects and analyzes content from more than 750,000 sources. For this investigation, the analysis relies mainly on CVE identifier extraction and on product and company entity detection.

The paper observes 12,517 CVEs first published in NVD during 2016-2017, of which 75% (9,505) had open, deep or dark web coverage before NVD publication. These CVEs had a median lead of seven days. The median should not be confused with the average: 25% of CVEs had a gap of at least 50 days, and 10% had a gap of more than 170 days.

The author also studied the trend in the gap for CVEs first announced in 2016 and found that it changed over time: five months for CVEs announced in the first six months, and eight days for CVEs announced in the following six months. These figures cover only the CVEs that were subsequently added to NVD; more than 500 CVEs first seen in 2016 are still waiting for an NVD entry.

Figure 2. General life cycle of CVE

The typical CVE life cycle begins when a researcher or vendor discovers a vulnerability and requests a CVE number. They prepare a preliminary analysis and publish the vulnerability through some channel, most formally on the company's website, or perhaps on a security blog. NIST works in parallel on its own preliminary analysis for the NVD entry. Waiting for the NVD entry is clearly not enough for timely awareness: 114,709 documents referencing CVEs were observed from 1,575 different sources before NVD publication, plus 15,669 tweets.

Clearly, other content sources must be tracked to stay current on the latest vulnerabilities. Perhaps surprisingly, first reports of CVEs appear on more than 300 sources. Many of these first announcements come from the companies themselves, such as the Oracle Technology Network and the Android Security Bulletin advisories. Others are vulnerability projects or aggregators that cover a wide range of vendors, such as Rapid7's Metasploit exploit database and Security Database. Keeping up is not easy, and English-language content alone is not enough: about 200 CVEs were first published by the China National Vulnerability Database (CNNVD), maintained by the China Information Technology Security Evaluation Center.

Figure 3. China National Vulnerability Database of Information Security (CNNVD)

Looking closely at the gap between a vendor's announcement and NVD publication also reveals different behavior across organizations. Some companies manage it fairly tightly, with a small median gap, such as Adobe (one day) and Microsoft (two days). Other companies have a median gap of more than 30 days.

Figure 4. Vulnerability release time difference of multiple companies

Above: gap between initial vulnerability disclosure and NVD publication in 2016-2017. Includes CVEs with positive gaps and companies/projects with more than 100 vulnerabilities. The center line in each box plot is the median of the data, and the box itself spans the first and third quartiles. Whiskers extend to the data points within the main distribution, and each point beyond them is plotted as an "outlier".
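To make the statistics in the two passages above concrete (median versus percentiles of the publication gap, and the per-vendor box plot quantities described in the caption), here is an added example in Python. It is not the study's code or data: the CVE identifiers, vendors, dates and CVSS values are constructed placeholders, and the nearest-rank percentile, the 1.5 x IQR whisker rule and the min_count cutoff are this example's assumptions.

```python
"""Publication-gap statistics for CVEs, as in the study above.

Added example: the records below are constructed placeholders, not the study's data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class CveRecord:
    cve_id: str          # placeholder identifiers, not real CVEs
    vendor: str
    first_seen: date     # earliest public report observed
    nvd_published: date  # date the NVD entry appeared
    cvss: float          # final CVSS base score (constructed values)


def gap_days(rec):
    """Advance notice in days: positive when a report preceded the NVD entry."""
    return (rec.nvd_published - rec.first_seen).days


def percentile(values, p):
    """Nearest-rank percentile, p an integer 0..100 (integer arithmetic, no float error)."""
    s = sorted(values)
    if not s:
        raise ValueError("no values")
    rank = (p * len(s) + 99) // 100          # ceil(p/100 * n)
    return s[max(rank, 1) - 1]


def gap_summary(records):
    """Overall picture: share with advance notice, median vs mean, tail percentiles."""
    gaps = [gap_days(r) for r in records]
    positive = [g for g in gaps if g > 0]    # only CVEs that had advance notice
    return {
        "total": len(gaps),
        "with_advance_notice": len(positive),
        "share_with_notice": round(len(positive) / len(gaps), 3),
        "median_gap": median(positive),
        "mean_gap": round(sum(positive) / len(positive), 1),
        "p75_gap": percentile(positive, 75),  # 25% of CVEs have at least this gap
        "p90_gap": percentile(positive, 90),  # 10% of CVEs have at least this gap
    }


def box_stats(values, whisker=1.5):
    """Box plot numbers as in the figure caption: median, Q1-Q3 box, whiskers at the
    outermost points within whisker*IQR of the box, everything beyond as outliers."""
    q1, med, q3 = percentile(values, 25), median(values), percentile(values, 75)
    lo, hi = q1 - whisker * (q3 - q1), q3 + whisker * (q3 - q1)
    inside = [v for v in values if lo <= v <= hi]   # never empty: q1 and q3 are inside
    return {
        "median": med, "q1": q1, "q3": q3,
        "whisker_low": min(inside), "whisker_high": max(inside),
        "outliers": sorted(v for v in values if v < lo or v > hi),
    }


def per_vendor_box(records, min_count=3):
    """Positive gaps grouped by vendor. The study kept vendors with more than 100 CVEs;
    min_count plays that role on this small sample."""
    by_vendor = defaultdict(list)
    for r in records:
        if gap_days(r) > 0:
            by_vendor[r.vendor].append(gap_days(r))
    return {v: box_stats(g) for v, g in by_vendor.items() if len(g) >= min_count}


def severity_by_notice(records, threshold=7):
    """Median CVSS for CVEs with at most `threshold` days of notice vs more than that."""
    short = [r.cvss for r in records if gap_days(r) <= threshold]
    long_ = [r.cvss for r in records if gap_days(r) > threshold]
    return {"short_notice": median(short), "long_notice": median(long_)}


# Constructed sample: two vendors with several CVEs each, one with no advance
# notice (same-day and NVD-first entries) and one with a single CVE.
SAMPLE_RECORDS = [
    CveRecord("CVE-EXAMPLE-A1", "VendorA", date(2016, 3, 1), date(2016, 3, 2), 7.5),
    CveRecord("CVE-EXAMPLE-A2", "VendorA", date(2016, 4, 10), date(2016, 4, 11), 8.1),
    CveRecord("CVE-EXAMPLE-A3", "VendorA", date(2016, 5, 5), date(2016, 5, 7), 9.8),
    CveRecord("CVE-EXAMPLE-A4", "VendorA", date(2016, 6, 1), date(2016, 6, 2), 7.4),
    CveRecord("CVE-EXAMPLE-A5", "VendorA", date(2016, 7, 1), date(2016, 8, 15), 6.1),
    CveRecord("CVE-EXAMPLE-B1", "VendorB", date(2016, 3, 1), date(2016, 3, 31), 5.5),
    CveRecord("CVE-EXAMPLE-B2", "VendorB", date(2016, 4, 1), date(2016, 5, 11), 7.2),
    CveRecord("CVE-EXAMPLE-B3", "VendorB", date(2016, 5, 1), date(2016, 6, 5), 6.8),
    CveRecord("CVE-EXAMPLE-B4", "VendorB", date(2016, 6, 1), date(2016, 11, 28), 3.5),
    CveRecord("CVE-EXAMPLE-C1", "VendorC", date(2016, 8, 1), date(2016, 8, 1), 9.0),
    CveRecord("CVE-EXAMPLE-C2", "VendorC", date(2016, 9, 10), date(2016, 9, 5), 6.5),
    CveRecord("CVE-EXAMPLE-D1", "VendorD", date(2016, 10, 19), date(2016, 11, 10), 7.8),
]

if __name__ == "__main__":
    print(gap_summary(SAMPLE_RECORDS))
    for vendor, stats in per_vendor_box(SAMPLE_RECORDS).items():
        print(vendor, stats)
    print(severity_by_notice(SAMPLE_RECORDS))
```

On this sample the median gap (26 days) sits below the mean (35.7 days) because of one long-tail entry, which is the point the text makes about not confusing the two; VendorA's one 45-day gap is reported as an outlier beyond the whisker rather than stretching the box.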

What these gaps mean is not clear. When the gap between an organization's announcement and NVD's is very small, is the organization resolving new vulnerabilities quickly, or holding back announcements of known vulnerabilities until the last minute, leaving customers unaware of exposed infrastructure? Do companies with large gaps give customers as much information as possible to protect themselves, or are they investing too few resources in managing vulnerabilities in their products?

Overall, the median final CVSS score of these CVEs is 6.8, and CVEs with more than one week of advance notice have a lower median CVSS score than the rest. This difference is statistically significant, and is consistent with organizations and NVD analysts focusing on the more serious vulnerabilities.

Figure 5. The race to patch vulnerabilities

So this is the race between defenders and their adversaries: identifying vulnerabilities, then developing, releasing and deploying patches as quickly as possible. It is a race because the two sides are competing against each other.

Adversaries do not wait for NVD publication and preliminary CVSS scores to plan attacks. The race usually starts with the first disclosure of a vulnerability. That disclosure triggers activity in adversary organizations, and from then on the race is about developing and deploying patches. Researchers' reports are often reposted directly to deep web and dark web sites; they may even be translated into Russian and posted on Russian criminal forums. Proof-of-concept code is then discussed, released and sold.

Adversaries also compete with an unfair advantage: they need only one vulnerability to get through an organization's defenses to cause damage, while the vulnerability management team must guard against every possible vulnerability.

The author investigated using Recorded Future to collect adversary intelligence from dark corners of the Internet, including paste sites, criminal forums and onion sites, places where you do not want to see your own email address.

Perhaps surprisingly, adversaries are not shy about working explicitly with CVE identifiers. A common vulnerability naming scheme is just as useful to adversaries as to security researchers.

Before NVD publication, the author observed 539 CVEs reported on deep web and dark web pages across 53 different sources (5% of all CVEs with advance notice, 30% of them in foreign-language content), with 91 distinct actors each discussing up to 10 CVEs. These actors are clearly monitoring the sources needed to track recent vulnerabilities. Not surprisingly, adversaries focused on more dangerous vulnerabilities (median CVSS score 6.5, against a baseline of 6.0).

Figure 6. CVSS scores of CVEs seen on the deep and dark web

In fact, the median CVSS of the 20 most-discussed vulnerabilities on the deep and dark web is 7.2. One might expect the scores in adversary intelligence sources to be higher still, but the suspicion is that the most serious CVEs are patched faster and so are not always as valuable to exploit developers. Among the CVEs adversaries reported before NVD publication, the company ranked first is Google, second Apple, third Microsoft and fourth Oracle; Google alone has more such CVEs than the other three combined.

CVE example: Dirty COW

To take a specific example, the Linux kernel vulnerability CVE-2016-5195 (commonly known as Dirty COW) was announced on October 19, 2016 and covered by many information security sources. Within two days, the preliminary report had been translated into Russian and posted on a Russian criminal forum. Six days later, proof-of-concept code was posted on Pastebin. This potential exploit code was available two weeks before NVD first published the CVE on November 10.

Recorded Future maintains a vulnerability risk score that combines risk-related content with any available CVSS score. The risk list often contains 600-700 CVEs not yet published in NVD, and on any given day 30-40 vulnerabilities are being reported on the deep and dark web. At the time of analysis, the author also reviewed the top-ranked unpublished CVEs.

What will be the next vulnerability for you or your company?

The analysis of new vulnerabilities in this paper shows the importance of a comprehensive approach to collecting information about them. No individual can monitor the full set of relevant sources alone. It should also be clear that adversary organizations and security professionals watch the same original sources and select the vulnerabilities most suitable to work on. Much of that adversary activity can be observed and used to help vulnerability risk management (VRM) teams prioritize their actions.
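As an added illustration of the two points above (a risk score that combines observed activity with the CVSS score where one exists, and using adversary activity to prioritize a VRM team's work), here is a small triage model in Python. It is not Recorded Future's risk score: the source weights, the proof-of-concept bonus, the provisional score for CVEs that NVD has not yet scored, and all records are this example's assumptions; the CVE identifiers are placeholders, and the first record's sequence of mentions (blog post, Russian-language forum copy two days later, paste-site proof of concept, no NVD entry yet) only mirrors the Dirty COW timeline the post describes.

```python
"""Prioritizing CVEs from adversary-source activity observed before NVD publication.

Added example, not Recorded Future's risk score: the weights, the provisional score
for unscored CVEs and all records below are this example's assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Weight of one mention by source type. Vendor advisories are routine; paste
# sites and criminal forums indicate adversary interest (assumed weights).
SOURCE_WEIGHT = {
    "vendor_advisory": 0.0,
    "security_blog": 0.5,
    "paste_site": 2.0,
    "criminal_forum": 3.0,
}
POC_BONUS = 2.0          # proof-of-concept code posted with a mention
PROVISIONAL_CVSS = 6.0   # stand-in while NVD has not scored the CVE (assumed value)


@dataclass(frozen=True)
class Mention:
    source_type: str
    seen: date
    language: str = "en"
    has_poc: bool = False


@dataclass
class CveState:
    cve_id: str                          # placeholder identifiers, not real CVEs
    cvss: Optional[float] = None         # None until NVD publishes a score
    nvd_published: Optional[date] = None
    mentions: list = field(default_factory=list)


def is_scored(state, as_of):
    """True once NVD has published the entry (and its score) as of the given day."""
    return (state.cvss is not None and state.nvd_published is not None
            and state.nvd_published <= as_of)


def base_score(state, as_of):
    """Final CVSS once available; otherwise the provisional value (the edge case
    for the 600-700 unpublished CVEs the text mentions)."""
    return state.cvss if is_scored(state, as_of) else PROVISIONAL_CVSS


def adversary_signal(state, as_of):
    """Weighted count of mentions observed up to as_of, plus a PoC bonus."""
    seen = [m for m in state.mentions if m.seen <= as_of]
    unknown = {m.source_type for m in seen} - set(SOURCE_WEIGHT)
    if unknown:
        raise ValueError(f"unknown source type(s): {sorted(unknown)}")
    signal = sum(SOURCE_WEIGHT[m.source_type] for m in seen)
    if any(m.has_poc for m in seen):
        signal += POC_BONUS
    return signal


def risk_score(state, as_of):
    """Base severity plus adversary signal; used only for ranking, not a CVSS."""
    return base_score(state, as_of) + adversary_signal(state, as_of)


def advance_notice_days(state):
    """Days between the earliest mention and the NVD entry; None if not yet published."""
    if state.nvd_published is None or not state.mentions:
        return None
    return (state.nvd_published - min(m.seen for m in state.mentions)).days


def rank(states, as_of):
    """(cve_id, score, nvd_scored) tuples, highest score first, id as tie-breaker."""
    rows = [(s.cve_id, risk_score(s, as_of), is_scored(s, as_of)) for s in states]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample, evaluated as of 2016-10-28.
AS_OF = date(2016, 10, 28)
SAMPLE = [
    CveState("CVE-EXAMPLE-1", mentions=[          # unpublished, heavy adversary interest
        Mention("security_blog", date(2016, 10, 19)),
        Mention("criminal_forum", date(2016, 10, 21), language="ru"),
        Mention("paste_site", date(2016, 10, 27), has_poc=True),
    ]),
    CveState("CVE-EXAMPLE-2", cvss=9.8, nvd_published=date(2016, 10, 1), mentions=[
        Mention("vendor_advisory", date(2016, 9, 30)),   # critical but quiet
    ]),
    CveState("CVE-EXAMPLE-3", cvss=5.0, nvd_published=date(2016, 10, 10), mentions=[
        Mention("security_blog", date(2016, 9, 1)),
        Mention("criminal_forum", date(2016, 9, 5)),
        Mention("criminal_forum", date(2016, 11, 1)),    # after AS_OF: ignored
    ]),
    CveState("CVE-EXAMPLE-4", cvss=7.5, nvd_published=date(2016, 11, 15), mentions=[
        Mention("vendor_advisory", date(2016, 10, 25)),  # NVD entry still in the future
    ]),
]

if __name__ == "__main__":
    for cve_id, score, scored in rank(SAMPLE, AS_OF):
        print(f"{cve_id:15} score={score:5.1f} nvd_scored={scored}")
```

The unpublished CVE with forum and paste-site activity ranks above a CVSS 9.8 entry that nobody is discussing, which is the prioritization shift the text argues for; a CVE whose NVD entry lies after the evaluation date is deliberately treated as unscored rather than using a score the team would not have had on that day.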

Original link: