Validated Vulnerability Intelligence
Validated vulnerability intelligence is a specific type of threat intelligence that provides enriched, contextual, and verified information about security vulnerabilities. Unlike a basic vulnerability scanner that simply flags a Common Vulnerabilities and Exposures (CVE) ID and a severity score, validated vulnerability intelligence adds a crucial layer of real-world context to help organizations prioritize what to fix first.
Key components of Validated Vulnerability Intelligence:
Exploitability: This goes beyond a vulnerability's theoretical severity rating (like CVSS) and provides information on whether a working exploit exists for it. This includes whether a proof-of-concept (PoC) code is available on platforms like GitHub or if a full-fledged exploit is being sold or discussed on dark web forums.
Active Exploitation: This is the most critical component. Validated intelligence confirms if a vulnerability is being actively exploited in the wild by cybercriminals, nation-state actors, or ransomware gangs. If a vulnerability is being actively used in attacks, its priority for remediation skyrockets, regardless of its base severity score.
Threat Actor and Campaign Context: It connects a specific vulnerability to a known threat actor or a malicious campaign. For example, knowing that a vulnerability is a favored entry point for a particular ransomware group allows an organization to align its defenses with the real-world tactics, techniques, and procedures (TTPs) of its adversaries.
Business Impact: It helps an organization understand the actual risk of a vulnerability by considering the criticality of the affected asset. A high-severity vulnerability on a non-critical, isolated system is less of an immediate threat than a medium-severity vulnerability on an internet-facing server that handles sensitive data.
Validated vulnerability intelligence transforms raw data into actionable insights, enabling a risk-based approach to vulnerability management. It helps security teams shift from a reactive, "patch everything" model to a proactive one that focuses on the vulnerabilities that pose the most significant and most immediate threat to their specific environment.
ThreatNG helps with validated vulnerability intelligence by moving beyond simple lists of vulnerabilities to provide context, prioritization, and real-world exploitability information. It does this by combining external discovery and assessment with a rich set of continuously updated intelligence repositories.
External Discovery & Assessment
ThreatNG's external discovery capability is the foundational first step. It finds all of an organization's internet-facing assets, including those that are unknown or forgotten, like exposed APIs, misconfigured cloud instances, or development environments left online. This is crucial for validated vulnerability intelligence because you can't assess or prioritize a vulnerability on an asset you don't know exists.
Following discovery, ThreatNG performs a variety of external assessments to find and validate vulnerabilities from an attacker’s perspective.
Cyber Risk Exposure: This assessment evaluates multiple parameters to determine an organization's overall cyber risk exposure. For example, ThreatNG can discover a web server with a known vulnerability (CVE) and determine that it also has an exposed sensitive port, such as a database port. The combination of these two findings validates that the vulnerability is not just theoretical but could be a direct entry point for an attacker, making it a high-priority risk.
NHI (Non-Human Identity) Exposure: This assessment uncovers and evaluates risks from non-human identities like API keys and service accounts. For instance, ThreatNG's Sensitive Code Exposure investigation module could find an exposed AWS API key in a public mobile app marketplace. This finding is a validated risk because the exposed key is a real, exploitable credential that an attacker could use to gain unauthorized access to cloud resources.
Reporting & Continuous Monitoring
ThreatNG provides detailed reports that translate raw vulnerability data into actionable intelligence. The reports include risk levels, reasoning, recommendations, and reference links. This helps security teams and leadership prioritize which vulnerabilities to address first. For example, a report might highlight a vulnerability with a high-risk score because it is a known entry point for ransomware, providing the necessary context to justify immediate remediation efforts.
Continuous monitoring is a key component of ThreatNG's approach to validated intelligence. It constantly monitors for changes to the external attack surface and new vulnerabilities that may emerge. This ensures that intelligence remains relevant and up-to-date. If a new, actively exploited vulnerability is announced, ThreatNG's continuous monitoring can immediately alert the organization if its exposed assets are affected, allowing for proactive, rather than reactive, remediation.
Investigation Modules
ThreatNG's investigation modules are essential for enriching and validating vulnerability intelligence by providing deeper context.
Sensitive Code Exposure: This module scans public code repositories and mobile apps for exposed secrets and credentials. An example is finding a PostgreSQL password file in a public GitHub repository. This finding is validated intelligence because it provides a real credential that could be used to compromise a database, proving the existence of an exploitable pathway.
Search Engine Exploitation: ThreatNG checks for information that an attacker could find through search engines. For example, it could discover that a .git folder is exposed on a website's subdomain. This finding, while seemingly minor, is validated intelligence because it indicates a misconfiguration that could allow an attacker to download the website's source code, potentially leading to the discovery of more serious vulnerabilities or exposed credentials.
Intelligence Repositories
ThreatNG's intelligence repositories, branded as DarCache, are the heart of its validated vulnerability intelligence.
DarCache Vulnerability: This repository offers a comprehensive and proactive approach to managing external risks by evaluating their real-world exploitability and the likelihood of exploitation. It consists of several components:
NVD (National Vulnerability Database): Provides the technical characteristics and impact of each vulnerability.
EPSS (Exploit Prediction Scoring System): Offers a probabilistic estimate of the likelihood of a vulnerability being exploited in the near future, enabling a more forward-looking approach to prioritization.
KEV (Known Exploited Vulnerabilities): Lists vulnerabilities that are actively being exploited in the wild, giving critical context for prioritizing remediation efforts.
DarCache eXploit: Provides direct links to verified Proof-of-Concept (PoC) exploits on platforms like GitHub. This allows security teams to reproduce the vulnerability and assess its real-world impact, effectively validating the intelligence.
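The prioritization logic described in the key components above and in the DarCache Vulnerability components (NVD severity, EPSS probability, KEV membership, PoC availability, and asset criticality), shown as an added example that is not ThreatNG's own scoring; the tiers, weights, and sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder IDs in the samples below, not real CVEs
    cvss: float            # NVD base score, 0-10 (theoretical severity)
    epss: float            # EPSS probability of exploitation, 0-1
    in_kev: bool           # listed in the KEV catalog (active exploitation)
    poc_public: bool       # verified public PoC available (DarCache eXploit)
    internet_facing: bool  # asset reachable from the internet
    sensitive_data: bool   # asset handles sensitive data

def exposure_multiplier(f: Finding) -> float:
    """Business-impact factor (assumed weights): an isolated, non-critical
    asset is discounted; internet-facing and data-handling assets weigh more."""
    if not f.internet_facing and not f.sensitive_data:
        return 0.5
    return 1.0 + (0.5 if f.internet_facing else 0.0) + (0.5 if f.sensitive_data else 0.0)

def priority(f: Finding) -> tuple[str, float, str]:
    """Return (tier, score, reason). Active exploitation outranks everything,
    then demonstrated exploitability, then theoretical severity alone."""
    if f.in_kev:
        tier, base = "P1", 10.0
        reason = "listed in KEV: actively exploited in the wild"
    elif f.poc_public or f.epss >= 0.5:
        tier, base = "P2", 7.0 + 3.0 * f.epss
        reason = "public PoC exploit available" if f.poc_public else f"EPSS {f.epss:.2f}"
    else:
        tier, base = "P3", f.cvss
        reason = f"no known exploit; CVSS {f.cvss}"
    return tier, round(base * exposure_multiplier(f), 2), reason

def rank(findings: list[Finding]) -> list[str]:
    """CVE IDs ordered by remediation priority, highest first."""
    return [f.cve for f in sorted(findings, key=lambda f: priority(f)[1], reverse=True)]

# Constructed sample findings (placeholder IDs); the CVSS 9.8 one ranks last.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, 0.02, False, False, False, False),  # critical, isolated
    Finding("CVE-EXAMPLE-0002", 6.5, 0.30, True, False, True, True),     # medium, in KEV, exposed
    Finding("CVE-EXAMPLE-0003", 7.5, 0.90, False, True, True, False),    # public PoC, exposed
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=lambda f: priority(f)[1], reverse=True):
        tier, score, reason = priority(f)
        print(f"{tier} {score:5.2f} {f.cve}: {reason}")
```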
Complementary Solutions
ThreatNG's validated vulnerability intelligence can work with complementary solutions to enhance an organization's overall security posture.
Vulnerability Management Platforms: ThreatNG's external-facing, validated intelligence can be fed into an internal vulnerability management platform. For example, if ThreatNG identifies a vulnerability that is listed in the KEV catalog, the vulnerability management platform can use this external context to automatically assign it a higher priority for remediation, regardless of its internal scan score. This synergy ensures that the organization focuses its limited resources on the threats that are most likely to be weaponized.
SIEM (Security Information and Event Management) Platforms: The validated intelligence from ThreatNG can be integrated with a SIEM to correlate external threats with internal activity. For instance, if ThreatNG identifies a known exploitable vulnerability on an external-facing server, the SIEM can be configured to alert on any unusual network traffic, brute-force attempts, or suspicious user activity related to that server. This helps the organization detect an attack in progress and respond quickly, because the SIEM has been pre-armed with external threat intelligence from ThreatNG.
Threat Intelligence Platforms (TIPs): ThreatNG's DarCache intelligence, including data on ransomware gangs, compromised credentials, and actively exploited vulnerabilities, can enrich an organization's existing TIP. This provides a more comprehensive view of the threat landscape by combining ThreatNG's external perspective with the TIP's wider range of intelligence sources. For instance, a security analyst can use the TIP to cross-reference a compromised credential found by ThreatNG with known threat actor TTPs from other sources, enabling a more targeted and effective threat hunt.