Why Your Threat Feed Alone Isn’t Good Enough
Without solid intel on the cyber threats that are active and emerging, it’s impossible to fully protect your infrastructure and applications from successful exploits. That’s why so much attention is paid to threat and exploit feeds.
But there’s a big difference between raw intel streaming in from a couple of feeds and having insight you can act on. Threat intel certainly helps inform your vulnerability management strategy, but intel alone isn’t enough. You need actionable intel.
Making intel actionable
This requires a whole lot more than threat data. It requires an array of elements that together provide a contextual awareness of the risk every single vulnerability poses to your environment.
Here’s a brief rundown of those elements:
Extensive threat, vulnerability and exploit data. Threat and exploit feeds are useful in taking a pulse of known activity that could increase your risk of an event. The problem is each feed tends to track and provide information on a specific type of threat. But the array of threats targeting your top vulnerabilities is plentiful and growing. So subscribing to one or two feeds won’t come close to giving you a clear picture of the threat landscape. For that, you need to integrate data from multiple feeds. Here at Kenna, we leverage intel from more than 18 threat and exploit intelligence feeds in order to provide coverage across an array of attack methods.
Threat and exploit data alone doesn’t deliver insight, however. Gaining complete contextual awareness requires understanding all you can about every known vulnerability. This means looking deeply at the unique characteristics of each vulnerability and asking questions that help assess its relative risk to you. In addition to the standard information you’ll find in its CVE (Common Vulnerabilities and Exposures) entry, in its National Vulnerability Database (NVD) listing, or even in its Common Vulnerability Scoring System (CVSS) score, this picture must include other vital and relevant external information, such as a list of vulnerable products, whether or not the CVE is exploitable by remote code execution, and the exploits and fixes that are available. Kenna also factors in what we call Popular Targets, a unique measure of how prevalent a specific CVE is in the real world. (This has proven to be valuable in predicting future exploits.) Additionally, you’ll want coverage from a variety of sources, including network sensors like IDS/IPS, file and malware analysis, OSINT, and dark web sources.
Data science-generated intel. Data science involves the techniques necessary to sift through all that threat and vulnerability data, analyze it, and come to a conclusion about which vulnerabilities are truly the most likely to be exploited. At Kenna, this involves various data science techniques, chief of which is supervised machine learning: predictive algorithms whose output becomes more accurate over time as they ingest and process more data for training purposes. We use supervised machine learning (a more targeted and ultimately more effective implementation of machine learning) within our predictive modeling. It allows us to analyze and learn from a large quantity and breadth of real-world data about vulnerabilities: what’s in the NVD and MITRE, which exploit kits are available, which CVEs have been successfully exploited in the wild (and how often), etc. And it enables us to create high-fidelity forecasts of exploitations. By harnessing these techniques, we can predict the weaponization of new vulns with 94% accuracy.
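The three elements above (multi-feed threat data, per-CVE context, and a model that turns both into a ranking) can be shown end to end in a small prioritizer. The code below is an added illustration written for this article, not Kenna's code or model: the feed records, the CVE identifiers (placeholders in CVE-YYYY-NNNN form), the asset counts and the scoring weights are all constructed, and the supervised model described in the text is replaced by a transparent weighted heuristic so the effect of context is easy to follow. The point it demonstrates is the one the article makes: the CVE with the most feed noise and the highest CVSS score ranks last, because it affects nothing in this environment, while a modestly scored CVE with real exposure and feed activity ranks first.

```python
"""Context-aware vulnerability prioritization (added example, illustrative only)."""
from collections import defaultdict

# Constructed feed records as (feed_name, cve_id). The CVE ids are placeholders,
# not real NVD entries; the feed names stand for the source types the article lists.
FEED_RECORDS = [
    ("ids_sensor", "CVE-2021-0001"),
    ("ids_sensor", "CVE-2021-0001"),
    ("exploit_kit_tracker", "CVE-2021-0001"),
    ("osint", "CVE-2021-0002"),
    ("dark_web", "CVE-2021-0002"),
    ("malware_analysis", "CVE-2021-0003"),
]

# Constructed per-CVE context: what you would pull from NVD/CVE metadata
# (cvss, remote, public_exploit, fix_available) plus your own asset inventory
# (assets_affected). All values are made up for the example.
VULN_CONTEXT = {
    "CVE-2021-0001": {"cvss": 9.8, "remote": True, "public_exploit": True,
                      "fix_available": True, "assets_affected": 0},
    "CVE-2021-0002": {"cvss": 7.5, "remote": True, "public_exploit": True,
                      "fix_available": True, "assets_affected": 40},
    "CVE-2021-0003": {"cvss": 5.3, "remote": False, "public_exploit": False,
                      "fix_available": False, "assets_affected": 12},
    "CVE-2021-0004": {"cvss": 9.1, "remote": True, "public_exploit": False,
                      "fix_available": True, "assets_affected": 3},
}


def aggregate_feeds(records):
    """Merge raw feed records per CVE: how many distinct feeds and raw hits mention it.

    Counting distinct feeds separately from raw hits keeps one chatty sensor from
    looking like broad corroboration across sources.
    """
    feeds = defaultdict(set)
    hits = defaultdict(int)
    for feed, cve in records:
        feeds[cve].add(feed)
        hits[cve] += 1
    return {cve: {"feed_count": len(feeds[cve]), "hits": hits[cve]} for cve in feeds}


def risk_score(cve, context, signals):
    """Risk = threat activity x severity x exposure, with assumed illustrative weights.

    Each factor is clamped to [0, 1]; a CVE that affects no asset has zero exposure
    and therefore zero risk to *this* environment, however loud the feeds are.
    """
    sig = signals.get(cve, {"feed_count": 0, "hits": 0})
    # Baseline 0.1 so an unreported CVE is low-risk, not invisible.
    threat = min(1.0, 0.1 + 0.25 * sig["feed_count"] + 0.05 * sig["hits"])
    if context["public_exploit"]:
        threat = max(threat, 0.6)  # a public exploit is a strong signal on its own
    severity = context["cvss"] / 10.0
    if context["remote"]:
        severity = min(1.0, severity + 0.1)  # remote exploitability raises severity
    if context["assets_affected"] == 0:
        exposure = 0.0
    else:
        exposure = min(1.0, 0.5 + context["assets_affected"] / 100.0)
    return 100.0 * threat * severity * exposure


def prioritize(records, context):
    """Return [(cve, score), ...] sorted from highest to lowest risk."""
    signals = aggregate_feeds(records)
    scored = [(cve, risk_score(cve, ctx, signals)) for cve, ctx in context.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for cve, score in prioritize(FEED_RECORDS, VULN_CONTEXT):
        ctx = VULN_CONTEXT[cve]
        print(f"{cve}  risk={score:5.1f}  cvss={ctx['cvss']}  assets={ctx['assets_affected']}")
```

Run stand-alone, the ranking places CVE-2021-0002 first and CVE-2021-0001 last. Swap in your own feed exports and asset inventory for the constructed tables and the same merge-then-contextualize structure applies; the weights are the part a real deployment would replace with a model trained on observed exploitation.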
Why intel alone isn’t nearly good enough
It’s common (and frankly understandable) for security professionals to assume that, if they haven’t experienced a major breach to date, their current vulnerability management strategy must be good enough to keep future attacks at bay. But threats are a constantly moving target, and bad actors are counting on and acting upon that misguided assumption, just as they’re banking on the assumption that one or two threat feeds are enough to give you a full sense of the threat landscape.
Consider that in the first three months of 2021, the NVD published an average of 31 new CVEs every day. That’s a lot of vulns. Now consider that, according to our research, 80% of the vulnerabilities you remediate actually don’t pose a serious risk. So not only are threats mounting, but most organizations are wasting eight out of every 10 remediation hours fixing vulnerabilities when that time would be better spent reducing risk elsewhere.
This is why threat data alone isn’t good enough. It may tell you about a potential threat to someone, but that threat may not be a threat to you. Intel isn’t insight. Intel isn’t automatically actionable. Intel lacks context.