Delve into the minds of threat actors by joining us on Thursday, January 13, to watch a session from The Remediation Summit by Yossi Glazer, Vulcan Cyber principal product manager, titled, "A Threat Actor's Perspective on Risk."
It’s no surprise that threat actors look to take advantage of exposed public-facing assets, often exploiting known vulnerabilities. Few pass up the opportunity of an open door into a system.
It isn’t too difficult to figure out how a hacker operates. They are lazy, or depending on your perspective, opportunistic and efficient. But even with this knowledge, enterprise IT security teams too often make a hacker’s job easy and still fail to prioritize, manage and mitigate risk brought on by cyber security debt. According to our latest research conducted in conjunction with Gartner Pulse, most organizations are not adequately prioritizing according to business risk, leaving their most important and valuable assets open to attack.
When we classify exploits, we tend to do so by the ways in which they communicate with our systems. Hackers will generally look for remote exploits first as they are easier to use for attacks than local exploits, as long as the vulnerability it exploits has not been mitigated or patched. A famous example of this was the WannaCry exploit using the Eternal Blue vulnerability. While a patch was quickly released, WannaCry was successful by targeting organizations that were too slow to mitigate and remediate.
Where threat actors find exploits
Exploits are shared online on various exploit libraries and sites of questionable credibility. Exploit and proof of concept data propagates quickly, with hackers waiting to pounce; organizations who are proactive about patching and mitigating vulnerabilities stand the best chance of protecting business assets.
The more sources that share the exploits, the more critical the leveraged vulnerability becomes to the cyber security team. This input should be integral toyour risk scoring and vulnerability prioritization efforts. The Vulcan Cyber platform provides accessible exploit data and a risk indicator that is used as part of the risk score. Also, the weight attached to the risk score should be adjustable according to your risk appetite and unique business asset context.
While there are many sources listing exploits, they are not all equal in terms of credibility. The research team at Vulcan Cyber ranked the exploit sites in order of accuracy and credibility. This threat intelligence is made available through the Vulcan Cyber platform with easy access to a list of published threats, exploits, and sources. This intelligence can be reviewed to gain further insights into the potential risk of a vulnerability from the perspective of threat actors using known exploits, their maturity and availability.
With public-facing assets being the most popular for threat actors, we must identify these within our system. But searching for assets with relevant IP addresses is not enough, and scanners can often miss those assets which slip through the cracks.
In order to best identify and prioritize these assets, we must set our own rules for identification that consider the impact of future changes made to the environments containing the assets. Once these assets have all been identified, you can add them to your risk score and accurately prioritize them as more important. The Vulcan Cyber platform already has an out-of-the-box method of identifying these assets displaying all external-facing assets, including those that scanners might miss.
For a deeper dive into how we can apply threat intelligence data to our cyber risk prioritization models, check out my full session titled, “: A Threat Actor's Perspective on Risk,” from The Remediation Summit.