2017 NopSec State of Vulnerability Risk Management Report
With the turning of the leaves and the first cold fall nights, usually at NopSec it means that the 2017 edition of our annual State of Vulnerability Risk Management Report is due. This year we are particularly excited because we collaborated with the exploration of a potential threat intelligence source and also our partnership with the LevelBlue Labs Security Research Team for the research related to malware correlation.
The analysis of this year’s vulnerability trends could not come at a better (or worse) time since several relevant data breaches hit the news wires lately. The “400-pound gorilla” in the house is Equifax, with its multi-million customer records data breach and its patchable vulnerability on Apache Struts exploited by attackers to gain access to the compromised data. We will see from our 2017 State of Vulnerability Risk Management Report that these patch management delays are quite common, but avoidable nevertheless.
In the 2017 State of Vulnerability Risk Management Report we analyzed over a million of our customers’ anonymized unique security vulnerabilities. (By unique we mean security vulnerabilities that affect a specific customer, a unique host, on a unique TCP/UDP port). For the most part we use CVE and CWE categorization to correlate vulnerabilities, together with the presence of the 30+ unique threat intelligence feeds that NopSec Unified VRM utilizes, which include exploit-db and Metasploit exploits, active malware and targeted attack data, vendor patch data, social media conversations involving the related vulnerabilities and host value and impact information.
The 2017 report focused on what the industry verticals have in common in terms of vulnerability categorization, which vendors and industries are affected the most by which vulnerabilities, which components affect the most the vulnerability risk determination, whether we could draw the same conclusion reached in terms of the vulnerability risk and social media correlation as far as the Dark Web is concerned, and how to use these data to efficiently manage your vulnerability risk management program.
Before going on the discussion of our report’s results, a few disclaimers are due. First of all, this is not a random or representative sample. The data comes from our clients’ vulnerability population, which is necessarily skewed toward the industries most represented, including financial services and health care. Also, the sample is not all encompassing and cannot be considered representative of the population of vulnerabilities. This is also not an Intrusion Detection System, meaning the system cannot be used to predict security intrusions. With that said, this research can still offer important insights to people that would like to improve their vulnerability risk management program.
Industry Verticals
Figure 1
The first analysis we conducted in our customers’ vulnerability data was to understand overall which industry vertical has the most vulnerabilities (Figure 1), which was Healthcare, followed in second by the Financial Industry. A possible explanation for this is that the lower level of security maturity for Healthcare, and the huge number of assets under management for the Financial industry played a factor in explaining these numbers.
Vendor Susceptibility
Figure 2
Industries and Vendors
Figure 3
Figure 4
Combining the analysis between industries and vendors (Figures 3 and 4), we see across the board that Microsoft and Adobe vulnerabilities are still on top of the chart. Application-related Oracle and Java vulnerabilities are important to consider across all industries. Each industry however has its own peculiar technology stack, which in turns has its own unique vulnerabilities.
Exploit Rates
Then we turned our attention to analyze whether there are particularly good indicators of risk to classify and prioritize vulnerabilities.
Figure 5
Figure 6
The result (Figure 5) indicates that the vulnerabilities risk is directly correlated to the number of public exploits related to those vulnerabilities. Obviously, if a vulnerability has a public exploit the risk associated with it increases in terms of probability of compromises.
Social Media and the Dark Web
Also our research determined that the likelihood of a vulnerability having an exploit, given its number of Twitter interactions, is proportional to the rate of Twitter interactions for those vulnerabilities that do have an exploit. What that really means in plain English is that both public exploit presence and social media interactions are good predictors of a vulnerability risk of causing any damages (Figure 6).
After considering social media data as a predictor of vulnerability risk, we turned our attention to Dark Web data. We gathered open Dark Web CVE vulnerability mentions in non-restricted forums and markets on the Tor-browsable Onion-router networks. Particularly, we were looking for vulnerability CVEs for sale that had no previous disclosure in public exploits.
| Source |
Distinct CVEs |
| Twitter Data |
11.8K |
| Dark Web Data |
9.3K |
Figure 7
Despite the collection of CVE data on the Dark Web being relevant, unfortunately we could not determine a direct correlation between exploitability and mention on the Dark Web as a risk component like we did for the social media mentions (Figure 7). This may be because we only analyzed the open Dark Web - not restricted by passwords and gated communities - which represent only a relatively small part of the overall Dark Web, which is restricted to access.
AlienVault OTX
With the help of AlienVault OTX - Open Source Threat Exchange - community, we worked to determine how AlienVault OTX threat and malware feed correlates with other expressions of vulnerability risks, such as the social media vulnerability mentions.
Figure 8
We determined that the AlienVault OTX pulses that reference a specific vulnerability 46% of the times have social media activity in the critical range - 100+ tweets - meaning that social media activity and attack and malware activity in the wild have important correlation (Figure 8).
Conclusion
In conclusion, based on our 2017 State of Vulnerability Risk Management research, we determined that:
- Threats and attacks are predictable based on the analyzed data. We need to prepare for those! Use ”good hygiene” vulnerability management and correlated threat intelligence.
- Organizations of diverse sizes and industries continue to struggle to efficiently and accurately prioritize vulnerability risks and remediating efficiently found security vulnerabilities.
- Approach with caution combining data mining and machine learning. Give this work to professionals to draw the right conclusions
- Go back to the basics of security, assessing assets’ risk and threat modeling and mitigation.
Thanks for the attention and see you next time at mid-year mark for our next NopSec State of Vulnerability Risk Management Report.
You can download a full copy of NopSec 2017 State of Vulnerability Risk Management Report from the following URL: http://www.nopsec.com/sov .