Read the original article: Separating the Signal from the Noise: How Mandiant Intelligence Rates
Vulnerabilities — Intelligence for Vulnerability Management, Part Three
One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put an organization’s data, employees and customers at risk. In this
four-part blog series, FireEye Mandiant Threat Intelligence
highlights the value of CTI in enabling vulnerability management,
and unveils new research into the latest threats, trends and recommendations.
Every information security practitioner knows that patching
vulnerabilities is one of the first steps towards a healthy and
well-maintained organization. But with thousands of vulnerabilities
disclosed each year and media hype about the newest “branded”
vulnerability on the news, it’s hard to know where to start.
The National Vulnerability Database (NVD) considers a range of
factors that are fed into an automated process to arrive at a score
for CVSSv3. Mandiant Threat Intelligence takes a different approach,
drawing on the insight and experience of our analysts (Figure 1). This
human input allows for qualitative factors to be taken into
consideration, which gives additional focus to what matters to
security operations.
Figure 1: How Mandiant Rates Vulnerabilities
Assisting Patch Prioritization
We believe our approach results in a score that is more useful for
determining patching priorities, as it allows for the adjustment of
ratings based on factors that are difficult to quantify using
automated means. It also significantly reduces the number of
vulnerabilities rated ‘high’ and ‘critical’ compared to CVSSv3 (Figure
2). We consider critical vulnerabilities to pose significant security
risks and strongly suggest that remediation steps are taken to address
them as soon as possible. We also believe that limiting ‘critical’ and
‘high’ designations helps security teams to effectively focus
attention on the most dangerous vulnerabilities. For instance, from
2016-2019 Mandiant only rated two vulnerabilities as critical, while
NVD assigned 3,651 vulnerabilities a ‘critical’ rating (Figure 3).
Figure 2: Criticality of US National
Vulnerability Database (NVD) CVSSv3 ratings 2016-2019 compared to
Mandiant vulnerability ratings for the same vulnerabilities
Figure 3: Numbers of ratings at various
criticality tiers from NVD CVSSv3 scores compared to Mandiant
ratings for the same vulnerabilities
Mandiant Vulnerability Ratings Defined
Our rating system includes both an exploitation rating and a risk rating:
The Exploitation Rating is an in indication of what is
occurring in the wild.
Figure 4: Mandiant Exploitation Rating definitions
The Risk Rating is our expert assessment of what impact an
attacker could have on a targeted organization, if they were to
exploit a vulnerability.
Figure 5: Mandiant Risk Rating definitions
We intentionally use the critical rating sparingly, typically in
cases where exploitation has serious impact, exploitation is trivial
with often no real mitigating factors, and the attack surface is large
and remotely accessible. When Mandiant uses the critical rating, it is
an indication that remediation should be a top priority for an
organization due to the potential impacts and ease of exploitation.
For example, Mandiant Threat Intelligence rated CVE-2019-19781 as
critical due to the confluence of widespread exploitation—including by
APT41—the public release of proof-of-concept (PoC) code that
facilitated automated exploitation, the potentially acute outcomes of
exploitation, and the ubiquity of the software in enterprise environments.
CVE-2019-19781 is a path traversal vulnerability of the Citrix
Application Delivery Controller (ADC) 13.0 that when exploited, allows
an attacker to remotely execute arbitrary code. Due to the nature of
these systems, successful exploitation could lead to further
compromises of a victim’s network through lateral movement or the
discovery of Active Directory (AD) and/or LDAP credentials. Though
these credentials are often stored in hashes, they have been proven to
be vulnerable to password cracking. Depending on the environment, the
potential second order effects of exploitation of this vulnerability
could be severe.
We described widespread exploitation of CVE-2019-19781 in our blog
post earlier this year, including a timeline from disclosure on
Dec. 17, 2019, to the patch releases, which began a little over a
month later on Jan. 20, 2020. Significantly, within hours of the
release of PoC code on Jan. 10, 2020, we detected reconnaissance for
this vulnerability in FireEye telemetry data. Within days, we observed
weaponized exploits used to gain footholds in victim environments. On
the same day the first patches were released, Jan. 20, 2020, we observed
APT41, one of the most prolific Chinese groups we track, kick off an
expansive campaign exploiting CVE-2019-19781 and other vulnerabilities
against numerous targets.
Factors Considered in Ratings
Our vulnerability analysts consider a wide variety of
impact-intensifying and mitigating factors when rating a
vulnerability. Factors such as actor interest, availability of exploit
or PoC code, or exploitation in the wild can inform our analysis, but
are not primary elements in rating.
Impact considerations help determine what impact exploitation
of the vulnerability can have on a targeted system.
|
Impact Type |
Impact Consideration |
|
Exploitation Consequence |
The result of successful |
|
Confidentiality Impact |
The extent to which exploitation |
|
Integrity Impact |
The extent to which exploitation |
|
Availability Impact |
The extent to which exploitation |
Mitigating factors affect an attacker’s likelihood of
successful exploitation.
|
Mitigating Factor |
Mitigating Consideration |
|
Exploitation Vector |
What methods can be used to exploit |
|
Attacking Ease |
How difficult is the exploit to use |
|
Exploit Reliability |
How consistently can the exploit |
|
Access Vector |
What type of access (i.e. local, |
|
Access Complexity |
How difficult is it to gain access |
|
Authentication Requirements |
Does the exploitation |
|
Vulnerable Product Ubiquity |
How commonly is the |
|
Product’s Targeting Value |
How attractive is the |
|
Vulnerable Configurations |
Does exploitation require |
Mandiant Vulnerability Rating System Applied
The following are examples of cases in which Mandiant Threat
Intelligence rated vulnerabilities differently than NVD by considering
additional factors and incorporating information that either was not
reported to NVD or is not easily quantified in an algorithm.
|
Vulnerability |
Vulnerability Description |
NVD Rating |
Mandiant Rating |
Explanation |
|
CVE-2019-12650 |
A command injection vulnerability in |
High |
Low |
This vulnerability was rated high by NVD, but |
|
CVE-2019-5786 |
A use after free vulnerability
|
Medium |
High |
NVD rated CVE-2019-5786 as medium, |
As demonstrated, factors such as the assessed ease of exploitation
and the observance of exploitation in the wild may result a different
priority rating than the one issued by NVD. In the case of
CVE-2019-12650, we ultimately rated this vulnerability lower than NVD
due to the required privileges needed to execute the vulnerability as
well as the lack of observed exploitation. On the other hand, we rated
the CVE-2019-5786 as high risk due to the assessed severity, ubiquity
of the software, and confirmed exploitation.
In early 2019, Google reported
two zero-day vulnerabilities were being used together in the wild:
CVE-2019-5786 (Chrome zero-day vulnerability) and CVE-2019-0808 (a
Microsoft privilege escalation vulnerability). Google quickly released
a patch for the Chrome vulnerability pushed it to users through
Chrome’s auto-update feature on March 1. CVE-2019-5786 is significant
because it can impact all major operating systems, Windows, Mac OS,
and Linux, and requires only minimal user interaction, such as
navigating or following a link to a website hosting exploit code, to
achieve remote code execution. The severity is further compounded by a
public blog
post and proof of concept exploit code that was released a few
weeks later and subsequently incorporated into a Metasploit module.
The Future of Vulnerability Analysis Requires Algorithms and
Human Intelligence
We expect that the volume of vulnerabilities to continue to increase
in coming years, emphasizing the need for a rating system that
accurately identifies the most significant vulnerabilities and
provides enough nuance to allow security teams to tackle patching in a
focused manner. As the quantity of vulnerabilities grows,
incorporating assessments of malicious actor use, that is, observed
exploitation as well as the feasibility and relative ease of using a
particular vulnerability, will become an even more important factor in
making meaningful prioritization decisions.
Mandiant Threat Intelligence believes that the future of
vulnerability analysis will involve a combination of machine
(structured or algorithmic) and human analysis to assess the potential
impact of a vulnerability and the true threat that it poses to
organizations. Use of structured algorithmic techniques, which are
common in many models, allows for consistent and transparent rating
levels, while the addition of human analysis allows experts to
integrate factors that are difficult to quantify, and adjust ratings
based on real-world experience regarding the actual risk posed by
various types of vulnerabilities.
Human curation and enhancement layered on top of automated rating
will provide the best of both worlds: sp
[…]
Read the original article: Separating the Signal from the Noise: How Mandiant Intelligence Rates
Vulnerabilities — Intelligence for Vulnerability Management, Part Three