Integrating Threat Intelligence: Inside the minds of modern adversaries
In our last deep dive, we unpacked the dynamics between External Attack Surface Management (EASM) and automated security testing. We examined how EASM illuminates the pathway for automated security testing and the power of multidimensional scanning facilitated by our "Orchestrator AI". Continuing the series, let's turn our focus to another crucial component of the Hadrian Platform – Threat Intelligence.
Introduction to Threat Intelligence
Threat Intelligence is a cybersecurity discipline that involves collecting, analyzing, and understanding information about potential threats and threat actors. It's like having a weather forecast for cyber threats; it helps organizations anticipate, prepare for, and mitigate potential attacks.
The disconnect between vulnerabilities and real-world threats
Research shows that 60% of breaches were due to unapplied patches, which were readily available but not deployed. Conventional security strategies often hinge on identifying and patching vulnerabilities, with priority generally given to those classified as 'high-risk' based on generic factors such as potential impact and exploitability, neglecting the business context of those risks.
Context is the key word here, as not all vulnerabilities are exploited equally by attackers in the real world. An unpatched server in an obscure corner of your network might theoretically present a high-risk vulnerability, but if it's not on the radar of actual threat actors, is it really high-risk in practice? Conversely, a low-severity vulnerability might be heavily targeted due to ease of exploitation, amplifying its real-world risk.
Threat intelligence for better risk prioritization
This is where threat intelligence steps in. Threat intelligence is one of the key improvements of CTEM over traditional vulnerability management. By integrating threat intelligence with insights about your digital infrastructure, you can see not just what could be attacked (as provided by EASM and automated security testing) but also what is likely to be attacked based on current threat landscape trends. The result is that security teams can prioritize their efforts more effectively, focusing on the activities that matter most.
For instance, if threat intelligence shows an uptick in attacks targeting a specific type of vulnerability in your industry, you can prioritize patching similar vulnerabilities in your own infrastructure. Conversely, you might deprioritize patching a high-severity vulnerability that isn't seeing much real-world exploitation.
From the hacker’s perspective
From the threat actor’s perspective, not all vulnerabilities carry the same appeal. They are selective and strategic, often choosing targets that offer the most significant gains with the least effort or risk. Hence, they might overlook a high-risk vulnerability if it's challenging to exploit and instead capitalize on a more accessible, lower-severity vulnerability that, due to its wider prevalence or the specific data it exposes, offers an enticing payoff.
By bridging the gap between the 'threat actor's choice' and 'security prioritization,' Hadrian's threat intelligence paves the way for a more responsive and real-world approach to cybersecurity. This framework allows your security teams to prioritize remediation efforts in alignment with real-world threats rather than in response to an abstract hierarchy of risks.
Case Study: Threat Intelligence in action
Recently, a WordPress plug-in vulnerability was assigned a CVSS score of 6.1, denoting it as merely having a “medium” severity, just above the average of 5.8. Hadrian often reassesses the risk of WordPress plugin vulnerabilities because WordPress is used on over 40% of all websites, enabling attacks to be launched at scale. Furthermore, WordPress has a large number of 3rd party plugins, which are often poorly maintained by site administrators, resulting in an above-average rate of successful attacks.
This particular WordPress plugin had over 2 million active installations, of which 70% were vulnerable. By incorporating this intelligence, it was assessed that there was a high likelihood that threat actors would launch attacks to exploit the vulnerability. As a result, Hadrian took immediate action, proactively scanning customer environments and alerting security teams. This response resulted in one of Hadrian’s customers becoming a victim of attacks using the vulnerability.
The bigger picture
In conclusion, threat intelligence, when combined with EASM and automated security testing, offers a far more realistic perspective on potential threats. It moves us away from a purely theoretical approach to one that reflects the actual dynamics of the threat landscape. As the cyber world continues to evolve, so must our strategies for managing it.