Vulnerability Management and CTI Basics
While cyber threat intelligence (CTI) and vulnerability management functions should work closely together, they have different objectives:
- CTI provides information about existing or emerging threats that can drive security decisions. Typical CTI functions plan, collect, process, analyze and disseminate information about threats against applications, systems or industries. The SOC team then uses that intelligence to prioritize its day-to-day response and remediation activities. CTI helps security teams make educated decisions based on actors, active campaigns and likely targets. CTI reporting can take on many forms, depending on the objectives and the intended audience, but the idea is to get data into an actionable format the audience will clearly understand.
- Vulnerability management focuses on identifying, classifying, prioritizing, remediating and mitigating security vulnerabilities. It focuses on triage, figuring out what gets patched first and how to best leverage its finite operational resources.
CTI provides important context that can aid in vulnerability management decisions, because final prioritization considers both the criticality of a vulnerability and the type of threat actors that may be actively exploiting these vulnerabilities in the real world. But the two play very different roles.
CTI and Vulnerability Management Guidance
While some firms combine CTI and vulnerability management, that is not always considered a best practice. Because of vulnerability management’s limited resources, CTI analysts can get pulled into day-to-day remediation activities. This could potentially lead to not enough attention being given to CTI activities. CTI functions should continuously monitor the threat environment, since threats can quickly go from being a routine vulnerability you’ve seen many times to something suddenly being exploited in the wild and becoming a critical issue.
It isn’t practical to patch everything. When implemented correctly, CTI helps vulnerability management and operations teams put scan results into the context of their organization’s threat landscape. With the proper threat intelligence, it’s easier to answer simple questions like:
- Which vulnerabilities are being actively exploited in the wild?
- Which threat actors are leveraging these vulnerabilities against our industry?
- What impact would exploiting a given vulnerability have on our company?
The most effective organizations consider combining internal scanning data with external intelligence to understand which vulnerabilities are being actively exploited and which are not. They then focus efforts on the issues with the highest criticality and the greatest chance of exploitation. While the two teams need to work closely together, there is little value to be gained by combining them.
How to Prioritize CTI and Vulnerability Management
Vulnerability management organizations without an effective CTI function at hand sometimes tend to make the mistake of focusing on ranking threats and then remediating by criticality. This “by the numbers” approach tends to adopt classification systems, such as the Common Vulnerabilities and Exposures (CVE) naming and the Common Vulnerability Scoring System (CVSS), without considering whether threat actors are actively exploiting vulnerabilities or not. The focus is on technical exploitability rather than on active exploitation. This is where CTI can add the most value.
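The prioritization described here (internal scan results joined with external intelligence, then ranked by criticality and likelihood of exploitation) and the “by the numbers” ranking it is contrasted with can be shown side by side in code. The following is an added example written for this page, not IANS code or any product’s scoring logic. The findings, the intelligence feed, the CVE identifiers (placeholders), the business-impact labels and the weighting factors are all constructed assumptions; a real program would feed it scanner output and a vetted CTI source and tune the weights to its own risk appetite.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One row from an internal vulnerability scan (constructed for this example)."""
    cve: str
    cvss: float
    asset: str
    business_impact: str  # assumed asset classification: "high", "medium" or "low"

@dataclass(frozen=True)
class Intel:
    """What the CTI function knows about a CVE (constructed for this example)."""
    exploited_in_wild: bool = False
    targets_our_industry: bool = False
    actors: tuple = ()

# Assumed weights: how much business impact scales the score.
IMPACT_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}

def exploitation_factor(intel: Intel) -> float:
    """Assumed multiplier for real-world exploitation evidence (1.0 = none known)."""
    factor = 1.0
    if intel.exploited_in_wild:
        factor = 2.0
    if intel.targets_our_industry:
        factor += 0.5
    return factor

def priority_score(finding: Finding, intel: Intel) -> float:
    """Criticality (CVSS) x exploitation evidence x business impact."""
    return round(finding.cvss * exploitation_factor(intel)
                 * IMPACT_WEIGHT[finding.business_impact], 2)

def explain(intel: Intel) -> str:
    """Short, actionable reason string for the remediation team."""
    reasons = []
    if intel.exploited_in_wild:
        reasons.append("exploited in the wild")
    if intel.targets_our_industry:
        reasons.append("used against our industry")
    if intel.actors:
        reasons.append("actors: " + ", ".join(intel.actors))
    return "; ".join(reasons) if reasons else "no active exploitation reported"

def rank_by_cvss_only(findings):
    """The 'by the numbers' approach: technical severity alone."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_with_cti(findings, intel_by_cve):
    """Scan data joined with CTI context; returns (cve, score, reason) tuples."""
    rows = []
    for f in findings:
        intel = intel_by_cve.get(f.cve, Intel())  # unknown CVE: no intel, no uplift
        rows.append((f.cve, priority_score(f, intel), explain(intel)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample scan output and CTI feed (placeholder CVE ids, not real ones).
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "dev-build-server", "low"),
    Finding("CVE-0000-0002", 7.5, "customer-portal", "high"),
    Finding("CVE-0000-0003", 8.1, "hr-system", "medium"),
    Finding("CVE-0000-0004", 5.3, "customer-portal", "high"),
]
INTEL = {
    "CVE-0000-0002": Intel(True, True, ("constructed-actor-1",)),
    "CVE-0000-0003": Intel(True, False),
}

if __name__ == "__main__":
    print("By CVSS only:", rank_by_cvss_only(FINDINGS))
    for cve, score, reason in rank_with_cti(FINDINGS, INTEL):
        print(f"{cve}  score={score:<6} {reason}")
```

In the constructed data the highest-CVSS finding (a 9.8 on a low-impact build server with no exploitation reported) drops to the bottom once CTI context is applied, while a 7.5 on a high-impact, customer-facing asset that is being exploited against the organization’s industry rises to the top. The reason string is the part the CTI function hands to vulnerability management: it answers the three questions above in a form the remediation team can act on.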
To be effective, CTI functions should consider avoiding the following:
- Operating in complete isolation: The key to making this process work is having both teams and the SOC working in harmony. These teams need to work together to determine real-world risk and remediation priority. However, you should resist the urge to combat communication issues by combining the two teams.
- Prioritizing speed over accuracy: CTI functions need enough time to fully understand a threat and the threat actors that may be exploiting it. While speed counts, accuracy is more important. Avoid wild speculation about an issue and get the facts correct.
Allowing CTI to focus on context, the SOC to focus on security monitoring and vulnerability management to focus on the mechanics of security remediation provides the most value for an organization.
Tips for Coordinating CTI and Vulnerability Management
No matter where CTI functions report, they must keep communication clear, relevant, actionable and timely. Meaningful threat intelligence provides context, so organizations can take informed action based on risk. Consider the following:
- Vulnerability management and CTI functions are different. While the two functions need to work closely together, make sure your CTI analysts have enough time to do their job and continue monitoring the threat environment, which can change quickly. Combining the two teams into a single team may not bring strong benefits and could undermine your CTI function if analysts are pulled into operational remediation activities.
- Avoid prioritizing only by criticality. While the criticality of a risk has its place in determining prioritization, CTI provides the context required to zero in on the most meaningful and impactful problems.
The SOC, vulnerability management and CTI functions need to work in harmony to provide the most value to an organization. Each function has a separate responsibility, but when they communicate and work together, they can provide a tremendous amount of value by helping an organization focus on the most critical and likely-to-be-exploited issues.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.