
An ongoing concern for enterprise security teams has been addressing known vulnerabilities before they can be exploited by threat groups, a challenge that is getting increasingly difficult as hackers accelerate their capabilities thanks in part to the growing use of such tools as AI and automation.

“There are two things happening with exploitable vulnerabilities right now,” Thomas Bain, chief marketing officer for VulnCheck, which works to help organizations understand attack vectors and address threats before attacks occur, told MSSP Alert. “First, threat actors don’t need a zero day anymore. … Those are still valuable, but realistically they are cherry-picking vulnerabilities from disclosure sites, building exploit POCs (proofs of concept) and then making them available for broader use. It’s the easy button for them.”

Secondly, this generates a volume of security flaws that is unmanageable for any enterprise or security team, Bain said. Research by the Lexington, Massachusetts-based company has found that bad actors now exploit 28.3% of vulnerabilities within a day after their CVEs are disclosed. Sometimes it’s even faster.

“About one-quarter of exploited vulnerabilities in our VulnCheck KEV [Known Exploited Vulnerabilities] are exploited on or before they are publicly disclosed,” he said. This “means sometimes they don’t have a CVE yet. The second aspect is that vulnerabilities are exploited much faster with automated tooling that’s pre-built with AI capabilities, enabling them to move more quickly when identifying vulnerabilities they intend to exploit.”

Keeping Pace with Vulnerabilities

VulnCheck and its competitors continue to roll out tools aimed at ensuring that organizations can keep up with the accelerating pace of hackers’ efforts. For VulnCheck, that includes its Community Data Feed (CDF), a free vulnerability intelligence feed that can be integrated into security workflows and products.

Last month, the company launched two apps, VulnCheck for Vulnerability Response and VulnCheck for SBOM (Software Bill of Materials) Response, that are integrated into the ServiceNow Store, and unveiled its KEV Alerts feature to deliver instant notifications of vulnerabilities that have been exploited in the wild.

Integrating with ThreatQuotient

This week, the company said it is putting its CDF into the ThreatQuotient Marketplace, a move that integrates its API into ThreatQuotient’s ThreatQ Platform. It’s another step by VulnCheck to expand the access security teams get to its vulnerability intelligence.

VulnCheck, which raised $12 million in Series A funding in March, released its CDF early last year. The aim was to address such issues as other freely available solutions not being quick enough to publish CVEs and the lack of significant context and other crucial information when CVEs were released, Bain said. It sometimes took more than a month for exploited vulnerabilities to be added to CISA’s KEV. Now ThreatQuotient users can take the information in VulnCheck CDF and act on it.

“We have just launched our new capability to alert any VulnCheck KEV user, when we identify and validate known exploited vulnerabilities, directly in your inbox or on Slack,” he said. “ThreatQuotient customers can now build automations that alert to other cyber telemetry, creating response workflows in real-time.”

Critical Exploit Information

That will be important at a time when the future of CVEs being published by the likes of MITRE and CISA is uncertain even as the number of threats and vulnerabilities grows. VulnCheck in May said its KEV catalog was tracking more than 3,600 known exploited vulnerabilities and that the number of users had grown to more than 10,000. VulnCheck’s catalog is tracking 173% more flaws than CISA’s and is publishing them an average of 27 days faster, the company said.

MSSPs, as the key cybersecurity providers for many organizations, can take advantage of VulnCheck’s vulnerability intelligence, Bain said.

“They are tasked with responding to any threats that can be eliminated quickly,” he said. “ThreatQuotient has a large installed base of users globally, so the more VulnCheck intelligence they use, the more they can trust the data.”

Exploitation and Weaponization

Bain added that VulnCheck doesn’t score security flaws. Instead, it gates everything in its intelligence solutions based on weaponization or exploitation, giving security teams and MSSPs another means of measuring vulnerabilities.

“This means we can still surface existing scoring from CVSS [Common Vulnerability Scoring System] and EPSS [Exploit Prediction Scoring System], but when we find evidence of exploitation, it indicates that the issue is worthy of a response,” he said. “It’s binary, because it’s either exploited or it isn’t. And if it’s weaponized, then it’s likely to be exploited.”

MSSPs are key parts of VulnCheck’s strategy, according to Bain. The company works every day with MSSPs and security teams alike and “our data is suited specifically to align with what MSSPs need – timely, actionable, and reliable intelligence that helps narrow and prioritize from volume to the 2 to 3% of vulnerabilities that are material and must be addressed to protect an organization from emerging threats.”

He added that VulnCheck acts as a “real-time, early warning system for MSSPs to layer into their offerings that is delivered as machine-consumable intelligence, not a report that requires human analysis or interpretation.”