CVE exploitation data check

Background, terms and dynamics of the field:

Software is used as part of appliances (hardware), as stand-alone products (also known as commercial off-the-shelf, or COTS, like MS Office), as operating system extensions (the driver for your printer) or as building blocks (libraries, modules) for other software (for example, the driver for your printer will use a generic library to connect over Bluetooth).

All of this software will have coding or configuration mistakes in it. Some of these mistakes allow the malicious abuse of the functionality; these are called security vulnerabilities.

Security vulnerabilities are found by the original developer of the software, by some of its users, by security researchers studying it, or by malicious actors trying to abuse it.

The current understanding is that, to help people who use software keep it safe, it is beneficial to disclose some information about these vulnerabilities. There are multiple systems for keeping track of vulnerabilities and circulating the information, but the most established one is the CVE register. It is so common that people often refer to publicly disclosed vulnerabilities as CVEs, much like "Xeroxing" for photocopying. That said, it is not complete: some vulnerabilities will not have CVEs, or will not be disclosed widely at all.

The downside of circulating vulnerability information is that it also becomes known to the bad guys, who can then try to find out how to misuse the vulnerability (by looking at the patches rolled out to fix it, or just at the old version itself) and start misusing it.

However, they follow an economic incentive as well, so most vulnerabilities will not be interesting (useful, necessary) for them to abuse.

Exploits are programs that aim to abuse a vulnerability to achieve the negative impact that the faulty program allows. A proof of concept (PoC) is a demonstration that a certain issue exists and is potentially exploitable, without necessarily using it fully; for example, the program gets into a faulty state, but one that is not completely controllable by the attacker.

Exploitation is the act of running an exploit on a system to actually realise the impact of the vulnerability on a live system. A vulnerability is said to be "exploited in the wild" if there is evidence that malicious actors are actively abusing it.

Software developers fix issues and add functionality to the software using updates/upgrades. Updates aimed solely at fixing issues are called patches. Some of the issues that updates fix are security issues (vulnerabilities), but an update will not necessarily include security fixes. Updating the software is not the only way to deal with security issues: often there are ways to make a vulnerability impossible to exploit that are unrelated to the software itself or come down to how it is used. These are called mitigations.

If a vulnerability is exploited before defenders could even know about it (and mitigate it or update), it is called a zero-day. It is not a clear-cut term, and it is also often used interchangeably to refer to the exploit or to the vulnerability.

Often attackers reverse engineer patches to find out which specific security issue a patch fixes and write an exploit for it, because applying patches usually takes weeks. These are called 1-days.

In some cases the providers do not create an update at all, or have not done so by the time the vulnerability information is disclosed. This is sometimes also referred to as a 0-day or 1-day.

In some cases, when vulnerabilities are identified by security researchers and disclosed to the provider, the researchers put pressure on the provider to fix the issue by disclosing the vulnerability publicly (potentially even with a PoC or exploit), thus forcing the vendor to create an update.

inthewild.io is meant to help vulnerability management (the identification and handling of vulnerabilities) and patch management (the prioritisation and rollout of patches).

The number of CVEs is growing fast: there were 50+k vulnerabilities disclosed in 2021. Maybe 300 of these will ever be exploited. Moreover, a good percentage (50%+) are exploited as 0-days (so patching and vulnerability management will not address them). Applying updates is not trivial, so the default approach of sysadmins and developers (the ones applying updates) is to only update if necessary. If we could tell them which vulnerabilities will be (or at least are) exploited, they could focus their work much better. This is hindsight only; if somebody wants to know which vulnerabilities will be exploited, it is reasonable to assume that the ones with known exploits are more likely to be exploited.

On the other hand, even for security-wise sophisticated companies, the time between a vulnerability disclosure or update issuance and the application of the update is more than 2 weeks. This makes it as good as nothing when the vulnerability is actively exploited. So these companies need the exploitation information to do what is called emergency patching.

Depending on their level of sophistication, different channels of inthewild.io will be useful for different people:

1, Small companies with unsophisticated security could subscribe to the RSS feed or follow the Twitter account, and any time there is an alert ask themselves "do we have this software?" in a reactive, ad-hoc manner.

2, Companies that are more sophisticated do what is called vulnerability scanning (the active identification of vulnerabilities). But currently most companies don't apply all patches; rather, they reactively triage which vulnerabilities need to be fixed. This is a very complicated task, but it is obvious that anything actively exploited needs to be fixed ASAP, and issues with known exploits should likely be prioritised. These people would use the data directly from the open-sourced database on GitHub to enrich the results of their scans and help prioritisation. In some cases this prioritisation is done not by security people but by developers/sysadmins who have to do research on each vulnerability; inthewild.io would help them with this.

3, There are companies/projects that build vulnerability scanners; they could build the data in so that people working in vulnerability management do not have to do it themselves.

4, There is a field of security (threat intelligence) that, in sophisticated companies, is usually separate from vulnerability management. They work (partly) on identifying possible risks to the company. They could consume the RSS feed to learn about vulnerability exploitation and know which vulnerabilities could be relevant to them, much like the developers in the first group. Information like this is usually provided in feeds called TI/Threat Intel/Threat Intelligence feeds.

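The enrichment step in group 2 (and the data a scanner vendor in group 3 would build in) is a join between scan findings and exploitation records, followed by a ranking: exploited in the wild first, public exploit next, everything else on the regular patch cycle. The script below is an added example and is not inthewild.io's own code; the record fields (`cve`, `status`, `first_seen`) and the scanner output shape are assumptions for this example, not the real database schema, and the CVE identifiers and hosts are constructed placeholders.

```python
"""Enrich vulnerability-scan findings with exploitation data to drive patch priority.

Added example, not inthewild.io's code. All data below is constructed inline so
the script runs offline; the field names are an assumption, not the real schema.
"""
from collections import defaultdict
from datetime import date

# Constructed exploitation records. A CVE may appear more than once, e.g. first
# with a public exploit and later with evidence of in-the-wild exploitation.
EXPLOITATION_DATA = [
    {"cve": "CVE-0000-1111", "status": "exploited", "first_seen": "2022-01-10"},
    {"cve": "CVE-0000-2222", "status": "exploit_available", "first_seen": "2022-02-03"},
    {"cve": "cve-0000-1111", "status": "exploit_available", "first_seen": "2021-12-20"},
]

# Constructed scanner output: host -> CVEs the scanner reported on it.
SCAN_FINDINGS = {
    "web-01": ["CVE-0000-1111", "CVE-0000-3333"],
    "db-01": ["CVE-0000-2222", "CVE-0000-3333"],
    "build-01": ["CVE-0000-4444"],
}

# Priority tiers, most urgent first: exploited in the wild means emergency
# patching, a public exploit is the next tier, anything else is routine.
TIERS = {"exploited": 0, "exploit_available": 1}
ROUTINE = 2
TIER_NAMES = {0: "EMERGENCY", 1: "HIGH", ROUTINE: "ROUTINE"}


def index_exploitation(records):
    """Collapse records per CVE, keeping the most urgent tier and its earliest date."""
    idx = {}
    for r in records:
        cve = r["cve"].upper()          # normalise case before joining
        tier = TIERS[r["status"]]
        seen = date.fromisoformat(r["first_seen"])
        cur = idx.get(cve)
        if cur is None or tier < cur["tier"]:
            idx[cve] = {"tier": tier, "first_seen": seen}
        elif tier == cur["tier"] and seen < cur["first_seen"]:
            cur["first_seen"] = seen
    return idx


def prioritise(findings, exploitation_index):
    """Return (tier name, CVE, affected hosts) triples, most urgent first."""
    hosts_by_cve = defaultdict(set)
    for host, cves in findings.items():
        for cve in cves:
            hosts_by_cve[cve.upper()].add(host)
    rows = []
    for cve, hosts in hosts_by_cve.items():
        info = exploitation_index.get(cve)
        tier = info["tier"] if info else ROUTINE
        rows.append((tier, cve, sorted(hosts)))
    # Within a tier, the CVE present on more hosts comes first, then by ID.
    rows.sort(key=lambda row: (row[0], -len(row[2]), row[1]))
    return [(TIER_NAMES[tier], cve, hosts) for tier, cve, hosts in rows]


if __name__ == "__main__":
    index = index_exploitation(EXPLOITATION_DATA)
    for tier_name, cve, hosts in prioritise(SCAN_FINDINGS, index):
        extra = ""
        if cve in index:
            extra = f"  (first seen {index[cve]['first_seen'].isoformat()})"
        print(f"{tier_name:9} {cve}  hosts={','.join(hosts)}{extra}")
```

The `first_seen` date is carried through so that a sysadmin can see how long a vulnerability has been known to be exploited, which is the gap the emergency-patching argument above is about; in a real pipeline the two constructed inputs would be replaced by the scanner's export and the downloaded exploitation database.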

There is another part of security called incident response. These people either investigate hacking cases or proactively put vulnerable machines online (called honeypots) to see who attacks them. Usually these are the people who provide the source information for threat intel feeds. Most of the related research is published on Twitter or on the blogs of incident response companies.

Existing options:

inthewild.io itself collects public information; however, the sources it uses are not trivial to collect and not easy to query. Most of the gain is user-friendliness.

There are similar projects like AttackerKB, but there the information is somewhat freely available yet not open source, and limited by the fact that it is owned by a vendor. They also focus on helping the triage of vulnerabilities by crowdsourcing analysis, and exploitation information is only one facet of this.

There are sources that are vetted, open source and somewhat accessible in format (the CISA exploited vulnerabilities list), but it usually takes days for things to get added (they focus on verification), which might be too late.

There are TI feeds by incident response companies that would include this information, but these are either paid or tied to a product you need to buy. Often these are targeted only at TI people and are not easily ingestible for developers.

USPs:

Open source

Focused on single aspect

User friendly access to data

Easy to report (but still vetted)

https://inthewild.io/

Keywords:

Exploitation, exploits, vulnerabilities, CVEs, patching, vulnerability management, threat intelligence, incident response, updates, vulnerability scanning, vulnerability triage, hacking, exploitation, in the wild