More Than Three Quarters of Vulnerabilities Are Disclosed on Dark Web and Security Sources Before National Vulnerability Database Publication
BOSTON, June 7, 2017 /PRNewswire/ -- Recorded Future, the threat intelligence company, has today revealed new research uncovering that from over 12,500 disclosed Common Vulnerabilities and Exposures (CVEs), more than 75% were publicly reported online before they were published to the NIST's centralized National Vulnerability Database (NVD). Sources reporting include easily accessible sites such as news media, blogs, and social media pages as well as more remote areas of the web including the dark web, paste sites, and criminal forums. This disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them unknowingly open to potential exploits and unable to make strategic and informed decisions on their security strategy. Additionally, the vulnerability content available on the dark web illustrates that the adversary community is actively monitoring and acting on the broad set of sources initially releasing vulnerability information.
The data, taken from the beginning of 2016, showed that the median lag was seven days between a CVE being revealed to ultimately being published on the NIST's NVD. This time lag also significantly differed between vendor announcements and NVD publishing, with the fastest on average one day later and the slowest published with a 172 day average delay.
Additional key findings from the research revealed:
As demonstrated with the recent global WannaCry ransomware attack, many organizations, particularly when a CVE is first publicized in media outlets, hit the panic button to issue a patch based on a reported number of systems affected by any given CVE. The recommended best practices for organizations are to adopt a proactive and risk-based approach to addressing vulnerabilities, and to utilize intelligence from sites that are more difficult to access, such as the dark web, but that are the first to see chatter on new threats and potential zero-days. Security teams need to look at whether the CVE could affect them, assess their appetite for risk, and then only focus on the CVEs that have the highest risk of being exploited. By building a more comprehensive set of risk rules, based on applied intelligence from both friendly and adversary sources, organizations can make infinitely more informed strategic security decisions.
"These findings demonstrate the need for organizations to look beyond the official channels of vulnerability disclosure, such as the NVD, and take a proactive view of vulnerability management that focuses on risk," says Bill Ladd, chief data scientist at Recorded Future. "Security teams can no longer do vulnerability management by numbers. By accessing, aggregating, and applying the available intelligence from a wealth of additional sources, including the dark web, social media, news outlets, and forums, organizations will have a better understanding of their risk and can make informed, strategic decisions that positively impact the business."
For more detail on the research visit www.recordedfuture.com/vulnerability-disclosure-delay.
About Recorded Future
To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/more-than-three-quarters-of-vulnerabilities-are-disclosed-on-dark-web-and-security-sources-before-national-vulnerability-database-publication-300470021.html
SOURCE Recorded Future
Keynote Presentation TBA
IDEA Showcase Startup Pitch Event & Reception
Session Details Coming Soon