Inspiration

Vulnerability Management teams are swamped with vulnerabilities, and have a hard time actually improving an organization's risk posture.

What it does

The Intel-Driven Vulnerability Management content pack enables organizations to connect vulnerability information to actual threats that have both the intent and the capability to do harm. Take the Spectre and Meltdown vulnerabilities, for example. They're rated as high vulnerabilities because they could theoretically lead to RCE, but in practice no one has the capability to exploit them: no proof of concept or in-the-wild attack has been demonstrated. Similarly, nation states that may have the capability to exploit such vulnerabilities may not have the intent to harm an organization's particular country or industry.

This content pack helps close the window of opportunity by prioritizing patches for vulnerabilities that are actively being exploited by motivated and capable threat actors. It also retroactively identifies past incidents that involved the same CVE so they can be re-prioritized appropriately, and lastly it flags any new exploit attempts against that CVE as part of a campaign that must be given high priority.
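The prioritization logic described above, written out as an added example that is not part of the content pack or of Cortex XSOAR: findings from a scanner are scored by threat-actor capability (theoretical, public PoC, exploited in the wild) and intent (does a known actor target the organization's sector), past incidents that involved a now-urgent CVE are pulled out for re-triage, and a new exploit-attempt alert is tagged with its campaign. The CVE ids, hosts, actor names, incidents and the scoring thresholds are all constructed for illustration.

```python
# Added example (not part of the content pack): a minimal intel-driven
# prioritizer that scores vulnerability findings by threat-actor capability and
# intent, links past incidents to the urgent CVEs, and tags new exploit alerts
# with a campaign name. All CVE ids, hosts, actors and incidents below are
# constructed sample data; the scoring rules are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    host: str     # asset reported by the scanner (e.g. Nmap or Tenable)
    cve: str
    cvss: float   # base score from the scanner / NVD feed


@dataclass
class ThreatIntel:
    cve: str
    exploited_in_wild: bool      # capability: exploitation observed in real attacks
    poc_public: bool             # capability: a public proof of concept exists
    actors: List[str]            # who is using it
    targeted_sectors: List[str]  # intent: sectors those actors go after


@dataclass
class Incident:
    id: str
    cves: List[str]   # CVE indicators linked to the incident


def capability(intel: Optional[ThreatIntel]) -> int:
    """0 = theoretical, 1 = PoC only, 2 = used in the wild."""
    if intel is None:
        return 0
    if intel.exploited_in_wild:
        return 2
    return 1 if intel.poc_public else 0


def intent(intel: Optional[ThreatIntel], org_sector: str) -> bool:
    """True when a known actor targets the organization's sector."""
    return intel is not None and org_sector in intel.targeted_sectors


def priority(f: Finding, intel_by_cve: Dict[str, ThreatIntel], org_sector: str) -> str:
    intel = intel_by_cve.get(f.cve)
    cap, motivated = capability(intel), intent(intel, org_sector)
    if cap == 2 and motivated:
        return "critical"    # capable *and* motivated: patch first
    if cap == 2 or (cap == 1 and motivated):
        return "high"
    return "medium" if f.cvss >= 7.0 else "low"   # fall back to CVSS alone


def prioritize(findings, intel_by_cve, org_sector) -> Dict[Tuple[str, str], str]:
    return {(f.host, f.cve): priority(f, intel_by_cve, org_sector) for f in findings}


def incidents_to_retriage(priorities, incidents) -> Dict[str, List[str]]:
    """Past incidents that involved a CVE now rated critical/high."""
    urgent = {cve for (_, cve), p in priorities.items() if p in ("critical", "high")}
    linked: Dict[str, List[str]] = {}
    for inc in incidents:
        for cve in inc.cves:
            if cve in urgent:
                linked.setdefault(cve, []).append(inc.id)
    return linked


def campaign_for_alert(cve: str, intel_by_cve) -> Optional[str]:
    """Tag a new exploit-attempt alert with the campaign it belongs to."""
    intel = intel_by_cve.get(cve)
    if intel is None or not intel.exploited_in_wild:
        return None
    return f"{' / '.join(intel.actors) or 'unattributed'} exploitation of {cve}"


# --- constructed sample data -------------------------------------------------
ORG_SECTOR = "finance"
FINDINGS = [
    Finding("srv-01", "CVE-0000-1001", 9.8),  # scary score, no known capability
    Finding("srv-02", "CVE-0000-2002", 7.5),  # exploited by an actor targeting finance
    Finding("srv-03", "CVE-0000-3003", 6.5),  # exploited, but the actors target energy
    Finding("srv-04", "CVE-0000-4004", 4.3),  # nothing known about it
]
INTEL = {
    "CVE-0000-1001": ThreatIntel("CVE-0000-1001", False, False, [], []),
    "CVE-0000-2002": ThreatIntel("CVE-0000-2002", True, True, ["ActorX"], ["finance"]),
    "CVE-0000-3003": ThreatIntel("CVE-0000-3003", True, True, ["ActorY"], ["energy"]),
}
INCIDENTS = [Incident("INC-100", ["CVE-0000-2002"]), Incident("INC-101", ["CVE-0000-1001"])]

if __name__ == "__main__":
    prio = prioritize(FINDINGS, INTEL, ORG_SECTOR)
    for key, p in sorted(prio.items(), key=lambda kv: kv[1]):
        print(key, p)
    print("re-triage:", incidents_to_retriage(prio, INCIDENTS))
    print("campaign:", campaign_for_alert("CVE-0000-2002", INTEL))
```

Note how the CVSS 9.8 finding ends up only "medium" while the 7.5 one is "critical": capability and intent, not the base score, drive the order in which patches are scheduled, which is the point of the pack. In a real deployment the `ThreatIntel` records would come from the enriched CVE indicators and the `Incident` list from the linked incidents in XSOAR.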

How I built it

Cortex XSOAR's robust and flexible case management capabilities allowed us to build a Threat Intel Campaign case type and layout to organize threat intel. Indicator enrichment and the indicator database were extended to improve CVE and Internal Host handling, and we tied everything together with heavy use of the incident and indicator linking mechanisms.

What's next for Intel-Driven Vulnerability Management

Other vulnerability scanning tools can easily be added to the skeleton provided. We focused primarily on Nmap because it is free and easy to deploy, but also created a playbook for Tenable. Other scanners such as Qualys could be added in the same way.

Built With

  • xsoar