Automating Vulnerability Investigation with SOAR

Back to all articles

vulnerability investigation 1

Vulnerability management is a complex, but a critical process, which must be carefully planned and implemented to reduce undue risk caused by unpatched vulnerabilities. Many recent high profile breaches can be directly tied to the exploitation of vulnerabilities which were both known and could have been mitigated. While phishing is (rightly) seen as one of the greatest current threats to an organization’s security, it is important to remember that although phishing is the means of gaining initial access to an organization, it is the exploitation of a vulnerability which often leads to compromise after a successful phish.

Our goal today is not to discuss how to design and implement a proper vulnerability management program; this topic has been very well covered by many who are much more qualified to discuss the topic than I am. Instead, I would like to discuss any aspect of vulnerability investigation which many organizations may be missing, and how a Security Orchestration, Automation and Response (SOAR) solution such as IncMan can bolster an organization’s vulnerability investigation process.

If you have not seen the presentation by Jay Jacobs of the Cyentia Institute and Michael Roytman of Kenna Security titled "The Etiology of Vulnerability Exploitation" given at RSA Conference 2019, do you’re a favor and spend the hour to check it out. They provide some very interesting research into vulnerability exploitation and how we can improve our security by better focusing our resources. For our purposes today, only one small finding from their research is important; most exploits are publicly released very close to the time that the CVE is published. This means that IF a vulnerability can be exploited, chances are that organizations will have little time to patch this vulnerability before an exploit is publicly available if an exploit was not already publicly released soon before the CVE was published.

Once a CVE is published and an exploit available, a vulnerability can be classified and a detection signature can be developed. The gap between exploit and signature remains a gaping blind spot for most organizations. This blind spot may exist for several days or even several weeks; the critical time when new exploits are most likely to be used as attackers know the highest number of users are likely to be vulnerable. Sure, until the vulnerability is fully patched, an organization is still vulnerable, but at least once an attack signature has been developed you KNOW you’ve been attacked, and you can at least respond.

As exploits start to appear in the wild, threat intelligence vendors begin collecting indicators tied to certain exploits, vulnerabilities, and threat actors. This data can include IP addresses, domains, file hashes and other indicators that may be known to exploit a certain vulnerability. Many threat intelligence vendors permit customers to query based on a CVE or other vulnerability identifier. As organizations identify new vulnerabilities within their infrastructure, this vulnerability intelligence can be used to search historical SIEM, EDR, network and other logs for indicators of previous vulnerability exploitation.

“Great! I’ll have one of my SecOps analysts start doing this since they have plenty of extra time” said no one who read that last paragraph. That’s where SOAR comes in. By automating this process, newly discovered vulnerabilities, including the host they were discovered on and the vulnerability identifier, can be automatically sent to a SOAR solution to begin an automatic investigation. This automatic investigation can begin by searching for threat indicators known to be associated with the exploitation of a vulnerability, then searching available logs for the presence of these indicators correlated with known-vulnerable hosts. If a correlation is found, this information can be automatically fed back to the security team and additional enrichment or containment action could be automatically initiated.

By managing this vulnerability investigation process automatically through a SOAR solution, organizations are able to go back in time and detect previous exploitations of vulnerabilities that may have otherwise gone unnoticed for weeks, months or years, without adding a significant workload to the security team.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo