Using Threat data in your vulnerability management strategy with MISP
How organizations can use MISP threat sharing and Metasploit CVE data to prioritize vulnerability patching based on real-world exploit activity rather than CVSS scores alone.
Ensuring a good patch management strategy in any company often raises the same hard trade-off: coverage versus risk versus cost.
Some companies expect to be 100% patched no matter how critical the patch is, meaning it can be anything from fixing a button that does not work to closing a critical vulnerability that is being abused in the wild.
This blog post focuses on patches that are related to vulnerabilities, and on how organizations can optimize the cost and minimize the risk through the use of the MISP Threat Sharing Platform.
Using CVSS
The Common Vulnerability Scoring System (CVSS, https://www.first.org/cvss/v3-1/) is one approach that some companies have started to adopt. It is a metric system that scores a vulnerability from 1–10 based on various vectors.
The Base Score is the static part of the rating, whereas the Temporal Score can change over time.
A CVSS score of 10 is seen as the most critical and should be patched as soon as possible. As an example, CVE-2019-0708, also known as BlueKeep, is a vulnerability with a CVSS score of between 9.8 and 10 depending on which version of CVSS is used.
In some cases this is useful to ensure that what at first looks like the most critical vulnerabilities are fixed first; however, it is based on treating one vulnerability as one threat.
It does not take into account that two or three vulnerabilities chained together can pose an even bigger threat. Think of it this way: if you do not expose any RDP services to the internet, then however important the patch is, it might not be as critical as a WordPress RCE vulnerability (CVE-2019-8943) which has a CVSS Base Score of 6.5 and is exposed to the internet.
So the overall conclusion on CVSS is that it is good for giving an overall metric score to a vulnerability, but it is not optimal for prioritizing vulnerabilities or for deciding how your patch strategy should be run, as it takes into consideration neither the location of the device with the vulnerability nor whether the vulnerability is being exploited.
If it is exploitable — Prioritize in your vulnerability management
The point of prioritizing vulnerabilities was also presented at this year's Black Hat in Las Vegas in the talk "Predictive Vulnerability Scoring System", which covered the need to choose how to get the biggest threat coverage for the lowest cost (money and time).
What you should do is look for vulnerabilities where an exploit is being mentioned or is publicly available, and start by prioritizing these.
A simple example would be to extract CVEs from Metasploit and other open sources.
Extracting CVEs from Metasploit
The reason for extracting CVEs from Metasploit is to use them to prioritize your patch strategy, and the data is rather trivial to get and to use.
As an example, here is how you could set up a continuous feed.
In this example we are using https://github.com/rapid7/metasploit-framework, which is the community edition.
cd /opt/
git clone https://github.com/rapid7/metasploit-framework.git
Create a bash script that is executed every 12 hours, for example, which filters the CVEs out of the module source code and stores the result where a web server can serve it.
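The extraction step described above, as an added example that is not part of the original post or of the Metasploit project: a POSIX shell script that walks the framework's modules directory, pulls out every CVE referenced by a module and writes one unique id per line, which is exactly the shape a MISP freetext feed (and a patch team's spreadsheet) can consume. It assumes that modules reference CVEs as ['CVE', 'YYYY-NNNN'] inside their 'References' array; the sample module tree it builds is constructed here so the script runs offline, and in production you would point extract_cves at /opt/metasploit-framework.

```shell
#!/bin/sh
# Added example (not from the original post or the Metasploit project): list the
# CVE identifiers referenced by Metasploit modules as a feed file for the
# vulnerability-management team.
# Assumption: modules reference CVEs as  ['CVE', '2019-0708']  in 'References'.
# Schedule with cron, e.g.:  0 */12 * * *  /opt/metasploit-cve-feed.sh

# extract_cves <checkout-dir> : print one unique "CVE-YYYY-NNNN" per line, sorted.
extract_cves() {
    grep -rhoE "\\[ *'CVE', *'[0-9]{4}-[0-9]+' *\\]" "$1/modules" \
        | sed -E "s/.*'([0-9]{4}-[0-9]+)'.*/CVE-\\1/" \
        | sort -u
}

# count_cves <checkout-dir> : number of unique CVEs found. A sanity check before
# publishing: an empty feed usually means the checkout path is wrong, not that
# Metasploit has no CVE references.
count_cves() {
    extract_cves "$1" | wc -l | tr -d ' '
}

# make_sample_checkout : build a constructed, minimal module tree (two modules,
# one duplicate reference, one non-CVE reference) so the script runs offline.
make_sample_checkout() {
    dir=$(mktemp -d)
    mkdir -p "$dir/modules/exploits/windows/rdp" "$dir/modules/exploits/multi/http"
    cat > "$dir/modules/exploits/windows/rdp/sample_bluekeep.rb" <<'EOF'
      'References' => [
        ['CVE', '2019-0708'],
        ['URL', 'https://example.invalid/advisory']
      ],
EOF
    cat > "$dir/modules/exploits/multi/http/sample_wp.rb" <<'EOF'
      'References' => [
        [ 'CVE', '2019-8942' ],
        [ 'CVE', '2019-8943' ],
        [ 'CVE', '2019-8943' ]
      ],
EOF
    echo "$dir"
}

# Stand-alone run: extract from the constructed tree and write the feed file that
# a web server would serve to MISP (the feed URL mentioned later in the post is
# the same idea, published by eCrimeLabs).
sample=$(make_sample_checkout)
extract_cves "$sample" > "$sample/metasploit-cve.txt"
echo "feed written to $sample/metasploit-cve.txt ($(count_cves "$sample") CVEs)"
cat "$sample/metasploit-cve.txt"
```

The regex is deliberately strict (a literal CVE tag followed by a year and a number) so that comments or URLs that merely mention "CVE" in a module do not leak into the feed; anything the team sees in the file is therefore a CVE that a published module actually claims to target.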
MISP — Real-time updates from shared threats
The extraction of CVEs from Metasploit is very useful on its own, but by using the MISP Platform the gain is extended even further, because the sharing capabilities in MISP give you the context around a given vulnerability being exploited.
As an example, this is information pulled from an article on ZDNet, "US Cyber Command issues alert about hackers exploiting Outlook vulnerabilities", and converted into a MISP event.
This gives information about both the vulnerability being used and the context in which it is used, which helps with prioritization.
Adding Metasploit into MISP as a custom Feed
At the same time, taking the Metasploit information extracted earlier and turning it into a MISP feed centralizes your threat visibility into which known CVEs are being mentioned, used, or publicly seen in use.
The Metasploit CVE feed can be pulled from https://feeds.ecrimelabs.net/data/metasploit-cve; the feed is updated twice a day.
From MISP to the Vulnerability/Patch Management team
So we have now collected the data from Metasploit and combined it with the large data set from our MISP threat sharing (#SharingIsCaring). It is now a trivial task to get the correlated information to your Patch or Vulnerability Management team so they can make use of it.
In MISP you can access this directly from the export function or through the REST API search.
eCrimeLabs customers that are using the Cratos API have this capability out of the box, with the possibility to retrieve the vulnerability information based on time, e.g. what has been seen in the last week, month or year.
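The REST API search mentioned above, as an added example that is not part of the original post, of MISP's own documentation, or of the Cratos API: a shell script that asks MISP's /attributes/restSearch endpoint for every attribute of the built-in type "vulnerability" published within a time window (for example the last 7 days), then reduces the JSON response to a plain, de-duplicated list of CVE ids for the patch team. It assumes MISP_URL and MISP_KEY are set in the environment and that the search parameters shown (returnFormat, type, publish_timestamp, enforceWarninglist) are accepted by the instance; the sample response embedded in the script is constructed so the parsing step can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): hand the CVEs MISP has seen in a time
# window to the vulnerability-management team as a plain list.
# Assumptions: MISP_URL and MISP_KEY are set; the instance exposes the standard
# /attributes/restSearch endpoint; CVE ids live in attributes of type "vulnerability".

# restsearch_body <window> : JSON body asking for vulnerability attributes whose
# event was published inside the window, e.g. "7d", "30d" or "365d".
# enforceWarninglist drops values that hit a MISP warninglist (known false positives).
restsearch_body() {
    printf '{"returnFormat":"json","type":"vulnerability","publish_timestamp":"%s","enforceWarninglist":true}' "$1"
}

# misp_vuln_search <window> : perform the live search (needs network and an API key).
misp_vuln_search() {
    curl -sS -X POST "$MISP_URL/attributes/restSearch" \
        -H "Authorization: $MISP_KEY" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -d "$(restsearch_body "$1")"
}

# cves_from_response : read a restSearch JSON response on stdin and print the unique
# CVE ids, upper-cased, one per line. Uses grep/sed so it works without jq, and
# accepts a value only if the whole value is a CVE id (free-text comments that just
# mention a CVE are ignored).
cves_from_response() {
    grep -oE '"value": *"[Cc][Vv][Ee]-[0-9]{4}-[0-9]+"' \
        | sed -E 's/.*"([^"]+)"$/\1/' \
        | tr 'a-z' 'A-Z' \
        | sort -u
}

# Constructed sample response, shaped like MISP's restSearch output: two sightings of
# the same CVE, one lower-cased id, and a comment attribute that must be ignored.
SAMPLE_RESPONSE='{"response":{"Attribute":[
 {"id":"1","type":"vulnerability","value":"CVE-2019-0708","Event":{"info":"Metasploit CVE feed"}},
 {"id":"2","type":"vulnerability","value":"cve-2019-8943","Event":{"info":"WordPress RCE seen exploited"}},
 {"id":"3","type":"vulnerability","value":"CVE-2019-0708","Event":{"info":"BlueKeep scanning observed"}},
 {"id":"4","type":"comment","value":"CVE-2000-0001 mentioned in passing"}
]}}'

# Stand-alone run against the constructed data. For live use replace the printf with:
#   misp_vuln_search 7d | cves_from_response > cves-to-patch-first.txt
printf '%s\n' "$SAMPLE_RESPONSE" | cves_from_response
```

The output is intentionally just the identifiers: the patch team's tooling keys on CVE ids, and anything in this list has, by construction, either a public Metasploit module or a shared event behind it, which is the prioritization signal the post argues for.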
Conclusion
"If there is an exploit mentioned or publicly available, you should prioritize patching it, no matter what CVSS score or risk level it is marked with."