April 18, 2024
Note: This blog is part of a three-blog series on Vulnerability Intelligence that accompanies the release of Digital Shadows’ (now ReliaQuest) latest whitepaper, Vulnerability Intelligence: Do You Know Where Your Flaws Are?
Managing vulnerabilities is a daunting task for security teams that are constantly busy keeping up with the vulnerability threat landscape. New security flaws are discovered every day; consequently, security teams are often pushed into patching without adequate planning and miss bugs that continue to represent a significant risk. The result? Cybercriminals and state-sponsored threat actors can often leverage unpatched vulnerabilities to gain access to a target’s environment and conduct further malicious activity.
In an ideal world, these vulnerabilities are responsibly disclosed, giving vendors time to respond publicly and roll out timely patches. Even better, critical software vulnerabilities would get patched automatically! In this utopian environment, patches wouldn’t cause everything to break in production and conflicting interdependencies could be easily fixed. Doesn’t this sound dreamy? Sadly, this is not a very plausible scenario for most security teams out there.
The current information technology (IT) landscape is a highly complex environment of old and new technologies that have significantly expanded the attack surface. When new vulnerabilities are disclosed, security teams often need to scramble to figure out how these would impact their systems and what to patch first. Adopting an efficient vulnerability management program can offset some of the traditional challenges associated with triaging threats and asset management, and significantly improve your organization’s security posture.
For this reason, Digital Shadows (now ReliaQuest) has just published its latest research piece, Vulnerability Intelligence: Do you know where your flaws are?, in which we went down the cybercriminal-forum rabbit hole to understand how threat actors continually exploit security teams’ weaknesses. The picture we obtained has convinced us that the traditional – and sometimes chaotic – approach to vulnerability patching is no longer sustainable, and that we need a new paradigm to stay one step ahead of malicious actors.
As part of our investigation, we gathered extensive primary-source evidence from cybercriminal markets and forums to better understand what the criminal market for vulnerabilities looks like. This environment is bursting with a wide variety of actors spanning a whole range of technical expertise and motives. The technical discussions of this eclectic underground cohort have, in fact, produced a fairly cohesive, crowd-sourced body of knowledge about vulnerabilities and exploits.
The top of the cybercriminal pyramid is the market for zero-days. This market is extremely expensive and competitive, and it has traditionally been the preserve of state-sponsored threat groups. However, certain high-profile cybercriminal groups (read: ransomware gangs) have amassed incredible fortunes in the past few years and can now compete with the traditional buyers of zero-day exploits.
This is probably why zero-day sellers have moved their auctions to cybercriminal forums: to fish in this large and wealthy pool. Zero-day exploits are incredibly pricey, and we’ve observed threat actors claiming that one could go for up to $10,000,000. These prices may look jaw-dropping, but there’s a key aspect to keep in mind. Whatever legitimate bug bounty programs offer, cybercriminals must offer more in order to compete with them, given the risks (jail time) and the additional overhead of illicit activity (i.e. money laundering).
Is it clear now why this has traditionally been a state-sponsor-exclusive club? Very few cybercriminals have that kind of money to splash on a vulnerability. And even fewer of them will actually be motivated to invest that sum when organizations still have Remote Desktop Protocol (RDP) services exposed to the internet (and yes, there are a lot of them). But the espionage campaign of a state-sponsored APT group can easily justify sinking funds into an exclusive zero-day if it reels in invaluable information.
Feel like a multi-million-dollar price tag may be a bit too much for your pockets? No worries, the cybercriminal community doesn’t want anyone to miss out on the zero-day fun! During our investigation for this research piece we noticed cybercriminals discussing ideas for an Exploit-as-a-Service business model that would inevitably lower the barrier to accessing sophisticated exploits.
This model would allow capable threat actors to “lease” zero-day exploits to other cybercriminals for use in their attacks. While a developer can generate large profits by selling a zero-day exploit outright, it often takes a significant amount of time to complete such a sale. Leasing would let zero-day developers earn substantial income by renting the exploit out while waiting for a definitive buyer. Additionally, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis.
Zero-day exploit developers can certainly generate large profits by selling to government-backed threat actors, but this process can eat up time and drive developers to seek alternative revenue sources. That is when exploit-as-a-service becomes viable: it generates their desired income from a range of interested parties. The result? More and more financially motivated threat actors with their hands on dangerous tools.
Zero-days and high-profile threat actors certainly provide great insights into the cybercriminal world, but they represent only a tiny fraction of this complex ecosystem. The vast majority of the cybercriminal community is in fact busy discussing and sharing knowledge about older vulnerabilities that security teams haven’t properly patched yet.
Apart from a few exceptions, the cybercriminal community is known for being opportunistic and targeting low-hanging fruit rather than mounting highly sophisticated offensive campaigns. Overlooked security flaws in software and hardware may well provide cybercriminals with valuable initial access to a victim’s environment, from which they can cause serious harm.
The user base for older vulnerabilities is broad. For starters, many low-skilled cybercriminals need some time before they can exploit a new vulnerability, and may even need support from the cybercriminal community, such as tutorials or guides on how to use the latest exploit. Then there are the penny-pinchers. Despite the high payouts associated with cybercrime, we’re all now aware that the best (zero-day) exploits don’t come cheap. It can be worthwhile to wait for a vulnerability to become more mainstream, with corresponding PoCs or exploits released for free or at a lower price.
Ok, maybe the ideal world described at the beginning of this blog is still far off. However, security teams can still significantly improve their security posture with a few changes to their habits. For example, incorporating a risk-based approach to vulnerability management can go a long way in helping security teams navigate this sea of vulnerabilities. A framework based on the impact and likelihood of exploitation of each vulnerability can help mitigate some of the triaging and asset management challenges mentioned above: a critical-severity bug on an isolated, low-value system with no known exploit is usually a lower priority than a medium-severity bug on an internet-facing system that criminals are already exploiting.
However, making informed decisions requires a good dose of contextual knowledge about the latest vulnerabilities disclosed. Identifying intelligence needs based on your threat model is therefore crucial to improving triaging and patching processes. Incorporating vulnerability intelligence will help you prevent and quickly mitigate the threats most relevant to your specific organization. And once fused into your organization’s threat model, vulnerability intelligence can be used across a variety of internal functions to improve security planning, such as triaging threats, communicating them to stakeholders, and mitigating them in a timely and accurate manner.
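To make the likelihood-times-impact idea concrete, here is an added worked example (not code from the report or from ReliaQuest) that ranks a small set of constructed vulnerability records two ways: by raw CVSS score, and by a risk score that combines CVSS and asset criticality (impact) with the intelligence signals discussed in this blog (likelihood): active exploitation in the wild, a freely available PoC, exploit chatter on criminal forums, and internet exposure. The weights, the `VULN-00x` identifiers and all record values are illustrative assumptions, not published data.

```python
"""Risk-based vulnerability triage: likelihood x impact instead of CVSS alone.

Added example; the weights and sample records below are constructed for
illustration and are not from the whitepaper or any real dataset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss: float               # CVSS base score, 0.0-10.0
    asset_criticality: int    # 1 (low value) .. 5 (crown jewels), from the asset inventory
    internet_facing: bool     # is the affected asset reachable from the internet?
    exploited_in_wild: bool   # vendor / "known exploited" style signal
    public_poc: bool          # free PoC or weaponised exploit available
    forum_chatter: bool       # vulnerability intelligence: exploit discussed or sold on criminal forums


# Assumed (hypothetical) weights for the likelihood signals. They sum to 1.0,
# so a vulnerability with every signal present scores likelihood 1.0.
LIKELIHOOD_WEIGHTS = {
    "exploited_in_wild": 0.40,
    "public_poc": 0.25,
    "forum_chatter": 0.20,
    "internet_facing": 0.15,
}
LIKELIHOOD_FLOOR = 0.05  # nothing is ever "impossible" to exploit


def likelihood(v: Vuln) -> float:
    """Probability-like score in [LIKELIHOOD_FLOOR, 1.0] from the exploitation signals present."""
    score = sum(w for name, w in LIKELIHOOD_WEIGHTS.items() if getattr(v, name))
    return max(LIKELIHOOD_FLOOR, min(1.0, score))


def impact(v: Vuln) -> float:
    """Score in [0, 1]: technical severity (CVSS) scaled by how much the asset matters."""
    return (v.cvss / 10.0) * (v.asset_criticality / 5.0)


def risk(v: Vuln) -> float:
    """Risk = likelihood x impact, rounded for stable comparison/reporting."""
    return round(likelihood(v) * impact(v), 4)


def prioritize(vulns):
    """Patch order under the risk-based model (highest risk first)."""
    return sorted(vulns, key=risk, reverse=True)


def cvss_order(vulns):
    """Patch order under the naive model: highest CVSS first, context ignored."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


# Constructed sample records (not real CVEs or real assets).
SAMPLE_VULNS = [
    # Critical CVSS, but an isolated low-value box with no exploit anywhere.
    Vuln("VULN-001", cvss=9.8, asset_criticality=2, internet_facing=False,
         exploited_in_wild=False, public_poc=False, forum_chatter=False),
    # "High" CVSS on an internet-facing crown-jewel system, already being exploited.
    Vuln("VULN-002", cvss=7.5, asset_criticality=5, internet_facing=True,
         exploited_in_wild=True, public_poc=True, forum_chatter=True),
    # High CVSS, exposed, PoC and forum discussion observed, no confirmed exploitation yet.
    Vuln("VULN-003", cvss=8.8, asset_criticality=4, internet_facing=True,
         exploited_in_wild=False, public_poc=True, forum_chatter=True),
    # Medium CVSS on an exposed critical asset, but attackers are already using it.
    Vuln("VULN-004", cvss=5.3, asset_criticality=5, internet_facing=True,
         exploited_in_wild=True, public_poc=False, forum_chatter=False),
]


def triage_report(vulns):
    """Return (id, cvss, risk) tuples in risk-based patch order."""
    return [(v.vuln_id, v.cvss, risk(v)) for v in prioritize(vulns)]


if __name__ == "__main__":
    print("By CVSS alone :", [v.vuln_id for v in cvss_order(SAMPLE_VULNS)])
    print("By risk       :", [v.vuln_id for v in prioritize(SAMPLE_VULNS)])
    for vuln_id, cvss, r in triage_report(SAMPLE_VULNS):
        print(f"  {vuln_id}  cvss={cvss:<4}  risk={r}")
```

Run stand-alone, the script shows the reordering the paragraph argues for: the 9.8 on an isolated, unexploited system drops to the bottom, while the internet-facing, actively exploited 7.5 moves to the top. The weights are the part you would tune to your own threat model; the point is that exposure and observed attacker interest, not severity alone, decide what gets patched first.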
Want to hear more about it? Download our free Vulnerability Intelligence report here!