From over 12,500 disclosed Common Vulnerabilities and Exposures (CVEs), more than 75% were publicly reported online before they were published to the NIST’s centralized National Vulnerability Database (NVD), Recorded Future researchers have found.
The data, taken from the beginning of 2016, showed that the median lag was seven days between a CVE being revealed to ultimately being published on the NIST’s NVD. This time lag also significantly differed between vendor announcements and NVD publishing, with the fastest on average one day later and the slowest published with a 172 day average delay.
Sources of CVE online reporting include easily accessible sites such as news media, blogs, and social media pages as well as more remote areas of the web including the dark web, paste sites, and criminal forums. Additionally, the vulnerability content available on the dark web illustrates that the adversary community is actively monitoring and acting on the broad set of sources initially releasing vulnerability information.
Additional key findings from the research revealed:
- More than 1,500 sources reported on vulnerabilities prior to release, including information security sources like blogs or social feeds and adversary sources on the dark web.
- 5% of vulnerabilities are detailed in dark web prior to NVD release and these have higher severity levels than expected.
- 30% of vulnerabilities published to the dark web were in foreign languages.
- In the case of the Dirty-Cow vulnerability (CVE-2016-5195), the proof-of-concept (POC) was posted to Pastebin 15 days before NVD publication. The original security report was translated to Russian and posted on an exploit forum two days after the report was first released.
- Over 500 CVEs first reported online in 2016 are still awaiting NVD publication.
- Adversaries (exploit writers) aren’t shy about explicitly using the CVE identifier as they are doing their work.
As demonstrated with the recent global WannaCry ransomware attack, many organizations, particularly when a CVE is first publicized in media outlets, hit the panic button to issue a patch based on a reported number of systems affected by any given CVE.
The recommended best practices for organizations are to adopt a proactive and risk-based approach to addressing vulnerabilities, and to utilize intelligence from sites that are more difficult to access, such as the dark web, but that are the first to see chatter on new threats and potential zero-days.
Security teams need to look at whether the CVE could affect them, assess their appetite for risk, and then only focus on the CVEs that have the highest risk of being exploited. By building a more comprehensive set of risk rules, based on applied intelligence from both friendly and adversary sources, organizations can make infinitely more informed strategic security decisions.