Posted 20 hours ago

Cybersecurity Threats, Malware Trends, and Strategies: Discover risk mitigation strategies for modern threats to your organization, 2nd Edition

£15.495 £30.99 Clearance
Shared by
ZTS2023

About this deal

Figure 2.25: The number of CVEs, critical and high rated severity CVEs and low complexity CVEs in Microsoft Windows 10 (2015–2018)

CVE Details. (n.d.). Top 50 Products By Total Number Of "Distinct" Vulnerabilities. Retrieved from CVE Details: https://www.cvedetails.com/top-50-products.php

NIST. (n.d.). Vulnerability Metrics. Retrieved from National Vulnerability Database: https://nvd.nist.gov/vuln-metrics/cvss

This approach helps the CTI program optimize the resources it has and prevents it from drowning in CTI.

Figure 2.36: The number of CVEs, critical and high severity CVEs and low complexity CVEs in Microsoft Edge (2015–2018)

CVE Details. (n.d.). Mozilla Firefox vulnerability statistics. Retrieved from CVE Details: https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452

Figure 2.4: Vulnerabilities in the 25 products with the most CVEs categorized by product type (1999–2019)

Microsoft Corporation. (n.d.). Microsoft Edge: Making the web better through more open source collaboration. Retrieved from Microsoft: https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#53oueSHZ9BtuhB1G.97

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them."

TLP:AMBER specifies “limited disclosure, restricted to participants’ organizations” (FIRST, n.d.). Receivers are only permitted to share TLP:AMBER information within their own organization and with customers with a need to know. The sender can also specify more restrictions and limitations that it expects the receivers to honor.

Before we dig into the vulnerability disclosure data, let me tell you where the data comes from and provide some caveats regarding the validity and reliability of the data.
There are two primary sources of data that I used for this chapter:

Badger, L.; Johnson, C.; Skorupka, C.; Snyder, J.; Waltermire, D. (October 2016). “NIST Special Publication 800-150”. NIST. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.

Figure 2.37: The number of CVEs, critical and high severity CVEs and low complexity CVEs in Google Chrome (2008–2018)

Windows XP no longer received support as of April 2014, but there were 3 CVEs disclosed in 2017 and 1 in 2019, which is why the graph in figure 2.19 has a long tail (CVE Details, n.d.). Although the number of critical and high severity CVEs in Windows XP did drop from their highs in 2011 by the time support ended in early 2014, the number of CVEs with low access complexity remained relatively high. I don't think we can apply our vulnerability improvement framework to the last few years of Windows XP's life since the last year, in particular, was distorted by a gold rush to find and keep new zero-day vulnerabilities that Microsoft would presumably never fix. These vulnerabilities would be very valuable as long as they were kept secret.

The Traffic Light Protocol (TLP) has become a popular protocol for sharing CTI and other types of information. The “traffic light” analogy in this case has four colors: red, amber, green, and clear. The colors are used to communicate different information-sharing boundaries, as specified by the sender.

Elastic log monitoring for large data sets. Massive data sets and decentralized logs resulting from advances such as big data and IoT complicate the challenge of monitoring activity. Elastic log monitoring is a solution based on several open-source platforms that, when combined, allow companies to pull log data from anywhere in the organization into a single location and then to search, analyze, and visualize the data in real time. Native log-sampling features in core tools can ease an organization’s log management burden and clarify potential compromises.

Barry van Wyk, “China’s cyber crime problem is growing”, The China Project, August 23, 2022.

Figure 2.27: The number of CVEs, critical and high rated severity CVEs and low complexity CVEs in Linux Kernel (1999–2018)

CVE Details. (n.d.). Windows Server 2016 Vulnerability Details. Retrieved from CVE Details: https://www.cvedetails.com/product/34965/Microsoft-Windows-Server-2016.html?vendor_id=26

Figure 2.20: Critical and high severity rated CVEs and low complexity CVEs in Microsoft Windows XP as a percentage of all Microsoft Windows XP CVEs (2000–2019)

Windows 7 Vulnerability Trends

TLP:GREEN permits “limited disclosure, restricted to the community” (FIRST, n.d.). Senders that specify TLP:GREEN are allowing receivers to share the information with organizations within their community or industry, but not by using channels that are open to the general public. Senders do not want the information shared outside of the receiver’s industry or community. This is used when information can be used to protect the broader community or industry.

Let's look at Android, a mobile operating system manufactured by Google. Android's initial release date was in September 2008 and CVEs for Android start showing up in the NVD in 2009. On average, there were 215 CVEs filed for Android per year, with 129 CVEs per year rated critical or high severity; Android only had 43 CVEs in the 6 years spanning 2009 and 2014 (CVE Details, n.d.). The volume of CVEs in Android started to increase significantly in 2015 and has increased since then.

Vulnerability management professionals can further refine the base scores for vulnerabilities by using metrics in a temporal metric group and an environmental group.

Rounding out the top five vendors with the most CVEs is Google. Google is different from the other vendors on the top 5 list. The first year that a vulnerability was published in the NVD for a Google product was 2002, not 1999 like the rest of them. Google is a younger company than the others on the list.

Threats described using STIX are not required to be shared via TAXII – any protocol can be used to do this as long as the sender and receiver both understand and support it.

During this period, 5,560 CVEs were assigned, of which 1,062 were rated as critical or high and 3,190 CVEs had low access complexity. There were 489 CVEs disclosed in 2019, making a grand total of 6,112 CVEs in Oracle products between 1999 and 2019 (CVE Details, n.d.).

STIX Version 2.1. (10 June 2021). OASIS Standard. https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html. Latest stage: https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html.

Some CTI vendors differentiate themselves not necessarily by scale, but by the quality of their data and analysis. They are able to correlate data they have to specific industries and to specific customers within those industries and provide more actionable insights than high-level, anonymized, global trends will typically enable.

even if users have access to the data environment, they may not have access to sensitive data. Organizations should tailor the adoption of zero-trust capabilities to the threat and risk landscape they actually face and to their business objectives. They should also consider standing up red-team testing to validate the effectiveness and coverage of their zero-trust capabilities.

Matt Miller, M. (February 14, 2019). BlueHat IL 2019 - Matt Miller. Retrieved from YouTube: https://www.youtube.com/watch?v=PjbGojjnBZQ

Lastly, using TLP:CLEAR means the “disclosure is not limited” (FIRST, n.d.). In other words, there are no sharing restrictions on information that is disclosed using TLP:CLEAR. Receivers are free to share this information as broadly as they like.

Free UK shipping. 15 day free returns.