7 places to find threat intel beyond vulnerability databases

National Vulnerability Databases (NVDs) can be slow and miss things. Use these sources to supplement your threat and vulnerability intelligence efforts.

The purpose of National Vulnerability Databases (NVDs) is to create a centralized list of security-related software flaws and enable a more automated approach to vulnerability management. The US, China, and Russia all run their own NVDs.

However, there are distinct flaws with all three, meaning there could be major gaps within an organization’s vulnerability management strategy. The US NVD is slow; the media gap between a vulnerability becoming public and appearing on the list is seven days. China’s NVD is quicker to upload public vulnerabilities, but has been accused of altering data to hide government influences. The Russian NVD, run by the country’s Federal Service for Technical and Export Control of Russia, misses many vulnerabilities and is slow with what it does publish.

Good threat intelligence is more than a list of vulnerabilities. Instead of relying on NVDs alone to power your vulnerability scanning, companies should look to other sources to supplement their threat intelligence operations. According to a study by Tenable, over a third of vulnerabilities have a working exploit available on the same day of disclosure, giving hackers days or more of unfettered opportunity to attack. By broadening the scope of your intelligence gathering, you can close the window of opportunity for cybercriminals and gain a richer set of data with which to defend yourself.

1 threat intelligence feeds hand swiping tablet mobile device
Getty Images

1. Threat intelligence feeds

These technical feeds provide streams of threat indicators, They can be paid or unpaid, general or specialized, and they can vary in their quality and usefulness. They are the easiest and most common way of gaining threat intel, and any company serious about security is probably already aggregating and monitoring multiple feeds. Shadowserver is an example of a non-profit feed. FS-ISAC is run by an industry group.

2 dark web
Getty Images

2. Dark web search tools

What better place to get intel on what cybercriminals are up to than where they sell their wares and talk amongst themselves? A host of companies including Webhose, RepKnight and Terbium Labs are creating ways that make the dark web as easy to search and monitor as using Google. Searching the dark web can turn up valuable intel, such as new exploits for sale, or mentions of your company in criminal forums that may indicate you are being targeted.

3 security vendors
Getty Images

3. Security vendors

Most security vendors are constantly investigating new threats and publish findings on their own sites before they reach the public databases. McAfee, for example, was first to discover and publish a Windows vulnerability that allowed browser navigation through Cortana without logging in. Beyond merely following the security vendors you use, keeping up to date with any company that researches technology you use – for example containers or severless computing – could prove valuable.

4 .social media
Getty Images

4. Social media

You can not only follow the latest news and disclosures from companies and individual researchers, but actively track what they’re working on and get up-to-the-minute updates on their latest projects.  You can also track threat actors themselves. An increasing number of criminals use different social media networks to share information, and following them can help you better prepare against incoming attacks

Cyextera recently demoed how it managed to identify a group of hackers by monitoring and processing the habits of one known threat actor, and from there were able to track what they were talking about.

5 blogs and media
Getty Images

5. Security researcher blogs

Aside from the regular cybersecurity press, many security researchers run their own personal blogs. These can be good places to get up to date intel and research on niche areas that may affect you. They might not always provide you with specific vulnerabilities but may provide interesting information on certain threat actors or new exploit methods.

6 web forums
Getty Images

6. Web forums and code repositories

Wilders Security, Security Focus, Anti Online, Hack Forums and even Reddit can be useful sources. The information there often provides in-the-trenches experiences of vulnerabilities being used in the wild, or just rumors that might be worth paying attention to.

Similarly, many security researchers will share their research and projects on repository sharing sites such as Github and Gitlab, giving you access to proof of concept code and exploits. This gives you a chance to drill down into vulnerabilities and assess their severity yourself.

7 threat hunters and honey pots
Getty Images

7. Threat hunting and honey pots

As well as ingesting threat intel from elsewhere, why not create your own? Setting up honeypots within your own networks can provide valuable intel around attack methodology and toolset. Proactive threat hunting can help an organization detect threats quicker, and possibly find new ones other detection systems are unable to spot.