QSC 2022: Qualys’ Threat Research Unit (TRU) – Our Shield Is Your Shield
Last updated on: November 16, 2022
Day two of QSC profiled the special launch of the Qualys Threat Research Unit, TRU. Taking the audience through a madcap tour of what the threat research unit is doing to provide intelligence and actionable insights into its census was Travis Smith, VP of Qualys Threat Research Unit.
He dove deep into the group’s manifesto around how advanced technologies are revolutionizing lives and economies around the world, all while cyber threats are growing at a similar pace – endangering access to the services that improve lives everywhere. Smith detailed the thousands of threats that appear across Qualys’ sensor network and how the company empowers others with the research into these insights. Essentially, TRU works to secure and defend the digital world from bad actors who create chaos and erode trust.
From building vulnerability signatures, writing detection rules, researching and finding zero days, finding and reversing custom malware, reducing attack surface exposure and other advanced threat research activities – TRU works day and night to protect the digital world.
Smith reviewed the 2022 threat landscape, highlighting the latest vulnerabilities discovered (21,825 so far this year, on track to surpass previous year totals), and mentioned that 132 of them have weaponized exploits. This includes vulnerabilities that are leveraged by malware, ransomware, threat actors and known exploits that have been reported to CISA. He compared two of the vulnerabilities, one that made use of manual patching methods to take an average of 70 days to remediate, and one that made use of automated methods and took only 28 days on average to fix. Clearly emphasizing how leveraging automation to reduce time to remediation (MTTR) is effective and necessary in reducing your exposure.
TRU has been busy finding failing cloud service configurations and poor endpoint password hygiene (both are some of the common causes of ransomware attacks), among other issues. They have also been participating in a wide variety of industry outreach and threat sharing, including providing more than 150 open-source scripts that were published to GitHub as well as contributing to the MITRE ATT&CK project. TRU also produces a series of webinars once around each monthly Microsoft Patch Tuesday announcement that discusses all kinds of vulnerabilities – not just the ones that Microsoft disclosed – and another that is called Threat Thursdays.
The team conducts and executes innovative research, discovery and responsible disclosure of new and critical vulnerabilities in popular software applications. The discovery of these vulnerabilities is always exceedingly difficult and results from thorough audits over a period of multiple months – which often result in industry awards and recognition like the internet-shaking vulnerability, PwnKit that was dormant for many years before its discovery.
Smith showcased a typical vulnerability discovery timeline and outlined how adversaries have the advantage, especially if it takes defenders longer than 35 days to remediate and remove the malware. That coupled with lags in refreshing hardware and software along with manual patching methods ultimately means trouble … especially when an enterprise tolerates risky configurations. He noted that there has been exponential growth in vulnerabilities, but also suggested ways to make the playing field more advantageous for defenders. This includes timely remediation, eliminating software misconfigurations and removing old hardware and software. It also helps to “know thy enemy and understand their top attack techniques and tools, such as how they deploy remote access, perform network and asset reconnaissance, employ hacking kits and password stealers and ransomware.”
So, what’s next? Well, TRU has big plans. The team is looking to build a live threat dashboard and improve their threat intelligence product so that threats are cross-referenced with various insights and sightings about the malware using each threat. In a world where bad actors are becoming increasingly sophisticated, and almost weekly, discover and exploit vulnerabilities in widely used programs – research teams like TRU serve an incredibly vital purpose in protecting IT infrastructure and critical data.
Is there a video available?