New at Secure: Enhanced Vulnerability Profiles and CVE Search within MDTI

The Microsoft Defender Threat Intelligence (MDTI) team has revamped vulnerability profiles to improve customers' ability to access world-class intelligence on vulnerabilities and exposures within the Microsoft Defender XDR portal.

These updates include:

  • A new layout that mirrors the design of our Threat Actor and Tool intel profiles for a more consistent experience
  • Vulnerability profiles sorted by published date by default in list view to display a steady feed of new, high importance CVEs
  • The decoupling of Vulnerability Profiles from open-source Common Vulnerabilities and Exposures (CVEs) so customers can access all available information on vulnerabilities
  • An enhanced CVE search experience: searches will return all content related to a vulnerability instead of directing a user to a CVE information page.

These enhancements provide a more intuitive experience for surfacing content related to CVEs, offering critical context on the threats and vulnerabilities referenced in alerts and incidents.

What are Vulnerability Profiles?

Vulnerability Profiles are MDTI's newest intel profile type, launched at Microsoft Ignite in November. Building off our work to introduce intel profiles to MDTI, which has become the definitive source of Microsoft's shareable knowledge on over 200 threat actors and 70 tools, MDTI now also contains over 75 extensive profiles of the CVEs deemed most critical and relevant by our dedicated security researchers.

Amid the many vulnerabilities teams must keep track of, old and new, with varying degrees of prominence and impact as threat actors adjust their tactics, techniques, and procedures (TTPs), Vulnerability Profiles tilt the advantage back in favor of defenders by delivering focused, actionable insights and recommendations on protecting against the most critical CVEs, based on information garnered from the 65 trillion threat signals Microsoft processes per day.

By routinely visiting the “Vulnerabilities” tab on the Intel Profiles page in Defender XDR, customers will see a steady stream of new profiles, sorted by published date, indicating the CVEs that Microsoft's security researchers consider pressing. This enables CISOs, Vulnerability Managers, SOC Analysts and Cyber Threat Intelligence Analysts alike to stay informed on these CVEs, prioritize detections, patch affected endpoints, and implement the other recommendations in their environment for the vulnerabilities most relevant to their organization.

Vulnerability Profiles are accessible from the “Intel profiles” page within the “Threat intelligence” blade in the left navigation. See these profiles by clicking on the “Vulnerabilities” tab:

Vulnerability Profiles are accessible from the “Vulnerabilities” tab on the Intel Profiles page, which is contained under the threat intelligence blade in the left navigation.

On the Vulnerability Profiles list view, the “Profile” column displays the CVE number, title, and summary of the profile, whereas the right-most column displays the published date, indicating how recently Microsoft wrote about the vulnerability. Under the “Intelligence” column, customers will see priority and CVSS scores as well as indications of active exploitation (“Active exploitation observed”), dark web chatter (“Chatter Observed”), and available public proof-of-concept exploits (“POC Available”, “1 Published POC”) for these vulnerabilities.

Vulnerability Profiles are enriched with proprietary information from Microsoft's own research and telemetry that can only be found in our intel profiles. This includes original research such as observations of active exploitation in the wild; detailed analysis of the methods malicious actors use to exploit these CVEs; detections and Advanced Hunting queries that indicate or alert on related activity in an organization's environment; and recommendations to protect against the threat.
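The profile's own hunting queries live in the product; as an added example (not code from the original post or from the MDTI team), the following Advanced Hunting query shows the kind of pivot a practitioner typically runs after reading a profile: from a CVE ID to the devices in the tenant that still expose it, joined with the catalog's exploit-availability and CVSS data. It uses the CVE from the post's search example and the DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB tables populated by Defender Vulnerability Management; the column names are those tables' documented schema as of this writing, and the query assumes that data is present in your tenant.

```kql
// Added example, not from the original post: pivot from a Vulnerability Profile's
// CVE to the exposed devices in the tenant. Assumes Defender Vulnerability
// Management data is flowing into Advanced Hunting.
let cves = dynamic(["CVE-2023-47246"]);   // CVE ID taken from the post's search example
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in (cves)
| project CveId, CvssScore, IsExploitAvailable, PublishedDate
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | where CveId in (cves)
    | summarize Devices = dcount(DeviceId),
                SampleDevices = make_set(DeviceName, 10),
                Versions = make_set(SoftwareVersion, 10)
              by CveId, SoftwareVendor, SoftwareName, VulnerabilitySeverityLevel
  ) on CveId
| project-away CveId1
| order by IsExploitAvailable desc, CvssScore desc, Devices desc
```

Swap the `cves` list for the IDs of the profiles that matter to you and run it on a schedule, or turn it into a custom detection so new exposures to an actively exploited CVE raise an alert rather than waiting for the next manual review.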

MDTI Premium customers can use this feature today from the Intel Profiles page within Defender XDR. Unlicensed users can view free previews of all Vulnerability Profiles from the same page, as well as the full details for select profiles.

Improved Layout and Decoupling from Open-Source CVEs

Users familiar with our Vulnerability Profiles will notice a sleek new look which resembles our other intel profiles:

Vulnerability profiles now feature a new layout that mirrors the design of our Threat Actor and Tool intel profiles for a more consistent experience.

On the new Vulnerability Profile page, you will still see the same context about the CVE as before, including Priority and CVSS (Common Vulnerability Scoring System) scores, published POCs, related articles, indicators and more. Our Vulnerability Profiles now exist on a separate page from the open-source CVE records drawn from the National Vulnerability Database (NVD), giving you multiple ways to find high-quality information on these CVEs within MDTI.

To support this decoupling and alert you to additional information elsewhere in MDTI, you will now see a pop-up box pointing to the linked Vulnerability Profile when viewing the open-source information for the same CVE:

A new pop-up box on our open-source CVE page will indicate when a Vulnerability Profile is available for the same CVE.

Enhanced CVE search

MDTI users have long been able to search for any CVE within MDTI to view its details from NVD. Now, to accommodate the rapid expansion of content across the platform, CVE searches executed from both the Defender XDR global search and the Intel Explorer search will also return matching Intel Profiles and Articles.

With this new approach, searching for an exact CVE ID no longer sends users directly to the NVD information page for the CVE; instead they see a search results page containing the open-source CVE link and more:

Searches for CVEs in Intel Explorer now return Vulnerability Profiles within the Intel Profiles section and the link to NVD information in the Open-Source CVE section. Other related intel profiles and articles will also appear.

As an example, a search for CVE-2023-47246 on the Intel Explorer page (as shown above) surfaces both a Vulnerability Profile and the open-source CVE record containing information from NVD, which is the page users were previously sent to directly. The search results also show that this vulnerability is referenced on the Lace Tempest intel profile and within an article on that threat actor's exploitation of the vulnerability. This represents a more comprehensive approach to CVE searches, enabling you to discover and traverse the breadth of content related to your CVEs of interest within MDTI.

We want to hear from you!

Learn more about what else is rolling out at Microsoft Secure 2024, and be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI and learn how to access the MDTI standard version at no cost.


This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.