Mitigation and remediation are two words that are used a lot in cybersecurity. Most times they are used interchangeably. Although there is a stark contrast between them, both play a major role in security service providers’ risk-related decisions. In this post, we will take a closer look at both strategies and how threat intelligence contributes to each.
Mitigation Versus Remediation: Knowing the Differences
Remediation and mitigation are both a direct result of risk assessment, following the discovery of a new or advanced persistent threat (APT). Remediation involves the removal of threat when it can be eliminated. On the other hand, mitigation involves creating tactics to reduce a threat’s negative impact when it cannot be eliminated.
Remediation is straightforward because it ascertains attack patterns using indicators of compromise (IoCs). For instance, when a scan catches a vulnerability, it has to be patched effectively in order to prevent malicious individuals from exploiting it. The immediate objective of vulnerability remediation is to stop threats from entering the network by closing security holes.
In mitigation, removing the threat is non-negotiable, as it may lead to service disruption. Mitigation involves conducting risk assessments in order to measure the risk profile of a specific threat and ensure that the remaining risks are acceptable. Unlike remediation, a vulnerability can be left unaddressed for the time being provided it does not present offensive risks or threats.
Once a vulnerability has been discovered, the best solution is to remediate it. In other words, allow IT professionals or IT administrators to fix or patch the vulnerability before it can become a security threat. Generally, it’s the organization’s IT security team, system administrators and system owners who come together to know which actions are suitable.
Remediation can be as complex as replacing a fleet of physical servers across an organization’s network or as simple as applying a readily available software patch. When remediation activities are finalized, it’s best to always run another vulnerability scan to confirm that the vulnerability has been fully resolved.
Nevertheless, sometimes remediation is not possible, for many reasons. Firstly, not all vulnerabilities need to be fixed. For instance, if the vulnerability is identified in Adobe Flash Player but the use of Flash Player is already disabled in all applications and web browsers company-wide, there is no need for action. Also, sometimes you may be prevented from taking remediation action by a technology issue, where a patch is not yet available for the vulnerability in question.
Other times, you may experience setbacks from your own organization. This often occurs when a vulnerability is on a customer-facing system and your company wants to avoid the downtime needed to patch a vulnerability.
In those cases, the concept of mitigation will come into play. That’s a process that reduces the likelihood of a vulnerability being exploited. For instance, distributed denial-of-service (DDoS) mitigation can route suspicious traffic to a centralized location where it is filtered.
Generally, mitigation is not the final step in dealing with a vulnerability. It’s more of a way to buy time for the company to either wait for the technology to be released or find a more suitable time to schedule downtime in the system. In the long run, fixing a network security issue is better than blocking the port that could expose it.
How Mitigation and Remediation Figure in the Kill Chain
Nowadays, organizations know better. Rather than assume their applications are impenetrable, they are searching for proactive ways to uncover ongoing attacks through computer forensics, penetration testing or threat intelligence.
Therefore, many IT security experts understand that they need to go beyond the kill chain model to more effectively address attacks. Their solution is through mitigation and remediation techniques guided by the fact that attacks do not stop with interruption.
Let’s take a closer look at the steps in a kill chain:
- Reconnaissance: Attackers research the target by looking at public Internet records for expired domains or certificates they can use for attacks.
- Weaponization: Once weaknesses are spotted in the target’s network, cyber attackers create the payload they will use to infiltrate defenses.
- Delivery: This is the actual act of delivering a malicious payload. Links embedded in spam, phishing emails or malware-laced email attachments are normally used.
- Exploitation: This only occurs when attackers choose to enter a network by abusing a vulnerability in a system or connected device.
- Installation: Attackers install malware on a vulnerable system in the network to elevate access privileges, steal data or gain control.
- Command and Control: This involves the use of a command and control server to communicate with infected hosts within the target’s network.
- Actions on Objectives: Attackers deliver the final blow to the target network, often by exfiltrating data or shutting down operations.
Knowing the elements that make up the kill chain allows cybersecurity professionals to take the right action to prevent attacks. Incident responders can redirect bad traffic to black holes during an ongoing DDoS attack. Additionally, if a similar incident occurs in the future, the best practices they followed in the past can be reapplied, reducing damage and downtime.
How Threat Intelligence Improves Both Processes
IT security experts depend on threat feeds to offer actionable intelligence for their mitigation or vulnerability remediation techniques. Threats are often documented in publicly available databases. To make sense of innumerable datasets, they can use aggregated threat intelligence for faster mitigation and remediation. External data feeds give cybersecurity specialists access to accurate and real-time information which include the following:
- Secure Sockets Layer (SSL) vulnerabilities and misconfigurations that could be signs of malicious connections.
- Domain infrastructure data that reveals registrants, organization data, email addresses and other information, which may be tied to ongoing publicized attacks.
- Reputation scores to know how safe or unsafe accessing a particular domain is.
- A list of domains that resolve to a particular IP address and could reveal ties between both known and unknown malicious hosts.
Threat intelligence empowers security experts by giving them access to structured data to support their remediation and mitigation processes. While policy exceptions and other controls may hold them back from implementing remediation methods, threat intelligence enables them to gain better visibility into all potential attack vectors.
If you need a cybersecurity tool for vulnerability remediation, vulnerability mitigation and protecting your data against cyber threats, choose Vicarius. Vicarius is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market.
Photo by Alice Yamamura on Unsplash