By Ling Cheng (Senior Product Marketing Manager)
What is threat intelligence, and why is it so crucial? Let’s break it down with an example. Picture a company that manages a significant volume of sensitive customer data using a specific operating system. Suddenly, a new strain of malware emerges, specifically targeting vulnerabilities in the company’s chosen system. Complicating matters, this vulnerability hasn’t received widespread attention or made its way into common vulnerability databases. As a result, the company is left exposed and “unaware” of the potential threat.
In situations like this, having access to threat intelligence becomes vital. It provides the company with an opportunity to proactively strengthen its defense mechanisms. Alternatively, in the event of an attack, it facilitates a rapid incident response, effectively minimizing the potential risks associated with data breaches, system disruptions, or other security incidents. Thus, threat intelligence acts as a critical informant, offering valuable insights for organizations to respond promptly and effectively to the constantly evolving landscape of cyberthreats.
This demand is progressively catching the attention of the automotive industry. Currently, prevalent forms of automotive threat intelligence originate from the following data sources:
- Known vulnerabilities: National Vulnerability Database (NVD), Japan Vulnerability Notes (JVN), Project Zero, MITRE CWE, bug reports, etc.
- Open-source intelligence: automotive cybersecurity news, forums, social media, researchers’ public blogs/posts, code-sharing websites, etc.
- Deep web crawling: private social media groups, private forums, etc.
- Dark web crawling: malicious paste sites, closed hacking forums, illegal marketplaces, etc.
- Anti-cybercrime groups: collaborations with Interpol or the FBI.
- Automotive security community: information from groups such as Automotive Security Research Group (ASRG), Automotive Information Sharing and Analysis Center (Auto-ISAC), and Open-Source Security Foundation (OpenSSF).
The missing piece
There’s an important element that should be included in automotive threat intelligence: zero-day vulnerabilities. These refer to flaws in software, firmware, or hardware that are publicly known but remain unpatched by the affected vendors; even if threat researchers have disclosed the issues, the official fixes are still pending.
A zero-day vulnerability is alarming for two main reasons: First, there is currently no solution, and second, it has already been verified as exploitable. For example, two zero-day vulnerabilities were uncovered by Synacktiv at Pwn2Own Vancouver 2023, posing a threat that could enable malicious actors to remotely control a Tesla vehicle. The entire process unfolded in about four minutes.
It’s no wonder that not only do zero-day vulnerabilities command substantial rewards in legitimate bug bounty programs but they’re also highly coveted in underground markets.
Figure 1. VicOne, backed by complete automotive threat intelligence
In response to this growing challenge, VicOne collaborated with Trend Micro’s Zero Day Initiative (ZDI), known for its industry integrity and leadership position in vulnerability disclosure since 2007, to host the first-ever Pwn2Own Automotive. This competition, specifically designed for the automotive industry, aims to uncover hidden, hard-to-detect zero-day vulnerabilities in connected cars.
After three days of competition, VicOne and the ZDI concluded the inaugural edition of Pwn2Own Automotive with the discovery of 49 unique zero-day vulnerabilities. These included vulnerabilities that enabled the NCC Group EDG team to play the popular first-person shooter game Doom on an in-vehicle infotainment (IVI) system. They also included ones that enabled the Synacktiv team to execute successful attacks on the Tesla modem and the Tesla IVI system, ultimately earning them the title of Master of Pwn as the overall winner of the competition.
Protection beyond others’: Unmatched zero-day vulnerability threat intelligence
Thanks to the ZDI’s well-established vulnerability management process developed over the past decade, any zero-day vulnerabilities discovered during Pwn2Own Automotive are duly reported to the respective vendors. The ZDI team can collaborate with these vendors to develop effective patches. As a valued partner, VicOne gains early access to all new vulnerabilities and attack scenarios through the Pwn2Own Automotive event. This collaborative effort allows us to work closely with both vendors and the ZDI team, contributing our expertise in automotive cybersecurity. Together, we work to prepare virtual patches, ensuring that a proactive defense is in place before the official vendor patch release.
Figure 2. The vulnerability management process
One and only: Detection of zero-day vulnerabilities in ECU software package
In collaboration with the ZDI and through strategic initiatives like Pwn2Own Automotive, our mission to explore zero-day vulnerabilities not only adds extra vulnerability intelligence to our automotive threat intelligence but also enables us to collectively safeguard our customers. With VicOne’s superior vulnerability and software bill of materials (SBOM) management system, xZETA, our customers can proactively identify zero-day vulnerabilities in the firmware or binary of their electronic control units (ECUs). This enables product security incident response teams (PSIRTs) or engineering teams to receive early warnings, facilitating early assessments. Once a zero-day vulnerability is publicly disclosed, virtual patching is ready. This empowers customers to harness our unique virtual patching technology for effective mitigation before vendor patch release.
Figure 3. VicOne’s xZETA covers zero-day vulnerability intelligence from the ZDI and strategic initiatives like Pwn2Own Automotive.
Earliest cyberattack detection
Our unique automotive threat intelligence also benefits the VSOC team. After accessing this threat intelligence, our automotive threat experts can analyze suspicious behaviors and map them to tactics, techniques, and procedures (TTPs) outlined in Automotive Attack Mapping (inspired by MITRE ATT&CK®). This process aids in creating corresponding threat expert rules, empowering our xNexus next-gen VSOC platform to detect similar attacks. With one click, the VSOC team can gain quick insights into real-world incidents, evaluating whether the systems in use might be susceptible to exploitable zero-day vulnerabilities. The VSOC team can access detailed information on important factors such as attack vectors, paths, and TTPs for comprehensive automotive cybersecurity insights.
Our achievement is underscored by our recent recognition as the winner of the Best Threat Intelligence Technology award at the SC Awards Europe 2023. Judges have lauded VicOne as a “great automotive solution.”
As the threat landscape undergoes continuous changes, the significance of VicOne’s automotive threat intelligence only escalates. With the strong backing of the ZDI and initiatives like Pwn2Own Automotive, VicOne is dedicated to providing organizations with only the best automotive threat intelligence necessary to safeguard their systems against cyberattacks.