BG Rock-Paper-Haxors

ThreatConnect crushes adversaries, covers mistakes, and cuts time with new Qualys integration

Making decisions is hard. Having taken quite a few graduate courses on the subject and incorporating decision support systems into my dissertation research, I feel like I can say that with a high degree of confidence. Which is why I’m all about making them easier. And as everyone – except those decision theory troublemakers – knows, there’s no easier way to make decisions than coin tosses or a game of rock-paper-scissors (RPS). I prefer the latter because it involves strategy, while the former is so…random.

You all know how it works: 1-2-3-Show. Rock crushes scissors; paper covers rock; scissors cuts paper. Decision made, and nobody argues. It seems simplistic on the outside, but there’s actually quite a bit going on there for those who wish to elevate their game (sorry; requires Flash…Booo!). Imagine if you had had access to that info as a kid – you’d own the world by now!


RPS and Cybersecurity
threatconnect-cuts-time-qualys-integrationSo what does RPS have to do with ThreatConnect, threat intelligence, or even cybersecurity at large? I’m glad you asked – plenty!

You see, RPS is essentially a game of interrelated threats and vulnerabilities. The rock, paper, and scissors all represent threats, but they are not all equally vulnerable. Scissors will never beat rock because the rock has no vulnerability that scissors can exploit. That’s why poor Edward is getting crushed in this picture.

It would be overly simplistic to say that the complexities of cybersecurity management boil down to a game of threat and vulnerability pairings, but it’s not that far off either. Every person I’ve ever known who’s responsible for the security of their organization has asked the question “Are we at risk?” Answering that question requires asking (and answering) a bunch of others, including:

  • Does a credible threat exist?
  • Who is behind it?
  • Would they target us?
  • How would they attack us?
  • Are we vulnerable to those attacks?
  • Can we mitigate that vulnerability?
  • What would be the impact if we can’t?

The ability to answer even one of these questions with confidence can make the whole process much easier. ThreatConnect has built a reputation for helping our customers research and answer threat-related questions like those at the top of that list. Tracking who the adversaries are, what they do, how they do it, why they do it, and to whom they do it is, well, what we do. With a recent release, however, I’m very happy to announce that we help answer the all-important “are we vulnerable?” and “can we mitigate?” questions too.

The ThreatConnect-Qualys integration

Through our new integration with Qualys VM, a leading vulnerability scanning product, ThreatConnect customers can now match known threat capabilities with known vulnerabilities in their environment. I’m personally very excited about it because it’s something that I sincerely believe helps defenders negate the significant knowledge advantage attackers tend to have in cybersecurity.


Think about it; to be successful, defenders need to track all their assets, the configuration of those assets, when those configurations change, how those changes impact a myriad of other assets and functions, what’s currently happening to/within/around those assets, and a host of other things about their environment. Making things infinitely more difficult, they also need to keep  abreast of all the stuff happening outside the enterprise in the broader threat landscape. And then, by some mystical alignment of the stars, they need to fuse that internal and external knowledge together in order to know that a given threat now has the capability of exploiting one of their assets. Attackers, on the other hand, just need to possess a capability, find a single vulnerable target (this often occurs automatically and indiscriminately), and attack it in order to be successful. On the defense side, all of this is understandably error-prone and one of the main reasons why security is so hard. Any opportunity that helps defenders level that playing field is a win in my book.

And this integration is all win for ThreatConnect customers.

Here’s a general overview of how it works. Many sources of intelligence within ThreatConnect, be they public feeds, paid services, sharing communities, etc, contain vulnerability-related information. This is often in the form of CVEs that various actors, malware, etc have exploited in the past. This is helpful information to be sure, but matching it with information about internal assets has been a separate process to this point. With this integration, however, ThreatConnect regularly takes all CVEs from all intelligence sources and cross-references that list with the latest Qualys scan results to determine if any of those vulnerabilities exist across the environment. If there’s a match, ThreatConnect creates a task that includes relevant information about the threat, the vulnerability, and the asset, and alerts the appropriate staff to prioritize and handle remediation efforts.  With intelligence constantly changing on both the threat side and the asset side, this function truly does cover a multitude of mistakes and cut a huge amount of time.
Just to make sure that’s clear: If any of your intel sources/feeds/communities adds vulnerability info, ThreatConnect will automagically compare that to your Qualys scan results and let you know if you need to do something.





And that’s not all! Combined with other ThreatConnect features and integrations, you can take additional steps to reduce risk. For instance, consider a situation in which you’re now aware that a vulnerability exists that can be exploited by an active threat but you can’t (for whatever reason) patch affected systems immediately. You could task analysts to gather additional intelligence on that threat, push associated indicators to your SIEM to monitor for any signs of related activity, go hunting across endpoints for malicious files and processes, block outbound connections to hosts controlled by that adversary, etc. All of this is possible via current integrations and demonstrates why we’ve worked so hard to make ThreatConnect a platform rather than a standalone product.

Oh – and next time you’re playing rock-paper-scissors – throw ThreatConnect. It’s a sure win 😉











I want me some of that!

If you already have an account with ThreatConnect, contact your Customer Success Engineer for information on how to integrate with Qualys. If you wish to obtain the ThreatConnect and Qualys integration, please contact or 800.965.2708. For more information, please contact your sales representative or click ‘Send Inquiry’ from within the ThreatConnect TC Exchange.


Wade Baker
About the Author
Wade Baker

Wade Baker is the Vice President, Strategy and Risk Analytics at ThreatConnect. He believes improving information security starts with improving security information. In keeping with this belief, he’s working to complete his doctoral thesis, “Toward a Decision Support System for Managing Information Risk in Supply Chains”. Previously, he served as Director of Cybersecurity Strategy and Research at Verizon Security Solutions where he led the overall direction of security services, technology capabilities, intelligence operations, and research programs. Baker spearheaded Verizon’s annual Data Breach Investigations Report (DBIR), the Vocabulary for Event Recording and Incident Sharing (VERIS), and the VERIS Community Database. Wade holds a B.S. and M.S. from the University of Southern Mississippi, and a PhD from Virginia Tech. He currently lives in Virginia with his incredible wife and 4 awesome kids.