Aqua Security findings become significantly more actionable when enriched with external threat intelligence feeds.
Let’s see this in action. Imagine Aqua Security flags a high-severity vulnerability in log4j version 2.14.1 within your container image. This is a known critical vulnerability, but without threat intel, it’s just a CVE ID.
Now, let’s add threat intelligence. Suppose a reputable feed (like Recorded Future, CrowdStrike, or Mandiant) provides context for this specific CVE: "Actively exploited in the wild by ransomware groups targeting unpatched Java applications." This immediately elevates the urgency.
Here’s how Aqua integrates this:
```json
{
  "findingId": "aqua-vuln-12345",
  "resource": "my-docker-registry.com/my-app:latest",
  "vulnerability": {
    "cveId": "CVE-2021-44228",
    "name": "Log4Shell",
    "severity": "critical",
    "description": "A remote code execution vulnerability in Apache Log4j 2.x.",
    "package": "log4j-core",
    "version": "2.14.1"
  },
  "threatIntelligence": {
    "source": "Recorded Future",
    "exploitability": "Actively Exploited",
    "attackVectors": ["Network"],
    "threatActors": ["Ransomware Groups", "APT3"],
    "malwareAssociated": ["Conti", "REvil"],
    "confidenceScore": 0.95
  }
}
```
This JSON snippet, representing a finding enriched with threat intelligence, tells a much richer story. The `threatIntelligence` block is where the magic happens.
The Problem Aqua Solves:
Vulnerability scanners, by themselves, generate a lot of noise. They find thousands of CVEs, and prioritizing which ones to fix is a massive challenge. A CVE might be technically critical but rarely exploited, or a high-severity vulnerability might be actively targeted by sophisticated actors right now. Threat intelligence provides the context to distinguish between theoretical risk and actual, imminent danger.
How it Works Internally:
Aqua Security’s platform continuously scans your environment for vulnerabilities. When a vulnerability is detected, Aqua queries configured external threat intelligence platforms (TIPs) using the CVE ID. The TIP aggregates data from various sources:
- Honeypots: Networks designed to attract attackers.
- Dark Web monitoring: Tracking discussions and sales of exploits.
- Security vendor telemetry: Data from endpoint protection, network sensors, etc.
- Publicly available exploit databases: Tracking newly released exploit code.
The TIP analyzes this data and returns a score or classification indicating the current threat level associated with that CVE. Aqua then associates this intelligence with the finding, making it visible in its dashboard and reports.
Levers You Control:
- Threat Intelligence Feeds: Aqua supports integration with multiple TIPs. You choose which feeds to enable and configure their access credentials (API keys, endpoints). The quality and breadth of your chosen feeds directly impact the richness of the enrichment.
- Enrichment Policies: You can define policies within Aqua to determine how threat intelligence should influence your risk scoring and prioritization. For instance, you might configure Aqua to automatically elevate the severity of any finding that is "actively exploited in the wild" by two levels, or trigger an automated response (like blocking a deployment) if a vulnerability is associated with a specific high-priority threat actor.
- Reporting and Dashboards: How the enriched data is displayed is configurable. You can filter findings based on threat intelligence indicators (e.g., "show me all critical vulnerabilities currently being exploited").
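To make the enrichment-policy lever concrete, here is an added example (not Aqua's own policy engine or API) that applies the two rules described above to the enriched finding shown earlier: elevate severity by two levels when the feed reports active exploitation, and flag a deployment block when a watchlisted threat actor is associated. The severity ladder, the `min_confidence` threshold, the actor watchlist and the two extra findings are all constructed for illustration.

```python
# Hypothetical severity ladder; Aqua's real scale may differ.
SEVERITY_LADDER = ["low", "medium", "high", "critical"]

# First finding is the page's enriched Log4Shell finding (trimmed to the
# fields the policy reads); the other two are constructed for contrast.
ENRICHED_FINDINGS = [
    {
        "findingId": "aqua-vuln-12345",
        "vulnerability": {"cveId": "CVE-2021-44228", "severity": "critical"},
        "threatIntelligence": {
            "exploitability": "Actively Exploited",
            "threatActors": ["Ransomware Groups", "APT3"],
            "confidenceScore": 0.95,
        },
    },
    {   # constructed: medium finding that the feed says is actively exploited
        "findingId": "example-vuln-2",
        "vulnerability": {"cveId": "CVE-EXAMPLE-1", "severity": "medium"},
        "threatIntelligence": {
            "exploitability": "Actively Exploited",
            "threatActors": [],
            "confidenceScore": 0.80,
        },
    },
    {   # constructed: finding with no enrichment at all
        "findingId": "example-vuln-3",
        "vulnerability": {"cveId": "CVE-EXAMPLE-2", "severity": "high"},
    },
]

# Hypothetical enrichment policy, mirroring the rules described in the text.
POLICY = {
    "elevate_if_actively_exploited": 2,   # raise severity by two levels
    "min_confidence": 0.7,                # ignore low-confidence enrichment
    "block_on_actors": {"APT3"},          # high-priority actor watchlist
}

def apply_policy(finding, policy=POLICY):
    """Return the effective severity and the action the policy mandates."""
    level = SEVERITY_LADDER.index(finding["vulnerability"]["severity"].lower())
    ti = finding.get("threatIntelligence") or {}
    action = "ticket"
    # Only let enrichment change the outcome when the feed is confident enough.
    if ti.get("confidenceScore", 0.0) >= policy["min_confidence"]:
        if ti.get("exploitability") == "Actively Exploited":
            level = min(level + policy["elevate_if_actively_exploited"],
                        len(SEVERITY_LADDER) - 1)       # cap at "critical"
        if set(ti.get("threatActors", [])) & policy["block_on_actors"]:
            action = "block_deployment"
    return {"findingId": finding["findingId"],
            "severity": SEVERITY_LADDER[level], "action": action}

def triage(findings=ENRICHED_FINDINGS):
    """Apply the policy to every enriched finding."""
    return [apply_policy(f) for f in findings]
```

Running `triage()` keeps the Log4Shell finding at critical but marks it for a deployment block, promotes the constructed medium finding to critical, and leaves the unenriched finding untouched.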
The most impactful threat intelligence often relates to exploitability. A CVE might have a CVSS score of 9.8 (critical), but if no public exploits exist, and it’s not being actively used in attacks, its immediate risk to your organization is lower than a CVE with a CVSS of 7.5 that is being widely exploited by ransomware. The threat intelligence feeds bridge this gap, providing the real-world context that makes vulnerability management effective.
Once you’ve integrated threat intelligence, the next logical step is to automate remediation workflows based on these enriched findings.