PatrowlHears — Open-Source Vulnerability Intelligence Center

Real-time vulnerability and threat intelligence platform, on steroids.

Nicolas Mattiocco
6 min readDec 25, 2020

Intelligence-driven Security or ‘Vulnerability Intelligence’ is an approach to manage cyber-threats as efficiently as possible. It helps to analyze vulnerabilities and prioritize remediation steps.

TL;DR

PatrowlHears — Global design, data feeds and integrations

Go to https://github.com/Patrowl/PatrowlHears. Installation notes here.

Global overview

The Patrowl.io community provides scalable, free and open-source solutions for orchestrating Security Operations and providing Threat Intelligence feeds.

Vulnerability and exploit search engine

PatrowlHears provides a unified source of vulnerability, exploit and threat Intelligence feeds. Users accesses a comprehensive and continuously updated vulnerability database scored and enriched with exploit and threat news information. These metadata are collected from public OSINT and private feeds. As today, it’s one of the most extended database.

This platform tracks vulnerabilities, security bulletins, exploits, blog posts, conference slides & videos, article and threat data related to your assets. All data are cross-referenced and collected from public OSINT (NVD, PacketStorm, Tenable Nessus DB, Metasploit, Exploit-DB, Seebug, HackerOne, RubySec, Huntr, NPMJS, GHSA, Google Project Zero, ZDI, FriendsOfPHP, Github repositories, Twitter infosec feeds, …).

Vulnerability attributes are compliant with standard references including CVE, CWE, CPE, CVSSv2/v3, Mitre ATT&CK techniques, Vendor Bulletins & Advisories, …

All features and correlated data are available using the WEB UI or the REST API. This enabling an easy integration with your vulnerability scanners, CTI and SOC tools, CI/CD pipelines, Compliance & Risk Management tools or own scripts.

Main features

  • Vulnerability and metadata DB: CVE/CPE/CWE definitions from NVD, CVE-less vulnerabilities on software frameworks and package managers (pip, rubygems, nuget, wordpress, npmjs, composer, maven, …), Exploits (PoC, script, detailed blog post, paper, slidedeck, mail, tweet, demo video, notes,…), Threat news (Article, Blog post, Tweet, …) and Vendor security advisories
  • Vendors, products and vulnerabilities could be monitored. New data or changes are then identified and reported to users
  • Collaboration: Share monitoring lists, vulnerabilities and metadata with team
  • Vulnerability scoring system based on adjusted CVSS
  • Alerting: Email and Slack notifications, Daily/Weekly/Monthly reports
  • Responsive WEB + REST-API interfaces
PatrowlHears screenshots

OSINT Feeds

At today, several feeds are continuously tracked:

  • NVD (CVE, CPE, CWE, CAPEC)
  • CIRCL (VIA4CVE)
  • Mainstream advisory and exploit providers: Exploit-DB, PacketStorm, SeeBug, Nessus KB, HackerOne reports, ZDI, Google Project Zero
  • Package vulnerability, advisory and exploit providers: Github Security Advisories (GHSA), GitLab Security Advisories (Gemnasium), RubySec, NPMJS Advisories, Mozilla Bugzilla, Huntr Project and FriendsOfPHP
  • Patrowl CERT team semi-automatically monitoring over Github repos and Gists, GitLab repos, Tweets, Reddit posts, Pastebin and multiple blogs of security teams

Exploits-oriented search engine

Because PatrowlHears tracks exploits from various sources, we are proud to provide security teams (one of ?) the most extended database of exploit references.

Tackle the ‘vulnerability prioritization challenge’

Security teams have the know-how and technical capabilities to identify vulnerabilities on their assets. Many great vulnerability management tools, including Patrowl, help a lot.

With hundreds of vulnerabilities with critical or high severity to deal with, the daily security reports look like a shining Christmas tree. We already known there is no way to fix them all because of budget, talent shortage, time to fix, etc. Prioritization is the corner stone in an efficient threat management process. It requires an easy and updated access to exposure and contextualized intelligence to answer these triage questions:

  • Is a reliable exploit for this vulnerability? Is there a logo-name-website patented already ?
  • Are there any likelihood catalysts: Exploited in the Wild? Media hypeness? Exploited by relevant threat actors?
  • Is there any known/reliable fix or compensation measures?
  • Is the vulnerability exploitable from Internet?
  • Are we vulnerable or already under-attack??
  • What are the risk levels on vulnerable assets ?

The idea of PatrowlHears is to provide a continuously updated database of vulnerability metrics to help SOC, DevOps, NetOps, Developers and IT Risk management teams to be alerted on relevant threats and making decisions.

Risk-based Scoring

Prioritization is an essential success factor for improving efficiency and continue to provide the highest quality and relevant service in security incident response and vulnerability management.

Scoring metrics

Our scoring algorithm is not IA-powered and does not rely on Machine Learning tricks. It’s based on relevant metrics from intrinsic vulnerability characteristics (impact/exposure), threat topicality and your asset context as exposure, distribution and criticality. Yes, it’s mostly based on the CVSS metrics but using cleaned, trusted, updated and contextualized data. That’s make all the difference.

PatrowlHears prioritization scoring (1 to 100)

Deployment

Installation and updates

PatrowlHears could be deployed using provided Docker images, Ansible scripts or from sources using step-by-step guidelines. We recommend the last one for developers only. Vulnerabilities and metadata are managed in the PatrowlHearsData project. You can update raw data yourself or regularly pull the repository updates (weekly process).

See installation notes here.

Hosting your own vulnerability monitoring system offers various benefits:

  • Provide an internal platform for all your IT and business departments. Share private vulnerabilities and notes with restricted users and partners
  • Do not share asset inventories and vulnerabilities with untrusted third-parties
  • Easily connect with your internal IT ecosystem and potential air gap networks

REST-API Integration

PatrowlHears provides an extended, correlated and enriched vulnerability KB. All data can be queried using the REST-API. For example:

  • List new vulnerability changes on monitored vendors or products
  • Get all metadata (CVE, CPE, CWE, advisories, patches, exploits, threat news, metrics, …) of a vulnerability
  • List all vulnerabilities related to a vendor, a product or a product version
  • Create/update/delete/list exploits related to a vulnerability
  • List Mitre ATT&CK techniques related to a vulnerability

See OpenAPI extended descriptions (JSON and YAML) here.

Released tools

  • PatrowlHears: Main repository containing the Python/Django back-end and the Vue.JS front-end applications + the Ansible/Docker deployment scripts.
  • PatrowlHearsData: Contains data-scrapper scripts collecting CVE, CPE, CWE and exploit references (see CVE-SEARCH / VIA4CVE projects) + raw data as JSON files. Data are updated weekly.
  • PatrowlHears4py: Python library and CLI for PatrowlHears API.

Commercial products and services

Patrowl core team offers several commercial for sustaining the project:

  • SaaS edition: 4 plans are available with feature, support, data freshness and API ratio variations. A Free tiers subscription is possible with limited but awesome features ;) The SaaS edition includes access to the Patrowl private CTI feeds, manually qualified by security experts and trusted partners. These metadata are collected using continuous searches on various public feeds (vendor advisories, security researches, bug and vulnerability reports, exploit repositories, …) and private channels ;
  • On-Premise Enterprise Edition: including Patrowl private feeds, unlimited users and API ratios, SSO authentication (ADFS, OAuth, LDAP) and ticketing connectors (JIRA, ServiceNow, GLPI, …) ;
  • Professional services including advanced support, training, integration assistance, custom developments and dual-licensing

Contact us at getsupport@patrowl.io

Roadmap

[ ] To be defined :)

--

--