Prioritizing Vulnerabilities Through Knowledge and Automation

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Jacob Baines of VulnCheck examines how automation and shared knowledge can aid teams in prioritizing vulnerabilities.

CISOs and security teams are at a real disadvantage these days in dealing with the exponentially growing list of software vulnerabilities. Teams are inundated every month with new lists of weaknesses via Patch Tuesdays, threat research from cybersecurity organizations, and other vendor resources. The challenge, however, is knowing which vulnerability to fix first, a problem that grows more complex as workloads continue to increase. It can leave teams addressing minor or low-priority threats while more critical ones linger for months or longer.

The need to prioritize the most severe vulnerabilities and fix them quickly is urgent, as research shows they can be exploited in a matter of days. But while the information on new vulnerabilities that organizations regularly receive is helpful, it doesn’t offer much assistance in identifying which poses the most significant risk to them.

In this new threat environment, the need to establish a process for assessing the risks posed by a vulnerability is just as critical as identifying them in the first place.


Prioritizing Vulnerabilities Through Automation
Teams Don’t Have Enough Time or Information to React

The time it takes for threat actors to exploit a vulnerability has shrunk dramatically over the past five years. In 2018, the average time to weaponize a vulnerability was about a year. Today, serious threat actors can weaponize a new vulnerability in just eight days. Security teams trying to defend against the latest threats no longer have much time to analyze most of the vulnerability information they receive.

That might not be such a problem if they could identify the most serious threats, because only about 2.25 percent of disclosed vulnerabilities are ever used in active attacks or weaponized. But security teams don’t have that insight. Organizations have a lot of threat intelligence available to them, from sources such as the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), MITRE’s CVE database, and the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog. However, the time it takes for vulnerabilities to show up on those lists is far too long. In fact, advisories from vendors and security researchers, government alerts, and exploits in the wild often pre-date a vulnerability’s appearance in NIST’s NVD by 50 or more days. Nor do these databases necessarily cover all vulnerabilities. CISA’s KEV Catalog, for example, is a valuable resource and is widely seen as an authoritative source. But in a year-long analysis of KEV, we found that it did not include 42 actively exploited vulnerabilities that had already been assigned CVEs.

Even relying on Common Vulnerability Scoring System (CVSS) ratings doesn’t help prioritize vulnerabilities because, as NIST points out, CVSS scores measure severity, but not actual risk. A vulnerability may be critical according to its CVSS, but only high or even medium in terms of the risk to a specific organization. Teams spending their time remediating that vulnerability could be missing a more severe threat to their unique environment.

The information in those resources is undoubtedly valuable for standards-based vulnerability management. Still, it doesn’t provide a way to identify and prioritize the 2.25 percent of vulnerabilities that pose the most serious risks. As such, organizations need to rethink their own approaches to managing vulnerabilities.

4 Key Questions About Vulnerabilities

Security teams can start by asking — and answering — a few questions, including:

  1. Is there a public exploit? Is there code in the wild that would allow a threat actor to exploit a vulnerability so that they could attack an application, service, or device? Whether exploit code exists can help determine where the vulnerability sits on your priority list.
  2. Has the vulnerability been exploited in the wild? If another organization has been attacked or exposed by the vulnerability, the game is afoot. The attacker is likely looking for other susceptible organizations, so moving forward with remediation should be a priority.
  3. Is the vulnerability being used in ransomware or APTs? Threat actors involved with ransomware or advanced persistent threat (APT) campaigns often have more skill and resources than some other hackers, making them very capable of wreaking havoc for financial gain. If a hacker or group is leveraging the vulnerability, quick remediation is a must.
  4. Is this vulnerability likely to be internet-exposed? If a vulnerability can affect anything that connects to the internet, from APIs to authentication processes, it could make it easier for hackers to access your network.

Automation Can Provide Real-Time Answers

Asking these questions is one thing, but finding answers to them takes time and resources that security teams often don’t have. Organizations may need to look for a solution that provides automated threat intelligence and exploit activity monitoring drawn from a variety of sources to help prioritize responses at machine speed. Such a platform can be extremely valuable if it allows teams to take immediate action to mitigate the most critical vulnerabilities before threat actors can attack.

Being able to autonomously search for, synthesize, and unify threat, vulnerability, and exploit intelligence into one database, and then to prioritize vulnerabilities according to how much of a threat they pose to the organization, can make a huge difference in protecting networks from the latest exploits.
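As an added illustration (not code from the article or from VulnCheck) of the four questions above and of the unified-database idea in this section, the following Python merges several constructed intelligence feeds into one record per CVE and ranks by threat context rather than by CVSS alone. The CVE identifiers, feed contents and weights are all assumptions made up for the example; the CVSS-critical entry with no exploit activity deliberately ends up last.

```python
from dataclasses import dataclass

# Constructed sample feeds (not real CVE data). Each source knows a different
# fact about a vulnerability, which is why the facts must be unified first.
NVD_FEED = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5, "CVE-0000-0003": 9.1}  # CVSS base
EXPLOIT_FEED = {"CVE-0000-0002", "CVE-0000-0003"}   # Q1: public exploit code exists
KEV_FEED = {"CVE-0000-0002"}                         # Q2: reported exploited in the wild
RANSOMWARE_FEED = {"CVE-0000-0002"}                  # Q3: used by ransomware/APT actors
EXPOSED_ASSETS = {"CVE-0000-0002": True}             # Q4: affects an internet-facing asset here


@dataclass
class VulnRecord:
    cve: str
    cvss: float
    public_exploit: bool = False
    exploited_in_wild: bool = False
    ransomware_or_apt: bool = False
    internet_exposed: bool = False


def unify(nvd, exploits, kev, ransomware, exposure):
    """Merge the per-source facts into one record per CVE."""
    return [
        VulnRecord(cve, score, cve in exploits, cve in kev, cve in ransomware,
                   exposure.get(cve, False))
        for cve, score in nvd.items()
    ]


def risk_score(r):
    """Risk = CVSS severity scaled by the four threat-context answers.
    The weights are illustrative assumptions, not a published formula."""
    weight = 1.0
    weight += 1.0 if r.public_exploit else 0.0
    weight += 2.0 if r.exploited_in_wild else 0.0
    weight += 2.0 if r.ransomware_or_apt else 0.0
    weight += 1.0 if r.internet_exposed else 0.0
    return round(r.cvss * weight, 1)


def prioritize(records):
    """Remediation order by contextual risk, highest first."""
    return sorted(records, key=risk_score, reverse=True)


def cvss_only(records):
    """The severity-only order the article argues against, for comparison."""
    return sorted(records, key=lambda r: r.cvss, reverse=True)
```

Run on the constructed feeds, the contextual order is CVE-0000-0002, CVE-0000-0003, CVE-0000-0001, while the CVSS-only order is the reverse.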

Given today’s threat landscape and how rapidly it’s evolving, such an asset is quickly becoming a requirement for any effective cybersecurity team’s defensive toolkit.
