29.7 C
Selangor
Wednesday, January 15, 2025
HomeBlockchainLeveraging CISA Known Exploited Vulnerabilities: Why attack surface vulnerability validation is your...

Leveraging CISA Known Exploited Vulnerabilities: Why attack surface vulnerability validation is your strongest defenseĀ 


With over 20,000 Common Vulnerabilities and Exposures (CVEs) being published each year1, the challenge of finding and fixing software with known vulnerabilities continues to stretch vulnerability management teams thin. These teams are given the impossible task of driving down risk by patching software across their organization, with the hope that their efforts will help to prevent a cybersecurity breach. Because it is impossible to patch all systems, most teams focus on remediating vulnerabilities that score highly in the Common Vulnerability Scoring System (CVSS)ā€”a standardized and repeatable scoring system that ranks reported vulnerabilities from most to least critical.Ā Ā 

However, how do these organizations know that focusing on software with the highest scoring CVEs is the right approach? While itā€™s nice to be able to report to executives about the number or percentage of critical severity CVEs that have been patched, does that metric actually tell us anything about the improved resiliency of their organization? Does reducing the number of critical CVEs significantly reduce the risk of a breach? The answer is that, in theory, the organization is reducing the risk of a breachā€”but, in practice, itā€™s impossible to know for sure. Ā 

CISA Known Exploited Vulnerabilities to strengthen cybersecurity resilienceĀ 

The Cybersecurity and Infrastructure Security Agencyā€™s (CISA) Known Exploited Vulnerabilities (KEV) program was formed as a result of the desire to shift efforts away from focusing on theoretical risk and toward reducing breaches. CISA strongly advises that organizations should regularly review and monitor the Known Exploited Vulnerabilities catalog and prioritize remediation.2 By maintaining an updated list, CISA aims to provide an ā€œauthoritative source of vulnerabilities that have been exploited in the wildā€ and empower organizations to mitigate potential risks effectively in order to stay one step ahead in the battle against cyberattacks.Ā 

CISA has managed to find needles in a haystack by narrowing the list of CVEs that security teams should focus on remediating, down from tens-of-thousands to just over 1,000 by focusing on vulnerabilities that:Ā Ā 

  • Have been assigned a CVE ID
  • Have been actively exploited in the wild
  • Have a clear remediation action, such as a vendor-provided update

This reduction in scope allows overwhelmed vulnerability management teams to deeply evaluate software running in their environment that has been reported to contain actively exploitable vulnerabilities because they are proven attack vectorsā€”and therefore, the most likely sources of a breach.Ā Ā 

Shifting from traditional vulnerability management to risk prioritizationĀ 

With a smaller list of vulnerabilities from CISA KEV driving their workflows, it has been observed that security teams are spending less time on patching software (a laborious and low-value activity) and more time understanding their organizationā€™s resiliency against these proven attack vectors. In fact, many vulnerability management teams have swapped patching for testing to determine if:Ā Ā 

  • These vulnerabilities from CISA KEV can be exploited in software in their environment.
  • The compensating controls they have put in place are effective at detecting and blocking breaches. This allows teams to understand the real risk facing their organization while simultaneously assessing if the investments they have made in security defense solutions are worthwhile.Ā 

This shift toward testing the exploitability of vulnerabilities from the CISA KEV catalog is a sign that organizations are maturing from traditional vulnerability management programs into Continuous Threat Exposure Management (CTEM)ā€”a term coined by Gartnerā€”programs which ā€œsurface and actively prioritize whatever most threatens your business.ā€ This focus on validated risk instead of theoretical risk means that teams are acquiring new skills and new solutions to help support the execution of exploits across their organization.Ā Ā Ā 

The importance of ASM in gathering continuous vulnerability intelligenceĀ Ā Ā 

An attack surface management (ASM) solution provides a comprehensive view of an organizationā€™s attack surface and helps you clarify your cyber risk with continuous asset discovery and risk prioritization.Ā 

Continuous testing, a key pillar of CTEM, states that programs must ā€œvalidate how attacks might work and how systems might reactā€ with a goal of ensuring that security resources are focusing their time and energy on the threats that matter most. In fact, Gartner asserts that ā€œorganizations that prioritize based on a continuous threat exposure management program will be three times less likely to suffer a breach.ā€3Ā 

Maturing our cybersecurity defense mindset to CTEM programs represents a significant improvement over traditional vulnerability management programs because it gets defenders tackling the issues that are most likely to lead to a breach. And stopping breaches should be the goal because the average cost of a breach keeps rising. The costs increased by 15% over the last three years to USD 4.45 million according to the Cost of a Data Breach report by IBM. So, as qualified resources continue to be hard to find and security budgets become tighter, consider giving your teams a narrower focus, such as vulnerabilities in the CISA KEV, and then arm them with tools to validate exploitability and assess the resiliency of your cybersecurity defenses.Ā 

Verifying exploitable vulnerabilities with the IBM Security RandoriĀ 

IBM SecurityĀ® Randori is an attack surface management solution that is designed to uncover your external exposures through the lens of an adversary. It performs continuous vulnerability validation across an organizationā€™s external attack surface and reports on any vulnerabilities that can be exploited.

Figure 1. Randoriā€™s risk-based priority algorithm helps prioritize top targets and shares adversarial insights you need to determine impact and riskĀ 

In December 2019, Armellini Logistics was the target of a sophisticated ransomware attack. While the company quickly and successfully recovered from the attack, it was determined to adopt a more proactive approach to prevention moving forward. With Randori Recon, Armellini has been able to gain deeper visibility into external risk and ensure that the companyā€™s asset and vulnerability management systems are updated as new cloud and SaaS applications come online. Increasingly, Armellini has been using Randori Reconā€™s target temptation analysis to triage and prioritize which vulnerabilities to patch. With this insight, the Armellini team has helped to reduce the companyā€™s risk without impacting business operations.Ā 

Figure 2: Randori helps confirm whether CVEs exist on your external attack surface and are exploitableĀ 

The vulnerability validation feature goes beyond typical vulnerability management tools and programs by verifying the exploitability of a CVE, such as CVE-2023-7992, a zero-day vulnerability in Zyxel NAS devices that was discovered and reported by the IBM X-Force Applied Research team. This verification helps reduce noise and allows customers to act on realā€”not theoreticalā€”risks and determine if mitigation or remediation efforts were successful by re-testing.Ā Ā 

Get started with IBM Security RandoriĀ 

You can get a free, 7-day trial of IBM Security Randori, or request a live demo to review your attack surface.

Learn more about IBM Security Randori ReconĀ 


1 Published CVE Records.

2 Known Exploited Vulnerabilities Catalog.

3 Panetta, Kasey (2023, August 21), How to Manage Cybersecurity Threats, Not Episodes.



Source link

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular

Recent Comments