Leveraging CISA’s Known Exploits: Why Validating Attack Surface Vulnerabilities Is Your Most Powerful Defense
More than 20,000 common vulnerabilities and exposures (CVEs) are published every year.1 As a result, vulnerability management teams continue to struggle to find and fix software with known vulnerabilities. These teams are given the impossible task of patching software across the organization to reduce risk, in the hope that these efforts will help prevent cybersecurity breaches. Because it is impossible to patch every system, most teams focus on resolving vulnerabilities that score highly on the Common Vulnerability Scoring System (CVSS), a standardized, repeatable scoring system that ranks reported vulnerabilities from most severe to least severe.
But how do these organizations know that focusing on the software with the highest CVSS scores is the right approach? It’s great to be able to report to management on the number or percentage of critical-severity CVEs that have been patched, but does that metric actually tell you anything about your organization’s improved resilience? Does reducing the number of critical CVEs significantly reduce the risk of a breach? In theory, yes, organizations are reducing their risk of a breach. In reality, it’s impossible to know for sure.
CISA publishes known exploited vulnerabilities to strengthen cybersecurity resilience
The Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) program was formed to shift the focus of remediation efforts from theoretical risks to reducing actual breaches. CISA strongly recommends that organizations regularly review and monitor its catalog of known exploited vulnerabilities and prioritize their remediation.2 By maintaining an updated list, CISA aims to provide “a trusted source for vulnerabilities exploited in the wild,” helping organizations mitigate the risks most likely to result in a cyberattack.
CISA found the needle in the haystack by narrowing the list of CVEs that security teams should focus on from tens of thousands to just over 1,000. A vulnerability is added to the catalog only when:
- It has an assigned CVE ID.
- It is being actively exploited in the wild.
- There is clear remediation guidance, such as a vendor-provided update.
This scope reduction allows overwhelmed vulnerability management teams to deeply evaluate the software in their environments that is reported to contain actively exploited vulnerabilities, because those vulnerabilities are proven attack vectors and the most likely source of a breach.
Shift from traditional vulnerability management to risk prioritization
CISA KEV drives a change in workflow. With a smaller list of vulnerabilities, security teams spend less time patching software (a laborious, low-value activity) and more time understanding their organization’s resilience to these proven attack vectors. In fact, many vulnerability management teams have shifted from patching to testing, to confirm that:
- Software in their environment is actually exploitable through a vulnerability listed in CISA KEV.
- The compensating controls they have put in place are effective at detecting and blocking attacks. This allows the team to understand the real risks facing the organization while also assessing whether an investment in a security defense solution is paying off.
This shift toward testing the exploitability of vulnerabilities in the CISA KEV catalog is helping organizations mature from traditional vulnerability management programs to continuous threat exposure management (CTEM) programs, a term coined by Gartner for an approach that “surfaces and actively prioritizes whatever most threatens your business.” Focusing on proven risks instead of theoretical risks means your team is acquiring new skills and new solutions to support attack execution (exploitability testing) across the organization.
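The catalog criteria and the patch-to-test workflow above can be turned into a simple triage step: cross-reference an asset inventory with the KEV catalog and rank known-exploited findings ahead of everything else, regardless of CVSS score. The following script is an added example, not IBM’s or Randori’s code. The catalog text is a constructed sample in the shape of CISA’s published JSON feed (field names such as `cveID`, `dueDate`, `requiredAction` and `knownRansomwareCampaignUse` are those of the real feed, which is assumed to be published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the CVE IDs, asset names and CVSS scores are placeholders.

```python
"""Cross-reference an asset inventory with the CISA KEV catalog.

Added example (not IBM's or Randori's code). The catalog below is a constructed
sample in the shape of CISA's published feed; CVE IDs, hosts and scores are
placeholders, not real entries.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. The real feed is assumed to be at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "sample",
  "dateReleased": "2024-01-01T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleNAS",
     "vulnerabilityName": "ExampleNAS command injection (placeholder)",
     "dateAdded": "2023-12-01", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2023-12-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN authentication bypass (placeholder)",
     "dateAdded": "2023-12-25", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed scanner output: one finding per (asset, CVE) with its CVSS base score.
SAMPLE_INVENTORY = [
    {"asset": "nas-01.example.internal", "cve": "CVE-1900-0001", "cvss": 7.8},
    {"asset": "vpn-gw.example.internal", "cve": "CVE-1900-0002", "cvss": 6.5},
    {"asset": "web-01.example.internal", "cve": "CVE-1900-0003", "cvss": 9.8},
    {"asset": "web-02.example.internal", "cve": "CVE-1900-0004", "cvss": 9.1},
]


def load_kev(catalog_json: str) -> dict:
    """Parse the KEV feed into a {cveID: entry} lookup."""
    catalog = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def cvss_only_order(inventory: list) -> list:
    """Traditional ordering: highest CVSS first."""
    return [f["cve"] for f in sorted(inventory, key=lambda f: -f["cvss"])]


def kev_first_order(inventory: list, kev: dict, today: date) -> list:
    """KEV-driven ordering.

    Tier 0: findings in KEV, overdue ones first, then by CISA due date.
    Tier 1: everything else, ordered by CVSS as a fallback.
    Each result is enriched with the KEV fields a tester needs.
    """
    enriched = []
    for f in inventory:
        entry = kev.get(f["cve"])
        item = dict(f, in_kev=entry is not None, due_date=None, overdue=False,
                    ransomware=False, required_action=None)
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            item.update(due_date=due, overdue=due < today,
                        ransomware=entry["knownRansomwareCampaignUse"] == "Known",
                        required_action=entry["requiredAction"])
        enriched.append(item)

    def sort_key(item):
        if not item["in_kev"]:
            return (1, 0, 0, -item["cvss"])
        return (0, 0 if item["overdue"] else 1, item["due_date"].toordinal(), -item["cvss"])

    return sorted(enriched, key=sort_key)


def summarize(prioritized: list) -> dict:
    """Counts that show how much of the backlog actually is a proven attack vector."""
    return {
        "findings": len(prioritized),
        "known_exploited": sum(1 for p in prioritized if p["in_kev"]),
        "overdue": sum(1 for p in prioritized if p["overdue"]),
        "critical_not_in_kev": sum(1 for p in prioritized if not p["in_kev"] and p["cvss"] >= 9.0),
    }


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    ranked = kev_first_order(SAMPLE_INVENTORY, kev, today=date(2024, 1, 5))
    print("CVSS-only order:", cvss_only_order(SAMPLE_INVENTORY))
    print("KEV-first order:", [p["cve"] for p in ranked])
    for p in ranked:
        if p["in_kev"]:
            print(f"  {p['asset']} {p['cve']} due {p['due_date']} overdue={p['overdue']} "
                  f"ransomware={p['ransomware']}: {p['required_action']}")
    print(summarize(ranked))
```

The two orderings make the shift visible: CVSS alone would put the two 9.x web findings at the top, while the KEV-first view surfaces the overdue NAS finding (with known ransomware use) and the VPN finding first, and hands the tester the required action CISA published for each. The `required_action` field is what the follow-up exploitability test and the retest after remediation should be built around.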
The Importance of ASM for Continuous Vulnerability Intelligence Gathering
Attack Surface Management (ASM) solutions provide a comprehensive view of an organization’s attack surface and help clarify cyber risks through continuous asset discovery and risk prioritization.
Continuous validation, a core element of CTEM, requires that the program “validate how attacks work and systems can respond,” so that security resources can focus their time and energy on the threats that matter most. In fact, Gartner claims that “organizations that base their priorities on a continuous threat exposure management program will be three times less likely to suffer a breach.”3
The maturation of cybersecurity defense thinking toward CTEM programs represents a significant improvement over traditional vulnerability management programs because it allows defenders to address the issues most likely to lead to a breach. And as the average cost of a breach continues to increase, preventing breaches should be the goal: costs have risen 15% over the past three years to $4.45 million, according to IBM’s Cost of a Data Breach report. So, as qualified staff remain difficult to find and security budgets become tighter, it is important to arm your teams with tools that focus narrowly on vulnerabilities such as those in CISA KEV, validate whether they can actually be exploited, and assess the resilience of your cybersecurity defenses.
Identify exploitable vulnerabilities using IBM Security Randori
IBM Security® Randori is an attack surface management solution designed to uncover external exposures through an adversary’s lens. It performs continuous vulnerability validation across your organization’s external attack surface and reports on any vulnerabilities that may be exploitable.
In December 2019, Armellini Logistics was targeted by a sophisticated ransomware attack. The company recovered quickly and successfully, and decided to adopt a more proactive approach to prevention. Randori Recon enabled Armellini to gain deeper visibility into external risks and to keep the company’s asset and vulnerability management systems updated as new cloud and SaaS applications come online. Armellini has increasingly used Randori Recon’s Target Temptation analysis to classify and prioritize the vulnerabilities to patch. These insights helped the Armellini team reduce the company’s risk without impacting business operations.
Vulnerability validation capabilities go beyond typical vulnerability management tools and programs by checking the exploitability of CVEs such as CVE-2023-7992, a zero-day vulnerability in Zyxel NAS devices discovered and reported by the IBM X-Force Applied Research team. This validation cuts through the noise, allows customers to act on real rather than theoretical risks, and lets them retest to confirm that mitigation or remediation efforts were successful.
Getting started with IBM Security Randori
Get a 7-day free trial of IBM Security Randori or request a live demo to review your attack surface.
Learn more about IBM Security Randori Recon
1 Published CVE records.
2 Known Exploited Vulnerabilities Catalog.
3 Panetta, Kasey (2023, August 21). How to Manage Cybersecurity Threats, Not Episodes.