Leveraging CISA Known Exploited Vulnerabilities: Why attack surface vulnerability validation is your strongest defense

With over 20,000 Common Vulnerabilities and Exposures (CVEs) being published each year¹, the challenge of finding and fixing software with known vulnerabilities continues to stretch vulnerability management teams thin. These teams are given the impossible task of driving down risk by patching software across their organization, with the hope that their efforts will help to prevent a cybersecurity breach. Because it is impossible to patch all systems, most teams focus on remediating vulnerabilities that score highly in the Common Vulnerability Scoring System (CVSS)—a standardized and repeatable scoring system that ranks reported vulnerabilities from most to least critical.

However, how do these organizations know that focusing on software with the highest scoring CVEs is the right approach? While it’s nice to be able to report to executives about the number or percentage of critical severity CVEs that have been patched, does that metric actually tell us anything about the improved resiliency of their organization? Does reducing the number of critical CVEs significantly reduce the risk of a breach? The answer is that, in theory, the organization is reducing the risk of a breach—but, in practice, it’s impossible to know for sure.

The Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) program was formed as a result of the desire to shift efforts away from focusing on theoretical risk and toward reducing breaches. CISA strongly advises that organizations should regularly review and monitor the Known Exploited Vulnerabilities catalog and prioritize remediation.² By maintaining an updated list, CISA aims to provide an “authoritative source of vulnerabilities that have been exploited in the wild” and empower organizations to mitigate potential risks effectively in order to stay one step ahead in the battle against cyberattacks.

CISA has managed to find needles in a haystack by narrowing the list of CVEs that security teams should focus on remediating, down from tens-of-thousands to just over 1,000 by focusing on vulnerabilities that:

• Have been assigned a CVE ID
• Have been actively exploited in the wild
• Have a clear remediation action, such as a vendor-provided update

This reduction in scope allows overwhelmed vulnerability management teams to deeply evaluate software running in their environment that has been reported to contain actively exploitable vulnerabilities because they are proven attack vectors—and therefore, the most likely sources of a breach.

With a smaller list of vulnerabilities from CISA KEV driving their workflows, it has been observed that security teams are spending less time on patching software (a laborious and low-value activity) and more time understanding their organization’s resiliency against these proven attack vectors. In fact, many vulnerability management teams have swapped patching for testing to determine if:

• These vulnerabilities from CISA KEV can be exploited in software in their environment.
• The compensating controls they have put in place are effective at detecting and blocking breaches. This allows teams to understand the real risk facing their organization while simultaneously assessing if the investments they have made in security defense solutions are worthwhile.

This shift toward testing the exploitability of vulnerabilities from the CISA KEV catalog is a sign that organizations are maturing from traditional vulnerability management programs into Continuous Threat Exposure Management (CTEM)—a term coined by Gartner—programs which “surface and actively prioritize whatever most threatens your business.” This focus on validated risk instead of theoretical risk means that teams are acquiring new skills and new solutions to help support the execution of exploits across their organization.

An attack surface management (ASM) solution provides a comprehensive view of an organization’s attack surface and helps you clarify your cyber risk with continuous asset discovery and risk prioritization.

Continuous testing, a key pillar of CTEM, states that programs must “validate how attacks might work and how systems might react” with a goal of ensuring that security resources are focusing their time and energy on the threats that matter most. In fact, Gartner asserts that “organizations that prioritize based on a continuous threat exposure management program will be three times less likely to suffer a breach.”³

Maturing our cybersecurity defense mindset to CTEM programs represents a significant improvement over traditional vulnerability management programs because it gets defenders tackling the issues that are most likely to lead to a breach. And stopping breaches should be the goal because the average cost of a breach keeps rising. The costs increased by 15% over the last three years to USD 4.45 million according to the Cost of a Data Breach report by IBM. So, as qualified resources continue to be hard to find and security budgets become tighter, consider giving your teams a narrower focus, such as vulnerabilities in the CISA KEV, and then arm them with tools to validate exploitability and assess the resiliency of your cybersecurity defenses.

IBM Security® Randori is an attack surface management solution that is designed to uncover your external exposures through the lens of an adversary. It performs continuous vulnerability validation across an organization’s external attack surface and reports on any vulnerabilities that can be exploited.

In December 2019, Armellini Logistics was the target of a sophisticated ransomware attack. While the company quickly and successfully recovered from the attack, it was determined to adopt a more proactive approach to prevention moving forward. With Randori Recon, Armellini has been able to gain deeper visibility into external risk and ensure that the company’s asset and vulnerability management systems are updated as new cloud and SaaS applications come online. Increasingly, Armellini has been using Randori Recon’s target temptation analysis to triage and prioritize which vulnerabilities to patch. With this insight, the Armellini team has helped to reduce the company’s risk without impacting business operations.

The vulnerability validation feature goes beyond typical vulnerability management tools and programs by verifying the exploitability of a CVE, such as CVE-2023-7992, a zero-day vulnerability in Zyxel NAS devices (link resides outside ibm.com) that was discovered and reported by the IBM X-Force Applied Research team. This verification helps reduce noise and allows customers to act on real—not theoretical—risks and determine if mitigation or remediation efforts were successful by re-testing.