
Managing CISA Known Exploitable Vulnerabilities (KEVs) and Enhancing Cyber Resilience using SanerNow 


Vulnerabilities and exploits are strange bedfellows. While vulnerabilities are unintended and often unavoidable, exploits are deliberately created to feast on these vulnerabilities.

Their coexistence can have serious consequences. A vulnerability may be discovered and disclosed, or it may lie dormant until an exploit for it is developed and distributed by outside parties. This relationship invariably shapes the balance of power between IT and security teams (the defenders) and adversaries, and understanding it is essential for defenders to stay ahead of the curve.

Here is how it plays out: Vulnerabilities represent weaknesses within a system, and exploits are the means by which attackers capitalize on these weaknesses. 

Vulnerabilities are potential entry points for exploits. One category of vulnerability amplifies this risk further: Known Exploitable Vulnerabilities (KEVs). These vulnerabilities are already present in systems worldwide, and exploits for them are publicly available, so attackers can launch a devastating attack at any time. Companies cannot afford to languish on them; dithering leaves them open to being pummelled by attackers.

The Cybersecurity and Infrastructure Security Agency (CISA) recognized this real risk and how little room companies have to maneuver around it. So it created a pivotal, authoritative resource, the CISA KEV catalog, to aid the global security community’s efforts to strengthen security posture.

CISA KEV catalog – A strategic asset

The catalog offers a curated, actionable list of actively exploited vulnerabilities. This helps enterprises focus on critical vulnerabilities, streamline patching efforts, and enhance overall cyber resilience. It also provides insights that help IT teams reinforce their incident response strategies by better preparing them for breaches. Compared with traditional vulnerability prioritization approaches, the catalog is more efficient: traditional approaches cannot prioritize accurately based on the likelihood of exploitation, may not cover the full list of exploitable vulnerabilities, and often leave remediation timelines undefined. The CISA KEV catalog is a more targeted list and assigns each entry a due date for remediation, which helps IT teams focus their limited time and resources on the most critical vulnerabilities, the ones being actively exploited.

It is a reliable repository of vulnerability information, which must be fundamental to any organization’s vulnerability prioritization efforts.  

Here is how the catalog classifies KEVs: 

Assigned CVE ID: The vulnerability must have an assigned Common Vulnerabilities and Exposures (CVE) ID.

Active Exploitation: There must be reliable evidence that the vulnerability has been actively exploited in the wild.

Clear Remediation Action: A clear remediation action, such as a vendor-provided update, should be available for the vulnerability.

CISA KEV Details

No doubt, KEVs can create angst and turmoil if not addressed in the right manner. To inform your opinion and give you the bigger picture, here are the technical intricacies of CISA KEVs: the technical details, characteristics, and attributes that describe each exploitable vulnerability.

CVE Identification: Track, refer and identify CISA KEVs by their Common Vulnerabilities and Exposures (CVE) IDs. These are unique and assigned to specific vulnerabilities.  

Vulnerability Description: Each CISA KEV has a detailed description. It includes information about the affected software or systems and the impact of exploitation. These details are needed to assess the risk associated with the vulnerability. 

Attack Vectors: Each KEV details the attack vectors used by attackers to exploit them. It includes details about how attackers gain unauthorized access to systems, manipulate data, or disrupt operations using the vulnerability. This understanding helps to know the entry points for attackers.  

Exploitation Techniques: Get insights into the specific techniques used by attackers to exploit the vulnerability. This includes code execution methods, payload delivery mechanisms, and evasion tactics. By analyzing these exploitation techniques, security teams can anticipate and defend against attacks targeting the vulnerability. 

Mitigation Strategies: KEVs can include recommendations and best practices for mitigating the risk associated with the vulnerability. This could involve applying security patches, implementing compensating controls, or configuring security settings.  

Threat Intelligence Integration: KEVs can also be integrated into threat intelligence platforms, security information and event management (SIEM) systems, and vulnerability management platforms. This enables the automatic correlation of KEVs with existing threat intelligence feeds and vulnerability scan results, enabling more proactive and efficient vulnerability management.

Historical Context: Clear mention of when the vulnerability was first discovered, when it was publicly disclosed, and when it was added to the KEV catalog. This helps in assessing the maturity of available patches and in prioritizing their application.

Affected Systems and Versions: Details of specific software, systems, or versions affected by the vulnerability to identify assets at risk and prioritize remediation efforts based on the criticality and prevalence.

Gaining control of CISA KEVs

To gain control over CISA KEVs, a good rule of thumb is to know which ones are being actively exploited, since those pose an immediate threat and must be addressed first. This understanding helps to accurately assess a vulnerability’s severity and impact, and to prioritise remediation efforts based on the level of risk. It also supports effective patch management by identifying applicable patches and focusing on exploitable vulnerabilities, reducing exposure to known threats. Even though the odds are against vulnerabilities, it is valuable to know the root causes behind them, because that shows how to remediate them by implementing best practices and policies.

Mapping CISA KEV with CWE to enhance vulnerability management

The root cause of the weakness that introduced a vulnerability can be understood by correlating each vulnerability, identified by its CVE ID, with a Common Weakness Enumeration (CWE) entry. CWE provides a dictionary of common software security weaknesses, categorizing and describing them. It offers a universal way of naming and discussing weaknesses, which makes it easier to understand and mitigate security risks. Where KEV is about vulnerabilities likely to be exploited, CWE categorizes the type of weakness that makes the exploit possible. Viewing the CISA KEV catalog through the lens of CWE helps in understanding the underlying cause of each vulnerability.

The mapping was done in 2023, when the KEV catalog was analyzed against CWE and the resulting list was published. Known as the 2023 CWE top KEV vulnerabilities, it was produced by mapping CWE root causes to the vulnerabilities listed in KEV, to reveal the weakness patterns that led to exploitation. Examining these CWE root-cause mappings shows which vulnerabilities were exploited and gives better insight into the types of weakness attackers target. The analysis score is a numerical assessment assigned to each CWE entry; the higher the score, the greater the risk associated with the weakness.

Fig 1: Top 10 KEV vulnerabilities & their percentage exploitation

The pie chart shows exploitation activity and its share of occurrences in percentage. The treemap (displayed below) ranks the CWE categories by exploitation, with the most exploited category taking the top spot. The top three categories (CWE-416, CWE-122, CWE-787) are memory safety weaknesses, followed by input validation (CWE-20).

Fig 2: Tree Map Chart - CWE Top 10 KEV vulnerabilities with analysis scores

CWE shows vulnerability categories, and CISA KEV shows their exploitability. Combining the two gives a comprehensive view of attack vectors for evaluating the severity and impact of every vulnerability, including insight into future threats, and it highlights the vulnerabilities that must be addressed immediately.
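The correlation of scanner findings with the KEV catalog described under Threat Intelligence Integration, and the CWE root-cause tally from this section, worked through as an added Python example (not SanerNow’s or CISA’s code): it loads a constructed sample in the shape of CISA’s known_exploited_vulnerabilities.json feed, ranks findings by KEV membership and due date ahead of CVSS score, and counts CWEs across the matched entries. Field names follow the public feed; the CVE IDs, hosts, dates and scores are made up.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (known_exploited_vulnerabilities.json).
# Field names follow that public feed; the CVE IDs, dates and hosts below are made up.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2023-05-01", "dueDate": "2023-05-22", "cwes": ["CWE-416"], "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "dateAdded": "2023-06-10", "dueDate": "2023-07-01", "cwes": ["CWE-787"], "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "dateAdded": "2023-06-20", "dueDate": "2023-07-11", "cwes": ["CWE-416"], "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0004", "dateAdded": "2023-06-25", "dueDate": "2023-07-16", "cwes": ["CWE-20"], "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed scanner output: one row per (host, CVE) finding with its CVSS base score.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 7.8},
    {"host": "web-01", "cve": "CVE-0000-0009", "cvss": 9.8},  # critical CVSS, but not in the KEV catalog
    {"host": "db-02", "cve": "CVE-0000-0002", "cvss": 6.5},
    {"host": "db-02", "cve": "CVE-0000-0003", "cvss": 8.1},
    {"host": "app-03", "cve": "CVE-0000-0004", "cvss": 5.3},
]
REPORT_DATE = date(2023, 7, 5)  # fixed "today" for the due-date check so the run is reproducible


def index_kev(feed):
    """Map cveID -> catalog entry so each scanner finding is matched in constant time."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def correlate(findings, kev_index, today):
    """Tag each finding with KEV membership, CWEs and days past CISA's due date (negative = not yet due)."""
    rows = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        row = dict(finding, kev=entry is not None, overdue_days=0, cwes=[], ransomware=False)
        if entry is not None:
            row["overdue_days"] = (today - date.fromisoformat(entry["dueDate"])).days
            row["cwes"] = entry.get("cwes", [])
            row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
        rows.append(row)
    return rows


def prioritize(rows):
    """KEV findings first, most overdue first, ransomware-linked ahead on ties; CVSS only orders the rest."""
    return sorted(rows, key=lambda r: (not r["kev"], -r["overdue_days"], not r["ransomware"], -r["cvss"]))


def overdue(rows):
    """CVE IDs whose CISA due date has already passed, in priority order."""
    return [r["cve"] for r in prioritize(rows) if r["kev"] and r["overdue_days"] > 0]


def cwe_histogram(rows):
    """Root-cause tally over the distinct KEV entries found (the same CVE on two hosts counts once)."""
    distinct = {r["cve"]: r["cwes"] for r in rows if r["kev"]}
    return Counter(cwe for cwes in distinct.values() for cwe in cwes)


RANKED = prioritize(correlate(SCAN_FINDINGS, index_kev(KEV_FEED), REPORT_DATE))
```

Note that the CVSS 9.8 finding lands last: it is not in the catalog, so the due-date driven ordering the text describes puts every KEV entry ahead of it.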

CVEM – A specialized approach of SanerNow in managing KEVs

Vulnerability management is an interdisciplinary effort that requires effective strategy, governance and management to monitor risks continuously. SanerNow can conduct vulnerability management at utility scale and perform multiple activities on utility-scale workloads: asset exposure, vulnerability management, posture anomaly management, risk prioritization, patch management, and compliance management. Before we delve into these, here is a quick look at what drives SanerNow. SanerNow introduces a paradigm shift in how IT infrastructure security should be perceived. Named Continuous Vulnerability and Exposure Management (CVEM), it looks at security from a weakness perspective. With its integrated platform comprising seven modules (as mentioned above), SanerNow offers a continuous, automated approach that enables proactive remediation of vulnerabilities, including CISA KEVs.

To grow, thrive, and manage risk, organizations must incorporate SanerNow into their security strategies and operations. The platform can radically reduce and remediate CISA KEVs and their negative impact. It enables the transition from a periodic to a continuous vulnerability management model and optimizes outcomes through multiple modules to establish more efficient workflows.  

Here is how KEVs in each CWE category find their match on SanerNow.

CWE-416: Use After Free
How the vulnerability is exploited: Manipulate program memory to execute malicious code or gain unauthorized access to the system.
How SanerNow remediates it: Identify vulnerable systems, prioritize and automate deployment of patches across Windows, macOS and Linux operating systems, and fix misconfigurations.

CWE-122: Heap-based buffer overflow
How the vulnerability is exploited: Inject malicious scripts into web apps/sites for malicious actions.
How SanerNow remediates it: Detect susceptible vulnerabilities in web apps and sites, deploy patches, block malicious requests/processes/software/devices, and fix security control settings.

CWE-787: Out-of-bounds write
How the vulnerability is exploited: Write data beyond the boundaries of allocated memory buffers to corrupt memory, cause denial of service, or achieve remote code execution.
How SanerNow remediates it: Detects out-of-bounds write vulnerabilities in software and systems, patches them, and implements system hardening measures.

CWE-20: Improper input validation
How the vulnerability is exploited: Manipulate input data so that the software fails to validate or sanitize it properly; this includes special characters, escape sequences, or malformed data formats.
How SanerNow remediates it: Continuous scanning to detect improper input validation and apply patches to vulnerable systems; block malicious connections/processes/apps/devices.

CWE-78: Improper neutralization of special elements used in an OS command
How the vulnerability is exploited: Execute arbitrary commands on target systems.
How SanerNow remediates it: Detect instances of irregular user input before it is passed to a system command, deploy patches or updates that address the specific OS command injection vulnerabilities, and restrict user input to only the permitted characters or commands.

CWE-502: Deserialization of Untrusted Data
How the vulnerability is exploited: Deserialize data from external sources, leading to remote code execution or DoS attacks.
How SanerNow remediates it: Implements proper input validation mechanisms to prevent untrusted data from being processed.

CWE-918: Server-Side Request Forgery
How the vulnerability is exploited: Manipulate a vulnerable server into making unauthorized requests to internal or external resources.
How SanerNow remediates it: Fix misconfigurations of web servers, applications, and network devices; implement user validations; block malicious processes; restrict external access by IP/URL; and stop unwanted service requests.

CWE-918: Access of resource using incompatible type
How the vulnerability is exploited: Leverage memory corruption issues to execute arbitrary code or gain unauthorized access to the system.
How SanerNow remediates it: Validate protocol, host, port and path to implement proper path validation; limit the app’s ability to make internal or external requests; allow only specific protocols; discover and remediate attack vectors.

CWE-22: Improper limitation of a path name to a restricted directory
How the vulnerability is exploited: Identify inputs in apps that accept file paths or filenames without proper validation, submit malicious input, gain access to files/directories beyond scope, and steal data.
How SanerNow remediates it: Identifies and disables any unused functionality that allows file access; regularly reviews app functionality and removes path traversal attack vectors; validates user input; and limits access and privileges to apps.

CWE-306: Missing authentication for critical function
How the vulnerability is exploited: Access functions or operations without proper authentication credentials to take control of user accounts, access confidential information, or compromise systems.
How SanerNow remediates it: Encryption of hard drives, files and databases; limit permissions and privileges to apps; and disable unused functionalities.

Because CISA KEVs pose an immediate threat, they are a high priority for remediation. SanerNow offers a distinct, purposeful platform and a standardized approach to track, reference, and remediate CISA KEVs and misconfigurations across software, hardware, networks, and systems. By diligently addressing vulnerability management challenges, SanerNow demonstrates its commitment to continuous, proactive vulnerability management and to mitigating the risk of a potential attack.

SanerNow & CISA KEVs

Here is how the SanerNow modules work against CISA KEVs.

Asset Exposure
Reason for CISA KEV emergence: Lack of visibility of the attack surface, which can lead to underestimation of risk exposure and to a breach.
The pitch for SanerNow: Ensure complete visibility of the attack surface through automated scans.
The bottom-line impact: Comprehensive understanding of the attack surface; identifies assets having CISA KEVs and describes those vulnerabilities.

Posture Anomaly
Reason for CISA KEV emergence: Unwanted software, malicious devices, outdated software, and outdated operating systems.
The pitch for SanerNow: Automated scans to discover software/hardware anomalies, allow or deny software/hardware, and ensure instant remediation.
The bottom-line impact: Sanitize IT infrastructure, eliminate unnecessary assets and applications, and quickly discover and remediate CISA KEVs.

Vulnerability Management
Reason for CISA KEV emergence: Lack of agent-based, high-speed, continuous, automated scanning and detection using a vulnerability database.
The pitch for SanerNow: Scan and discover CISA KEVs in 5 minutes from a cloud console, ensuring near-zero false positives.
The bottom-line impact: Leverage the world’s largest vulnerability database to ensure accurate scanning and detection of CISA KEVs.

Risk Prioritization
Reason for CISA KEV emergence: Poor prioritization of vulnerabilities and lack of knowledge of the impact and outcomes of vulnerability exploits.
The pitch for SanerNow: Decision-tree-based SSVC risk prioritization to rank millions of vulnerabilities on every device rapidly.
The bottom-line impact: Customize, automate, and simplify risk prioritization in real time, gain insights on CISA KEVs, and remediate them quickly.

Patch Management
Reason for CISA KEV emergence: Slow, manual patch deployment cycles across OS, firmware, servers, endpoints and applications due to lack of automation.
The pitch for SanerNow: Automation for faster patching; deploy patches across Windows, macOS and Linux, including 450+ apps; test and approve patches; roll back patches in case of failure.
The bottom-line impact: Patch CISA KEVs faster to prevent attacks, approve patches before deployment, and assess and prioritize patches based on severity to reduce risk.

Endpoint Management
Reason for CISA KEV emergence: Inability to monitor endpoint system health and security controls, poor device control, and lack of visibility of security risks.
The pitch for SanerNow: Automate and monitor endpoint settings and configurations, uninstall malicious software, identify CISA KEV-affected systems, and eliminate system misconfigurations.
The bottom-line impact: Keep endpoints promptly remediated to prevent CISA KEV exposure, target remediation efforts, fine-tune system health, apply security controls, and protect from attacks.

Compliance Management
Reason for CISA KEV emergence: Failure to automate and demonstrate global compliance standards; inability to monitor IT infrastructure for non-compliant endpoints.
The pitch for SanerNow: Run compliance scans to address configuration drift or deviations in OS, apps and devices, and remediate them quickly to meet industry compliance mandates.
The bottom-line impact: Fix faulty configurations, achieve optimal cyber hygiene, execute compliance actions from a cloud console, and remediate CISA KEVs in minutes.

Fig 3: Modules in the SanerNow Platform

Fig 4: SanerNow Platform Framework

It’s time to intensify the campaign against KEVs using SanerNow before attackers launch new offensives through them. There is no need for a bewildering array of siloed tools to manage the complexities posed by these vulnerabilities; SanerNow alone can do the job. It can secure and protect IT infrastructure, scaling to cover the exploding growth of assets across their entire lifecycle. The platform offers a broad, unified and continual approach across the IT estate to prevent attacks and ensure the guard is never down, even for a moment.