The Art of Prioritizing Vulnerabilities: Maximizing Your Defense

Written by Alex Vakulov

According to FIRST, organizations can eliminate from 5% to 20% of vulnerabilities per month. The average time to fix vulnerabilities is growing. At the same time, according to Skybox Security, there was a 3x increase in the number of vulnerabilities over the past decade.

Fixing security loopholes is influenced by several factors: availability of patches, availability of technological windows in which security updates can be installed, availability of technical and human resources for installing patches.

The challenge lies in prioritizing vulnerabilities to efficiently allocate resources and promptly address the most critical security gaps. Several approaches have been devised to tackle this issue, including utilizing Vulnerability Prioritization Technology (VPT).

Common Vulnerability Scoring System

For a long time, the prioritization of vulnerabilities was built on the basis of the Common Vulnerability Scoring System (CVSS), the first version of which was released in 2005. According to it, each vulnerability is assigned a rating on a scale from 1 to 10. The rating is calculated using a unique formula that takes into account many factors, such as the attack vector, the complexity of exploiting the vulnerability, the impact on the system, and others.

The CVSS standard has its advantages and disadvantages. One of its benefits is the ease of vulnerability ranking based on the assigned rating, which helps IT and security experts set priorities for addressing security gaps. However, the standard has several drawbacks, including its static nature, which means the rating remains unchanged regardless of the publication of new security exploits. Furthermore, the lack of contextual information makes it difficult to assess the potential danger of a vulnerability to a specific infrastructure.

Consequently, many organizations do not rely solely on the CVSS when prioritizing vulnerabilities. They consider other factors such as the impact on their specific business processes, the presence of public exploits, vendor metrics\reports, and other relevant criteria.

The Exploit Prediction Scoring System

The evaluation system based on the prediction of exploits was first presented in 2019. This methodology is based on the analysis of information about known CVEs and evidence of their use in actual real-life situations. The EPSS model, developed by First.org, gives a probability score from 0 to 1. The higher this score, the greater the probability of exploitation of vulnerabilities within the next 30 days.

The EPSS strategy can be explained as follows. Let's say that according to the results of the scan, a certain number of vulnerabilities with a rating of CVSS 7 were obtained. The actual exploitable vulnerabilities can either fall into the 6+ or 7+ rating. Therefore, to mitigate risks effectively, it is crucial to prioritize the resolution of higher-rated vulnerabilities that have been exploited in the past or represent a PoC, as well as low-rated vulnerabilities that have already been exploited. Focusing solely on higher-rated vulnerabilities that have not been exploited could result in the unnecessary waste of resources.

CISA Recommendations

In 2022, the US Federal Cybersecurity and Infrastructure Security Agency (CISA) issued recommendations for prioritizing vulnerabilities. These included information regarding the presence of an exploit and info about the actual exploitation of the vulnerability, technical consequences of exploiting the vulnerability, the complexity of automating ways to use the vulnerability, the impact on the company's business processes, and the potential harm.

Vulnerability Prioritization Technology

Vulnerability prioritization tools are constantly evolving. A few years ago, they were just scanners that allowed determining the degree of infrastructure security based only on the CVSS rating. Modern vulnerability management systems utilizing VPT empower users to choose which problem areas to fix first: with a high CVSS rating, available exploits, etc. Some solutions incorporate their own prioritization system based on AI, ML, big data processing, and other technologies.

Quite a few organizations may be hesitant to invest in additional security tools due to budget constraints. In such cases, open-source solutions or cloud-based tools may provide cost-effective options for vulnerability management. Additionally, companies can negotiate with vendors or outsource vulnerability management to managed service providers with the necessary expertise and resources. Despite the potential costs associated with implementing security measures, the cost of a security breach is often much higher.

Components of Vulnerability Prioritization Tools

Every VPT consists of two components: a detection element and an analysis element. The dissimilarities among VPT vendors and types lie in the features of these two elements. To determine if a particular vendor's product or technology satisfies your specific requirements, it is crucial to identify the necessary capabilities and assess if they are available in the intended product.

VPT tools possess various capabilities, which may include one or more of the following features:

• Asset identification: Ability to identify all active and inactive exposed assets and maintain complete visibility of all assets within a diverse network.
• Scanning: In general, there are two categories of scans:
  • Unauthenticated scan, which examines the unprivileged regions of the system.
  • Authenticated scan, which is carried out by an authorized user who possesses the highest level of credentials. It scans the entire system and leverages the credentials to access privileged areas.
• Reporting: It is vital for VPT solutions to compile a comprehensive list of all identified vulnerabilities. The method used for listing capabilities is critical in evaluating any VPT solution's effectiveness. These capabilities are presented below in a sequential manner, where the preceding capabilities should be integrated into a solution that includes the last one:
  • Enumerating vulnerabilities using the CVE number.
  • Matching each identified CVE with its location.
  • Ranking vulnerabilities based on their CVSS score.
  • Prioritizing vulnerabilities based on business context and associated risks.
  • Prioritizing vulnerabilities based on the contextual risks in the environment.

The primary objective of VPTs is to enhance the efficiency of the patching process by optimizing the effort-to-impact ratio - to minimize the patching workload while preserving security robustness. Each additional capability incorporated into VPTs can significantly reduce the patching workload by double-digit percentages. Therefore, it is essential to consider this cumulative effect. Prioritizing vulnerabilities based on the environmental context is the latest feature added to the VPT generation, and its impact on the exponential curve of prioritization capability is the most significant.

VPT Types

Detection-based

The simplest form of VPT is a vulnerability assessment (VA). VA can recognize vulnerabilities and arrange them in decreasing order of importance based on their CVSS scores. Advanced detection-based VPTs incorporate a correlation between these scores and baselines that mirror the organization's risk tolerance. This data is then utilized to create a patching schedule based on vulnerability importance.

Detection-based vulnerability management has significant shortcomings. It is restricted to conventional assets and remains oblivious to a considerable portion of the attack surface. It classifies vulnerabilities exclusively by their severity. It lacks integration between technical measurements and business impact evaluations. It is a reactive approach that perpetuates a firefighting mentality.

Risk-based

Risk-based vulnerability management (RBVM) includes:

Scanning the complete attack area and uncovering and evaluating previously unlisted exposed assets. This results in a much more exhaustive vulnerability management process.

Incorporating an exploitability index that covers a range of risk assessment models such as DREAD, as well as vendor-specific scores like Microsoft or Red Hat, or developing customized indexes that estimate the probability of a vulnerability being exploited.

Factors considered:

1. The documented presence of one or more exploits.
2. The degree of technical skill required to develop an exploit.
3. The adaptability of the exploit to different circumstances.
4. The exploit's potential to remain hidden and undetected for prolonged periods or to spread across various escalation paths.
5. The reachability of the vulnerability.
6. Intelligence gathered on the Darknet regarding potential threats.
7. The potential scope of damage and the number of components that can be impacted.
8. Ease of vulnerability discoverability and replicability.

Balancing technical and business needs by running ongoing re-evaluations of exposed assets. This involves tracking changes to the environment to keep up with evolving business priorities and updating vulnerability priorities accordingly.

The risk-based approach improves detection-based vulnerability management but still has some limitations. It only assesses detected vulnerabilities, failing to incorporate an attacker's perspective. It cannot evaluate compensating measures' effectiveness like security controls configurations, nor a vulnerability's true risk potential for lateral movement or escalation.

Attack-based

Attack-Based Vulnerability Management (ABVM) is an advanced and proactive technology for prioritizing vulnerabilities that surpasses reactive detection and risk-based approaches. ABVM employs simulated or emulated attacks to analyze results and prioritize patching based on actual exposure in the environment. It evaluates the criticality of vulnerabilities not only by using CVSS scores and DREAD-type methods but also by deprioritizing vulnerabilities that are effectively mitigated by existing security controls.

ABVM incorporates all the analytics tools of RBVM, including Attack Surface Management (ASM), and integrates various risk scoring methods. However, instead of relying on guesswork to assess the actual risk of vulnerabilities, it precisely correlates the risk with documented exposure data.

Here is how ABVM extends beyond RBVM:

1. IT proactively addresses all Tactics, Techniques, and Procedures (TTPs) identified by MITRE ATT&CK and SP 800-53 Rev. 5.
2. It prioritizes vulnerability patching by evaluating the exploitability within the local context. This approach streamlines the patching schedule by reducing the risk scores of CVSS vulnerabilities that are successfully mitigated by existing security controls.
3. ABVM documents the efficiency of security controls.
4. Provides valuable data to rationalize and optimize security tools.
5. Collects specific, comprehensive, and precise exposure data to ensure data-driven prioritization.

Conclusion

The number of vulnerabilities is growing every year. Prerequisites for this are the diversity of software and technical tools used, new technologies brought to the market by companies that do not pay attention to the safe development of software products, the consolidation of the hacker community, and other factors. The speed and efficiency of vulnerability detection and remediation are key factors in a company's ability to withstand new attack vectors. It is anticipated that the use of VPT will continue to expand, and the quality of vulnerability management systems will improve accordingly.

About the Author

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.