
CISA’s Epiphany: Why focusing on exploitability trumps criticality

If you were in the United States in November of 2021, more than likely your focus was on how to dodge the newest COVID-19 variant while trying to find a turkey product not affected by the supply chain woes. Perhaps that was coupled with concerns about the lack of Black Friday sales due to a consumer price index that showed record inflation. Cybersecurity professionals were getting first glimpses of a Log4j vulnerability that was preparing to dominate the news cycle.

What was one thing that neither you nor anyone else was focusing on? A tectonic shift by a global standard bearer for cybersecurity on how the entire cyber defender population needs to prioritize protection.

CISA’s new directive:

On November 3rd, 2021, “the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.”

The Binding Operational Directive essentially mandates that:

  • Within 60 days from issuance (in other words, by January 2nd, 2022), organizations will revise their vulnerability management practices, redirecting the focus from the criticality in the National Vulnerability Database (NVD) to the Known Exploited Vulnerabilities (KEV) catalog.
  • Known Exploited Vulnerabilities must be remediated in accordance with the due dates in the KEV catalog, with the first few due by January 24, 2022.
  • Organizations must report on the status of the vulnerabilities, including, where applicable, an explanation of why they are not able to remediate by the designated dates.

BOD 22-01 Translated: What this means to us:

While the background provided by CISA in the directive is actually well written, some context is helpful:

The cybersecurity community has historically been obsessively focused on the CVSS score, which, although complex enough to merit the many write-ups devoted to it, has been incorrectly treated as a synonym for criticality.

The Common Vulnerability Scoring System, or CVSS score, is a single score derived from three weighted metric groups (base, temporal, and environmental, to be exact).

While the level of exploitability is a component used in the temporal metric weighting, much more emphasis is placed on the complexity and privilege required to exploit a vulnerability. The problem is that bad actors have become more sophisticated, adopting technology and practices that make otherwise difficult vulnerabilities much easier to exploit — to the degree where ransomware is now available as a service, where individuals can earn a percentage of the ransom paid simply by introducing the malicious code into an environment — no skills required. SSRF attacks are achievable with the click of a button, making the method usable by novices who don’t even know what server-side request forgery is — and we’re not referring to those with the know-how to build a Kali Linux instance or run Metasploit.

The result: The industry has resigned itself to adopting practices to surface and patch “critical” vulnerabilities that are potentially easier to exploit, losing sight of the ground truth – they stopped asking the question of “what is being exploited, and where can this be realized in my environment?”

This directive aims to change that by adding another list into the fray, which reprioritizes vulnerabilities based on knowledge of how readily they are being exploited. Essentially, this is an admission that we weren’t focusing on the right priorities.

We had the Epiphany around exploitability:

The Epiphany Intelligence platform was created based on the fundamental principle that we were not focused on the most important factors: identifying and prioritizing all of the ways an attacker can reach the most important things in our environments. It’s clear that the list of vulnerabilities, along with the intricacies required to identify and remediate them, is untenable.

Until now, the industry has accepted the flawed principle that everything is critical and must be patched immediately. Since this is a virtual impossibility, cyber professionals have been forced to remediate on a best effort basis, without real context of whether the areas of focus represent paths where an attacker can do the most damage. To give more context, consider this example:

In October 2021, CVE-2021-42013 was published in NIST’s National Vulnerability Database. This vulnerability in Apache Web Server allows unauthorized path traversal, meaning that an attacker could exploit it and potentially access sensitive files on a server. Sounds grave, right? With a CVSS score of 9.8 out of 10, it would seem so.

What if there were 25 servers running Apache in your organization, using credentials (for root) not duplicated anywhere else within the organization? And what if those servers were only hosting your company’s social events calendar and images, segregated so that there was no network access to any other assets with privilege? The potential blast radius would be relatively small.

In contrast, CVE-2021-43233, published in December 2021, had a CVSS score of only 7.5. This CVE covers a Microsoft Remote Desktop Client remote code execution vulnerability. In the current landscape, where remote workers are the new normal, the five-person sales operations team uses remote desktop and is susceptible to this vulnerability. Sales operations has access to all sensitive customer information and corporate financial data, and even possesses administrative privileges on servers used for workflow automation.

Does the CVSS score really provide the appropriate context for the vulnerability management team to determine which poses the greatest risk to the organization? Of course not. While it may seem like a no-brainer in this example, scale the number of users, systems, platforms, and vulnerabilities up by orders of magnitude to get a sense of how difficult it is to accurately prioritize.
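As an added illustration of the argument above (example code written for this page, not Epiphany’s platform or any CISA tooling), the script below ranks the two CVEs from the scenario by the critical assets an attacker could reach from the affected host, then by KEV listing, and only then by CVSS. The host graph, the asset names and the KEV due date are constructed placeholders; CVE-2021-42013 is listed in CISA’s catalog, while CVE-2021-43233 is assumed here not to be.

```python
from collections import deque

# Constructed environment: an edge means "a foothold on the source host can
# reach the target with usable privilege" (credential reuse, admin rights, open
# ACLs). The Apache calendar server is segregated (no outbound edges); the
# sales-ops laptop reaches the customer DB, finance share and automation servers.
CRITICAL = {"customer-db", "finance-share", "workflow-automation"}
REACH = {
    "calendar-web-01": set(),
    "salesops-laptop": {"customer-db", "finance-share", "workflow-automation"},
    "workflow-automation": {"build-server"},
}

# KEV extract: CVE-2021-42013 is in CISA's catalog, but the due date below is a
# placeholder, not the real one. CVE-2021-43233 is assumed not listed.
KEV = {"CVE-2021-42013": "YYYY-MM-DD (placeholder)"}

# Findings from the page's scenario; CVSS base scores as quoted there.
FINDINGS = [
    {"cve": "CVE-2021-42013", "cvss": 9.8, "host": "calendar-web-01"},
    {"cve": "CVE-2021-43233", "cvss": 7.5, "host": "salesops-laptop"},
]

def blast_radius(host, reach=REACH, critical=CRITICAL):
    """Critical assets reachable from a compromised host (BFS over REACH)."""
    seen, queue = {host}, deque([host])
    while queue:
        cur = queue.popleft()
        for nxt in reach.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen & critical)

def prioritize(findings=FINDINGS, kev=KEV):
    """Rank by number of critical assets reachable, then KEV listing, then CVSS.
    KEV entries keep their BOD 22-01 due date as a hard deadline regardless."""
    ranked = [{**f, "critical_reach": blast_radius(f["host"]),
               "kev_due": kev.get(f["cve"])} for f in findings]
    ranked.sort(key=lambda r: (len(r["critical_reach"]),
                               r["kev_due"] is not None, r["cvss"]), reverse=True)
    return ranked

def cvss_only(findings=FINDINGS):
    """The ordering a CVSS-first process would produce, for comparison."""
    return [f["cve"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]

if __name__ == "__main__":
    for r in prioritize():
        print(r["cve"], r["cvss"], r["critical_reach"], r["kev_due"])
```

With this context the RDP client CVE, which CVSS alone ranks second, comes out first because it can reach all three critical assets, while the Apache finding keeps its KEV deadline but reaches none.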

Epiphany’s Intelligence Platform helps shorten the time to context in several ways. To name a few:

  • Attack paths visualize the routes malicious actors can traverse to access your critical assets. This affords you the ability to see the entire battlefield and determine how to break these paths, employ monitoring, or deploy countermeasures.
  • Remediation efforts are prioritized based on exploitability of vulnerabilities that can impact critical assets.
  • Vulnerability normalization provides a realistic context around the risks posed within the environment: If you can quantify how many of 18,000+ vulnerabilities exist in your environment, normalized by how exploitable they are and whether they can be used to attack a critical asset, your workload is focused and dramatically reduced.

In conclusion:

Critical or even “exploitable” vulnerabilities that exist in your environment may not be the area in which you need to focus. While that sounds counterintuitive, the industry is realizing this, albeit slowly. Epiphany Systems has been helping customers reduce the time to get context for the past two years. Contact us to learn how.