Part 2 discusses how Decision Intelligence aids in managing vulnerabilities effectively, reducing Known Exploited Vulnerabilities (KEVs), and enhancing cybersecurity resilience for proactive responses to potential breaches.
Decision Intelligence: The Left & Right with Securin VI
In the vast landscape of information, data is both captivating and daunting. Just as a skilled chef can be confused about what dish to plate when faced with an overstocked pantry, the sheer volume of data can bewilder decision-makers. Despite converting data into structured insights, the challenge remains—it often falls short of enhancing the decision-making process. This is where the concept of Decision Intelligence steps in, offering a beacon of guidance to help organizations navigate through the sea of information and make smart choices.
What Is Decision Intelligence?
Decision Intelligence transforms data into actionable insights, fostering informed choices and effective decision-making. It utilizes Artificial Intelligence (AI), machine learning, and data analytics to convert large datasets into contextualized information.
Why Do CISA KEVs Need Decision Intelligence?
- The ever-growing list of CISA’s Known Exploited Vulnerabilities (KEVs) now stands at 983 CVEs, while organizations scramble to play catch-up and patch these critical vulnerabilities in time.
- The list of CISA KEVs, first created in November 2021, has been growing at an exponential rate; CISA added 111 exploited vulnerabilities in the last 6 months alone.
- The rapid growth of this list, coupled with the escalating pace of exploitation, underscores the urgent need for strategic and informed decision-making. By harnessing the power of Decision Intelligence, organizations can prioritize actions and bolster their defenses against the relentless activities of threat actors.
Applying Decision Intelligence: Shift Left
The Shift Left perspective takes a look at the root cause of vulnerabilities that garner the attention of attackers. It assesses vulnerabilities based on their associated weaknesses.
- What weaknesses result in dangerous and widely exploitable vulnerabilities?
- What weaknesses lead to highly automatable exploits?
KEVs can affect an organization’s DevOps, reaching its applications or pipelines through open-source dependencies. Analyzing the underlying weaknesses helps estimate a vulnerability’s impact: exploiting certain weaknesses can amplify the consequences of an attack, especially in open-source-driven application development, where flaws can be magnified.
MITRE’s Common Weakness Enumeration (CWE) catalog standardizes vulnerability identification. By assessing impact, severity, and exploitability, MITRE prioritizes weaknesses, guiding effective risk management for organizations.
- Within the 106 weaknesses behind CISA KEVs, MITRE’s Top 25 weaknesses cover around 71.5% of all vulnerabilities.
The following 5 weaknesses account for 50% of Remote Code Execution exploits.
- CWE-20: Improper Input Validation
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-78: Improper Neutralization of Special Elements Used in an OS Command (OS Command Injection)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- CWE-94: Improper Control of Generation of Code (Code Injection)
The discrepancy in weakness ranking between MITRE’s Top 25 Weaknesses and CISA’s KEV list is noticeable. This could suggest that the latter provides a more accurate portrayal of weaknesses targeted by attackers. MITRE’s ranking methodology, which leans on the Common Vulnerability Scoring System (CVSS) and frequency, might overlook the real-world threat context, evident in the presence of these data outliers below.
- CWE-125: Out-of-Bounds Read: MITRE Rank 7, CISA KEVs List 28
- CWE-352: Cross-Site Request Forgery (CSRF): MITRE Rank 9, CISA KEVs List 42
- CWE-862: Missing Authorization: MITRE Rank 11, CISA KEVs List 55
Applying Decision Intelligence: Shift Right
Shifting right in cybersecurity involves adopting an attacker’s perspective, a strategy that MITRE ATT&CK Mapping facilitates. It helps organizations understand attacker motivations:
- Ease of Detection
- Ease of Exploitation
- Maximizing Impact
Considering what attackers want enables proactive defenses that can be tailored to thwart adversary tactics within the MITRE ATT&CK framework. Organizations will be able to address vulnerabilities promptly and minimize the potential fallout.
MITRE ATT&CK Mapping: Highlights
- Ease of Detection: 418 KEVs can be exploited remotely against a public web application or external remote service. This makes them easy for a threat actor to find and target on the externally visible attack surface.
- Ease of Exploitation: 512 KEVs require no existing privileges or user interaction and have low attack complexity, allowing threat actors to easily automate exploitation in or after initial compromise.
- Maximizing Impact: 96 KEVs can allow a complete ATT&CK kill chain (from Initial Access to Impact), leading to a threat actor gaining complete control of the target organization’s systems.
The Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362) is a prime example of a vulnerability that ticks the above requirements and is most appealing to an attacker.
Securin’s MITRE ATT&CK Mapping can help organizations understand and visualize a CVE from the perspective of a threat actor.
Securin’s MITRE ATT&CK Mapping for the MOVEit Transfer Vulnerability (CVE-2023-34362)
Based on the above information, it is not surprising that the MOVEit Transfer vulnerability was exploited by the Cl0p ransomware gang, potentially affecting 160 victims.
Shift Left + Right for Decision Making
The strategy of shifting from Right to Left in the decision flow diagram (above) enables organizations to address vulnerability exposures incrementally, allowing them to handle CISA KEVs in manageable sprints rather than being overwhelmed by their sheer volume all at once.
For instance, by incorporating both Left and Right Decision Intelligence over the list of CISA KEVs, we manage to reduce the 983 vulnerabilities to the 47 most dangerous vulnerabilities, the crème de la crème of security concerns.
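The Left and Right lenses described above can be expressed as two successive filters over a KEV inventory. The following Python is an added worked example written for this article; it is not Securin’s tooling, nor CISA or MITRE software. It assumes a small constructed inventory (placeholder CVE ids, one CWE per record, a CVSS v3 vector, exposure tags, and an assumed ATT&CK tactic mapping); the Left filter uses the five CWEs listed in the Shift Left section, and the Right filter encodes the three ATT&CK Mapping highlights (network-reachable external exposure, no privileges/interaction with low complexity, and a tactic mapping that spans Initial Access to Impact).

```python
"""Added worked example: a toy Shift Left + Shift Right triage pass.

Illustrative code written for this article, not Securin's tooling or any
CISA/MITRE software. Every record, exposure tag and ATT&CK tactic label
below is constructed sample data, not a real KEV entry.
"""
from dataclasses import dataclass

# Left lens: the five CWEs the article names as covering half of RCE exploits.
HIGH_RISK_CWES = frozenset({"CWE-20", "CWE-119", "CWE-78", "CWE-22", "CWE-94"})

# Right lens, "ease of detection": the exposure classes the article singles out.
EXTERNAL_EXPOSURES = frozenset({"public-web-app", "external-remote-service"})


@dataclass(frozen=True)
class KevRecord:
    cve: str                  # placeholder identifiers below, not real CVEs
    cwe: str                  # primary weakness, e.g. "CWE-78"
    cvss_vector: str          # CVSS v3.x vector string
    exposure: frozenset       # subset of EXTERNAL_EXPOSURES, or empty
    attck_tactics: frozenset  # ATT&CK tactics the CVE maps to (assumed mapping)


def parse_cvss_vector(vector):
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}; reject non-v3 vectors."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector}")
        metrics[key] = value
    return metrics


def shift_left(rec):
    """Weakness lens: does the CVE stem from one of the high-risk CWEs?"""
    return rec.cwe in HIGH_RISK_CWES


def easy_to_detect(rec):
    """Network-reachable and sitting on an externally visible service."""
    metrics = parse_cvss_vector(rec.cvss_vector)
    return metrics.get("AV") == "N" and bool(rec.exposure & EXTERNAL_EXPOSURES)


def easy_to_exploit(rec):
    """No privileges, no user interaction, low attack complexity."""
    m = parse_cvss_vector(rec.cvss_vector)
    return m.get("AC") == "L" and m.get("PR") == "N" and m.get("UI") == "N"


def full_kill_chain(rec):
    """Mapped ATT&CK coverage runs from Initial Access through to Impact."""
    return {"initial-access", "impact"} <= rec.attck_tactics


def shift_right(rec):
    """Attacker lens: all three of the article's ATT&CK-derived criteria hold."""
    return easy_to_detect(rec) and easy_to_exploit(rec) and full_kill_chain(rec)


def weakness_share(records, cwes):
    """Fraction of records whose CWE is in `cwes` (the '71.5%'-style statistic)."""
    if not records:
        return 0.0
    return sum(r.cwe in cwes for r in records) / len(records)


def triage(records):
    """Return (left_pass, both_pass): the Left sprint, then the Left+Right shortlist."""
    left_pass = [r for r in records if shift_left(r)]
    both_pass = [r for r in left_pass if shift_right(r)]
    return left_pass, both_pass


# Constructed sample inventory (placeholder CVE ids, not real entries).
SAMPLE_KEVS = [
    KevRecord("CVE-0000-0001", "CWE-78", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              frozenset({"public-web-app"}),
              frozenset({"initial-access", "execution", "persistence", "impact"})),
    KevRecord("CVE-0000-0002", "CWE-119", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              frozenset(), frozenset({"privilege-escalation"})),
    KevRecord("CVE-0000-0003", "CWE-352", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
              frozenset({"public-web-app"}), frozenset({"initial-access"})),
    KevRecord("CVE-0000-0004", "CWE-22", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              frozenset({"external-remote-service"}),
              frozenset({"initial-access", "lateral-movement", "impact"})),
    KevRecord("CVE-0000-0005", "CWE-20", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              frozenset({"public-web-app"}), frozenset({"initial-access", "impact"})),
]

if __name__ == "__main__":
    left, both = triage(SAMPLE_KEVS)
    print(f"{len(SAMPLE_KEVS)} KEVs -> {len(left)} after Shift Left -> {len(both)} after Shift Right")
    for r in both:
        print(" ", r.cve, r.cwe)
```

On the constructed sample the Left pass keeps four of five records (the CSRF entry, CWE-352, drops out) and the Right pass keeps two: the high-complexity (AC:H) and local-only (AV:L) records fail the attacker-lens checks even though their weaknesses are high-risk. The order matters for sprint planning, which is the point of the decision flow: the weakness filter is cheap and static, so it runs first, while the ATT&CK-derived filter needs a vector and a tactic mapping per CVE and is applied only to what survives.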
In short, the blend of Left and Right Decision Intelligence streamlines vulnerability management and boosts cybersecurity resilience. Equipped with valuable insights and tools, organizations can make informed choices, diminish vulnerabilities, and better face evolving cyber threats. This strategic integration empowers proactive responses to potential breaches, effectively mitigating risks and fortifying defenses against the ever-shifting cyber landscape.