Diving into CISA KEVs: Securin VI’s In-Depth Latency Analysis
Since its official launch on November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a strong emphasis on cyber vigilance by introducing the Known Exploited Vulnerability (KEV) catalog. This catalog aims to address vulnerabilities that have been exploited, with a focus on proactive measures to strengthen cybersecurity defenses.
CISA’s commitment to tackling evolving threats is commendable. Still, the rapid emergence of new cyber threats has made timely warnings challenging. CISA does not directly manage vulnerability data; vendors and Common Vulnerability and Exposure (CVE) Numbering Authorities (CNAs) handle this, sometimes leading to inconsistencies and gaps in data, impacting information security.
Securin VI, employing AI, machine learning, and a proficient threat hunting team, proactively identifies vulnerabilities at risk of exploitation ahead of CISA’s KEV list inclusion. This ensures early alerts, combining technology and expert analysis to provide comprehensive insights for enhanced information security.
In this two-part blog series, we explore CISA’s KEVs comprehensively and demonstrate the effectiveness of Securin’s predictive prioritization in identifying vulnerabilities ahead of CISA’s KEV list. We also delve into the nuances of KEVs, analyzing vendor involvement, weakness mapping, threat intelligence, and other critical aspects. This analysis aims to provide a deeper understanding of KEVs and their role in vulnerability management.
1. A Latency Analysis of CISA KEVs
In Part 1, we investigate Securin’s predictive prioritization ability to identify vulnerabilities ahead of CISA’s KEV list. We highlight the substantial time difference between Securin’s proactive alerts and CISA’s KEV list inclusion, and the importance of providing organizations with valuable lead time to safeguard against potential threats.
2. Decision Intelligence—The Left & Right with Securin VI
In Part 2, we delve into the concept of Decision Intelligence and its role in effective vulnerability management. We discuss how Decision Intelligence can empower organizations to address vulnerabilities incrementally, reduce the overwhelming volume of KEVs, and enhance cybersecurity resilience. This strategic integration allows proactive responses to potential breaches, effectively mitigating risks and fortifying defenses against the ever-shifting cyber landscape.
Part 1: A Latency Analysis of CISA KEVs
Securin’s predictive prioritization has called out almost 75% of the vulnerabilities on CISA’s KEV list before known exploitation. These alerts provide customers with an average of 454.48 days* of action before threat actors have exploited the vulnerabilities. This huge latency between a vulnerability being exploited and CISA adding it to its list has left cybersecurity defenders, who heavily rely on CISA’s KEV catalog for patching vulnerabilities, at a major disadvantage.
Notably, for vulnerabilities published from 2022 onward, Securin issued predictive warnings 29 days ahead of exploitation. Among the 173 vulnerabilities published since then, the platform has proactively identified 106 before they were exploited.
*CISA KEVs were initiated in November 2021, whereas Securin’s Predictive Intelligence has been active since 2017.
Securin’s Analysis of CISA’s KEVs
Securin extensively examines CISA’s KEVs, diving deep into their various aspects. To fully understand the impact behind these KEVs, multiple product configurations and supply-chain associations must be considered. This analysis weaves together several crucial elements: vendor and product involvement, insights from Securin’s pentesters, threat intelligence integration, meticulous weakness analysis, knowledge gaps, and scanner coverage.
Vendors & Products
- CISA’s list of KEVs comprises 161 vendors/projects and 403 products.
- Securin’s VI has 204 impacted vendors and 1,790 impacted products on its list.
- Microsoft emerges as the most heavily affected vendor among the KEVs, with a staggering count of 269 vulnerabilities. This figure is nearly four times greater than the following vendor on the list, Cisco, which registers only 66 vulnerabilities.
- The top impacted product, Microsoft Windows Server 2008, has 112 KEVs and reached end of support over 3 years ago, meaning it gets no security fixes anymore.
- The second most-impacted product, Microsoft Windows Server 2012, with 106 KEVs, will reach end of support by October 2023.
- 156 vulnerabilities on the KEV list do not have weaknesses mapped.
- 59 vulnerabilities are mapped to deprecated/obsolete weaknesses.
The stark mismatch between the weakness rankings in MITRE’s Top 25 Weaknesses and the CISA KEVs list raises concerns about accurately representing vulnerabilities targeted by attackers. For instance, only 5 of the Top 10 MITRE Weaknesses show up in the Top 10 list of CISA KEVs.
Furthermore, MITRE’s reliance on the Common Vulnerability Scoring System (CVSS) and frequency may overlook real-world threat context, evident in these data outliers listed below.
- CWE-125: Out-of-Bounds Read: MITRE rank 7, CISA KEVs list 28
- CWE-352: Cross-Site Request Forgery (CSRF): MITRE rank 9, CISA KEVs list 42
- CWE-862: Missing Authorization: MITRE rank 11, CISA KEVs list 55
To address emerging cyber threats effectively, combining vulnerability data with insights from actual attack patterns is crucial for a more accurate understanding of vulnerabilities prone to exploitation by threat actors.
- 225 KEVs have ransomware associations and are being exploited to extort and leak highly sensitive data.
- 276 KEVs are associated with threat actors, including state-sponsored Advanced Persistent Threat (APT) groups, financially motivated actors, and hacktivists.
The Culprits Behind Known Exploitation
- 208 ransomware groups and 147 threat actors have been behind the exploitation of 378 vulnerabilities, resulting in their addition to CISA’s KEV list.
Securin Pentesters’ Insights
- 71 CISA KEVs are part of Securin Pentesters’ Top 125 Vulnerabilities list, which is a catalog of vulnerabilities that have been exploited in real-world engagements to facilitate initial access, privilege escalation, persistence acquisition, defense evasion, and lateral movement.
- A further 54 vulnerabilities in Securin’s Top 125 have been exploited by our pentesters but are as yet unnoticed by threat actors.
Intersection of ICS & KEVs
- 39 KEVs have been part of CISA’s Industrial Control Systems (ICS) Advisories for critical infrastructure sectors.
- Energy (33), Critical Manufacturing (27), and Water and Wastewater Systems (24) are the top three ICS sectors.
Scanner Coverage
- None of the top three scanners detects all 983 CISA KEVs: Nessus covers 891, Nexpose 746, and Qualys 882.
- 54 CISA KEVs have no scanner plugins in any of the top three scanners (Nessus, Nexpose, and Qualys).
The absence of scanner plugins for any CISA KEVs could lead to blind spots in vulnerability identification, potentially exposing systems to threats.
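As an added illustration (not Securin’s code or data), the following Python computes two of the measures this post reports over a constructed KEV-style feed: the lead time between a predictive alert and a CVE’s addition to the KEV catalog, and the KEVs that no scanner has a plugin for. Field names follow the public CISA KEV JSON feed; the CVE ids, alert dates, and scanner coverage are made up.

```python
import json
from datetime import date
from statistics import mean

# Constructed sample shaped like CISA's KEV JSON feed (a subset of its fields);
# the CVE ids, vendors, products and dates are made up for illustration.
KEV_FEED = json.dumps({"catalogVersion": "sample", "count": 4, "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft",
     "product": "Windows Server 2008", "dateAdded": "2022-03-15"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft",
     "product": "Windows Server 2012", "dateAdded": "2022-06-01"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Cisco",
     "product": "IOS", "dateAdded": "2023-01-10"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor",
     "product": "Appliance", "dateAdded": "2023-02-20"}]})

# Hypothetical dates on which a predictive alert first flagged each CVE (constructed).
ALERT_DATES = {"CVE-0000-0001": "2021-01-15", "CVE-0000-0002": "2022-05-20",
               "CVE-0000-0003": "2023-03-01"}
# Constructed scanner coverage: the CVEs each scanner has a detection plugin for.
SCANNER_PLUGINS = {"Nessus": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
                   "Nexpose": {"CVE-0000-0001"}, "Qualys": {"CVE-0000-0001", "CVE-0000-0002"}}


def load_kev(feed_text):
    """Parse the KEV feed JSON and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def lead_times(kev, alert_dates):
    """Days from alert to KEV inclusion per CVE (positive = alert came first)."""
    out = {}
    for v in kev:
        if v["cveID"] in alert_dates:
            added = date.fromisoformat(v["dateAdded"])
            alerted = date.fromisoformat(alert_dates[v["cveID"]])
            out[v["cveID"]] = (added - alerted).days
    return out


def early_warning_stats(kev, alert_dates):
    """Share of KEVs flagged before inclusion, and the mean lead time of those."""
    early = [d for d in lead_times(kev, alert_dates).values() if d > 0]
    return {"kevs": len(kev), "flagged_early": len(early), "early_share": len(early) / len(kev),
            "mean_lead_days": mean(early) if early else 0.0}


def no_plugin(kev, plugins):
    """CVEs that no scanner has a plugin for: the blind spots the post warns about."""
    covered = set().union(*plugins.values())
    return sorted(v["cveID"] for v in kev if v["cveID"] not in covered)
```

A negative lead time (CVE-0000-0003 above) marks a CVE that reached the catalog before any alert, so it is excluded from the early-warning share rather than averaged in.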
Securin extensively explores CISA’s KEVs, conducting an in-depth analysis of the intelligence gaps and wide-ranging impact of the KEVs on the information security landscape. Through this approach, Securin aspires to provide a thorough understanding of CISA KEVs and their vital role in vulnerability management.
The growing CISA KEVs list now spans 984 CVEs, prompting urgent attention to these critical vulnerabilities. Yet, prioritizing which vulnerabilities to tackle first can perplex many organizations. The list’s rapid expansion, escalating exploitation rates, and accompanying challenges—such as absent scanner plugins, scanner-missed vulnerabilities, knowledge gaps, and latencies—underscore the imperative of strategic decision-making or decision intelligence, particularly within vulnerability management and patching.
Leveraging Decision Intelligence empowers organizations to prioritize actions and proactively bolster their cybersecurity defenses against relentless threat actors. As organizations confront emerging cyber threats, seamlessly merging vulnerability data with insights from real attack patterns to predict vulnerability exploitation will soon become a necessity.