Large-Scale Incidents & the Art of Vulnerability Prioritization
We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.
Audra Streetman, Senior Threat Intelligence Analyst, Splunk
December 9, 2024
COMMENTARY
The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization’s IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon “2024 Data Breach Investigations Report,” “14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year’s report.”
With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don’t have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.
Key Considerations for Vulnerability Evaluation
The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:
Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole.
What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public.
When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.
Where: Know where the vulnerability exists in your environment, since location (an internet-facing appliance versus an isolated workstation) changes the impact of exploitation. Check whether the affected component appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts. If a patch is available, determine whether applying it will cause downtime and whether you are bound by a service-level agreement. If you opt not to patch, or if no patch is available, research the vendor's mitigation guidance to minimize risk.
Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Common Vulnerability Scoring System (CVSS) scores and Exploit Prediction Scoring System (EPSS) scores can inform prioritization, but a CVSS score measures technical severity, not the likelihood that a given flaw is exploited against you, so neither should be relied upon as the only factor when evaluating vulnerabilities.
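To make the who/what/when/where/why checklist concrete, the following is an added example (not code from the article's author or from Splunk) that ranks constructed sample findings by a composite of likelihood and impact rather than by CVSS alone: EPSS, confirmed exploitation (a KEV listing, which also illustrates the point made later under "Knowing the Score"), public exploit code and attack vector feed the likelihood estimate; CVSS, internet exposure and asset footprint feed the impact estimate. The field names, weights, tier thresholds and the three sample findings are assumptions chosen for illustration, not a published standard, and the placeholder identifiers are not CVE IDs.

```python
"""Risk-based vulnerability triage: rank findings by likelihood of exploitation and
exposure in our environment rather than by CVSS alone.

Added example for this article; not code from the author or Splunk. Fields,
weights, thresholds and sample findings are constructed assumptions.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Finding:
    ident: str               # placeholder identifier (not a CVE ID)
    product: str
    cvss: float              # CVSS base score, 0.0-10.0 (severity, not risk)
    epss: float              # EPSS: predicted 30-day exploitation probability
    in_kev: bool             # WHEN/WHO: confirmed exploited (e.g. listed in CISA KEV)
    exploit_public: bool     # WHAT: working exploit code circulating publicly
    network_vector: bool     # WHAT: exploitable remotely vs. local access only
    zero_day: bool           # WHEN: exploited or disclosed before a fix existed
    internet_exposed: bool   # WHERE: affected asset reachable from the internet
    asset_count: int         # WHERE: instances found in inventory/SBOM (0 = none found)
    patch_available: bool


def likelihood(f: Finding) -> float:
    """Estimate, on a 0-1 scale, that this flaw is actually used against us."""
    p = f.epss
    if f.in_kev:
        p = max(p, 0.9)              # observed exploitation outranks a prediction
    elif f.exploit_public:
        p = max(p, 0.5)              # a public PoC lowers the bar for opportunists
    if f.zero_day and f.network_vector:
        p = min(1.0, p + 0.1)        # MOVEit-style: remote and exploited pre-disclosure
    if not f.network_vector:
        p *= 0.5                     # attacker first needs a local foothold
    return round(p, 3)


def impact(f: Finding) -> float:
    """Combine technical severity with where the flaw sits in our environment."""
    base = f.cvss / 10.0
    if f.internet_exposed:
        base = min(1.0, base * 1.25)
    # Diminishing returns on footprint: ~0 for one asset, ~1 for a thousand.
    spread = min(1.0, math.log10(f.asset_count + 1) / 3)
    return round(min(1.0, base * (0.5 + 0.5 * spread)), 3)


def risk_score(f: Finding) -> float:
    """0-100 composite used only for ordering the remediation queue."""
    return round(100 * likelihood(f) * impact(f), 1)


def tier(f: Finding) -> str:
    if f.asset_count == 0:
        # Log4j lesson: "not found" may mean the inventory is incomplete rather
        # than that the component is absent. Queue for verification, don't close.
        return "VERIFY"
    s = risk_score(f)
    if s >= 40:
        return "P1"
    if s >= 15:
        return "P2"
    if s >= 5:
        return "P3"
    return "P4"


def action(f: Finding) -> str:
    t = tier(f)
    if t == "VERIFY":
        return "confirm presence via SBOM/asset inventory before closing"
    if not f.patch_available:
        return "no fix yet: apply vendor mitigations and isolate exposed instances"
    if t == "P1":
        return "patch out of cycle; accept downtime within SLA terms"
    return "patch in the normal cycle"


def triage(findings):
    """Return findings ordered highest risk first, with tier, score and action."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(tier(f), risk_score(f), f.ident, action(f)) for f in ranked]


# Constructed sample findings with placeholder identifiers (not real vulnerabilities).
SAMPLE = [
    # Critical CVSS, but local-only, no exploit, no exploitation observed.
    Finding("VULN-A", "desktop backup agent", 9.8, 0.02, False, False,
            False, False, False, 500, True),
    # Lower CVSS, but remote, exploited pre-disclosure, KEV-listed, internet-facing.
    Finding("VULN-B", "managed file transfer appliance", 7.5, 0.60, True,
            True, True, True, True, 2, True),
    # Severe and widely exploited, but our inventory shows zero instances.
    Finding("VULN-C", "logging library", 9.8, 0.97, True, True, True,
            True, True, 0, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Running the sample puts the 7.5-rated file transfer flaw (P1, 54.3) ahead of the 9.8-rated desktop agent flaw (P4, 0.9), and flags the logging library as VERIFY instead of closing it, which is the behaviour the checklist argues for.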
Learning From Large-Scale Incidents
MOVEit
A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:
Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals.
Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity.
Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor’s contractor’s subcontractor used MOVEit Transfer.
Log4j
The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:
It was remotely exploitable.
It was publicly disclosed before a fix was available.
Exploit code circulated online.
Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide.
Many organizations struggled to identify where Log4j was present in their environment, because open source components embedded inside commercial or third-party software aren't always listed anywhere. Accurate asset inventories and widespread adoption of SBOMs, which are essentially an ingredients list of software components, can go a long way toward improving how organizations identify and respond to future vulnerabilities.
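The following added example (not code from the article's author or from Splunk) shows the kind of check an SBOM makes possible: walking a CycloneDX document and reporting every copy of a named component that falls in an affected version range, including copies bundled several levels deep inside vendor-supplied components, with the chain of parents that carries each one. The SBOM content and component names are constructed. The affected range is modelled on the initial Log4Shell advisory (log4j-core 2.0-beta9 up to but not including 2.15.0); later fixes raised the recommended minimum to 2.17.1, so in practice take ranges from the current vendor advisory rather than from this example.

```python
"""Locate vulnerable components in a CycloneDX SBOM, including ones bundled several
levels deep inside vendor-supplied components.

Added example for this article; not code from the author or Splunk. The sample SBOM
is constructed. The affected range is modelled on the initial Log4Shell advisory
(log4j-core >= 2.0-beta9, < 2.15.0); later fixes raised the recommended minimum to
2.17.1, so take ranges from the current vendor advisory, not from this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class AffectedRange:
    ecosystem: str    # purl type, e.g. "maven"
    namespace: str    # purl namespace (Maven groupId)
    name: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)


def parse_version(v: str) -> tuple:
    """Sort key for Maven-style versions such as 2.14.1 or 2.0-beta9.
    A release sorts above any pre-release of the same numeric version."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    nums += (0,) * (3 - len(nums))
    if not pre:
        return nums + ((1, "", 0),)
    m = re.match(r"([A-Za-z]*)(\d*)", pre)
    return nums + ((0, m.group(1).lower(), int(m.group(2) or 0)),)


def parse_purl(purl: str) -> tuple:
    """Split pkg:type/namespace/name@version?qualifiers into (type, ns, name, version)."""
    body = purl.removeprefix("pkg:").split("#", 1)[0].split("?", 1)[0]
    path, version = body.rsplit("@", 1) if "@" in body else (body, None)
    parts = path.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1])
    return parts[0].lower(), namespace, unquote(parts[-1]), version


def iter_components(sbom: dict):
    """Yield (component, parent_chain) for every component, descending into the
    nested 'components' arrays CycloneDX uses for bundled dependencies."""
    root = sbom.get("metadata", {}).get("component") or {}
    base = (root["name"],) if "name" in root else ()
    stack = [(c, base) for c in sbom.get("components", [])]
    while stack:
        comp, chain = stack.pop()
        yield comp, chain
        child_chain = chain + (comp.get("name", "?"),)
        stack.extend((n, child_chain) for n in comp.get("components", []))


def component_matches(comp: dict, rule: AffectedRange) -> bool:
    if comp.get("purl"):
        ecosystem, ns, name, version = parse_purl(comp["purl"])
    else:
        # No purl: fall back to the plain fields and assume the rule's ecosystem.
        ecosystem, ns, name, version = (rule.ecosystem, comp.get("group", ""),
                                        comp.get("name", ""), comp.get("version"))
    if (ecosystem, ns, name) != (rule.ecosystem, rule.namespace, rule.name) or not version:
        return False
    v = parse_version(version)
    return parse_version(rule.introduced) <= v < parse_version(rule.fixed)


def find_affected(sbom: dict, rules) -> list:
    """Return one record per affected component with the chain of parents it sits in."""
    hits = []
    for comp, chain in iter_components(sbom):
        for rule in rules:
            if component_matches(comp, rule):
                hits.append({"component": f"{comp.get('name', '?')}@{comp.get('version', '?')}",
                             "via": " > ".join(chain),
                             "rule": f"{rule.namespace}:{rule.name} [{rule.introduced}, {rule.fixed})"})
    return sorted(hits, key=lambda h: h["via"])


LOG4SHELL = AffectedRange("maven", "org.apache.logging.log4j", "log4j-core",
                          "2.0-beta9", "2.15.0")

# Constructed SBOM: the application's own log4j-core is patched, but a vendor module
# bundles a scheduler that bundles an unpatched copy two levels down.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "claims-portal",
                               "version": "4.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.0-beta8"},   # no purl, and below the affected range
        {"type": "application", "name": "vendor-reporting-module", "version": "7.3",
         "components": [
             {"type": "library", "name": "third-party-scheduler", "version": "1.9",
              "components": [
                  {"type": "library", "group": "org.apache.logging.log4j",
                   "name": "log4j-core", "version": "2.14.1",
                   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]}]},
    ],
}

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, [LOG4SHELL]):
        print(hit)
```

A real SBOM file is loaded with `json.load` into the same dictionary shape. The only hit in the sample is the copy of log4j-core nested under claims-portal > vendor-reporting-module > third-party-scheduler, which a scan of the application's own declared dependencies would never have surfaced.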
Knowing the Score With Vulnerabilities
Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.
In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.
About the Author
Audra Streetman is an active member of Splunk’s global security team and previously contributed to Splunk’s SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.