Earlier this year, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued Binding Operational Directive (BOD) 22-01 under the title "Reducing the Significant Risk of Known Exploited Vulnerabilities." Per CISA, the rationale behind this BOD was to drive urgent and prioritized remediation of vulnerabilities actively exploited by adversaries.
The directive established a CISA-managed library of known exploited CVEs that carry significant risk to the federal enterprise. It also requires federal and government agencies to remediate any new vulnerability added to this library within a short timeframe, sometimes within only two weeks.
CISA's directive is mandatory only for the Executive Branch and federal agencies. Cyber-defense experts consider any CVE listed in CISA's Known Exploited Vulnerabilities (KEV) to be under active exploitation, which means that "there is reliable evidence that an actor performed the execution of malicious code on a system without the permission of the system owner." Therefore, the list should serve as an advisory for every organization.
A few months ago, I compared vulnerability management to a tedious game of Whack-a-Mole, with more than 1,000 vulnerabilities published monthly. Yet, according to Gartner statistics, only 6% of the vulnerabilities are exploited. CISA's KEV initiative is an essential step in identifying the "severe" CVEs that pose an imminent threat to governments and businesses. For federal and government organizations, the new directive may be enough to set clear rules of engagement: by law, every such organization must patch and remediate KEVs within a short time, with no room for personal judgment or opinion.
The situation is very different regarding the private sector, which has no legal obligation to patch KEVs. That means enterprises must make a critical decision once CISA publishes a new batch of Known Exploited Vulnerabilities. To patch or not to patch, that is the question. A decision to patch may seem like a no-brainer, but it sometimes entails long processes of deploying fixes while hindering day-to-day business cycles. In a manufacturing company, for example, every second is valuable.
If one knows that bad actors are exploiting a CVE, one may think that a decision to patch would be easy. Still, many organizations struggle with this dilemma given the high volume of CVEs published each month. So let's examine a CVE that CISA recently published to understand why the difficulty persists.
On July 12, CISA warned organizations to patch CVE-2022-22047 (related to Windows Client Server Run-Time Subsystem). Federal and government organizations were required to remediate it by August 2. But what should a CISO of a financial institution or the leader of a vulnerability assessment team do – patch or not patch?
Many practitioners will tackle this question by consulting the National Vulnerability Database (NVD) to check the Common Vulnerability Scoring System (CVSS) score displayed on NVD's portal. The CVSS framework attempts to evaluate a vulnerability's potential for disruption if exploited. Unfortunately, it is also a static score by nature. Once a vulnerability receives a score, the information reflected in that score will likely remain stale, without being updated, for a long time, potentially even years.
CVE-2022-22047 has a CVSS score of 7.8, last updated on July 16. That score doesn't represent what threat actors have been considering doing with this CVE since then, nor any other events of the past two weeks. For example, it doesn't consider that Microsoft's Threat Intelligence Center (MSTIC) and Microsoft's Security Response Center (MSRC) announced on July 27 that actors are using CVE-2022-22047 to attack European and Central American customers.
Furthermore, the CVSS score doesn't consider the notoriety of a vulnerability and the traction around it. Specifically for CVE-2022-22047, CVSS disregards the hundreds of mentions of this CVE on Twitter and in instant messaging apps since July 16.
Therefore, any cybersecurity practitioner dealing with the patching dilemma will have only a limited subset of the information necessary to make the call. Cybersixgill's DVE intelligence is helpful in this scenario. As previously described, DVE Intelligence uses advanced artificial intelligence and machine learning algorithms to collect and analyze millions of underground posts and chats daily. The proprietary technology matches each intel item with known vulnerabilities and exploits to provide an accurate and real-time assessment of the immediate risks based on threat actors' intent.
Now let's go back to the patching dilemma. A CISO's team can't decide whether to start a resource-intensive patching cycle for CVE-2022-22047 or to prioritize another, higher-scoring vulnerability. Instead, the team can access Cybersixgill's DVE scoring engine and get all the information they need to make the right decision. As of July 28, CVE-2022-22047 was rated 9.95 on the DVE score. This high number indicates a strong probability that a bad actor will exploit it again in the next 90 days. The DVE Intelligence engine also lets the practitioner drill down into the threat actors discussing CVE-2022-22047, the exploit code available on the cybercrime underground, and every data point a practitioner would need to make the patching dilemma easier.
The private sector should embrace any tool CISA provides to better cope with APTs and other advanced cyber threats. But CISA's directives and advisories are only the first steps enterprises should take in stepping up their vulnerability management cycles. Integrating CISA's KEV library with real-time vulnerability intelligence is a must for any organization that wants to level up its patching cadence.
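The KEV side of that integration, as an added example that is not part of the original article or of Cybersixgill's product: parse an excerpt laid out like CISA's public known_exploited_vulnerabilities.json feed, join it against scanner findings, and rank hosts by CISA's own due date. The KEV excerpt and the host inventory are constructed; only the CVE-2022-22047 dates come from the article.

```python
import json
from datetime import date

# Constructed KEV excerpt (not the live feed). Field names follow CISA's
# known_exploited_vulnerabilities.json; the CVE-2022-22047 dates are those the
# article cites (added July 12, 2022, due August 2, 2022). CVE-0000-00001 is a
# deliberately fake placeholder entry.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2022-22047", "vendorProject": "Microsoft", "product": "Windows",
   "dateAdded": "2022-07-12", "dueDate": "2022-08-02"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
   "dateAdded": "2022-07-20", "dueDate": "2022-08-10"}]}"""

# Constructed scanner output: host -> CVEs detected. CVE-0000-00002 is a placeholder
# for a non-KEV finding, which the triage deliberately leaves out of the KEV queue.
INVENTORY = {
    "fileserver-01": {"CVE-2022-22047", "CVE-0000-00002"},
    "build-agent-07": {"CVE-0000-00001"},
}


def load_kev(text):
    """Index KEV records by CVE id with parsed dateAdded/dueDate."""
    return {rec["cveID"]: {"added": date.fromisoformat(rec["dateAdded"]),
                           "due": date.fromisoformat(rec["dueDate"])}
            for rec in json.loads(text)["vulnerabilities"]}


def remediation_window_days(kev, cve_id):
    """Days CISA gave federal agencies to remediate this entry."""
    return (kev[cve_id]["due"] - kev[cve_id]["added"]).days


def triage(kev, inventory, today):
    """KEV-listed findings only, earliest CISA due date first. days_left is
    measured against CISA's due date (negative = past due), so a private-sector
    team can reuse the federal clock as its own benchmark."""
    findings = []
    for host, cves in inventory.items():
        for cve_id in sorted(cves & set(kev)):
            days_left = (kev[cve_id]["due"] - today).days
            findings.append({"host": host, "cve": cve_id, "due": kev[cve_id]["due"],
                             "days_left": days_left,
                             "status": "overdue" if days_left < 0 else "open"})
    return sorted(findings, key=lambda f: (f["due"], f["host"]))


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in triage(kev, INVENTORY, date(2022, 8, 5)):
        print(f'{f["status"]:7} {f["cve"]} on {f["host"]}: due {f["due"]} ({f["days_left"]:+d} days)')
```

Swapping KEV_JSON for the downloaded feed and INVENTORY for real scanner output gives a KEV-first queue; the DVE-style intent signals the article describes would be a second sort key layered on top.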
For more information on Cybersixgill’s DVE Intelligence, visit www.cybersixgill.com/dveintelligence/