Many organisations struggle to quantify the full extent of their threat landscape and attack surface. This is compounded by the problem of vulnerability prioritisation, which causes headaches because of factors such as cost, disruption, and time. Organisations therefore need to adopt a risk-based approach to decide where effort should be invested to reduce the attack surface and the risk posed to the organisation.
Organisations need to start asking themselves what might happen if an asset were to be compromised: what information does that asset hold and what problems could that cause to the organisation if it was suddenly unavailable (or worse stolen) and in someone else’s hands? This approach helps with the plight of remediation, but it’s not enough.
Many organisations focus solely on the severity category provided to them by their vulnerability management solution (critical, high, medium, and low). This is usually calculated using the Common Vulnerability Scoring System (CVSS), and the score is then used to prioritise their remediation work. This often means that medium and low severity vulnerabilities are never remediated, simply because of the large number of critical and high vulnerabilities that are being focused on; attackers will then try to exploit those un-remediated vulnerabilities. Adopting a risk-based approach will help to mitigate these issues.
Asset Criticality Ratings
Obtaining Asset Criticality Ratings (ACR) can be a long and arduous job for many organisations, and is especially hard for those who do not know what externally facing assets they have. But for those that do have the time and resources, taking the time to score assets based on whether they hold organisation-critical information is an invaluable exercise for identifying their attack surface area. The scoring should be based on what impact the exploitation of that asset would have on the organisation. This should then drive the process of what vulnerabilities the organisation should remediate first.
However, this alone is not enough. Vulnerabilities are released at such a speed that a high severity vulnerability on a highly critical asset could be insignificant by the time the fix is applied. For example, a full operating system (OS) update (usually critical in severity) is released about every four weeks, meaning that the teams responsible for patching cannot keep up with the release cycles.
Exploitability
So, maybe the focus should be on exploitability. Is the vulnerability exploited in the wild? Is there an exploit available? Is the exploit publicly available? Maybe there is no exploit? If an exploit is publicly available, then the number of possible attackers is much greater than if an attacker would have to create the exploit themselves.
Based on a recent analysis of Tenable plugins, around 40% of all critical vulnerabilities have a known exploit available. 12% of all medium severity vulnerabilities have a known exploit available. So why are we focusing on remediating the critical vulnerabilities with no exploit available, when there are medium severity vulnerabilities with known exploits available being ignored?
Sophisticated attackers exploit lower severity vulnerabilities to help them to get toward their end goal. Once a lower severity vulnerability has been exploited and attackers have been allowed access, they can use this to move laterally within your network and gain access to the critical data they really want.
648 low severity vulnerabilities that have a known exploit available
A report published by Palo Alto Networks highlights that “80% of the exploits we studied were published before the CVEs were published, meaning that attackers had exploited a vulnerability before we even knew there was a vulnerability”. Security teams will never be able to keep up with the speed at which exploits develop, so prioritising their effort is crucial to protecting the infrastructure that supports organisation operations.
Organisations spend time chasing large volumes of critical vulnerabilities when what is really needed is vital knowledge of exposure.
Exposure Analysis
By understanding your organisation’s asset exposure you can start to prioritise remediation efforts more efficiently. Is the asset directly exposed, indirectly exposed, potentially exposed, protected, or inaccessible? Vulnerabilities on exposed assets, regardless of whether they are critical or low severity, should get a higher score. By including exposure analysis in your vulnerability management prioritisation - along with CVSS, exploitability level, asset criticality and threat intelligence - you can slowly begin to get your ducks in a row.
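To show how these factors change the ranking, here is an added example (not Tenable's VPR algorithm or any code from the article) that blends CVSS, exploitability, asset criticality and exposure into a single score; the weights, the sample findings and the identifiers are all constructed for illustration.

```python
from dataclasses import dataclass

# Exposure categories named in the text, with illustrative weights (assumption).
EXPOSURE_WEIGHT = {"direct": 1.0, "indirect": 0.8, "potential": 0.6,
                   "protected": 0.3, "inaccessible": 0.1}


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # constructed identifier, not a real CVE
    asset: str
    cvss: float    # CVSS base score, 0.0 - 10.0
    exploit: str   # "none", "public" or "in_the_wild"
    acr: int       # Asset Criticality Rating, 1 (low) - 10 (critical)
    exposure: str  # key of EXPOSURE_WEIGHT


def exploit_factor(exploit: str) -> float:
    # Illustrative multipliers: a public exploit widens the pool of possible
    # attackers; active exploitation in the wild widens it further.
    return {"none": 0.4, "public": 1.0, "in_the_wild": 1.3}[exploit]


def risk_score(f: Finding) -> float:
    """Combine CVSS, exploitability, criticality and exposure into a 0-10 style number."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.acr <= 10:
        raise ValueError(f"out-of-range input for {f.vuln_id}")
    score = f.cvss * exploit_factor(f.exploit) * (f.acr / 10) * EXPOSURE_WEIGHT[f.exposure]
    return round(min(score, 10.0), 2)


def prioritise(findings):
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings: a critical CVSS on an unreachable asset versus a
# medium CVSS with an in-the-wild exploit on a directly exposed, critical asset.
SAMPLE = [
    Finding("VULN-A", "hr-portal", 9.8, "none", 8, "inaccessible"),
    Finding("VULN-B", "vpn-gateway", 5.4, "in_the_wild", 9, "direct"),
    Finding("VULN-C", "dev-wiki", 7.5, "public", 3, "protected"),
    Finding("VULN-D", "payroll-db", 3.1, "public", 10, "indirect"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.vuln_id:7} {f.asset:12} CVSS={f.cvss:4} risk={risk_score(f)}")
```

With these weights the medium severity VULN-B ranks first and the critical VULN-A last, which is the reordering a purely CVSS-driven queue would never produce.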
This sounds daunting, but Tenable has done the leg work by creating Lumin. Tenable Lumin’s Asset Exposure Score (AES), Asset Criticality Rating (ACR) and Vulnerability Priority Rating (VPR) are all calculated automatically using asset attributes, threat intelligence and a machine learning algorithm which enables you to make more informed decisions.
Tenable provides an overall Cyber Exposure Score (CES), a remediation maturity score, recommended actions to reduce your CES and the ability to benchmark yourself against your peers to identify your shortcomings and strengths.
Attack Surface
You can only quantify asset exposure once you know what assets you have. Tenable provides a comprehensive risk-based vulnerability management solution called Tenable.ep, which combines Tenable.io, Web Application Scanning (WAS), Cloud Security, Tenable.ad and Lumin into one centralised platform. All this combined has made it easier for organisations to continuously monitor and reduce the attack surface.
Tenable ensures that organisations focus remediation efforts in the right places. Cymptom will see the Tenable portfolio becoming ‘attack path informed.’ By protecting the most exposed assets, you will reduce your overall exposure score. Cymptom can visually map out attack paths and prioritise choke points that should be remediated to reduce risk, as per the MITRE ATT&CK framework.
Bit Discovery is an external attack surface management (EASM) platform. Renamed Tenable.asm, it will let you continuously map and discover your organisation’s internal and external internet-facing assets, enabling you to view and assess your entire external attack surface. Tenable.asm should be available in the third quarter of 2022.
Combining Cymptom and Tenable.asm with Tenable.ep will enable you to view your entire attack surface, showing potential attack paths from internet-facing assets to internal critical assets, and providing a full and complete overall exposure.
Short of doing the remediation work for you, Tenable has provided organisations with all the tools to combat the plight of remediation prioritisation, reducing the risk to you with minimal effort. As organisations, we need to pre-emptively disrupt attack paths.
What to do next?
Maintaining up-to-date patch levels is one of the most important activities when maintaining good cyber hygiene and reducing the likelihood of a breach. At LRQA, we are aware that it can be daunting to know where to start or where to focus effort to reduce the risk to the organisation. A lot of the time, organisations do not have the budgets or skills to be able to do this themselves. LRQA has a suite of services utilising the Tenable product suite and are proud to be a Tenable Platinum Partner.
Please get in touch if you want to know more about how LRQA can support you with Vulnerability Assessment and Management.