Vulnerability Management: Efficient Management for Maximum Security

Vulnerability Management is making waves again. Successful attacks requiring no user interaction are becoming more frequent once again. At the same time, the number of publicly known vulnerabilities is increasing from year to year. This raises the question of how these vulnerabilities can be detected and remedied as early as possible.

In this article, you will learn how you can significantly increase the efficiency of your vulnerability management program through the targeted use of suitable metrics and publicly available information. Risk-based prioritization enables you to focus on the relevant vulnerabilities, rectify them in a targeted manner and thus strengthen your organization’s IT security in the long term.

First Step: Continuous Vulnerability Scanning

Most companies start with selective or one-off vulnerability scans of their IT/OT system landscape. These have very little added value for long-term protection due to the infrequent execution and daily discovery of new vulnerabilities. For this reason, continuous and automated vulnerability scanning should be implemented.

Once the vulnerabilities have been identified, most companies are faced with a mountain of vulnerabilities. This is where the real work of vulnerability management begins: evaluating, prioritizing, and addressing the identified vulnerabilities.

Which Vulnerabilities Should be Prioritized?

Address Actively Exploited Vulnerabilities First

The Known Exploited Vulnerabilities Catalog (KEV) is a list of vulnerabilities maintained by the Cybersecurity & Infrastructure Security Agency (CISA) that are known to be exploited for malicious attacks. The KEV is therefore a list of vulnerabilities that US authorities must fix as soon as possible. You should also want to fix these immediately, especially if they are located on a system accessible via the Internet. In this case, you must act immediately – without any ifs, buts, or maybes!

Due to the nature of the vulnerabilities listed in the KEV, in addition to immediate remediation, it must be considered whether the affected system and its environment should be examined for unwanted and malicious activities. As a rule, it must be assumed that these vulnerabilities have already been exploited. There is therefore a risk that access that has already taken place will be exploited at a later date, even if there are no signs of further malicious activity. Our CSIRT will actively support you in such a situation.

VulnCheck KEV is a resource from the private company VulnCheck that is comparable to CISA KEV. It contains the vulnerabilities from the CISA KEV as well as other vulnerabilities which, according to the information available to VulnCheck, are also being or have been actively exploited. VulnCheck KEV is not associated with any official obligation and can therefore be of added value as an alternative to CISA KEV due to its broader coverage. In contrast to CISA KEV, the creation of a user account is required.

Vulnerabilities With Existing Exploits

• The number of vulnerabilities that are actually actively exploited is usually significantly lower than the number of vulnerabilities for which exploit code exists. For this reason, vulnerabilities that are actively exploited should take priority over vulnerabilities for which an exploit exists. However, the latter should not be ignored, as they are part of the cybercriminals’ toolbox and can be used against your company at any time.
• Publicly available exploits can be found in the following databases and repositories:
• Exploit Database
• Metasploit Module or in the GitHub Metasploit Repository

Use of the Exploit Prediction Scoring System EPSS

The Exploit Prediction Scoring System (EPSS) is a data-based method for estimating the probability that a software vulnerability will be exploited in the next 30 days. It is therefore a model for predicting which vulnerabilities are most likely to be exploited in the near future.

The project is developed and run by a Special Interest Group (SIG) of the global Forum of Incident Response and Security Teams (FIRST) and is another freely available resource for prioritizing vulnerabilities. The current data can be viewed on the website or queried via an API.

Vulnerabilities that have an EPSS value of over 0.1 or 10% should be fixed in the near future. This is especially true if they can be exploited remotely (via the network) as indicated by their CVSS vector or vulnerability description.

The Right Prioritization in Vulnerability Management

In order to prioritize which vulnerabilities should be worked on first, it makes sense to combine the categories of vulnerabilities described so far and prioritize them on this basis. Such a prioritization is shown in the following figure:

• The following additional properties can be used for priority 4 vulnerabilities and to assess the vulnerabilities to be remedied beforehand:
• The closer a system is to the Internet, the more urgently its vulnerabilities need to be remedied. The probability of a vulnerability being exploited from the internet (cyberattack) is significantly higher than that of the other attack vectors. For example, a system in the DMZ that is accessible from the internet is much more vulnerable and exposed than a server in the internal network.
• With the Common Vulnerability Scoring System (CVSS), it is not so much the CVSS value as the individual metrics in the CVSS vector that are decisive. For example, vulnerabilities whose Attack Vector (AV) has the value Network (N) and whose User Interaction (UI) has the value None (N) or Passive (P, from CVSS 4.0) are to be prioritized for protection against cyberattacks.
• The rating given by the vulnerability scanner (typically one of the values: Critical, High, Medium, Low or Info), should be used with caution and should only be used as the last indicator.

Comprehensive and Efficient Vulnerability Management

It is normal for the number of vulnerabilities in medium and large-sized organizations to reach a level that makes manual application of the above recommendations impossible. In such cases, the use of suitable tools is recommended. For small organizations, a project such as cvemap offers the necessary automation and scalability. Medium and large-sized companies should consider purchasing a platform specializing in vulnerability management. Such platforms enable the centralization of all vulnerability scan results and the subsequent efficient or even fully automated assessment and distribution of vulnerabilities in the form of tickets.

However, before you start continuous vulnerability management, you should ensure that your organization has a functioning and efficient patch management system. Without systematic patch management, it will be very difficult to fix vulnerabilities in a timely manner. Once such a process is established, you can address the first and most important vulnerabilities with the recommendations compiled here.

Vulnerability Management as a Service

We will be happy to assist you if the large number of vulnerabilities makes it difficult to achieve comprehensive IT security, if you are facing challenges in patch management or if you would like to find out more about suitable tools and platforms. With our Vulnerability Management as a Service, we can support you as a trusted partner in the identification, assessment, prioritization and elimination of vulnerabilities, taking the pressure off you and your team in the long term.