In February, the number of vulnerabilities analyzed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) began to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still awaiting analysis, according to findings from VulnCheck.
Three months later, the problem persists. Although NIST has a plan to get back on track, analysis of common vulnerabilities and exposures (CVEs) is not keeping pace with the discovery of new vulnerabilities. Here is a look at the reasons behind the backlog, why CVEs may be becoming less central to IT security, and how security teams can stay ahead of attacker tactics.
Unpacking the backlog
Budget cuts are one factor behind the slowdown in CVE analysis. As reported by Security Magazine, NIST's funding was cut by 12% this year, making it harder for the agency to identify and analyze CVEs.
Another obstacle is the sheer volume of reported vulnerabilities: in its study, Flashpoint found that NIST recorded 33,137 vulnerabilities in 2023. Part of the increase can be attributed to better detection. Companies are adding cloud-based technologies and AI-driven tools to their security stacks, which helps them identify more potential threats. Higher counts therefore do not always mean higher risk, but they do reflect a growing number of potential attack paths.
NIST does have a plan to resolve the backlog. According to USASpending.gov, the government signed an $860,000 contract with Analygence for cybersecurity analysis and email support. Analysis work was scheduled to begin on June 3, with NIST aiming to be back on track by September 2024. While the contract ends in December 2024, the agency has the option to extend services through July 2025.
The evolving nature of cyber threats
Concerns about the NVD backlog are valid. The longer it takes NIST to analyze CVEs and recommend workable countermeasures, the greater the risk to enterprises.
Cybersecurity Dive reports, however, that the cybersecurity landscape is changing. Speaking at the virtual Gartner Security and Risk Management summit, principal analyst Mitchell Schneider said that while the total number of vulnerabilities is rising, critical CVEs are not outpacing their high-, medium- and low-severity counterparts.
Attackers, moreover, are no longer choosing targets based on CVE severity ratings. Schneider elaborated, “There is no intrinsic correlation between the vulnerability and if threat actors are exploiting them in relation to those severity ratings.” Instead, attackers prioritize the most exploitable vulnerabilities, which frequently fall in the medium or low severity range.
In practice, this creates a situation where organizations cannot see the forest for the trees: if they fixate on critical CVEs, they may overlook moderate-severity flaws that give attackers initial network access, from which they can then move laterally into more critical systems.
The result? While the CVE database remains a crucial component of robust security, it is not a cure-all. Attacker tactics are evolving, and security teams should be prepared to adapt accordingly.
Strategies for security teams to keep pace with adversaries
So, what does this shift mean in practice?
Four practices can help companies build stronger defenses in a post-CVE era.
1) Emphasize observability
As attack methods and patterns diversify, enterprises must prioritize IT observability. Consider a company that uses on-premises storage for critical data, public clouds for development testing, and private clouds for easily scalable application resources.
In this changed threat landscape, attacks can come from any source at any time. If they go undetected, attackers can lurk in the environment, collecting data and identifying the best routes for an assault. Comprehensive observability is therefore indispensable: the more insight companies have into activity within their environments, the better they can spot, identify and mitigate attacks.
2) Concentrate on exploit potential
According to Gartner, exploitability is now the primary focus for attackers. While more severe vulnerabilities may be lucrative targets for a time, medium- or low-severity vulnerabilities that are easy to exploit can set the stage for sustained attacker success.
For example, suppose attackers exploit a medium-severity vulnerability at the edge of a business network. They could then build and maintain illicit access points that give them persistent entry to enterprise systems, carry out reconnaissance, and lie in wait until security teams shift their focus to other vulnerabilities.
By prioritizing the most exploitable vulnerabilities rather than the most severe ones, security teams can reduce the likelihood of a successful breach.
3) Distribute the responsibility
Security is no longer the exclusive responsibility of IT teams. Operations, finance, marketing, sales and customer service all play a part in keeping the company safe. Although ultimate responsibility for security still rests with technical staff, sharing it across departments can improve detection rates and shorten the gap between identification and action.
4) Utilize accessible resources
Given the CVE backlog, security teams need to find and use alternative resources. Possible sources include:
- CISA Vulnrichment: CISA has taken on part of NIST’s CVE workload with its “Vulnrichment” initiative. A list of enriched vulnerabilities is available on GitHub, and companies can contact CISA at [email protected] with questions.
- The CVE Program: The CVE Program (formerly known as the Mitre CVE repository) identifies, defines and catalogs publicly disclosed cybersecurity vulnerabilities. It currently holds over 240,000 CVE records that security teams can download or search.
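To make the difference between severity-first and exploitability-first triage concrete (sections 2 and 4 above), here is an added example that is not part of the original article. It ranks a small constructed set of vulnerability records two ways and reports which medium- and low-severity CVEs an exploitability-first view promotes into the top of the queue. The record fields (cvss, exploitation, kev, internet_facing) are this example's own simplified schema, assumed rather than taken from any NVD or Vulnrichment format, and the CVE IDs are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record in this example's own simplified schema (assumed)."""
    cve_id: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    exploitation: str         # "none", "poc" or "active" (SSVC-style labels, assumed)
    kev: bool = False         # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool = False  # asset exposure from the organisation's own inventory


# Constructed sample data with placeholder CVE IDs; not real NVD records.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, "none"),
    Vuln("CVE-0000-0002", 6.5, "active", kev=True, internet_facing=True),
    Vuln("CVE-0000-0003", 7.2, "poc", internet_facing=True),
    Vuln("CVE-0000-0004", 4.3, "active"),
    Vuln("CVE-0000-0005", 8.1, "none", internet_facing=True),
]

EXPLOIT_WEIGHT = {"active": 3, "poc": 1, "none": 0}


def severity_order(vulns):
    """Traditional triage: highest CVSS score first."""
    return sorted(vulns, key=lambda v: -v.cvss)


def exploit_score(v):
    """Evidence of real-world exploitability; CVSS plays no part here."""
    score = EXPLOIT_WEIGHT[v.exploitation]
    if v.kev:
        score += 2
    if v.internet_facing:
        score += 1
    return score


def exploitability_order(vulns):
    """Exploit evidence decides the order; CVSS only breaks ties."""
    return sorted(vulns, key=lambda v: (-exploit_score(v), -v.cvss))


def promoted(vulns, n):
    """CVE IDs in the exploitability top n that a severity-first top n would leave out."""
    by_sev = {v.cve_id for v in severity_order(vulns)[:n]}
    by_exp = [v.cve_id for v in exploitability_order(vulns)[:n]]
    return [cve for cve in by_exp if cve not in by_sev]
```

With the sample data, a two-item severity-first queue contains only the two unexploited high-scoring CVEs, while the exploitability-first queue leads with the actively exploited medium and low ones.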
The future outlook for NIST
NIST aims to clear the CVE backlog by September 2024, though success is not guaranteed. As reported by The Record, Senators Mark Warner (D-VA) and Thom Tillis (R-NC) have introduced legislation to restore NIST’s funding and sharpen its focus on emerging risks such as AI-enabled threats; however, the bill is still at an early stage.
In short, although the agency and federal legislators acknowledge the pivotal role of CVE analysis and enrichment, companies cannot rely solely on the NVD for timely vulnerability data.
Instead, businesses will gain more by adapting their approach to match evolving attacker tactics. By adopting tools that improve observability and reveal exploit potential, companies can prioritize the threats that carry the highest risk. By spreading security responsibilities across departments and making broader use of the available security resources, they can respond more effectively to shifting attack priorities.