How to Fix Vulnerability Prioritization Gone Wrong

With threat exposure distributed across legacy, hybrid, and cloud-native environments, patching vulnerabilities in a sensible order requires sifting through the astronomic amount of data generated by detection tools and prioritizing the patching order in line with business priorities. 

Fighting The Never-Ending War  

Vulnerabilities are the most pervasive weakness on the planet. Like a strained tendon, they slow down development and create a constant and hard-to-evaluate risk. They generate so much interest that new tools designed to detect them are sprouting up every day like mushrooms. These tools come in many shapes and are called anything from network security monitoring, web vulnerability scanning, data loss prevention, endpoint detection and response, network defense wireless solution, packet sniffers, antivirus software, Web Application Firewalls or network firewalls, Public Key Infrastructures (PKIs), managed detection services, and the list goes on. 

And detect they do. So much, in fact, that new tools are sprouting up to help filter all these detected vulnerabilities according to various ratings. 

Oh yes. Not all vulnerabilities are equal. And the judges are out to score them on basic, temporal, and environmental metrics, the most dangerous of them scoring highest on the CVSS hall of fame and jostling for visibility in NVD and MITRE CVE lists. 

So, there should be no problem, should there?  

With all those sniffing tools, cyber defenders should be able to catch those pesky vulnerabilities and filter them to let the harmless ones run free and ruthlessly eliminate the dangerous ones, shouldn’t they? 

Well, not quite.  

Despite their best efforts, these detecting and monitoring solutions generate too much data, including a sea of needlessly distracting false positives. By the time the valiant cyber defenders have gone through one batch and patched it, the environment configuration has changed, and new vulnerabilities have multiplied. 

The problem is not with the detection tools that are performing remarkably well in providing the data to calculate cyber risk exposure. It is not even with the outstanding new tools that filter through the mass of data, filter them according to their CVSS score and intuit a patching prioritization order that, at the time it is generated, makes perfect statistical sense.  

The problem is that the entire concept of prioritizing vulnerability patching based on risk scores is rooted in yesterday’s thinking. Its timeliness and relevance are challenged both from the infrastructure and from the attacker's sides. 

On the enterprise side, the near-ubiquitous adoption of continuous development results in constant changes in a configuration that render some of the scheduled patching irrelevant and introduce new vulnerabilities that are not included in the prioritized patching schedule.  

On the attacker side, the proliferation of hacking tools shopping centers flourishing on the darknet means that defenders are now contending not only with some hooded evil geniuses hidden in basements, they are facing a growing and increasingly organized industry, that also has R&D departments churning new TTPs (Tools, Tactics & Procedures) at record speed, and selling them and their automated version. 

This means that prioritizing vulnerability patching based on risk scores established through industry-wide statistical means is fighting yesterday’s war. A new thinking paradigm to prioritize vulnerability patching is needed.  

 

The Best Defense is a Good Offense 

Instead of using techniques stemming from the erstwhile “securing the perimeter” line of thinking, it is time to take a leaf or two from tried and tested military strategy summarized into cliched adages: 
 
“Know thy enemy” and “The best defense is a good offense.” 

Knowing the Enemy 

That may sound like a good idea, but unlike traditional military enemies, hackers do not operate as an army. They are faceless, motivated by any number of goals, ranging from greed to selfless hacktivistic defense of the oppressed (as defined by the hacktivist), from corporate to national spying, from information gathering to destructive abilities, and the list goes on. 

So, with such a multitudinous, multifaceted enemy, how is it possible to leverage military wisdom and get to know the enemy? 

Actually, regardless of its identity or motivations, the enemy is going to use tools to launch attacks. And, as stated by theNational Security Agency“To effectively resist attacks against information and information systems, an organization needs to characterize its adversaries, their potential motivations and classes of attack.” 

And we are in luck! 

MITRE ATT&CK  does exactly that! It collates known attacks and attackers and then maps potential attack routes in a publicly available framework. 

Switching to Offensive Tactics 

The global nature of the internet makes going against all malicious actors a pipe dream. Yes, there are initiatives to catch and jail the worst offenders, but the odds of global cooperation reaching a level that enables catching and neutralizing all offenders is next to nil. 

So, the best option is to redefine what a good offense means in the digital space is to become the enemy! 

Becoming the enemy does not mean shooting yourself in the foot. It means emulating the enemy and running production-safe attack simulations against your own environments. 

That is a long cry away from performing the annual or bi-annual pen testing exercises that placate compliance regulators. The enemy does not try once or twice a year. They keep trying, over and over again, with the most advanced tools they can lay their hands on. 

With a comprehensive Continuous Security Validation (CSV) suite - that includes BAS (Breach and Attack Simulation), CART (Continuous Automated Red Teaming,) and Advanced modules  -  any organization can continuously emulate attacks on their environment, exactly like a swarm of attackers would.  

Yet, unlike what happens under a real attack, security validation attacks yield, among other data, an optimized vulnerability patching priority schedule created by an Attack-Based Vulnerability Management (ABVM) included in each CSV suite module and based on risk scores derived from the actual risk to the validated environment. 

Patching attack-based prioritized vulnerabilities are the most efficient way to continuously improve security posture. 

------

Start simulating cyberattacks today with a  14-day free trial  of Cymulate's Extended Security Posture Management platform.

Start a Free Trial

Patricia de Hemricourt
Patricia de Hemricourt

After decades spent writing technical content for various high tech and cyber companies, Patricia joined Cymulate as a PMW. A webmaster with a BA in Journalism from Belgium ULB and a post-grad diploma in English Literature from King’s College London, UK, Patricia‘s love for the written word is serving her passion for technology.