Not All Vulnerabilities Are Created Equal: Prioritize Real-World Vulnerabilities Beyond CVSS

Vulnerability Management remains one of the most challenging parts of securing your enterprise’s critical infrastructure. The number and type of vulnerabilities grows every year, with the number of identified weaknesses in software and hardware growing to more than 20,000 per year in each of the past three years.

The problem with this volume of identified weaknesses is understanding which ones to prioritize. It’s impossible to actively patch all the known vulnerabilities in your systems in an appropriate amount of time. There are too many patches, on too many assets, for security teams to patch every identified weakness. 

More importantly, not all critical vulnerabilities are created equal. The modern Common Vulnerability Scoring System (CVSS) is meant to be an objective measure of how potentially damaging a particular weakness is. However, a weakness with a CVSS score of 10 on a device that isn’t connected to any critical systems is very different from the same weakness on a device tightly interwoven into your network. 

A new measure is needed to judge the true risk of a breach based on identified weaknesses. Rather than focusing on the criticality score of a particular weakness, you should emphasize exploitability – a real measure of the risk of a breach based on the identified vulnerability.   

The Problem with Traditional Vulnerability Management 

Traditionally, vulnerability management followed one of two dovetailing technical approaches: passive and active detection. Passive monitoring means continuous inspections of packets traveling over the network to identify which software is running on the network. It can then infer any vulnerable components, such as devices, software assets, and more. 

Active scanning, on the other hand, initiates network traffic and analyzes responses. The end result is the same as with passive monitoring, with the key difference being that active scanning adds net-new network traffic and can often find unmanaged or unknown assets attached to your corporate network. 

Passive and active monitoring serve different purposes at different times but can also go hand-in-hand in a more comprehensive vulnerability management strategy — as long as you understand the virtues and weak points of each. Both identify vulnerabilities in your systems, but passive monitoring of course relies on the network being set up correctly so that the relevant traffic is visible to it. Active scanning can discover net-new assets but may require more capacity unless the functionality is outsourced. 

Once these vulnerabilities are discovered, they need to be checked and their severity validated. That’s the value of something like the Common Vulnerability Scoring System (CVSS), which is a decent analog for determining the severity of an identified weakness. The problem is one of nuance. CVSS may not accurately capture the severity of the vulnerability in your environment. This makes running an exploit analysis that simulates the paths an attacker could use to compromise a device key to effective prioritization. This analysis should take into account the exploit vector, as well as any mitigations either on the device or on the network, that might affect its exploitability.

Why Use Exploitability Instead? 

How exploitable a vulnerability is in real-world circumstances is a more effective basis for prioritizing your security team’s time than raw vulnerability information. However, people use the word “exploitable” in different ways, which can obscure the benefit.

Two major uses of exploitability refer to exploitability in the wild and exploitability in the context of a single target. High exploitability in the wild means that many people know an attack technique and are actively trying it. Separately from exploitability in the wild, there is also how exploitable your vulnerable target is. If a device is facing the public internet, it is much more vulnerable than the same device with the same vulnerability in a protected facility and network. Either way and at a fundamental level, exploitability means determining how likely it is for an attacker to breach your systems based on a weakness. A CVE with critical severity may not be that exploitable in your particular system architecture.

After detecting vulnerabilities, you need a solution that has a deep contextual engine to prioritize them according to their exploitability in both senses. For example, devices can have different configurations with different risk levels. The same device on a subnet with a handful of other devices carries less risk than one with 10,000 neighbors it could potentially infect. Risk is contextual; the public rating of a vulnerability’s severity is not. Similarly, a vulnerability that has seen a spike in usage in the wild is more exploitable than it was before that spike.

COVID-19 provides an easily understood analogy. Think of exploitability in the wild as how much virus is around you in the air. When there’s more floating around you and your community, you’re more likely to get hit with it. Exploitability in this context is specific to the potential patient – are they wearing a mask, did they just have COVID-19 a few weeks ago, did they get a booster lately?
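To make the two senses of exploitability concrete, here is an added illustration (not Asimily’s model or code) that ranks findings by a context-adjusted score: the public CVSS base score is scaled by in-the-wild activity, internet exposure, the number of reachable neighbors, and compensating controls. The weights, the placeholder CVE ids and the sample inventory are all assumed for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                  # placeholder id, not a real CVE
    cvss_base: float          # public severity, 0.0-10.0
    asset: str
    internet_facing: bool     # reachable from the public internet?
    reachable_neighbors: int  # hosts the device could pivot to
    exploited_in_wild: bool   # seen in threat-intel feeds?
    mitigations: int          # compensating controls on device/network


def exploitability(f: Finding) -> float:
    """Context-adjusted priority. The weights are assumed for illustration."""
    score = f.cvss_base
    # Exploitability in the wild: active campaigns raise priority.
    score *= 1.5 if f.exploited_in_wild else 0.7
    # Exploitability of this target: exposure and blast radius.
    score *= 1.3 if f.internet_facing else 0.6
    score *= 1 + min(f.reachable_neighbors, 10_000) / 10_000
    # Each compensating control (segmentation, NAC, etc.) cuts the risk.
    score *= 0.8 ** f.mitigations
    return round(score, 2)


def prioritize(findings):
    """Return (cve, asset, context score) tuples, highest priority first."""
    return sorted(((f.cve, f.asset, exploitability(f)) for f in findings),
                  key=lambda t: t[2], reverse=True)


# Constructed sample inventory (placeholder CVE ids and assets).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 10.0, "isolated lab analyzer", False, 5, False, 2),
    Finding("CVE-EXAMPLE-B", 7.5, "internet-facing gateway", True, 10_000, True, 0),
    Finding("CVE-EXAMPLE-C", 9.8, "flat-network infusion pump", False, 10_000, False, 0),
    Finding("CVE-EXAMPLE-D", 5.3, "VPN appliance", True, 50, True, 1),
]

if __name__ == "__main__":
    print("By CVSS base alone:", sorted((f.cvss_base, f.cve) for f in SAMPLE)[::-1])
    for cve, asset, score in prioritize(SAMPLE):
        print(f"{cve} {asset:28} context score {score}")
```

Ranked by CVSS alone the isolated CVSS 10.0 finding comes first; ranked by context it drops to last, behind a CVSS 7.5 on an internet-facing gateway with in-the-wild exploitation.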

How Asimily Helps Determine Exploitability of Vulnerabilities

Asimily leverages different data sources to analyze your network and determine the exploitability of Internet of Things (IoT) devices. These are baked into Asimily’s unique, patented technology that allows fast, accurate analysis of each new vulnerability in the complete context of the afflicted devices. Asimily also monitors threat intelligence feeds for exploitability in the wild, and incorporates that into its recommendations of which vulnerabilities are clearly, currently the most dangerous. These sources include, but are not limited to: 

  • The MITRE ATT&CK Framework is a comprehensive resource creating a common cybersecurity taxonomy and vocabulary with detailed information about tactics and techniques that adversaries may use in cyber attacks. Security teams typically use MITRE ATT&CK for threat modeling, including understanding what tactics and techniques specific threat actors are using. They also often use MITRE ATT&CK to see how many attack chains their defenses protect against. 
  • A Software Bill of Materials (SBOM) provides detailed information about the various software components that the manufacturer uses. With this information, organizations can know to seek new vulnerabilities in a software component, because that vulnerability may affect the product they operate that uses that newly vulnerable software component.
  • CVEs are also leveraged for insight into the severity of identified vulnerabilities in IoT devices. Knowing the relative severity of a particular weakness adds important context. These don’t show the full picture but are effective as a starting point for determining potential weaknesses. 
  • For medical devices, the Manufacturer Disclosure Statement for Medical Device Security, generally abbreviated MDS2 (or MDS²), gives healthcare providers important cybersecurity information so they can evaluate the security capabilities of their devices or compare new devices when making product selections. The MDS2 form is a manufacturer-completed document provided to healthcare organizations upon request. 

Determining the real exploitability requires all the information noted above. SBOMs are vital in this discussion to identify risky code built into devices and software assets. Similarly, MDS2 forms can showcase potential weaknesses for security professionals responsible for defending medical devices. 

Asimily analyzes multiple data sources and maps any identified vulnerabilities to the MITRE ATT&CK framework to determine the best possible, least time-consuming fix. Realistic cybersecurity should be about defending efficiently, not adding to an endlessly growing task list.

Separately, organizations can also use Asimily’s risk simulation to assess different ways to mitigate the risk from a given vulnerability on a device. Simulating a fix without going through the effort of doing it can help you determine criticality and whether the weakness is even of interest to attackers in the first place. That’s critical information when you’re deciding how best to support your security posture. For instance, you may find that certain devices or access controls are inadequate.

Asimily’s technology reduces false positives for serious weaknesses, while also speeding remediation of vulnerabilities through NAC integrations and more. Risk Simulator also empowers your security team to reduce risk 10x faster than with traditional vulnerability management. 

Final Thoughts

Organizations need a new approach to vulnerability management that accepts the truth – mitigation beats the theoretical removal of all vulnerabilities. Traditional methods of patching everything based on objective measures like CVSS don’t provide enough context for real risk reduction. Instead, companies need to focus on exploitability, and they need the right tool to do it. Asimily leverages insight from analyzing MDS2s and SBOMs, as well as CVEs, to determine the real exploitability of a weakness. Only through using a tool like Asimily to determine the true potential risk of a software or device weakness can organizations become more secure.

To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.
