For anyone who has worked in or around cybersecurity, vulnerability management can feel like whack-a-mole—an endless game of chasing down vulnerabilities based on severity rating and prioritizing their remediation based on those ratings.
With the ongoing cybersecurity workforce shortage, security teams are often forced to focus on the most severe vulnerabilities, leaving low, moderate, and even sometimes high-ranked vulnerabilities to be addressed later. Too often, that means never.
Cybersecurity vulnerabilities are commonly ranked by severity, using open framework metrics such as the Common Vulnerability Scoring System (CVSS), which utilize various criteria to score vulnerabilities on a scale from zero to 10. For example, the recent Log4J was ranked 10.
Scoring systems such as CVSS help security teams prioritize their efforts. Where it becomes problematic is when teams only focus on the most severely ranked vulnerabilities, due to realities such as lack of time and resources or simply thinking lower-ranked vulnerabilities aren’t as significant. While this may seem intuitive, it is dangerous, due to the use of “vulnerability chaining.”
One Attack, Multiple Vulnerabilities
As defined by CVSS, vulnerability chaining is a situation where multiple vulnerabilities are exploited in the course of a single attack. CVSS even supports a method of scoring a chain of vulnerabilities, looking at their individual scores as well the exploitation of them in unison.
This could certainly happen with highly ranked vulnerabilities. But given the reality that defenders are largely prioritizing higher-ranked vulnerabilities, albeit with abysmal time frames (averaging 205 days), it is likely that chaining activities would have the highest success rate by targeting low hanging (pun intended) and long dwelling vulnerabilities, which tend to be neglected by cybersecurity professionals. Organizations such as the FBI, CISA, and security leader Tenable have published guidance laying out how advanced persistent threat (APT) state-sponsored groups have done these exact sort of chaining exploitation activities.
Another drawback of thinking of vulnerability severities in isolation is that it lacks context. The need for context in vulnerability management programs cannot be overstated. While a critically ranked vulnerability is a cause for concern, defenders need to be thinking about their broader enterprise architecture, mitigations, compensating controls, and the overall exploitability of a specific vulnerability. Blindly prioritizing vulnerabilities based on their severity scores alone fails to let organizations effectively address their most concerning findings, which truly may be the most exploitable and therefore post the greatest threat and risk to an organization.
As discussed above, the traditional approach to vulnerability management, which tends to focus on only addressing the most critical vulnerabilities, and often without any context of their actual exploitability, is woefully insufficient. Organizations must look to continue to mature their vulnerability management practices, something we will discuss in a subsequent article, leveraging emerging guidance from organizations such as NIST.
As malicious actors continue to mature their practices, especially when targeting specific organizations, defenders must do the same. Malicious actors are enumerating their findings when performing reconnaissance on target organizations, and are able to chain those findings together to maximize their impact and effectiveness.
Researchers such as Dr. Nikki Robinson have increasingly begun raising the conversation around vulnerability chaining, seeking to ensure organizations are aware of these threats and take the appropriate measures to address them. Organizations should strive to understand their vulnerability footprints, not in isolation but holistically and with context. You can be sure those looking to exploit them do.
Once organizations understand their vulnerability footprint they can begin to implement plans to address them based on driving down risk through practices such as enterprise patch management, which we will be discussing in an upcoming article, so stay tuned.