Security analysts are exhausted. Every new day brings another newly published vulnerability and an onslaught of alerts. Over the last few years, the security industry has published increasingly disconcerting reports about alert fatigue and its impact on security analyst mental health.
In 2021, a report found that 27% of security operation center (SOC) teams admitted to spending most of their time dealing with false positives. In 2022, a different report found that as many as 81% of security teams say that more than 20% of their alerts are false positives. Overextended security teams spend slightly more time patching vulnerabilities than they do responding to alerts.
To alleviate these overwhelming burdens, security teams need a way to prioritize and secure exploitable vulnerabilities, and then feed that prioritization into their alerting so that the alerts they do receive are high fidelity.
What are vulnerabilities?
Security vulnerabilities are weaknesses in firmware, software, web applications, or operating systems that attackers can use to gain unauthorized access to systems and networks.
Digital transformation makes remediating vulnerabilities even more difficult. Your attack surface expands as you connect more Software-as-a-Service (SaaS) applications and devices. With each new connection, your risk changes, especially as researchers publish new vulnerabilities.
What is an exploit?
An exploit is when cybercriminals use a security vulnerability to gain unauthorized access to an organization's systems and networks.
Adversaries exploit vulnerabilities in two ways:
Zero-day attack: leveraging previously unknown vulnerabilities
Unpatched vulnerability: taking advantage of a published, known vulnerability (one with a Common Vulnerabilities and Exposures (CVE) identifier) that has not yet been patched
Threat actors use exploit kits, which automate the attack, to target system vulnerabilities and distribute malware or perform unauthorized actions.
Basically, a vulnerability is the "what" used during an attack, while an exploit is the "how": the way attackers use that vulnerability.
How attackers exploit vulnerabilities
Understanding how attackers exploit vulnerabilities can help you mitigate risk more effectively and efficiently.
Zero-Day Attack
A zero-day attack occurs when adversaries exploit a vulnerability before the vendor can create a security update that fixes the weakness. Usually, the attack occurs before researchers announce the vulnerability, but it can also occur in the window between the vulnerability's publication and the release of the vendor's patch.
Zero-day attacks are time-intensive, requiring sophisticated technical skills because the malicious actors need to find the vulnerability, write the exploit code, and deploy the attack before a fix exists.
Unpatched CVE
An unpatched known vulnerability poses a much larger risk. Attackers scan target networks looking for vulnerabilities using the same process and tools that security teams and vulnerability management teams use.
Some examples of common tools include:
Nmap (network mapper): network scanner that identifies hosts, devices, open ports, operating systems, and services
Shodan: a search engine that indexes data from internet-connected devices
Often, attackers who put the work in to find a zero-day vulnerability create an exploit kit. Since cybercrime is a business, they get a return on the time and skill investment by selling the exploit kit on the Dark Web where less experienced cybercriminals can buy it.
Unpatched known vulnerabilities remain a primary attack vector. For example, CISA published the top fifteen routinely exploited vulnerabilities of 2021, and three were also routinely exploited in 2020.
What are the top challenges security analysts face?
In modern IT environments, "patching a vulnerability" is far more challenging than it sounds.
Complexity decreases visibility
Your environment is complex, consisting of hundreds, more likely thousands, of connections across your users, devices, storage resources, and web applications. Most security teams lack the ability to map those connections, so they cannot see which vulnerable assets are actually reachable and exploitable.
Attackers need only an internet connection to reach your internet-facing systems. You need to know whether they can successfully reach and use an internet-connected asset that contains a vulnerability.
Further, you need to know the impact that a compromised asset would have on your business. If an exploitable vulnerability won’t impact one of your organization’s critical assets, then it’s less important to your security posture.
Applying a patch can lead to service outages
While updating a laptop might not disrupt your organization’s entire infrastructure, updating a domain server can. The highly interconnected nature of your IT environment means that you need to know whether applying an update to a single asset will impact anything else. To mitigate this risk, you need to test the update before installing it and ensure that it doesn’t compromise any other security controls.
This time-consuming process means that the vulnerability remains a risk for longer than you would like.
Inability to integrate vulnerability data into alerts
As part of your ongoing monitoring, you’re reviewing threat intelligence to see how attackers are exploiting vulnerabilities in the real world. Simultaneously, you’re continuously monitoring:
Network traffic
Scanner data
Endpoint data
Identity and Access Management (IAM) tools
Network logging data
Cloud logs
The problem is that even if you use a centralized log management or Security Information and Event Management (SIEM) tool, it does not include internal context about whether attackers can actually exploit a given vulnerability in your unique environment.
Lacking this visibility, you’re not able to determine which vulnerabilities matter most to your security posture or incorporate the data into your alerts.
Prioritizing exploitable vulnerabilities to mitigate risk
As a security analyst, you’re focused on implementing controls that mitigate data breach risk and enable rapid incident response. When you prioritize and secure exploitable vulnerabilities, you can achieve both these goals.
Gain visibility into a vulnerability’s business impact
The first step to any cybersecurity program is understanding the business impact a data breach would have. You need to know which assets contain sensitive data and which ones are critical to maintaining business operations.
To gain data-driven visibility into business impact risk, you need to correlate information that includes actuarial breach data, business impact, current configurations, and existing risk mitigation controls.
Every new vulnerability changes your risk posture. With continuously updated risk metrics that clearly align to business impact, you can focus on the vulnerabilities that matter most.
Understand exploitability to apply resources efficiently
Most security teams have limited visibility into whether vulnerabilities are exploitable in their unique environments. You might know that an asset has a critical severity vulnerability. You might know that malicious actors are exploiting that vulnerability.
A critical severity CVE may be less risky in your environment based on the risk mitigation controls you implemented. For example, you may have a workstation used for a limited purpose that never connects to the internet. Even a critical vulnerability that attackers are actively exploiting would be low risk in your environment because they can’t touch it.
When you have at-a-glance visibility into whether attackers can use a vulnerability in your environment, you can apply the security update to those exposed assets first. Further, you can engage in targeted threat hunting, focusing on indicators of compromise on those same assets.
Create high fidelity alerts to reduce alert fatigue
Most of the security data that your alerting tools aggregate, correlate, and analyze views your environment the way an attacker does. Attackers know that you have assets with exploitable vulnerabilities, and so do you. However, they don't know what the impact will be if they compromise the asset, and neither do you.
When you use business impact risk data, you can create high fidelity alerts because you understand the impacted asset’s importance to your company’s revenue and operations. When an alert fires on one of these high impact assets, you know that you need to focus on investigating it as quickly as possible.
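The three ideas in the sections above (map connections to see which vulnerable assets are reachable from the internet, rank findings by exploitability and business impact rather than by CVSS alone, and push that ranking into alerts so high-impact assets get triaged first) fit together in a small prioritization routine. The following Python is an added illustration written for this page; it is not KeyCaliber's scoring model and not code from the original article. The asset inventory, network edges, CVE identifiers (deliberately formatted as placeholders), CVSS values, weights and the P1 threshold are all constructed assumptions chosen to show the effect, and a real deployment would replace them with data from the organization's CMDB, scanner and exploited-vulnerability feeds.

```python
"""Added example: rank scanner findings by exploitability and business impact,
then enrich alerts with the result. Constructed data throughout; the scoring
weights are assumptions for illustration, not a published or vendor model."""
from collections import deque

# Constructed asset inventory. "connects_to" edges form a rough network map;
# the hop count from the internet is derived from them below.
ASSETS = {
    "web-01":   {"criticality": 3, "connects_to": ["app-01"]},
    "app-01":   {"criticality": 4, "connects_to": ["db-01"]},
    "db-01":    {"criticality": 5, "connects_to": []},
    "lab-ws-7": {"criticality": 1, "connects_to": []},   # isolated workstation, never online
}
INTERNET_EDGES = ["web-01"]  # assets directly reachable from the internet (assumed)

# Constructed scanner findings. The CVE ids are placeholders, not real advisories.
FINDINGS = [
    {"asset": "web-01",   "cve": "CVE-0000-0001", "cvss": 9.8, "known_exploited": True},
    {"asset": "db-01",    "cve": "CVE-0000-0002", "cvss": 7.5, "known_exploited": False},
    {"asset": "lab-ws-7", "cve": "CVE-0000-0003", "cvss": 9.8, "known_exploited": True},
    {"asset": "app-01",   "cve": "CVE-0000-0004", "cvss": 5.3, "known_exploited": False},
]


def distance_from_internet(assets, internet_edges):
    """Breadth-first search over the connection map. Returns the hop count from
    the internet for every asset, or None when no path exists at all."""
    dist = {name: None for name in assets}
    queue = deque()
    for name in internet_edges:
        dist[name] = 1
        queue.append(name)
    while queue:
        cur = queue.popleft()
        for nxt in assets[cur]["connects_to"]:
            if dist[nxt] is None:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def score_finding(finding, criticality, hops):
    """Assumed scoring: CVSS as the base, boosted when the CVE is known to be
    exploited in the wild, scaled down by each hop an attacker must cross, and
    multiplied by how much the business depends on the asset."""
    if hops is None:
        exposure = 0.1          # unreachable from the internet: residual risk only
    else:
        exposure = 1.0 / hops   # directly exposed = 1.0, two hops deep = 0.5, ...
    exploit_factor = 1.5 if finding["known_exploited"] else 1.0
    return round(finding["cvss"] * exploit_factor * exposure * criticality, 2)


def prioritize(findings, assets, internet_edges):
    """Return findings sorted by descending score, annotated with the inputs
    that produced the score so an analyst can see why it ranked where it did."""
    hops = distance_from_internet(assets, internet_edges)
    ranked = []
    for f in findings:
        crit = assets[f["asset"]]["criticality"]
        ranked.append({**f, "hops": hops[f["asset"]], "criticality": crit,
                       "score": score_finding(f, crit, hops[f["asset"]])})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def enrich_alert(alert, ranked, p1_threshold=20.0):
    """Attach the asset's highest-scoring finding to an alert and label it so the
    SOC triages alerts on high-impact, exploitable assets first. Threshold assumed."""
    best = max((r for r in ranked if r["asset"] == alert["asset"]),
               key=lambda r: r["score"], default=None)
    risk = best["score"] if best else 0.0
    return {**alert,
            "top_finding": best["cve"] if best else None,
            "risk_score": risk,
            "priority": "P1" if risk >= p1_threshold else "P3"}


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, ASSETS, INTERNET_EDGES)
    for r in ranked:
        print(f'{r["score"]:>6}  {r["asset"]:<9} {r["cve"]}  hops={r["hops"]}  '
              f'crit={r["criticality"]}  exploited={r["known_exploited"]}')
    # Constructed alert on the internet-facing web server.
    alert = {"id": "constructed-alert-1", "asset": "web-01", "signature": "suspicious outbound beacon"}
    print(enrich_alert(alert, ranked))
```

Running it ranks the actively exploited CVE on the internet-facing web server first, puts the lower-CVSS finding on the business-critical database above the medium finding on the application tier, and leaves the identical critical, actively exploited CVE on the isolated lab workstation at the bottom, which is exactly the "they can't touch it" case described above. The alert on web-01 comes back tagged P1 with its top finding attached, while an alert on the workstation would be P3.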
KeyCaliber: Exploitable vulnerabilities for enhanced security operations
With KeyCaliber, security teams have the internal business risk impact data they need to make strategic decisions. We ingest internal and external risk signals, including actuarial data breach information, so that you can make informed decisions and prioritize activities.
Using our Business Impact and Loss Probability risk scores, you can create high fidelity alerts that incorporate exploitability, connected asset risk, and distance from the internet. Instead of chasing down every alert, you have the data needed to establish effective detections and efficient incident response processes.
When you correlate empirical business impact data with attack paths, you can create a closed feedback loop across business leadership, vulnerability management, and security operations. By communicating across all internal stakeholders, you can allocate budgets and staffing to mature your security posture.