Mitigating cyber risk is the IT version of the song that never ends because the release of new vulnerabilities goes on and on, my friends. Meanwhile, threat actors can leverage a new vulnerability as part of their attacks nearly as soon as security researchers announce it.

Security operations centers (SOCs) and security analysts struggle to keep pace with the onslaught of vulnerabilities and attacks. Although many companies have vulnerability management teams, security teams need visibility into vulnerabilities and the threats and risks associated with them. 

Risk terminology: Understanding assets, threats and vulnerabilities

To understand how vulnerabilities impact your cybersecurity risk management plan, you need to understand where vulnerability risk fits into your overarching assessment. When you understand the difference between threats, vulnerabilities, and risk, you can implement a more comprehensive mitigation strategy. 

A typical security risk matrix uses an equation that looks like this:

Risk = Likelihood x Impact of Data Breach 

Since attackers use vulnerabilities during their attacks, vulnerabilities impact the likelihood of a data breach. The more important - or critical - an asset is to your organization’s business, the greater the data breach’s impact will be.

A simplified equation for assessing vulnerability risk looks like this:

Likelihood = Vulnerability x Threat  

Now you can create a better model for understanding the security risks arising from vulnerabilities:

Risk = Likelihood x Asset Criticality

To get a true picture of actual risks, you need to define and understand assets, vulnerabilities, and threats. 

IT Asset

IT assets are infrastructure, hardware, software, networking, and cloud devices. You use them to store, manage, control, display, and transmit data within your IT environment. 

You should have an asset catalog or asset management tool that enables you to:

  • Identify all assets

  • Categorize asset criticality to your business

  • Document hardware and software for each asset

  • Document configurations for each asset

Adopting cloud technologies continuously expands your attack surface, making it hard to manage cyber threats. 

Vulnerability

A security vulnerability is a weakness or flaw in an IT system, application, policy, or procedure that increases the likelihood a threat actor’s attack will succeed. Attackers often use vulnerabilities to gain unauthorized access or perform unauthorized actions that compromise an organization’s security.

The Common Vulnerability Scoring System (CVSS) uses various metrics to define a vulnerability’s severity. The CVSS severity scores are:

  • None: 0.0

  • Low: 0.1 - 3.9

  • Medium: 4.0 - 6.9

  • High: 7.0 - 8.9

  • Critical: 9.0 - 10.0

Threat

A threat is the potential for an event to adversely impact your security. While a CVSS score tells you a vulnerability’s severity, it doesn’t tell you how severe it is in your environment. Threat intelligence provides security professionals with insight into how attackers are using a vulnerability.

Generally speaking, the types of threats include:

  • Unintentional threats, like a misconfiguration

  • Intentional threats, like a disgruntled employee

  • Natural threats, like a hurricane 

To understand a vulnerability’s potential impact on your organization, you need to understand whether it poses a threat, meaning that attackers can exploit it within your unique environment. For example, a Critical software vulnerability on a device that isn’t connected to the internet poses no risk to your environment because attackers can’t get to the device to exploit the weakness.
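The following is an added worked example (not code from the original article or from KeyCaliber) that applies the risk model above, Risk = Likelihood x Asset Criticality with Likelihood = Vulnerability x Threat, to a small constructed inventory. It uses the CVSS bands listed above for the Vulnerability term, treats a finding on an asset with no path from the internet as Threat = 0 (the article's offline-device rule), and ranks findings for remediation. The finding records, the asset criticality scale (1 to 5), the threat weights, and the `CVE-XXXX-...` identifiers are all assumptions made for illustration, not real vulnerabilities.

```python
"""Prioritise vulnerability findings with the article's risk model.

Risk       = Likelihood x Asset Criticality
Likelihood = Vulnerability x Threat

All inventory data below is constructed for the example.
"""
from dataclasses import dataclass


def cvss_band(score: float) -> str:
    """Map a CVSS base score to the severity band named in the article."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str               # placeholder identifiers, not real CVEs
    cvss: float            # CVSS base score, 0.0 .. 10.0
    internet_reachable: bool  # is there a network path from the internet?
    exploited_in_wild: bool   # does threat intel report active exploitation?


# Constructed asset catalog: criticality on a 1 (low) .. 5 (crown jewel) scale.
ASSET_CRITICALITY = {"db-server": 5, "web-frontend": 4, "lobby-kiosk": 1}

# Constructed findings, as a scanner plus threat-intel feed might report them.
FINDINGS = [
    Finding("db-server", "CVE-XXXX-0001", 9.8, internet_reachable=False, exploited_in_wild=True),
    Finding("web-frontend", "CVE-XXXX-0002", 7.5, internet_reachable=True, exploited_in_wild=True),
    Finding("web-frontend", "CVE-XXXX-0003", 9.1, internet_reachable=True, exploited_in_wild=False),
    Finding("lobby-kiosk", "CVE-XXXX-0004", 5.3, internet_reachable=True, exploited_in_wild=True),
]


def threat_factor(f: Finding) -> float:
    """Threat term: 0 when attackers cannot reach the asset (article's rule);
    otherwise an assumed weight that rewards observed exploitation."""
    if not f.internet_reachable:
        return 0.0
    return 1.0 if f.exploited_in_wild else 0.25  # assumed weights


def likelihood(f: Finding) -> float:
    """Vulnerability term is the CVSS score normalised to 0..1."""
    return (f.cvss / 10.0) * threat_factor(f)


def risk(f: Finding, criticality: dict) -> float:
    return likelihood(f) * criticality[f.asset]


def prioritise(findings, criticality):
    """Return findings ordered from highest to lowest risk."""
    return sorted(findings, key=lambda f: risk(f, criticality), reverse=True)


if __name__ == "__main__":
    for f in prioritise(FINDINGS, ASSET_CRITICALITY):
        print(f"{f.cve} on {f.asset:13} {cvss_band(f.cvss):8} "
              f"risk={risk(f, ASSET_CRITICALITY):.2f}")
```

Note what the ranking shows: the Critical 9.8 finding on the database server drops to the bottom because nothing can reach it, while the High 7.5 finding on the internet-facing front end, which is being actively exploited, comes out on top. Scanner severity alone would have ordered these the other way round.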

Building a Risk Model Is Harder Than It Sounds

A simplified risk equation makes it seem like you can easily calculate the risk a vulnerability poses to your security posture. Ideally, you apply all security updates as soon as a company releases them. Unfortunately, most teams can’t do this, which increases their cybersecurity risk.

New Vulnerabilities

If you feel like you’re responding to a new vulnerability emergency every day, you’d be partly correct. 

According to research, security researchers published an average of 55 new software vulnerabilities per day in 2021. For security analysts, this volume becomes even more overwhelming since the research also notes:

  • 87% of organizations have open vulnerabilities in at least 25% of their active assets.

  • 41% of organizations have open vulnerabilities in three out of four open assets. 

  • 95% of assets have at least one highly exploitable vulnerability. 

That’s the bad news. The better news comes when you review whether attackers can exploit a vulnerability. According to the research:

  • 62% of vulnerabilities have a 1% chance of exploitation.

  • 5% of all CVEs exceed an exploitability probability of 10%.

To fully understand the risk a new vulnerability poses, you’re better off focusing on that 5%. Unfortunately, your vulnerability scanner only tells you that a vulnerability exists, giving no additional information about exploitability. 

Complexity and Exploit Chains

Focusing on vulnerabilities that are exploitable in your environment isn’t easy either. Most likely, your IT environment consists of:

  • Workstations

  • Mobile devices

  • Network devices

  • Servers

  • Software-as-a-Service (SaaS) solutions

  • Virtual machines and containers 

  • Internet of Things (IoT) devices

With so many different potential vulnerabilities, it’s hard to determine which ones are most exploitable. 

Further, threat actors often use exploit chains, taking advantage of multiple known vulnerabilities within an organization’s system. Consider this example:

  • Attackers send a malicious request to a server with Vulnerability A, authenticating them as the server.

  • Using Vulnerability B, they write a malicious file that enables them to run commands in the system. 

If the organization installed the security patches for these vulnerabilities, attackers wouldn’t be able to use them. Unfortunately, most organizations have complex environments that contain more than just two vulnerabilities. Many times, attackers will find multiple vulnerabilities that they can exploit once they gain that initial access.

In this case, if the security and vulnerability management teams were sharing information, they could prioritize Vulnerability A, meaning the attackers won’t even get to Vulnerability B or any others that exist in the environment.

Once you start to go down the road of looking into exploit chains, you can understand risk more effectively. 
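The point about prioritising Vulnerability A can be made concrete with a small attack-path model. The example below is added here and is not the article's or KeyCaliber's code: it represents the environment as a directed graph whose edges are labelled with the vulnerability an attacker would have to exploit to move along them, then asks which single patch cuts every path from the internet to the crown-jewel asset. The hosts, the edge labels `A` to `E`, and the topology are constructed for illustration; the example generalises the two-step chain in the text to branching paths.

```python
"""Find the vulnerability whose patch breaks every exploit chain to a target.

Edges are (from_host, to_host, vulnerability_label): an attacker on from_host
can reach to_host only by exploiting that vulnerability. Topology is constructed.
"""
from collections import deque

# Constructed environment: two chains from the internet to the database,
# both passing through Vulnerability A on the web server.
EDGES = [
    ("internet", "web-server", "A"),
    ("web-server", "app-server", "B"),
    ("app-server", "db-server", "C"),
    ("web-server", "admin-ws", "D"),
    ("admin-ws", "db-server", "E"),
]


def reachable(edges, source: str, target: str, patched=frozenset()) -> bool:
    """Breadth-first search ignoring edges whose vulnerability is patched."""
    adjacency = {}
    for src, dst, vuln in edges:
        if vuln not in patched:
            adjacency.setdefault(src, []).append(dst)
    seen, queue = {source}, deque([source])
    while queue:
        host = queue.popleft()
        if host == target:
            return True
        for nxt in adjacency.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def blocking_patches(edges, source: str, target: str) -> set:
    """Vulnerabilities whose single remediation leaves target unreachable."""
    vulns = {vuln for _, _, vuln in edges}
    return {v for v in vulns if not reachable(edges, source, target, {v})}


def paths_through(edges, source: str, target: str) -> dict:
    """Count, per vulnerability, how many source->target chains use it.
    Simple DFS; fine for the small graphs a prioritisation review looks at."""
    counts = {vuln: 0 for _, _, vuln in edges}
    out = {}
    for src, dst, vuln in edges:
        out.setdefault(src, []).append((dst, vuln))

    def walk(host, used, visited):
        if host == target:
            for v in used:
                counts[v] += 1
            return
        for nxt, v in out.get(host, []):
            if nxt not in visited:
                walk(nxt, used + [v], visited | {nxt})

    walk(source, [], {source})
    return counts


if __name__ == "__main__":
    print("reachable before patching:", reachable(EDGES, "internet", "db-server"))
    print("chains per vulnerability:", paths_through(EDGES, "internet", "db-server"))
    print("single patches that break every chain:", blocking_patches(EDGES, "internet", "db-server"))
```

In this topology, patching B alone still leaves the route through the admin workstation, and patching C or E alone leaves the other branch; only A appears on every chain, so it is the patch that the security and vulnerability management teams should agree on first. Running the same check after each remediation is the re-evaluation step the article describes later.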

Attacker Speed

Attackers are fast. While they might not always be sophisticated, they actively start scanning networks when a new vulnerability is announced. 

Research over the last year noted:

Their ability to rapidly turn potential risks arising from vulnerabilities into security threats means that you need to continuously monitor your environment.

How to Reduce Risk from IT Infrastructure Vulnerabilities

As a security analyst, you want to ensure that you take proactive steps to reduce risk. You don’t want to wait for an alert to fire. You need weaknesses remediated before attackers can use them. 

Vulnerability and Threat Assessment

Conducting a vulnerability assessment gives you visibility into weaknesses across your environment that can lead to a data breach. Many security teams struggle to implement robust vulnerability assessment strategies because:

  • Penetration tests are expensive.

  • Limited staffing and budgets reduce their ability to engage in red teaming.

  • Disconnected tools make monitoring time-consuming.

To adequately assess and prioritize vulnerabilities that increase risks to sensitive data, you need to:

  • Define your critical assets

  • Locate vulnerabilities

  • Understand exploitability

When researchers publish new vulnerabilities, having at-a-glance visibility into whether they are potential threats can help you secure your environment more effectively.

Upgrade Recommendations

Continuous monitoring gives you visibility into the impact a vulnerability has on your risk levels. However, new vulnerabilities immediately impact your security posture and data breach risk. As you monitor, you need to suggest countermeasure upgrades that respond to specific threats and mitigate risks. 

To do this, you need to incorporate business impact into your monitoring. If you’ve miscategorized your company’s critical assets, you won’t be able to adequately respond to the evolving risk landscape. 

Additionally, you need to align your risk recommendations to your alerts so that you can more rapidly detect and respond to a security incident. You need to eliminate the data silos within your cybersecurity technology stack and apply internal risk metrics that enhance your alerts. 

When you include data about attackers’ ability to exploit a vulnerability in your environment, you can create high-fidelity alerts that enable faster detection and response times. 

Re-Evaluation of Risks

Whenever you remediate a weakness or add another risk mitigation control, you need to re-evaluate your risk posture. You need to show that your response reduces risk by changing the vulnerability’s potential impact on your environment. 

KeyCaliber: Internal and External Risk Signals for Enhanced Security Operations

KeyCaliber gives security teams the information they need to make strategic decisions. We ingest internal and external risk signals, enabling you to look deep within your company’s networks and systems. 

Our Business Impact risk scores incorporate open-source actuarial data from cyber insurers, industry vertical, and company size so that you can more precisely identify critical assets and quantify risk. Simultaneously, our Loss Probability risk scores analyze exploitability, connected asset risk, and distance from the internet so that you can prioritize your security activities more efficiently and effectively. 

With KeyCaliber, you can create a closed feedback loop across business leadership, vulnerability management, and security operations teams using empirical business impact data correlated to attack paths. 

For more information about how KeyCaliber can improve your security posture, contact us today. 

Vulnerabilities: Threats and Risks to Cybersecurity