VULNERABILITY MANAGEMENT LIFECYCLE
Here we will see one of the many ways to represent the lifecycle of a vulnerability. As is often the case, there are several models available for this purpose.
DISCOVER
It is essential to inventory each asset (hardware, software, versions, contracts, certificates, etc.) in your infrastructure.
Explore your infrastructure thoroughly, considering not only what you know about your assets but also what you may not be aware of, such as VPNs set up by administrators to access Project X infrastructure without going through the corporate VPN, or publicly exposed RDP bounces "just in case."
To achieve this, consider conducting periodic scans of your infrastructure.
If you believe you are immune to Shadow IT, ask yourself if you are better than NASA?
PRIORITIZE
Now that you have listed all your equipment, you must group them by their criticality for your company and by their role.
For instance, your network equipment can be grouped under the "Network Infrastructure" category and each device assigned a criticality level (for example, the backbone will be rated as critical, while the hub used for MDT deployments may have a lower impact on your operations if lost).
You will not protect the PC used for displaying the canteen menu with the same intensity (in terms of time, financial resources, and human efforts) as you would protect your Citrix farm used for production purposes.
ASSESS
Using vulnerability detection tools is essential in managing the security of your systems. While you can perform manual checks when you are at home or dealing with a small setup, in an enterprise, maintaining reliable controls without software assistance becomes impractical.
Imagine having to manually verify each month that your Windows servers have received and installed every necessary security update (KB). Then, add the task of updating third-party software (.NET, Office, Java, internet browsers, etc.). Finally, include audits on configurations such as checking for active TLS 1.0, proper HSTS configuration, etc. The sheer magnitude of these tasks makes it humanly impossible to manage efficiently.
In an enterprise environment, utilizing specialized vulnerability scanning tools is crucial. These tools automate the process of detecting and assessing vulnerabilities across your network, applications, and systems. They not only help identify missing patches but also highlight potential misconfigurations and weak points in your infrastructure. By using such tools, you can proactively manage security risks and ensure a more robust defense against potential threats.
REPORT
Once vulnerability detection is completed, the next step is to compile a comprehensive detection report. This report should serve as a guide for the technical teams to implement the necessary corrections (if available), mitigation methods (if available), and even the method of detecting compromises (if applicable). Additionally, the report should provide crucial insights for the management teams to prioritize actions and understand the significance of the issues at hand.
REMEDIATE
The section regarding the prioritization of corrective actions is based on the information gathered from various sources, including asset groups, asset criticality, and vulnerability descriptions. The conventional approach for prioritizing vulnerabilities relies solely on the CVSS score, which can sometimes yield seemingly unusual outcomes, such as prioritizing the patching of Keepass with a CVSS score of 9.8/10 over a Windows system with four pending updates and scores of 9.1/10.
A method that I prefer is to prioritize vulnerabilities by combining the CVSS score with the probability of exploitation obtained from EPSS. By doing so, only critical vulnerabilities with a high probability of exploitation will undergo an urgent upgrade procedure.
This approach ensures that the prioritization of actions aligns more closely with the real-world risks faced by the organization. It addresses the limitations of the CVSS score, which focuses solely on the inherent severity of a vulnerability but doesn't consider its likelihood of exploitation in the wild. By incorporating EPSS data, which estimates the probability of exploitation, organizations can better allocate their resources and focus on addressing the most pressing security risks first.
By adopting this combined approach, security teams can efficiently manage their efforts, effectively address critical vulnerabilities, and mitigate the potential impact of cyber threats on the organization's systems and data. It provides a more comprehensive view of the actual risk posed by vulnerabilities, helping organizations make well-informed decisions to enhance their overall security posture.
Example (you can adapt it to your needs):
EPSS 0.111% to 30%
Low
Medium -
Medium
Medium
EPSS 40% to 69.999%
Medium -
Medium
Medium +
High
EPSS 70% to 89.999%
Medium
Medium +
High
High
EPSS 90%+
Medium
High
High
Critical
In this example, we have a matrix that combines the CVSS score range and the EPSS probability of exploitation range to prioritize vulnerabilities. Each cell in the matrix represents the priority level based on these combined factors.
CVSS Score Range:
0.1 to 3.9: Low severity
4 to 6.9: Medium severity
7 to 8.9: High severity
9+: Critical severity
EPSS Probability of Exploitation Range:
0.111% to 30%: Low probability
40% to 69.999%: Medium probability
70% to 89.999%: High probability
90%+: Critical probability
Based on the intersection of the CVSS score and EPSS probability, each vulnerability is assigned a priority level ranging from Low to Critical. This approach helps in determining the urgency of addressing vulnerabilities by considering both their inherent severity (CVSS score) and the likelihood of exploitation (EPSS probability). Vulnerabilities with a higher combined risk receive higher priority for remediation to mitigate potential threats effectively.
In this specific case, the CVE "CVE-2023-20867" has a CVSS score of 3.9/10, which might have made it seem less critical. However, the EPSS probability of exploitation is 79.661%, indicating a relatively high likelihood of the vulnerability being exploited in case of compromise. This information raises concerns about the potential risk associated with this vulnerability.
The description of the CVE states that "A fully compromised ESXi host can force VMware Tools to not authenticate operations between hosts, impacting the confidentiality and integrity of the guest virtual machine." Given the potential impact on confidentiality and integrity, it is reasonable to consider raising the priority for applying the patch or mitigation.
In this scenario, the combination of CVSS score and EPSS probability reveals that while the inherent severity of the vulnerability might not seem very high, the probability of it being exploited is significant. Consequently, it is essential to give serious consideration to addressing this vulnerability promptly to minimize the risk of potential attacks and protect the confidentiality and integrity of the affected virtual machines.
RISK MANAGEMENT
Once the risk is identified, several solutions are available to address the vulnerability. Each of these solutions is feasible for either all or part of your IT infrastructure.
RISK ACCEPTANCE
Risk acceptance involves acknowledging the existence of a risk but choosing not to implement corrective measures to address it. This decision is made when the cost or potential impact of security measures to mitigate the risk is disproportionate to the severity of the risk itself.
In the presented scenario, the PC hosting the application for self-reservation at your company has an unpatchable vulnerability due to the end of support for the operating system. Replacing the equipment with a new one would require re-development of the non-priority tool. However, the PC is isolated within a dedicated VLAN with strict flow management policies, and it has no internet access.
Given these circumstances, your organization's management decides to accept the risk and continue operating the obsolete PC.
RISK REFUSAL
Risk refusal involves taking measures to eliminate or significantly reduce the risk by avoiding the activity or situation that gives rise to the risk. For example, it may involve abandoning or discontinuing certain activities that pose an unacceptable level of risk.
In the given scenario, your company has been using a document-sharing tool for sensitive data for a long time. During an audit, you discover a vulnerability that could compromise the confidentiality of the data. After obtaining approval from your supervisor, you provide a report to your management explaining the vulnerability, its impact, and the methodology used to demonstrate the vulnerability.
To avoid this vulnerability, your company decides to stop using the current document-sharing tool and migrate to another solution.
RISK DEFERRAL
Risk deferral or postponement occurs when additional information is needed to properly assess the vulnerability, or when current resources do not allow for immediate action to correct the issue.
In the given scenario, your company uses a software tool like Keepass. During your monitoring activities, you discover that the tool is affected by a CVE, but the patch is not yet available.
After conducting further research, you learn that the patch will only be released in the next version, scheduled for release in one month. Additionally, there is no technical information available about the vulnerability during this period.
You inform your management about the situation, and based on the available information, they decide to defer the final decision-making process. In the meantime, the company can continue to use the software tool.
RISK CANCELLATION
"Risk cancellation" means that a preventive measure has been implemented to completely eliminate the identified risk. This involves taking specific actions to eliminate or reduce the probability of the risk occurring or its consequences.
Concrete Case: Every month, you write a report on the vulnerabilities present in your Windows computer park.
You inform your manager that these types of alerts recur regularly, especially during the Patch Tuesday, and that the manual corrective actions take a significant amount of time to plan and control.
As a result, your management decides to implement a server with the WSUS role to manage updates and deployment reports. They also decide to configure Group Policy Objects (GPOs) to automate the deployment and restart of computers and set up supervision to monitor the patching status of the systems.
VERIFY
Indeed, once a remediation is chosen, it is controlled and documented in a system that allows for review and tracking of each vulnerability.
As an administrator, you will need to provide evidence of correction (modified code, deployed patch and its installation proof, etc.). As a manager or responsible individual, you will sign off on the report submitted by your colleagues, indicating the acceptance or deferral of the risk. In the case of risk acceptance or deferral, you will define the initial date and the review date of the vulnerability.
Having such documentation and tracking system is essential for maintaining accountability and ensuring that the necessary actions are taken to address vulnerabilities effectively. It also helps in maintaining a comprehensive record of remediation efforts and the status of vulnerabilities, facilitating continuous improvement and security enhancements in the organization's IT infrastructure.
Last updated