Beyond Disclosure: Transforming Vulnerability Data Into Actionable Security

Vulnerabilities are lurking everywhere, like hidden landmines in the digital landscape waiting to be stepped on. As technology advances, so does the rate of vulnerability disclosures and the speed with which they are exploited.

Meanwhile, the National Vulnerability Database (NVD), run by the US National Institute of Standards and Technology (NIST) and the leading vulnerability repository worldwide, is slowly recovering from a major internal crisis that disrupted its service in February 2024.

Lindsey Cerkovnik, branch chief of vulnerability response and coordination at the US Cybersecurity and Infrastructure Security Agency (CISA), believes that to successfully address the rise in vulnerability disclosures and exploits, global vulnerability management programs, such as the CVE program (run by US non-profit MITRE and sponsored by CISA) and the NVD program, should now adopt a data-driven approach.

“For a long time, at the CVE program, we have focused on federating the different public-facing vulnerability intelligence resources. I think it’s now time to operationalize vulnerability management by focusing on improving the quality of the vulnerability data we offer to organizations,” she said during the Fall 2024 Infosecurity Magazine Online Summit.

An Ever-Growing Vulnerability Landscape

Rising Vulnerability Exploits

Several recent reports have shown that vulnerability exploits have substantially increased over the past few years.

Research conducted by Verizon in the January 2024 Data Breach Investigations Report found that vulnerability exploitation increased overall by 180%.

According to Mandiant’s M-Trends report, published in April 2024, attackers exploited vulnerabilities to gain initial access in 38% of intrusions in 2023, a 6% increase from the previous year.

Analysis by VulnCheck showed that common vulnerabilities and exposures (CVEs) with known exploitation grew at a 19.7% annual growth rate over the past 10 years.

Tom Alrich, co-founder of the Software Bill of Materials (SBOM) Forum at the OWASP Foundation, also on Infosecurity’s Online Summit panel, said that cyber adversaries are getting much smarter at both finding unknown vulnerabilities (aka zero-days) and exploiting them, or finding ways to exploit known – and sometimes patched – ones.

“I think an episode like the SolarWinds supply chain attack in 2019 made many people, from the good and the bad sides, realize there was big potential for damage involved with vulnerability exploits,” he added.

Today, the risk of vulnerability exploits has become “the number one issue in security,” according to third panelist Rose Gupta, the lead for threat and vulnerability management at AssuredPartners.

“However, threat actors usually exploit other weaknesses, like a lack of or misconfigured multifactor authentication (MFA), in conjunction with exploiting CVEs,” she added.

Rising Vulnerability Disclosures

Meanwhile, vulnerability disclosures are also rising. Cerkovnik said that the CVE program should issue an estimated 35,000 CVEs by the end of the year, compared to 29,000 in 2023 and 24,000 in 2022.

“That’s an incredible growth that can be daunting for someone in an organization running a vulnerability management program,” she said.

However, while a rising number of disclosures makes the vulnerability management job harder within organizations, Cerkovnik believes such a rise is also due to improved vulnerability reporting processes across the board, which shows better transparency from software providers, security researchers and users.

Coordinated vulnerability disclosure (CVD) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. Credit: Dave Hoeek/Shutterstock

“We also have a better taxonomy to track them and better systems to handle them,” she continued.

Read more: Navigating the Vulnerability Maze: Understanding CVE, CWE, and CVSS

Addressing the Vulnerability Alert Explosion

Shifting the Vulnerability Disclosure Burden Back to the Owner

To address the ever-mounting challenge of rising vulnerability disclosures, Alrich said that organizations should move away from a patch-all-vulnerabilities principle to an approach focused on prioritization.

“Organizations may not need to always fix all vulnerabilities,” he added.

AssuredPartners’ Gupta agreed, adding that over-reliance on vulnerability scanners and other detection tools and, more generally, “vulnerability fatigue,” were becoming major problems within security teams.


To assist with prioritization, organizations can look into CISA’s Known Exploited Vulnerabilities (KEV) catalog and explore the Exploit Prediction Scoring System (EPSS), a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.  

EPSS was launched by non-profit FIRST in April 2020.
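As an added illustration of the prioritization the panel describes (example code, not a CISA, FIRST or panelist tool), the following Python script ranks a constructed backlog of CVE records by KEV membership first, then EPSS probability, then CVSS severity; the record layout, the 0.10 EPSS threshold and the placeholder CVE identifiers are assumptions.

```python
# Triage by exploitation evidence: added example, not a CISA, FIRST or
# panelist tool.  Record layout, EPSS threshold and CVE ids are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    cvss: float      # CVSS base score, 0.0-10.0
    epss: float      # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool     # present in CISA's Known Exploited Vulnerabilities catalog

# Assumed threshold: EPSS at or above this is treated as "likely to be exploited".
EPSS_THRESHOLD = 0.10

def triage_bucket(rec: VulnRecord) -> str:
    """Confirmed exploitation (KEV) outranks predicted exploitation (EPSS),
    which outranks raw severity (CVSS), so a patch-everything queue becomes a
    short act-now list plus a scheduled list."""
    if rec.in_kev:
        return "act-now"
    if rec.epss >= EPSS_THRESHOLD or rec.cvss >= 9.0:
        return "schedule"
    return "track"

BUCKET_RANK = {"act-now": 0, "schedule": 1, "track": 2}

def prioritize(records):
    """Order records by bucket, then by EPSS and CVSS, highest first."""
    return sorted(records,
                  key=lambda r: (BUCKET_RANK[triage_bucket(r)], -r.epss, -r.cvss))

# Constructed backlog; the CVE ids are placeholders, not real entries.
SAMPLE = [
    VulnRecord("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),
    VulnRecord("CVE-0000-0002", cvss=7.5, epss=0.64, in_kev=True),
    VulnRecord("CVE-0000-0003", cvss=5.3, epss=0.31, in_kev=False),
    VulnRecord("CVE-0000-0004", cvss=6.1, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r.cve_id}  {triage_bucket(r):8}  cvss={r.cvss:4.1f}  epss={r.epss:.2f}")
```

Note that the medium-severity record with a high EPSS score lands above the critical-severity record with almost no exploitation signal, which is the shift from severity-only patching the panel argues for.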

Still, Cerkovnik believes that the rapid increase in vulnerability exposures will become too much for organizations with their current tools.

“We are at an interesting time, where we should shift the burden of providing vulnerability data from the consumer and the user back to the product’s original manufacturer, which is required to provide safe products,” she argued.

Read more: How to Disclose, Report and Patch a Software Vulnerability

The NVD Crisis Explained

The recent NVD crisis, which Infosecurity extensively reported on, is a good example of how fragile the current vulnerability disclosure system is.

Typically, a new CVE is added by a CVE Numbering Authority (CNA) in cooperation with the owner of the software product with which the vulnerability is associated.

CVEs are then listed on the NVD, which ‘enriches’ them with additional data and metadata. The NVD thus acts as a single entry point for organizations that want to learn about vulnerabilities.

Starting in February 2024, the NVD stopped enriching new CVEs added to its registry, leaving many organizations in the dark.

One important piece of metadata is the Common Platform Enumeration (CPE) identifier, a unique, machine-readable identifier that organizations can use to get alerted on new vulnerabilities affecting the products they run.

“Today, we’re living with about 19,000 CVEs in the NVD – and other vulnerability databases that are based on the NVD – that don’t have a CPE, and this number is growing by over 1000 a month,” said Alrich.

Several security software providers developed tools to fill some of the gaps left by the NVD, but none had the capacity to address the NVD’s backlog entirely.

The NVD is now catching up with CVE enrichment, but those behind the program may still need many months to fill the gaps since new vulnerabilities appear every week.

CISA’s New Data-Driven Approach

In May 2024, CISA also stepped up to fill some gaps left by the NVD crisis by launching the Vulnrichment program.

Credit: Cybersecurity and Infrastructure Security Agency

The program’s primary goal is to add metadata to CVEs, including Common Platform Enumeration (CPE) identifiers, Common Vulnerability Scoring System (CVSS) scores, Common Weakness Enumeration (CWE) identifiers, and Known Exploited Vulnerabilities (KEV) entries.

“For that, just like to decide on which vulnerabilities we include in our KEV catalog, we use a framework called Stakeholder-Specific Vulnerability Categorization (SSVC), which is essentially a decision tree that helps us prioritize,” Cerkovnik explained.

In parallel, CISA has asked all CNAs to provide complete CVEs – with metadata – when making their initial submission to CVE.org.

In September, the CVE program also launched the CNA Enrichment Recognition List, a document published every two weeks to recognize the most active CNAs.

According to Cerkovnik, these two initiatives illustrate CISA’s and the CVE program’s new data-driven vulnerability management approach.

“For the past eight to 10 years, the CVE program was in a growth era as we were primarily dedicating our efforts to growing the number of CNAs and the number of vulnerability disclosures; now, I believe we are in a quality era. We’re focusing our efforts on requiring better data so that the entire ecosystem improves,” she said.

At the same time, she insisted that good vulnerability management was a team effort and encouraged vulnerability detection providers to do more to fill the remaining gaps.

What’s Next for Vulnerability Management

While these new initiatives are generally welcomed by the software security community, a debate remains about how to develop the best metrics to provide the quality data that Cerkovnik mentioned.

For instance, the typical severity metric, the Common Vulnerability Scoring System (CVSS), has received criticism.

Some argue it oversimplifies the complex nature of vulnerabilities, while others believe it can be inaccurate and misleading because its metrics are misused. A third criticism points to a lack of transparency, both from NIST’s NVD, which does not disclose the process it uses to assign a CVSS score, and from CNAs.

Other frameworks have been proposed, such as Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD), a model developed by Microsoft in 2022 that not only measures risk but intends to capture the specific context of most potential weaknesses.

For Alrich, an even more significant point of contention is the use of CPE identifiers. “CPE’s main problem is that it is not a standard,” he explained.

“For instance, CPE includes the name of the vendor. Sometimes, names can be different depending on which business unit within a single vendor the software comes from. Is it Microsoft Inc, Microsoft Europe, the name of an acquired company?”

Furthermore, Alrich added that the confusion with the vendor is multiplied when the software is open source.

Alrich and the OWASP SBOM Forum suggest combining CPEs and Package URLs (pURLs), another machine-readable standard identifier that today only applies to open source software packages.

“The great advantage of pURLs is that, contrary to CPEs, they are predictable. You are guaranteed to match a pURL with the right software package,” Alrich said.

CVE now supports pURLs, but whether they will be adopted globally remains to be seen.
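To make Alrich’s point about CPE versus pURL concrete, here is an added Python example (not CVE program or OWASP SBOM Forum code) that parses CPE 2.3 formatted strings and pURLs and matches a constructed advisory identifier against an inventory identifier; the vendor names, the alias table and the package names are invented.

```python
# CPE 2.3 vs purl matching.  Added example, not CVE program or OWASP code.
import re
from urllib.parse import unquote

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(s: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields.  Colons inside a
    field are escaped as '\\:', so splitting on every ':' would be wrong."""
    if not s.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string")
    fields = re.split(r"(?<!\\):", s)            # split on unescaped colons only
    if len(fields) != 13:
        raise ValueError(f"expected 13 fields, got {len(fields)}")
    return dict(zip(CPE_FIELDS, (f.replace("\\:", ":") for f in fields[2:])))

def cpe_matches(advisory: str, inventory: str, vendor_aliases: dict) -> bool:
    """Match advisory CPE against inventory CPE ('*' means ANY).  Vendor names
    are comparable only after an alias table maps them: the gap Alrich describes."""
    a, b = parse_cpe23(advisory), parse_cpe23(inventory)
    for name in CPE_FIELDS:
        x, y = a[name].lower(), b[name].lower()
        if name == "vendor":
            x, y = vendor_aliases.get(x, x), vendor_aliases.get(y, y)
        if "*" not in (x, y) and x != y:
            return False
    return True

def canonical_purl(s: str) -> str:
    """Canonicalize pkg:type/namespace/name@version (qualifiers/subpath dropped)."""
    if not s.startswith("pkg:"):
        raise ValueError("not a purl")
    body = s[4:].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")     # version follows the last '@'
    if not sep:
        path, version = body, ""
    parts = [unquote(p) for p in path.strip("/").split("/")]
    tail = f"@{unquote(version)}" if version else ""
    return f"pkg:{parts[0].lower()}/{'/'.join(parts[1:])}{tail}"

# Constructed identifiers: same product, vendor named differently per business unit.
ADVISORY_CPE = "cpe:2.3:a:examplecorp:widget:1.2.0:*:*:*:*:*:*:*"
INVENTORY_CPE = "cpe:2.3:a:examplecorp_europe:widget:1.2.0:*:*:*:*:*:*:*"
VENDOR_ALIASES = {"examplecorp_europe": "examplecorp"}   # constructed alias table
# Same npm package written two ways; purl canonicalization makes them equal.
ADVISORY_PURL = "pkg:npm/%40example/widget@1.2.0"
INVENTORY_PURL = "pkg:NPM/@example/widget@1.2.0"
```

Without the alias table the two CPEs fail to match even though they describe the same product, whereas the two pURLs canonicalize to the same string with no vendor guesswork.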

Finally, Cerkovnik thinks the next step for the vulnerability management community will be to develop processes similar to vulnerability disclosures for misconfigurations.

“Addressing misconfigurations to mitigate security risks will be one of the next big issues we will have to tackle in the near future,” she predicted.

Conclusion

As the volume and sophistication of vulnerabilities continue to rise, organizations must adopt a more proactive and data-driven approach to security.

This includes prioritizing vulnerabilities based on their potential impact, leveraging tools like the KEV catalog and EPSS, and shifting the burden of providing vulnerability data back to the original manufacturers.

By working together and investing in robust vulnerability management practices, all stakeholders can better protect against the ever-evolving cybersecurity threats.
