At Nucleus, we are continually researching ways that organizations can leverage threat intelligence for smarter vulnerability prioritization.
In November 2021, CISA issued BOD 22-01, a binding operational directive aimed at reducing the significant risk of known exploited vulnerabilities. Under this directive, federal civilian agencies are required to remediate each listed vulnerability within a timeframe set by CISA based on the criticality of the vulnerability.
BINDING OPERATIONAL DIRECTIVE 22-01:
REDUCING THE SIGNIFICANT RISK OF KNOWN EXPLOITED VULNERABILITIES
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise. Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.
This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise https://cisa.gov/known-exploited-vulnerabilities and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog. CISA will determine vulnerabilities warranting inclusion in the catalog based on reliable evidence that the exploit is being actively used to exploit public or private organizations by a threat actor.” — CISA.gov
As part of the BOD 22-01 initiative, CISA also created a publicly available threat intelligence feed that is known today as the CISA KEV (Known Exploited Vulnerabilities) Catalog. This list is an incredibly valuable vulnerability intelligence source for organizations that are looking to reduce their attack surface and exposure.
There are approximately 200k published CVEs, of which only a small subset has been confirmed by CISA as exploited. With the CISA KEV catalog covering less than 0.5% of all published CVEs (839 of 197,569 at the time of writing), it is a high-impact list and an efficient, free way to prioritize remediation of some of the riskiest vulnerabilities: those CISA has confirmed as having been, or actively being, exploited.
Given that CISA KEV’s threat intelligence feed is an incredibly trustable source coming directly from the US government, we quickly decided to work the feed into our own Nucleus service so that we could enable federal and commercial organizations alike to use these valuable threat intelligence findings in their own vulnerability prioritization and remediation.
As we began researching the vulnerabilities listed in the CISA KEV catalog, our security research team at Nucleus ran into several questions, because the catalog itself carries only a handful of informational fields per entry:
- How often is CISA adding new vulnerabilities to their KEV list and how are they prioritizing them?
- Are there certain indicators that researchers can use to predict whether a vulnerability is likely to be added to the list?
- How should things like exploitation traffic be used to further prioritize vulnerability remediation?
With these questions in mind, we created the Nucleus CISA KEV Enrichment Dashboard with the aim of providing insight into how CISA populates their KEV catalog, as well as a place to give understanding and context to unanswered questions. Throughout the process of building this dashboard, we realized just how valuable this information could be for the larger vulnerability research audience, so we opened up access and decided to share the enrichment data we found. The result is our CISA KEV Enrichment Dashboard by Nucleus Security.
Listen as Nucleus Security’s Co-Founder and CEO, Stephen Carter, discusses how this effort from CISA helps U.S. civilian agencies as well as organizations globally on the Mandiant Defender’s Advantage podcast.
What is the CISA KEV Enrichment Dashboard?
The CISA KEV Vulnerability Enrichment Dashboard by Nucleus enables vulnerability researchers to quickly analyze trends in the known exploited vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA), in order to add intelligence-led prioritization to their vulnerability management.
The table is free to use, sort, search, and export. It provides a complete list of the CISA Known Exploited Vulnerabilities Catalog as well as the essential information about each vulnerability, including:
- CVE Identifier: The unique Common Vulnerabilities and Exposures (CVE) identification number assigned to each vulnerability.
- Vendor: The organization who developed the product associated with the CVE.
- Product: The product associated with the CVE.
- Date Added: The date CISA added the vulnerability to the CISA KEV list.
- Due Date: The date by which federal agencies must remediate the vulnerability under BOD 22-01. Federal civilian agencies are required to meet these dates; other organizations can use them as a benchmark for their own SLAs.
Using CISA KEV Dashboard for Vulnerability Prioritization
Prioritizing vulnerability remediation using threat intelligence should be a key priority for any organization looking to quickly eliminate vulnerabilities that pose the highest risks. CISA KEV is not only highly trusted and freely available to all, but the low barrier to entry makes it a great place for any organization to start considering how threat intelligence can be incorporated into their vulnerability management program.
Once an organization has implemented vulnerability scanning across its network, applications, and cloud, CISA KEV can be used to identify which known exploited vulnerabilities exist within the environment, producing a focused list of where to prioritize remediation efforts.
Once you have a handle on CISA KEV, we also believe it is incredibly important to incorporate vulnerability threat intelligence beyond a single source. "Only a small subset (2%-7%) of published vulnerabilities are ever seen to be exploited in the wild," says EPSS. Considering that CISA KEV only covers approximately 0.5% of all CVEs, it is a great place to start focusing your efforts, but we strongly recommend incorporating additional vulnerability intelligence sources to identify a broader set of exploitable vulnerabilities, such as GreyNoise, Mandiant, Recorded Future and others.
Enrichment Vendors
What truly sets our CISA KEV Enrichment Dashboard apart from the baseline information provided in the CISA KEV list is the multiple enrichment columns we have added from CVSS, EPSS, and GreyNoise Threat Intelligence, which layer additional intelligence on top of each CVE to help organizations better prioritize and remediate each vulnerability.
CVSS
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It is maintained by FIRST (the Forum of Incident Response and Security Teams); NIST's National Vulnerability Database publishes CVSS scores for CVEs. CVSS produces a base score ranging from 0 to 10 and maps it to the qualitative ratings None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0). Note that CVSS measures severity, not the likelihood of exploitation.
EPSS
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the probability that a software vulnerability will be exploited in the wild within the next 30 days. EPSS complements severity scoring: where CVSS describes how bad a vulnerability is, EPSS combines CVE metadata with real-world exploitation data to estimate how likely exploitation is. The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.
GreyNoise Threat Intelligence
GreyNoise monitors and analyzes internet-wide scanning and exploitation traffic via its global passive sensor network. Observed exploitation traffic is direct evidence that a vulnerability is being targeted, which is why we use it, alongside KEV membership, to prioritize vulnerability remediation, and why multiple threat feeds are more useful than one.
- GreyNoise Traffic: The number of unique IP addresses observed actively scanning for this specific CVE in the past 90 days.
- GreyNoise Tag: A link to the GreyNoise Tag Trends page for the CVE, providing a time-series view of active exploitation traffic. Note that GreyNoise does not have a tag for every CVE in CISA KEV, so an empty field means no coverage, not no activity.
How do I use the CISA KEV Enrichment Dashboard?
We built the CISA KEV Enrichment Dashboard as a basic table accessible to all so that it could be easily sorted, searched, and exported for your own vulnerability observations and research.
By layering further intelligence and insight onto the CISA KEV data, we hope your vulnerability team will be able to view these CVEs through an additional layer of context, leading to more intelligent vulnerability prioritization that lets you quickly sort through the hundreds of vulnerabilities presented and focus on the ones that matter to your team.
You can also use the sorting and filtering features of the CISA KEV Enrichment Dashboard to pull out interesting vulnerability insights and observations, such as the vendors and products that appear most frequently on the KEV list.
Most Featured Vendors
- The top five most featured vendors on the CISA KEV list are Microsoft (with 241 vulnerabilities), Adobe, Cisco, Apple and Google, together accounting for more than 53% of all entries in the catalog.
- Certain brands, like Apple, carry a perception that just buying and using them will keep you secure. As we see from the CISA KEV list, you also must keep them up to date.
Most Featured Products
- The top five most featured products on the CISA KEV list are Microsoft Windows, Adobe Flash Player, Microsoft Internet Explorer, Microsoft Office, and Google Chrome.
- Avoiding Microsoft Windows, Microsoft Office, and Google Chrome is more practical for some organizations than others, and it is important to note that the common alternatives to Windows and Chrome, Apple's platforms among them, are also on this list. Switching products does not remove the need to patch them.
How to Identify, Prioritize, and Remediate Exploitable Vulnerabilities on the CISA KEV List
CISA KEV provides a great place to start making progress at reducing an organization’s risk. By following a simple course of action, such as the four steps below, organizations can make meaningful progress toward a more mature vulnerability management program that starts by leading with intelligence.
- Scan and identify which assets in your environment have known vulnerabilities that CISA has confirmed as being exploited in the wild, by matching scanner findings (by CVE ID) against the KEV catalog.
- Automate remediation workflows that assign SLAs for remediation, using the KEV due date as the deadline for KEV findings.
- Integrate remediation workflows with existing ticketing systems such as ServiceNow and Jira.
- Measure remediation against the CISA KEV due dates. These dates are binding for federal civilian agencies under BOD 22-01, and a sensible SLA benchmark for everyone else; an overdue KEV finding is the first thing to report.
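The following script is an added example, not code from Nucleus Security or CISA, showing the four steps above and the enrichment columns from the previous section in working form: it parses the KEV feed, matches scanner findings against it by CVE ID, attaches the CISA due date and days remaining, ranks findings (KEV membership first, then earliest due date, known ransomware use, EPSS and CVSS as tie-breakers), and reports which KEV findings are already past due. The JSON field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the layout of CISA's published known_exploited_vulnerabilities.json, but the catalog entries, scanner findings, EPSS and CVSS values and the fixed "today" date are a constructed sample, not a copy of the live feed or of real scan results.

```python
"""Cross-reference vulnerability scan findings with the CISA KEV catalog.

Added example, not code from Nucleus Security or CISA. The field names follow
the layout of CISA's known_exploited_vulnerabilities.json; the entries,
findings, EPSS/CVSS values and TODAY are a constructed sample.
"""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (three entries).
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.01.01",
  "dateReleased": "2022-01-01T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup RCE.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Remote Desktop Services Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "shortDescription": "Pre-auth RDP RCE.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
     "vulnerabilityName": "Microsoft Office Memory Corruption Vulnerability",
     "dateAdded": "2021-11-03", "shortDescription": "Equation Editor memory corruption.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}"""

# Constructed scanner output: asset, CVE, CVSS base score, EPSS probability.
# CVE-2022-99999 is a placeholder ID standing in for a finding that is not in KEV.
FINDINGS = [
    {"asset": "hr-laptop-07", "cve": "CVE-2017-11882", "cvss": 7.8, "epss": 0.95},
    {"asset": "web-01", "cve": "CVE-2022-99999", "cvss": 9.1, "epss": 0.02},
    {"asset": "rdp-gw-01", "cve": "CVE-2019-0708", "cvss": 9.8, "epss": 0.96},
    {"asset": "web-01", "cve": "CVE-2021-44228", "cvss": 10.0, "epss": 0.97},
]

# Fixed "today" so the example is reproducible (assumption for the sample).
TODAY = date(2022, 1, 1)


def load_kev(text):
    """Parse the KEV JSON feed into a dict keyed by CVE ID."""
    catalog = json.loads(text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def enrich(findings, kev, today=TODAY):
    """Attach KEV membership and BOD 22-01 due-date status to each finding."""
    rows = []
    for f in findings:
        row = dict(f)
        entry = kev.get(f["cve"])
        row["in_kev"] = entry is not None
        if entry is None:
            row.update(vendor=None, product=None, due_date=None,
                       days_to_due=None, ransomware=False)
        else:
            due = date.fromisoformat(entry["dueDate"])
            row.update(vendor=entry["vendorProject"], product=entry["product"],
                       due_date=due, days_to_due=(due - today).days,
                       ransomware=entry.get("knownRansomwareCampaignUse") == "Known")
        rows.append(row)
    return rows


def priority_key(row):
    """Sort key: KEV first, earliest due date first (negative = overdue),
    then known ransomware use, then EPSS and CVSS as tie-breakers."""
    days = row["days_to_due"] if row["days_to_due"] is not None else 10**6
    return (not row["in_kev"], days, not row["ransomware"], -row["epss"], -row["cvss"])


def prioritize(rows):
    """Return findings ordered from most to least urgent."""
    return sorted(rows, key=priority_key)


def sla_summary(rows):
    """Count KEV findings and those already past their CISA due date."""
    kev_rows = [r for r in rows if r["in_kev"]]
    overdue = [r for r in kev_rows if r["days_to_due"] < 0]
    return {"findings": len(rows), "kev": len(kev_rows), "overdue": len(overdue),
            "overdue_cves": sorted({r["cve"] for r in overdue})}


if __name__ == "__main__":
    ranked = prioritize(enrich(FINDINGS, load_kev(KEV_JSON)))
    for r in ranked:
        if not r["in_kev"]:
            status = "not in KEV"
        elif r["days_to_due"] < 0:
            status = f"OVERDUE by {-r['days_to_due']}d"
        else:
            status = f"due in {r['days_to_due']}d"
        print(f"{r['asset']:<13} {r['cve']:<15} cvss={r['cvss']:<4} epss={r['epss']:.2f} {status}")
    print(sla_summary(ranked))
```

Note the ordering the key produces: the highest-CVSS finding in the sample (the placeholder CVE at 9.1) lands last because it is not in KEV and has a low EPSS, while the Log4j2 finding ranks first because its KEV due date has already passed. To run this against the real catalog, replace KEV_JSON with the contents of the feed published at cisa.gov and FINDINGS with your scanner's export; the matching and SLA logic does not change.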
How Nucleus Can Help
It is obvious to us that CISA and the US government understand the importance of sharing the vulnerability intelligence they have, not only with federal agencies but with everyone who wants to incorporate and act on it. They have made this evident through the CISA KEV catalog, which remains a trusted, free, and reasonably sized list of vulnerabilities that every organization should strongly consider using to prioritize vulnerability remediation.
Nucleus not only helps you identify which assets in your environment are affected by CISA Known Exploited Vulnerabilities, but also cross-references the data CISA provides with Mandiant threat intelligence, CVSS, and more, to help you better understand every vulnerability's risk to your environment.
Want to learn more about the CISA KEV use cases within our Nucleus Security platform? Click here.