Discussing the Impact of CISA KEV on The Defender’s Advantage Podcast

Here at Nucleus, we talk a lot about the CISA Known Exploited Vulnerabilities list, but what exactly is its impact in the vulnerability management space? A couple of weeks ago, our Co-Founder and CEO, Stephen Carter, sat down with Kerry Matre, host of Mandiant’s Defender’s Advantage Podcast, to discuss just that, as well as how vulnerability management has evolved over time and how the CISA KEV list helps U.S. civilian agencies and organizations globally. Listen to the podcast episode or read the full episode transcription below.

Kerry Matre: Welcome back to the Defender’s Advantage podcast, the Frontline story series where we bring you the latest hot topics in the world of cybersecurity and things that can affect your day to day work. I’m Kerry Matre, Senior Director of Services and Solutions here at Mandiant, and today we’re going to talk about CISA KEV. I’m going to be honest, I had no idea what this was before we lined up this podcast. So to help me out today is Steve Carter, co-founder and CEO of Nucleus Security. So, welcome Steve. Thank you for joining me today. Why don’t you kind of give an introduction of yourself and what Nucleus Security does?

Steve Carter: Thanks, Kerry. It’s great to be here. As you mentioned, I’m co-founder and CEO of Nucleus Security. Just a bit about myself, my background is pretty technical. I spent most of my career building vulnerability management software and teams and programs. And then I started Nucleus in 2018 to build the risk based vulnerability management platform that I personally was always looking for as a practitioner in this space and that I always felt should exist. And so Nucleus, for those that aren’t familiar with risk based vulnerability management, I always like to start by saying we’re not a vulnerability scanner because unfortunately, this is kind of the first thing that people think of when you say vulnerability management. What we are is a platform to aggregate and centralize all of the vulnerability data in an enterprise. So, everything from vulnerability scanning tool output to reports from penetration tests, bug bounty programs, and things like that.

And then we enrich that vulnerability data with threat intelligence and asset context so that you can prioritize it based on the risk that those vulnerabilities present to the organization. And then finally, we help to automate the response to those vulnerabilities, so the processes and workflows that you have to follow to actually get those vulnerabilities remediated and fixed. So we automate things like alerting and reporting, ticketing and incident creation. But what’s really powerful is our ability to automate the organization of vulnerability data using asset groupings and vulnerability groupings to track and measure risk in any way that the organization can think of. So I know that’s a mouthful, but I’ll pause there.

Kerry Matre: I worked in vulnerability management maybe 20 years ago, and it’s been a thorn in the side of cybersecurity and IT groups since then and even before. So you just made a lot of promises that we’re going to dig into and figure out what that actually means. But there have been a lot of advancements in how you’re going to deal with all these vulnerabilities coming at you, how you’re going to prioritize and such. So that gets us actually directly to the topic of the day. So we want to talk about CISA KEV. What the heck is CISA KEV, and why should we care?

Steve Carter: Okay, so we’ll start from the beginning top here. So CISA, if you’re not familiar, that’s the critical infrastructure security agency, and the KEV is the known exploited vulnerabilities list. And that’s basically a list of vulnerabilities that have been exploited in the wild that CISA has determined have been exploited in the wild. And the idea here is that if your organization is impacted by these vulnerabilities, if you have these, that you should probably think about patching these soon or maybe put them at the top of your list. They came out with this list in November of last year, in 2021. And with it, they put a federal mandate out to all the civilian agencies to patch all of these vulnerabilities within the specified timeframe. So each vulnerability gets a due date, essentially.

Kerry Matre: And that came out by the Department of Justice?

Steve Carter: Yeah, absolutely. I forget the number, there’s like 20 plus federal civilian agencies now. But yes, right now it’s not applicable to the Department of Defense and National Security Agencies and whatnot quite yet. It’s just the civilian side. But what we’ve seen, and what’s kind of interesting is that it has been adopted by a lot of those agencies as well and the DOD, and then it’s been adopted by private sector organizations across the world. And personally, I think it’s just because CISA has a really good reputation in terms of the guidance they’re putting out and the intelligence they’re putting out. So when they make recommendations like this, a lot of folks pay attention. And then secondly, this KEV list is really one of the few free sources of vulnerability intelligence that is really actionable for vulnerability prioritization purposes anyway.

Kerry Matre: How is this different than the national vulnerability database that’s been around for a while?

Steve Carter: So, the national vulnerability database, for those that don’t know, that’s probably the closest thing we have to the full list of all known vulnerabilities. There’s about 190,000 or 195,000 vulnerabilities in total in the NVD. And so just for some perspective here, there are just under 800 vulnerabilities in the CISA KEV, so we’re talking maybe half a percent. So it helps to narrow the list down. But more importantly, I think NVD doesn’t really provide any intelligence or any context around vulnerability exploitation activities. That’s really the gap that the KEV is filling here.

Kerry Matre: From over 100,000 down to 800 sounds great, but as a practitioner who has to deal with this every day, 800 is still huge. So is there any further dicing of the information that organizations can do within the KEV to further prioritize?

Steve Carter: Yeah, going down to 800 is great from a hundred plus thousand, but ultimately you want to narrow the list to a much smaller list of what’s most urgent and highest risk to your organization. And to do that, you really have to leverage other sources of vulnerability intelligence, other feeds. And that’s because just about every vulnerability intelligence feed has gaps. None of them are comprehensive. So the organizations that are most mature in this area are incorporating commercial vulnerability intelligence feeds, they’re incorporating internal vulnerability intelligence around the threat actors and groups that are targeting their organization, and then they’re also pulling in things like the CISA KEV list and using it all together to really prioritize and narrow that list down from hundreds to maybe 10 or less of the most important ones.

Kerry Matre: And also, I assume that some of the vulnerabilities don’t apply to every industry. So I think before when we talked, there may have been some that were OT specific or financial specific. So that can narrow down the list too.

Steve Carter: Yeah, absolutely. We know, for example, we have APTs that are targeting private companies and very specific sectors. APT33 is known for targeting energy companies, and the energy companies that are really doing a good job in risk based vulnerability management, they understand APT33’s tool set and which malware they’re using. And they’re ultimately prioritizing vulnerabilities that APT33 is known to exploit. And I use APT33, there’s others obviously that target the energy sector, but that’s kind of the thinking in some of the more mature organizations today about how to really prioritize and get to the most important vulnerabilities to patch and remediate.

Kerry Matre: This gives me flashbacks to when I was in the vulnerability management world, and back then, the way to prioritize was you had a gazillion line list in a database of here’s all the vulnerabilities that we found. And then you would find out, well they’re internal intranet or externally facing or in a DMZ zone. And then you figured out was it high, medium, low, critical? And then based upon that, you said you got three days, you got two weeks, you got six months, which was ridiculous.

Steve Carter: Six months, that’s a long time.

Kerry Matre: Right. Well, that’s how it was. You couldn’t get time. But what I really like about Nucleus is that you are taking not just the CVE, but you’re adding in that intelligence to give it more than, well, it’s high so you have three days with nothing behind it. So I like that you’re taking that intelligence around adversaries. What other bits of information come with the CVE, the APT33 or whatever group, what other types of information can come out of that threat intelligence?

Steve Carter: Yeah, so as an example, I think the Mandiant Advantage platform that we use at Nucleus and we integrate with, has either 30 or 40 data points in their vulnerability intelligence product about each individual vulnerability. And the truth is that every organization kind of views risk differently and wants to prioritize based on different things. So, a lot of organizations view ransomware, for example, as one of their top risks. So if a vulnerability is known to be exploited by ransomware or maybe some other type of malware, they want that at the top of their list of things to patch. Zero day vulnerabilities are another good example. And so we’ve got a flag that says whether or not it’s a zero day and these are important because obviously you need to monitor them closely while you wait for a patch. Sometimes you have to implement compensating controls while you’re waiting for a patch.

And so things like this, how easy is the vulnerability to exploit, and whether or not the exploit requires user interaction. Those are important kind of characteristics of vulnerabilities as well, because if vulnerabilities are trivial to exploit, attackers can and most likely will automate mass exploitation. So you want to patch these really quickly. And then of course, I would be remiss if I didn’t mention all of the attributes around asset and business context, as you alluded to, things like to what degree the asset or the service is exposed on the network. Is it internet facing? Is it in a DMZ? Those are important questions to answer for prioritization as well. How sensitive is the data that’s hosted on the asset? How important is the functionality provided by the asset? These also have to be taken into account, not necessarily threat intel, more kind of business context and intel.

Kerry Matre: All part of the threat profile for the business.

Steve Carter: Exactly.

Kerry Matre: I like that you brought out how easy is it to exploit the vulnerability so you can create these automated tools. So to me, that really speaks to who are these threat actors, how are they using this? And then I really like the ability to pivot from, while there’s one vulnerability, one CVE, but once you identify the threat actor, you can go and see the different types of exploits they’re performing, the different types of things that they’re going after. So you’re really looking at a threat actor, not just a CVE like we did 20 years ago. So I’ve seen things come a long way.

Steve Carter: Exactly. And that’s generally a level of sophistication that most organizations don’t have yet, that we’re kind of trying to push people towards. But going back to the different sources of vulnerability and threat intelligence, that’s something that the CISA KEV won’t give you. It won’t give you the attribution as far as who is exploiting these vulnerabilities. That’s something that you really have to go out and get a commercial vulnerability intelligence feed for.

Kerry Matre: Well, so once you do that, you get the CISA KEV list, you bring in the intel through a platform such as your own, all the world’s problems are solved, right? Everything’s good to go, silver bullet?

Steve Carter: Inflation comes down, gas prices, everything, yes. World hunger, of course. No, well, vulnerability prioritization is really important of course. But it’s really just one of many processes and sub-processes in risk-based vulnerability management. And so while doing all of this extremely well and correlating your vulnerabilities to threat intel can have a huge impact, what we’ve found is that some of the biggest problems companies have are often centered around communication issues, believe it or not. And this is because vulnerability management processes involve so many different stakeholders, folks in different areas of the business with different backgrounds, different skills, and they’re all required to collaborate and communicate together effectively for everything to work. So if you don’t know, for example, who in the organization owns specific computers and assets and services, and who owns the vulnerabilities on those assets and who’s responsible for patching those, if those things aren’t defined and there’s not a way for those people to communicate well, vulnerability management just can’t happen as quickly as it needs to happen.

Kerry Matre: Yeah. So in these platforms, in your platform, are there ways to annotate vulnerabilities to say I can’t patch it because, or I’ll patch it tomorrow, or what kind of communication is in your platform?

Steve Carter: Yeah, exactly. So when we think about things like risk acceptance, who has the authority to accept risk in the organization? Everyone needs to understand that, it needs to be documented. When risk acceptance occurs, in some cases, you’re not actually going to fix the vulnerability because you have compensating controls and you determine that it’s going to be too expensive to fix or it’s going to take too much time. So the compensating controls reduce the risk of that vulnerability, and that has to be captured somewhere. And there has to be a lot of communication to occur to get to that conclusion.

In terms of threat intelligence and things like CISA KEV, we see a lot of risk adjustment. So obviously, the default severity from a scanning tool is one thing. Then you take all of this threat intelligence and try to form a risk calculation in an automated way, but that’s not always correct. So you have decisions to adjust risk higher or lower based on certain things, and you need, again, somewhere to collaborate with lots of different stakeholders to make those things happen. So those are all the types of things that we also do within the platform to make vulnerability management happen.

Kerry Matre: Yeah, that’s something that’s come a long way, because I used to say, “Hey, patch this,” and someone would say, “No.” And then 30 days later, “Hey, patch this,” and they would say, “No.” So it’s nice to see these collaborations are happening. But there’s also a large piece of the industry that doesn’t have these sorts of platforms. How do you suggest or how are you seeing them deal with these long lists of vulnerabilities?

Steve Carter: I mean the truth is, I would say with confidence, most organizations do not have a platform, a vulnerability management platform like Nucleus in place. The larger the enterprise is, the more pain they’re probably feeling from a lot of these processes, the more breaches and compromises they have, so the more they’re kind of leaning into platforms like this. But what we see today is that a lot of the customers that reach us, they’re just getting started. They haven’t used a solution like this. They’re still using spreadsheets with crazy macros. They’re still using primarily email for communication. And they might be using a ticketing system or an issue tracker that some IT folks are kind of manually driving, but there’s really no automation in place.

And what happens is as the organization gets bigger and they’re trying to scale, the vulnerability management team will move slower and slower. And so it just becomes more and more of a problem over time. And then of course, you add to that all of the technology landscape with cloud and containerization and all these new database technologies, you’ve got a lot more vulnerability scanning tools that have come to market, so a lot more data to process and analyze. The problem just becomes more and more exacerbated.

Kerry Matre: Well, I was going to ask you about cloud. How does cloud change things? It just makes things simpler and more complicated?

Steve Carter: It kind of changes things in the sense that it brings with it new tools for discovering vulnerabilities. So now we have cloud configuration scanners that are finding vulnerabilities and weaknesses in your cloud accounts, where you have new types of assets, obviously with cloud, things like buckets and lambda functions and all of these things that now have to be assessed for vulnerabilities as well. Where before, you just had computers and web apps. And then with cloud, obviously your approach to scanning has changed. So you’re doing a lot more kind of agent based scanning. You’re using tools like Amazon or the cloud’s vulnerability scanning tools that are built in. So a lot of interesting new things to think about and deal with, but the overarching kind of vulnerability management approach doesn’t really change at all. So your approach for leveraging and correlating vulnerability intelligence and for prioritizing vulnerabilities, really doesn’t change. You just have some new tools and some different types of assets to deal with, but for the most part it doesn’t change your higher level kind of program.

Kerry Matre: Although it does bring to mind the idea of open platforms that you can accept any types of feeds. You just mentioned some that hadn’t crossed my mind that you need to incorporate into your platform. So as all organizations are moving towards these product inclusive tools or product agnostic, product inclusive, whatever the term is of the week, what you just spoke about really highlights the need for that product agnostic approach.

Steve Carter: Absolutely, yeah. There are new tools, new types of tools being brought to market all the time. So we see now API vulnerability scanners and obviously cloud vulnerability scanners, OT vulnerability scanners, specialized scanners for detecting vulnerabilities in OT environments. And so I think the average enterprise that we work with probably has somewhere between 10 and 15 different sources of vulnerability information from these different tools. And then of course they also have internal pen testers finding vulnerabilities, and third party assessors. And so yeah, it’s just this massive swirl of vulnerability information everywhere. So that’s where it really becomes important to try to bring it all together into one place and kind of normalize it that way.

Kerry Matre: Yeah, you just overwhelmed me. But let’s bring it back to KEV because that’s the point of the CISA KEV, is to kind of distill this down into some priorities. But if there’s a list of 800 vulnerabilities, I fix 750 of them and accept the risk on the others, I’m not really done because change keeps happening. So how have you seen the continuous change of organizations affect your tools and your customers?

Steve Carter: So once you’ve automated your tooling and your processes and say you’re using KEV to do risk based vulnerability management, you’ve kind of set yourself up for success. But to your point, yes, things are changing all the time. I think there are 50 plus new vulnerabilities added to the NVD each day. CISA KEV updates their list and adds anywhere from one to generally five or 10 about every week or two. And so you have to constantly scan your environments to see how you’re impacted by these new vulnerabilities. You have to continuously analyze the intelligence around these vulnerabilities, which is changing hour by hour. I mentioned we integrate with Mandiant’s platform, and we receive some days, hundreds of updates to different vulnerabilities.

And all of this metadata and these attributes about these vulnerabilities, it’s changing all the time. What was not exploited yesterday might be exploited today. Or what was not exploited this morning might be this afternoon. So yeah, there’s this constant state of flux. And so there’s always work to do, unfortunately. And the key is really trying to focus your program on automating everything you can, really when it comes down to it.

Kerry Matre: Yeah. I have a funny story about change back when I was doing vulnerability scanning, was we had one user who would turn off a certain service because he knew when we were going to do our scanning and he would come in the next morning and turn it on, so automate that.

Steve Carter: So he automated the disabling of the service so you guys wouldn’t find his … Okay, that’s clever.

Kerry Matre: Clever, perhaps, not achieving the goal that we were going after.

Steve Carter: If you could automate disabling it when an attacker goes to exploit it, that would be better.

Kerry Matre: That would be perfect. So if we have organizations out there doing things manually or developing their own vulnerability management tools and then they decide, “Nope, I need to get in intelligence, I need to adopt a platform such as your own at Nucleus Security,” what does that process look like? What sort of success have you seen with customers kind of moving from this do it yourself to these automated platforms?

Steve Carter: Yeah, so it’s interesting, when you take organizations that haven’t used a platform like this, they have to rewrite their bigger vulnerability management plan and just rethink how they want to do vulnerability management because everything’s happening so much faster now. So when you think about, let’s say a program that’s doing this manually, obviously it requires a lot more resources. So we bring in customers that have a small army of folks that are kind of manually analyzing all of this data in an enterprise. And so the level of effort decreases tremendously. That’s great. What we also see pretty quickly is the time to remediate vulnerabilities, that window of time shrinks to be a lot smaller just because of the manual work involved in analyzing vulnerabilities, we can shrink what was taking weeks to minutes or hours in some cases as far as the analysis goes, so that’s powerful.

But we have a case recently with a customer that had a pretty large operation where they had folks manually all day every day, reviewing and analyzing scan data. And they were continuously scanning, they were doing that part right. But what happens in those cases also that people don’t realize is that there’s a lot of human error. And so in this case, this customer discovered, I believe it was just over 40 new high risk vulnerabilities that were just being missed. They were being accidentally filtered out in some spreadsheet. And so they were just completely invisible to the vulnerability management team. And so when they brought in Nucleus and set up the automation to correlate threat intelligence and automatically kind of prioritize things, they surfaced 40 new vulnerabilities that were either critical or high risk. So that was something that wasn’t really expected, that was kind of the icing on the cake.

Kerry Matre: Yeah, uncovering user error and providing consistency, which we definitely need. All right, well let’s wrap this up. And I want to get back to CISA KEV. So it was just introduced in November of 2021, so we’re not even a year into this. But how have you seen it change so far, and what sort of changes are you looking forward to in the near future?

Steve Carter: Sure. So far, honestly, the KEV hasn’t changed much at all. In fact, I don’t believe they’ve added any new fields or context to the data. They do obviously add new vulnerabilities to the list generally on a weekly basis, so that’s probably just about the only change that I’ve seen. The biggest thing in my mind that’s missing and the biggest opportunity there is including some additional context around that exploitation activity that they say is occurring. So for example, we don’t really know if they observed the vulnerability being exploited one time or a million times. There’s no volume or quantity included. And we don’t know if they observe the exploit on an internal network or if they’re seeing exploitation activity across the internet. That would be great to know. It’d be nice to understand when the activity, the exploitation activity was observed. So was it yesterday or was it five or 10 years ago?

And so how historical is some of this exploitation activity? So personally, I think it would be amazing if CISA provided some level of attribution to the exploitation as well so that we know which threat actors and groups are responsible. So I think there’s a lot of room for improvement. And all of this stuff today, I believe is information that CISA probably knows, but they’re unable to reveal it for different reasons. They can’t reveal their sources and methods. Some of that data is probably proprietary. So it’s no fault of CISA’s, I don’t believe. I think if it was up to them, they would kind of add all this context. But in the meantime, that’s why it’s really important, again, to bring in additional vulnerability intelligence feeds and do that correlation because you can’t rely on any one of them in particular.

Kerry Matre: Yeah, the context is what we all need in all of our cybersecurity efforts, right?

Steve Carter: Absolutely.

Kerry Matre: Well, we’ll be interested to see how it evolves over, even as it comes to the one year anniversary of this release. Well, thank you Steve, for joining me today. I really appreciate your insights into how vulnerability management has changed and how the CISA organization is helping out not only civilian organizations, but those globally around the world. So thank you for your time today.

Steve Carter: Thank you very much, Kerry. It was a pleasure to be here, and we’ll talk to you soon.

Kerry Matre: All right. And thanks to all of our listeners out there. Please join us next time for the Defender’s Advantage Frontline Stories.

A big thanks to our friends at Mandiant for featuring on this episode of Defender’s Advantage Frontline Stories. Click here to subscribe to the Defender’s Advantage podcast by Mandiant so you don’t miss out on future episodes.