Using CISA KEV for Vulnerability Management | Shortcuts
What the heck is the CISA KEV catalog?
Ryan: CISA is the Cybersecurity and Infrastructure Security Agency. To rip it right off their homepage, they lead the effort to enhance the security, resiliency, and reliability of the nation’s cybersecurity and communications infrastructure. It’s a mouthful. So, clearly from that statement, they have an interest in elevating the nation’s security posture, or security maturity, as a whole. They assist the leadership themselves, and strongly encourage better partnership and better communication between the federal space and the private space.
One way of elevating this communication that relates to elevating security posture is the Known Exploited Vulnerabilities catalog. The CISA Known Exploited Vulnerabilities catalog actually falls under something called a binding operational directive, which CISA uses as an overall way to push actions forward.
Binding Operational Directive 22-01, which is what the KEV falls under, has the mission of reducing the significant risk from known exploited vulnerabilities. So the KEV is, simply put, a Known Exploited Vulnerabilities catalog. I think right now the list is at 800 something, 812 CVEs, something like that. That is a pretty small list of CVEs, compared to overall known CVEs. So really, what this creates is an actionable list to say, “What are the exploitable vulnerabilities that the US government themselves have identified as being used in a security event?”
Why does the CISA KEV catalog matter in the context of vulnerability management programs, especially with regards to private enterprises that are not obligated to follow it?
Ryan: With the binding operational directive, obviously, clearly, one thing about the actions that CISA maintains in this catalog is that they give a due date for every vulnerability within the catalog. They assign a due date to it. And any federal agency that is under the regulation or the policies that they must follow under CISA needs to have that vulnerability remediated by that due date.
So obviously, the private sector doesn’t fall under that same regulation, but I think it is important to mention that regardless of being federally obligated to follow this action or not, I think that the KEV purely has merit based on the source of truth that it comes from. Not only does CISA have a leg in understanding a lot of security events that happen within the nation, but they’re a much more confident source of truth for a list like this, or the role that this list is trying to play, versus some private sector company coming out with this list. It might not have as much confidence behind it as it would from the US federal government.
So really, I think we should start with what is the problem? The problem is that vuln and patch managers are overwhelmed by the amount of disclosures that happen every year. They’re overwhelmed by the amount of CVEs they have in their environments, and they’re also underfunded to handle these problems year after year.
CISA KEV, I think, even if you’re not following it through federal regulation, can certainly play a role in prioritizing vulnerabilities. I think the KEV allows you to take a step back and say, “Even if we have 250,000 vulnerabilities, how many of them are in this list of 800?” And then is that an actionable goal where you can say, six months from now or however long the remediation takes, “I have patched and remediated every single known exploitable vulnerability in my environment.”
And so I think if you were to eliminate the KEV and then try to move forward with that same objective, it becomes a lot more gray and a lot more confusing, where you’re not sure if every single known exploitable vulnerability in your environment is remediated. But with that KEV list, with that truth from the federal government, I think it’s a much more dignified actionable data point.
So, KEV offers a reputable and a robust source of intelligence that an organization, even on the private side, can use to make their list of vulnerabilities more manageable for their team?
Ryan: Yeah. Absolutely. I think that something KEV does really well is, obviously regardless of federal regulation or not, it is an extremely useful data point. And it’s only going to become more useful as its lifetime goes on, and as they further enrich it. Because I know that CISA has some plans to enrich the KEV further. And some active users of the KEV already will know that the notes column in the KEV table has been historically empty for each vulnerability. They don’t really add many notes to it. But recently they’ve started adding more notes in that column, and I assume that over time the enrichment within that table alone will definitely grow.
The KEV list doesn’t include any information about industry verticals, right? Let’s say my enterprise is in financial or retail. CISA doesn’t tell me if those vulnerabilities are of high concern for my industry, does it?
Ryan: I would say the KEV plays a level above that, and that’s where we would encourage you to use as many sources of threat intelligence as you can. So I think the CISA KEV is purely, “Is the vulnerability exploitable or not? Has it been successfully exploited in a known security event?” So that’s where we would encourage organizations to use other sources of threat intelligence, and not just the CISA KEV to purely determine is this vulnerability of particularly higher risk to me, individually, with where our organization is in the industry. That’s definitely where other sources of threat intelligence are going to be able to provide that information.
How does Nucleus use CISA KEV, and how do our customers use the information to build better programs?
Ryan: The most clear implementation in the platform is that within the active vulnerabilities page, in any vulnerability that you find, as long as it has a CVE associated with it, you’ll be able to see the vulnerability intelligence tab at the top of the modal. And then within that vulnerability intelligence tab, we’ll have a very simple false or true switch on whether it’s a vulnerability that is currently contained in the CISA KEV. And we update that daily. So it shouldn’t be too far behind, really, at any time.
So anytime you find a finding, if it’s identified as something being in the KEV, that’s certainly a data point to work off of. You can build automation rules based off of results of a vulnerability, if it’s in CISA KEV or not. You can build reporting.
And then, I mentioned the Breakdowns that we do, as well. We provide extra analysis on top of each addition to the KEV list, and also point out any notable ones that might be particularly interesting to put more eyes on for any particular reason, whatever it might be.
Is there anything you think is most important for folks to walk away with?
Ryan: Regardless of federal regulation, just forget about that for a second, the CISA KEV is, without a doubt, a useful data point, for threat intelligence and also for prioritization. I spoke on that objective earlier of, if you want to put a goal in place of I want to remediate every known exploitable vulnerability in my environment, you can take the CISA KEV, and you can do that. And you can action on it, and it can be a goal moving forward. But if you were to take away that data point and simply just not use it, even though it’s there, free for everyone to use, if you were to take that data point away, that objective becomes a lot more gray and a lot more complicated.
Do you think this information being public helps bad actors at all?
Ryan: I would say, purely from the role that the KEV plays, it’s a fair question. It is. But I think purely from the role that the KEV plays, I don’t think that as of right now it’s as useful to attackers as it would be to defenders. I think that if the KEV got a little bit more enriched, to the point where… there are obviously some things that we think the KEV could improve on. The amount at which something is being exploited in the wild. That isn’t really something that’s highlighted in the KEV. So when they come out with a new vulnerability, and they say, “Hey, we know that this CVE is being exploited in the wild,” we don’t know how much. It could be mass scanning happening. It could be mass exploitation, or it could be a one-off security event.
So there are certainly some points of enrichment that the KEV can still have added onto it to make it more useful to defenders. But also, I think something like that might potentially bleed into the question of when does this become useful information for attackers as well. So yeah, I think that’s definitely a fair question to keep in mind.