Vulnerability Prioritization
Vulnerability exploitation is rapidly becoming the most common attack vector for cybercriminals, constituting the initial means of access for one third of the cyber attacks recorded in 2021.
However, vulnerability management requires significant time and resources: the sheer volume of exposed vulnerabilities makes it virtually impossible for organizations to keep up with them all. The most viable option for organizations is to prioritize the most urgent vulnerabilities — that is, if they can identify them. Evaluating the urgency of a given vulnerability is, in itself, a major challenge, as this level of urgency is not a static measurement and often changes suddenly and rapidly.
To keep pace with the evolving threat landscape, security teams need robust, accurate and timely vulnerability exploit intelligence that informs and guides their decisions through every stage of the vulnerability lifecycle. When armed with a solution that enables teams to effectively prioritize vulnerabilities and streamline processes, what once was an insurmountable challenge becomes a targeted, proactive process that has a positive impact on the organization’s overall cyber resilience.
What is vulnerability prioritization?
Vulnerability prioritization is the process of evaluating identified vulnerabilities within an organization's digital environment and ranking them in order of urgency and potential impact, to guide remediation efforts. Rather than treating every vulnerability as equally critical, prioritization allows security teams to allocate limited resources toward addressing the most significant threats first — those that pose the highest risk to the organization’s assets, operations, and mission.
Key elements of vulnerability prioritization:
- Contextual risk assessment: Understanding where a vulnerability exists (e.g., internet-facing vs. internal systems) and how that aligns with the business value of the affected asset.
- Threat intelligence integration: Leveraging real-time intelligence feeds to identify vulnerabilities currently being exploited by threat actors.
- Asset criticality: Assessing how critical the affected asset is to business operations or regulatory compliance.
- Exploitability: Determining whether a known exploit is available and how easy it is to use in a real-world attack.
- Exposure: Evaluating whether the vulnerable asset is accessible from the internet or resides behind defensive layers.
To effectively reduce organizational risk exposure, security teams need a means to identify and prioritize those vulnerabilities that pose the greatest risk to their environment. If this process were easier, by now vulnerability treatment would have been relegated to a lower gear of security control, like antivirus and other such measures. However, the prioritization process has been far from easy, often extending the mean time to remediate vulnerabilities, leaving organizations exposed to attack.
Why prioritizing vulnerabilities is essential for cybersecurity
The numbers show that cybersecurity vulnerabilities are proliferating over time, with the total number of CVEs published per year surging from 6,454 in 2016 to a staggering 20,169 in 2021. With approximately 200,000 vulnerabilities still exposed at any given time, and an average of 50 new vulnerabilities published per day, managing vulnerabilities has become a repetitive, frustrating and seemingly never-ending challenge. According to Gartner, only 1 out of 16 Common Vulnerabilities and Exposures (CVEs) will be exploited — a mere 6% — most of them within the first days following their publication. This means that, on average, of the 1,500 new CVEs published per month, only 90 truly warrant a security team’s attention. The other 1,410 are just noise, distracting and hindering enterprises from making effective and timely security decisions.
Moreover, while many organizations tend to focus only on the newly published or headline-grabbing CVEs, sometimes the most dangerous vulnerabilities are decades old. Cybercriminals are well aware of the challenges inherent in vulnerability management and as such, often choose to target the tried and tested CVEs that have been long forgotten in organizational patching cycles. According to the Known Exploited Vulnerabilities Catalog maintained by CISA (Cybersecurity and Infrastructure Security Agency), two of the most routinely exploited vulnerabilities in 2021 were discovered in 2017, while a recent study by Trento University researchers revealed that the majority of vulnerabilities exploited by Advanced Persistent Threat (APT) groups are publicly known, unpatched CVEs with existing vendor updates available for their remediation.
These unpatched vulnerabilities are one of the main means of initial infiltration for cybercriminals seeking to launch an attack. In 2018, Ponemon reported that 60% of organizations that had suffered a data breach in the previous two years cited the culprit as a known vulnerability that they had not yet remediated.
The vulnerability prioritization challenge
Nearly two thirds of all companies (65%) say that it is currently too difficult for them to accurately prioritize their vulnerabilities. Currently (as of September 2022), there are approximately 16,000 vulnerabilities scored by the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS) as high severity. This is much too large of a number to drive any form of effective prioritization.
- Over 16,000 CVEs scored CRITICAL by CVSS
- Only 1,215 of these have a POC exploit
- Only 60 with high likelihood of exploitation
- 241 of these actively discussed by threat actors on the underground since Jan 2022
Aside from the sheer volume of vulnerabilities, there are two key problems security teams are facing when attempting to assess and prioritize their organization’s vulnerability exposure:
Problem #1: An over-reliance on CVSS Scores
There’s an open secret in the world of cybersecurity: most of the prioritization of vulnerabilities is driven by CVSS scores. While these scores can inform on the severity of a given vulnerability, they do not adequately factor in the question of how likely that vulnerability is to be exploited in the near future, lacking the critical environmental specificity, contextual intelligence, exploit probability and temporal accuracy needed to effectively focus remediation efforts on the vulnerabilities that truly matter most.
The CVSS manual itself explicitly states that CVSS ratings measure severity, not risk, noting that these scores were never intended for vulnerability prioritization. Further, this severity rating focuses only on the technical details of exploitation in isolation, ignoring the higher-level goals the malicious actor may be trying to achieve. Once a vulnerability has been identified, it generally takes 7-14 days until it is assessed and given a CVSS score, and once a CVSS score is assigned, it is often never revisited or updated.
The combination of stale CVSS scores and the wait for a score to be assigned leaves too many security teams with a limited understanding of their risk exposure. In particular, it can be difficult to align organizational risk appetite with vulnerability management, when there is no clear insight into the true risk of the threats posed by potential attackers. Consequently, approaches to security tend to be more reactive than proactive and more tactical than strategic.
Additionally, the newest, most recently published CVEs are not necessarily the most dangerous. Threat intel collected by Bitsight from the cybercriminal underground revealed that over 3,000 "old" CVEs (meaning those published before 2019) have been actively discussed on the underground in 2022 — 86 of which are from before 2003.
Problem #2: Data correlation errors
The discovery of vulnerable internal assets relies on the integration of Common Platform Enumeration (CPE) and CVE datasets. The correlation of CPE data with CVE information enables the attribution of vulnerabilities to specific products and versions in use, allowing teams to accurately identify the vulnerabilities that directly expose their systems to attack.
The lack of synchronization between these two public NVD datasets (caused by inconsistencies, missing data, typographical errors and formatting issues), often leads to incorrect results, preventing automated systems from precise CPE to CVE matching. This in turn litters vulnerability assessments with false positives — or false negatives — causing organizations to waste valuable time and resources attempting to remediate vulnerabilities that are not present within their systems, while ignoring those that matter most.
How to prioritize vulnerabilities effectively: 5 steps
Security teams desperately need the ability to reduce alert fatigue and prioritize their resources according to real-time threat intelligence and accurate assessments of risk.
Bitsight’s Dynamic Vulnerability Exploit (DVE) Intelligence provides end-to-end support across the entire CVE lifecycle, streamlining vulnerability analysis, management and remediation/mitigation processes.
Correlating asset exposure and impact severity data with real-time vulnerability and exploit intelligence derived from cybercriminal activity and discourse, DVE Intelligence equips teams with the critical context they need to identify and prioritize vulnerabilities that pose the greatest risks to their organization — before they can be exploited in attack.
1. Discover & Scope
Attack surface scanning for specific assets, products (CPEs) and CVEs.
The Task: To manage risk, you need full visibility into the organizational attack surface and clearly defined parameters of the assets you want to protect. This requires the accurate discovery and inventory of both internal and external assets and continuous evaluation of their visibility, accessibility and exposure to attack.
The Challenge: As organizations adapt to the accelerating pace of digitization and update their IT infrastructures to support a remote workforce, security teams face a rapidly expanding attack surface. Without full visibility, managing vulnerabilities and reducing risk becomes an insurmountable task.
2. Map
Automated mapping of product versions (CPEs) to CVEs to detect vulnerability exposure in organizational assets and infrastructures.
The Task: More than a simple check to see if a product that has been exposed by a CVE is in use within their system, organizations need further granularity to avoid wasting valuable resources. This relies on integrating the CVE dataset with the CPE dictionary to determine whether the CVE affects the specific version of the product (e.g. Chrome version 14.3.112) installed in their environment.
The Challenge: Although both the CVE and CPE datasets are maintained by the NVD, they are not synchronized — with missing data, inconsistencies and formatting errors complicating correlation between the two. This incompatibility has meant that until now, automating the CPE-CVE matching process has been impossible.
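The CPE-to-CVE correlation problem described under Problem #2 and in this Map step comes down to two things: the vendor/product fields in the two datasets do not always agree character for character, and a CVE usually affects a version range rather than "the product". The following is an added example (not NVD or Bitsight code) that parses CPE 2.3 strings, folds case and punctuation in the vendor and product fields, and applies NVD-style versionStartIncluding/versionEndExcluding ranges. The match rules, the installed-software inventory and the CVE ids are constructed placeholders; the naive matcher alongside it shows how ignoring the version and comparing raw strings yields both a false positive and a false negative on the same host.

```python
"""CPE 2.3 to CVE matching with field normalisation and NVD-style version
ranges. Added example, not NVD or Bitsight code; the match rules and the
installed-software inventory are constructed, and the CVE ids are placeholders."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 fields (escaped ':' kept)."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} fields, got {len(parts)}: {cpe}")
    return dict(zip(CPE_FIELDS, parts))


def normalise(name: str) -> str:
    """Fold case and punctuation so 'Open_SSL' and 'openssl' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def version_key(v: str) -> Tuple:
    """Numeric-aware ordering: 1.10 > 1.9, and 1.0.2k > 1.0.2j."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", v))


def in_range(v: str, start_incl: Optional[str], end_excl: Optional[str]) -> bool:
    """True when start_incl <= v < end_excl (each bound optional)."""
    k = version_key(v)
    if start_incl is not None and k < version_key(start_incl):
        return False
    if end_excl is not None and not k < version_key(end_excl):
        return False
    return True


@dataclass(frozen=True)
class CpeMatch:
    """One cpeMatch entry in the style of NVD CVE configurations (simplified)."""
    cve: str
    criteria: str                                  # CPE 2.3 string; '*' = any version
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def affects(rule: CpeMatch, installed: str) -> bool:
    """Normalised vendor/product match plus version-aware comparison."""
    want, have = parse_cpe(rule.criteria), parse_cpe(installed)
    if want["part"] != have["part"]:
        return False
    if normalise(want["vendor"]) != normalise(have["vendor"]):
        return False
    if normalise(want["product"]) != normalise(have["product"]):
        return False
    if want["version"] not in ("*", "-"):          # rule names an exact version
        return version_key(want["version"]) == version_key(have["version"])
    if have["version"] in ("*", "-"):              # installed version unknown:
        return False                               # report for manual review, don't guess
    return in_range(have["version"], rule.version_start_including,
                    rule.version_end_excluding)


def naive_affects(rule: CpeMatch, installed: str) -> bool:
    """Raw string equality on vendor/product with the version ignored: the
    shortcut that litters assessments with false positives and negatives."""
    want, have = parse_cpe(rule.criteria), parse_cpe(installed)
    return want["vendor"] == have["vendor"] and want["product"] == have["product"]


# Constructed rules: placeholder CVE ids; the second rule carries a vendor
# field with the kind of formatting inconsistency seen in real feeds.
RULES: List[CpeMatch] = [
    CpeMatch("CVE-0000-0001", "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "1.0.2", "1.0.2k"),
    CpeMatch("CVE-0000-0002", "cpe:2.3:a:Open_SSL:openssl:1.1.1:*:*:*:*:*:*:*"),
    CpeMatch("CVE-0000-0003", "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", None, "2.4.50"),
]

# Constructed inventory of installed products on three hosts.
INVENTORY: List[str] = [
    "cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*",    # first build outside the range
    "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*",
]


def match_cves(installed: str, rules: List[CpeMatch] = RULES) -> List[str]:
    return [r.cve for r in rules if affects(r, installed)]


def naive_match_cves(installed: str, rules: List[CpeMatch] = RULES) -> List[str]:
    return [r.cve for r in rules if naive_affects(r, installed)]


if __name__ == "__main__":
    for cpe in INVENTORY:
        print(f"{cpe}\n  version-aware: {match_cves(cpe)}\n  naive: {naive_match_cves(cpe)}")
```

On the OpenSSL 1.1.1 host the naive matcher reports CVE-0000-0001 (a false positive, since 1.1.1 is outside the affected range) and misses CVE-0000-0002 (a false negative caused purely by the "Open_SSL" spelling), while the normalised, version-aware matcher reports only CVE-0000-0002. Unknown installed versions are deliberately not matched; in practice they should be surfaced as a separate "needs verification" bucket rather than silently counted either way.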
3. Assess
Classify CVE threats according to MITRE ATT&CK framework to align with security controls and defensive workflows.
The Task: Once a vulnerability has been identified within their environment, security teams must rapidly determine the potential impact and likely exploitation method in order to understand where the vulnerability fits within an attack scenario, how it could serve the attacker, how the threat could materialize and how it might impact their environment.
The Challenge: Most vulnerability assessment tools focus only on the technical details of exploitation and impact in isolation, without consideration of the higher-level goal the malicious actor may be trying to achieve. As a result, security teams lack a concrete approach to effectively evaluate the wider impact of CVEs or to align CVE threats with their existing security strategies, controls and workflows.
4. Enrich
Enrich and prioritize vulnerabilities based on risk, urgency, threat context and likelihood of exploitation.
The Task: Vulnerability treatment in itself is a costly, disruptive and time-consuming process. As mentioned above, only an estimated 6% of vulnerabilities are likely to be exploited and accordingly, security teams must prioritize their workload, focusing their limited time and resources on those vulnerabilities with a high likelihood of exploitation. To effectively evaluate and prioritize the risk and urgency associated with each vulnerability, accurate, timely, context-rich threat intelligence is as important as the identification of CVE exposure within a system.
The Challenge: Many organizations and vulnerability scoring tools remain dependent on the industry-standard CVSS severity score as the basis for vulnerability prioritization. An organization cannot effectively prioritize their vulnerability management efforts if they rely on outdated, superficial severity ratings that remain unchanged, even after a working exploit kit has already been widely distributed across the cybercriminal underground.
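The key elements listed at the top of this piece (exploitability, exposure, asset criticality, threat intelligence), Problem #1 and this Enrich step all make the same point: a CVSS score is a severity input, not a priority. The following is an added example (not Bitsight or DVE code) of what a minimal risk-based ranking looks like once those inputs are combined. The baseline likelihood of 0.05 echoes the page's figure that only around 6% of CVEs are ever exploited; the uplifts for public exploit code and observed exploitation, the exposure factor and the four findings are this example's own constructed assumptions, and the CVE ids are placeholders. The point it makes is visible in the two orderings it returns: the same findings sorted by CVSS alone and sorted by contextual risk put different items at the top of the queue.

```python
"""Risk-based prioritisation: CVSS severity combined with exploit likelihood
and asset context. Added example (not Bitsight or DVE code); the weights, the
likelihood steps and the findings below are constructed for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str                  # constructed placeholder id, not a real CVE
    asset: str
    cvss: float               # CVSS base score 0.0-10.0: severity, not risk
    exploit_public: bool      # working exploit / PoC code is available
    actively_exploited: bool  # in-the-wild exploitation or underground chatter
    internet_facing: bool     # reachable from the internet
    asset_criticality: int    # 1 (disposable) .. 5 (business critical)


def exploit_likelihood(f: Finding) -> float:
    """Assumed likelihood that the CVE is used against this asset soon.

    Baseline 0.05 follows the page's figure that only ~6% of CVEs are ever
    exploited; the steps for public exploit code and observed exploitation
    are this example's own assumptions, not published probabilities."""
    if f.actively_exploited:
        return 0.9
    if f.exploit_public:
        return 0.4
    return 0.05


def risk_score(f: Finding) -> float:
    """likelihood x exposure x impact, scaled to 0-100."""
    exposure = 1.0 if f.internet_facing else 0.4   # behind defensive layers
    impact = (f.cvss / 10.0) * (f.asset_criticality / 5.0)
    return round(100.0 * exploit_likelihood(f) * exposure * impact, 1)


# Constructed findings: the CVSS-highest item is an internal, unexploited bug;
# the CVSS 7.5 item sits on an internet-facing asset that is under active attack.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", "build-server", 9.8, False, False, False, 2),
    Finding("CVE-0000-0002", "vpn-gateway", 7.5, True, True, True, 5),
    Finding("CVE-0000-0003", "www-frontend", 8.8, True, False, True, 3),
    Finding("CVE-0000-0004", "erp-db", 5.3, False, False, False, 5),
]


def rank_by_cvss(findings: List[Finding] = SAMPLE_FINDINGS) -> List[str]:
    """The CVSS-only queue most teams work from."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: List[Finding] = SAMPLE_FINDINGS) -> List[str]:
    """The same findings ordered by contextual risk."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.cve} {f.asset:14} cvss={f.cvss:4} risk={risk_score(f):5}")
    print("CVSS order:", rank_by_cvss())
    print("Risk order:", rank_by_risk())
```

Because the likelihood term is the one that changes day to day (a PoC appears, exploitation is observed on the underground), the inputs feeding `exploit_likelihood` are exactly what needs a live intelligence feed behind them; the CVSS and asset-criticality inputs can be refreshed far less often.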
5. Remediate
Track & deploy remediation/mitigation fixes as soon as they are released by the vendor.
The Task: Once a vulnerability has been prioritized for treatment, teams need to determine the most appropriate steps to take to fix or mitigate their risk. While product vendors are expected to swiftly address vulnerabilities discovered in their software, sometimes there are delays in the creation and distribution of patch updates to fix the issue. To effectively minimize risk exposure to their organizations, security teams must continuously monitor vendor sites and security sources to track vulnerability information, updates, mitigations and patch releases — deploying vulnerability remediations as soon as possible in accordance with the instructions provided by the vendor.
The Challenge: Tracking patches and mitigations for system vulnerabilities is not a simple task. New patches are released daily, published across multiple disparate sources, including vendor websites and mailing lists, security news groups, vulnerability databases and various third-party websites. As a result, many organizations fail to obtain and deploy vulnerability mitigations in a timely manner, extending their mean time to remediate and leaving the enterprise system exposed to attack.
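Once findings have been prioritised, the Remediate step turns into a tracking problem: which open items have blown their deadline, which are stuck because the vendor has not shipped a fix yet (and so need a compensating control), and what the team's mean time to remediate actually is. The following is an added example, not DVE code, of that bookkeeping. The SLA policy (days allowed per priority tier), the tickets, the dates and the CVE ids are all constructed assumptions; the "today" date is set in September 2022 to match the period the article discusses. Beyond plain MTTR it also reports patch lag, the time between the vendor's fix becoming available and its deployment, which is the part of the timeline the security team controls.

```python
"""Remediation tracking: SLA deadlines by priority tier, overdue items, items
awaiting a vendor fix, mean time to remediate and patch lag. Added example, not
DVE code; the SLA policy, tickets and dates are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed remediation policy: days allowed from discovery, by priority tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass(frozen=True)
class Ticket:
    cve: str                       # constructed placeholder id
    asset: str
    tier: str                      # output of prioritisation, not raw CVSS
    discovered: date
    fix_available: Optional[date]  # when the vendor published a patch/mitigation
    remediated: Optional[date] = None


def deadline(t: Ticket) -> date:
    return t.discovered + timedelta(days=SLA_DAYS[t.tier])


def overdue(tickets: List[Ticket], today: date) -> List[str]:
    """Open tickets past their SLA deadline."""
    return [t.cve for t in tickets if t.remediated is None and today > deadline(t)]


def awaiting_vendor_fix(tickets: List[Ticket]) -> List[str]:
    """Open tickets with no vendor fix yet: candidates for compensating controls."""
    return [t.cve for t in tickets if t.remediated is None and t.fix_available is None]


def _closed(tickets: List[Ticket], tier: Optional[str]) -> List[Ticket]:
    return [t for t in tickets
            if t.remediated is not None and (tier is None or t.tier == tier)]


def mean_time_to_remediate(tickets: List[Ticket], tier: Optional[str] = None) -> Optional[float]:
    """Average days from discovery to remediation over closed tickets (None if none)."""
    closed = _closed(tickets, tier)
    if not closed:
        return None
    return round(sum((t.remediated - t.discovered).days for t in closed) / len(closed), 1)


def patch_lag(tickets: List[Ticket], tier: Optional[str] = None) -> Optional[float]:
    """Average days from vendor fix release to deployment: the part the team controls."""
    closed = [t for t in _closed(tickets, tier) if t.fix_available is not None]
    if not closed:
        return None
    return round(sum((t.remediated - t.fix_available).days for t in closed) / len(closed), 1)


# Constructed tickets; "today" chosen to match the period the article covers.
TODAY = date(2022, 9, 30)
SAMPLE_TICKETS: List[Ticket] = [
    Ticket("CVE-0000-0101", "vpn-gateway", "critical", date(2022, 9, 1), date(2022, 9, 2), date(2022, 9, 5)),
    Ticket("CVE-0000-0102", "www-frontend", "critical", date(2022, 9, 10), date(2022, 9, 12)),  # past SLA
    Ticket("CVE-0000-0103", "erp-app", "high", date(2022, 9, 1), None),                          # no fix yet
    Ticket("CVE-0000-0104", "mail-relay", "high", date(2022, 8, 1), date(2022, 8, 5), date(2022, 8, 21)),
    Ticket("CVE-0000-0105", "build-server", "medium", date(2022, 7, 1), date(2022, 7, 10), date(2022, 9, 15)),
]


if __name__ == "__main__":
    print("overdue:", overdue(SAMPLE_TICKETS, TODAY))
    print("awaiting vendor fix:", awaiting_vendor_fix(SAMPLE_TICKETS))
    for tier in (None, "critical", "high", "medium"):
        print(f"MTTR[{tier or 'all'}] = {mean_time_to_remediate(SAMPLE_TICKETS, tier)} days, "
              f"patch lag = {patch_lag(SAMPLE_TICKETS, tier)} days")
```

The split between MTTR and patch lag matters when reading the numbers: a long MTTR with a short patch lag points at the vendor, whereas a long patch lag points at the deployment process, and only the second is something the security team can shorten on its own.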
The benefits of DVE Intelligence
DVE Intelligence equips teams with the critical insight they need to identify and prioritize the vulnerabilities that pose the greatest risk to their organization.
Fast
Reduce business risk by minimizing mean time to respond/remediate with the earliest insights into the likelihood of exploitation.
Precise
DVE Intelligence is robust, reliable and accurate, increasing efficiency in teams, enabling them to focus on remediating the specific vulnerabilities that pose the greatest risk.
Consolidated
The security stack can be rationalized with a single source of truth, presenting all elements of critical, contextual vulnerability and exploit intelligence data in one unified platform solution.
Measurable
DVE Intelligence provides quantifiable proof of the security processes applied to address vulnerabilities and minimize risk.
Conclusion
Over the past 10 years, the total number of vulnerability exposures has rapidly proliferated. With so many potential points of exposure, vulnerability management teams are overwhelmed and need a reliable and effective method for prioritizing mitigation and remediation activities.
Unlike traditional vulnerability scanning tools, DVE Intelligence supports all stages of the CVE lifecycle, from asset discovery to remediation, fixing the NVD CVE-to-CPE matching issues and providing an accurate assessment of whether a vulnerability will be exploited in the next 90 days.
DVE Intelligence is powered by Bitsight’s market-leading threat intelligence that runs deep into the cybercriminal underground, exposing threat actor activities and discourse across the clear, deep and dark web in real-time. Armed with this intel, DVE Intelligence enriches each CVE with critical threat context and rich insights, empowering organizations to quickly and effectively understand and pre-empt CVE-based threats exposing their systems, hours after the vulnerability is first published.
