Let’s face it: Vulnerability management is not what it used to be a decade ago. Actually, it is not what it used to be a couple of years ago. Vulnerability management is one of those ever-evolving processes. Whether it is because of compliance mandates, board demands, an overall desire to reduce risk, all of these objectives or none, almost every organization is taking a new look at their vulnerability management program. Too often, though, they focus only on scanning for existing vulnerabilities, which yields a long list of issues without context or priority.

Please do not misinterpret that statement. Scanning is an important part of any vulnerability management program, and not just for traditional infrastructure. Cloud environments should also undergo scanning and vulnerabilities should be remediated regularly. Scanning, however, should walk down the aisle in holy matrimony with vulnerability ranking, ensuring teams are patching the most impactful issues first.

According to IBM X-Force Red’s vulnerability scanning data, about 1.7 million vulnerabilities are reported by scanners in each client’s environment. Out of those 1.7 million, 16 percent have associated public exploits. That means an attacker could exploit up to 272,000 of those vulnerabilities at any moment in time. And, as you have probably heard ad nauseam, it only takes the exploitation of one vulnerability for an attacker to compromise an entire organization.

How can security teams quickly find which of those vulnerabilities have associated public exploits? And out of that pool of vulnerabilities, how do they know which ones to fix first?

The screenshot below, which comes from an initial scan for vulnerabilities, shows the challenge. Even if you cannot see the specific Common Vulnerabilities and Exposures (CVE) numbers, you can still see the list is endless. How can anyone decipher what the data means and which actions to take next?

Figure 1: Vulnerability scan results prior to ranking of the issues detected in the scan (Source: IBM X-Force Red)

Scan, Then Rank!

Hence, the importance of ranking. Without ranking, that possible list of 1.7 million vulnerabilities produced by one scan is just a giant heap of CVEs. The findings are not actionable. Instead of giving the report’s recipients answers, the sheer amount of issues listed merely stresses them out, all while the most dangerous vulnerabilities may be left to stick around even longer, exposing sensitive assets to a motivated attacker.

You may be thinking, “I do rank. I prioritize our scan findings based on the assigned CVSS scores.” As I described in more detail in a prior blog post, ranking vulnerabilities based on the Common Vulnerability Scoring System (CVSS) alone is not enough, because the CVSS was never meant to be used on its own for prioritization. To briefly recap, the CVSS provides a technical score for the severity of a vulnerability; however, it lacks contextual information that is specific to each organization’s environment. In other words, it does not include key risk factors such as the value of the exposed asset to the organization or whether the vulnerability can actually be exploited by attackers.

If ranking based on those kinds of risk factors does not follow scanning, security leaders may find themselves wasting time on minimal-risk vulnerabilities and false positives, stewing over where to start with remediation, or manually trying to figure out which vulnerabilities matter most.

Wed Scanning and Ranking in Your Environment

As you most likely know from the countless number of vendor pitches in your email inbox, different security companies have their own “secret sauces” designed to help manage vulnerabilities. But if you are not ready to purchase yet another solution, the best first step for your vulnerability management program is to understand your assets.

Which assets matter most to your organization, and what kind of data do they touch? Once you identify those basics, you can narrow the scope of your scan to only those assets. That may make it a bit easier to identify vulnerabilities exposing the most critical assets — those that, if compromised, may cause the most pain.

Rank Like an Attacker

X-Force Red, IBM Security’s team of hackers, believes in ranking through the eyes of an attacker. After every scan — whether it’s on a cloud or traditional IT environment, internet of things (IoT) or web application, host, container, or anything and everything else — the findings must be fed into a ranking engine that factors in attacker-minded information. For example, can the vulnerability be readily exploited? Is a public exploit available? Oftentimes, many vulnerabilities on the list are not being exploited by attackers at all, which diminishes their immediate priority.
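To make the two points above concrete (that a CVSS score alone is not a ranking, and that asset value plus exploit availability are what turn scanner output into a worklist), here is a small ranking pass written for this post as an added example. It is not X-Force Red’s ranking engine or any vendor’s product, and every input is constructed: the scanner rows, the asset inventory, the exploit-intelligence sets, and the CVE identifiers (the `CVE-0000-000N` values are placeholders, not real advisories). The multipliers are assumptions chosen to show the effect, not calibrated weights.

```python
"""Added example: an attacker-minded ranking pass over raw scanner findings.

Not X-Force Red's ranking engine. All data below is constructed for illustration;
CVE identifiers are placeholders (CVE-0000-000N), and the weights are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """What the scanner does not know: how much the organization cares about the host."""
    name: str
    criticality: int       # 1 (throwaway lab box) .. 5 (crown jewels)
    internet_facing: bool  # reachable by an unauthenticated attacker
    data: str              # the kind of data the asset touches


# Constructed asset inventory (the "understand your assets" step).
ASSETS = {
    "db-prod-01": Asset("db-prod-01", 5, False, "customer PII"),
    "web-dmz-02": Asset("web-dmz-02", 4, True, "session tokens"),
    "kiosk-07":   Asset("kiosk-07",   2, False, "none"),
    "lab-vm-12":  Asset("lab-vm-12",  1, False, "synthetic test data"),
}

# Constructed scanner output: one row per (asset, CVE) pair, CVSS only, no context.
SCAN_FINDINGS = [
    {"asset": "db-prod-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "db-prod-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"asset": "kiosk-07",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "web-dmz-02", "cve": "CVE-0000-0003", "cvss": 7.5},
    {"asset": "lab-vm-12",  "cve": "CVE-0000-0004", "cvss": 10.0},
]

# Constructed exploit intelligence, standing in for a threat-intel or exploit-DB feed.
PUBLIC_EXPLOIT = {"CVE-0000-0001", "CVE-0000-0003"}   # a public exploit exists
ACTIVELY_EXPLOITED = {"CVE-0000-0003"}                 # seen used in the wild

# Assumed weights: asset value scales the base score, attacker viability multiplies it.
PUBLIC_EXPLOIT_WEIGHT = 2.0
ACTIVE_EXPLOIT_WEIGHT = 1.5
INTERNET_FACING_WEIGHT = 1.25


def scope_findings(findings, assets, min_criticality=3):
    """Narrow the scan to the assets that matter most before ranking."""
    return [f for f in findings if assets[f["asset"]].criticality >= min_criticality]


def risk_score(finding, assets):
    """CVSS is the starting point; asset value and exploitability provide the context."""
    asset = assets[finding["asset"]]
    score = finding["cvss"] * asset.criticality
    if finding["cve"] in PUBLIC_EXPLOIT:
        score *= PUBLIC_EXPLOIT_WEIGHT
    if finding["cve"] in ACTIVELY_EXPLOITED:
        score *= ACTIVE_EXPLOIT_WEIGHT
    if asset.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    return round(score, 1)


def rank(findings, assets):
    """Return findings with a 'score' field, most urgent first."""
    scored = [dict(f, score=risk_score(f, assets)) for f in findings]
    return sorted(scored, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for row in rank(SCAN_FINDINGS, ASSETS):
        a = ASSETS[row["asset"]]
        flags = []
        if row["cve"] in PUBLIC_EXPLOIT:
            flags.append("public exploit")
        if row["cve"] in ACTIVELY_EXPLOITED:
            flags.append("actively exploited")
        if a.internet_facing:
            flags.append("internet-facing")
        print(f'{row["score"]:6.1f}  {row["asset"]:<11} {row["cve"]}  '
              f'CVSS {row["cvss"]:<4} crit {a.criticality}  {", ".join(flags)}')
```

Run as-is, the CVSS 10.0 finding on the lab VM drops to the bottom of the list, while a CVSS 7.5 issue that is actively exploited on an internet-facing host holding session tokens rises to the top, which is the ordering an attacker would use and the one a CVSS-sorted report hides. Swapping the constructed `PUBLIC_EXPLOIT` and `ACTIVELY_EXPLOITED` sets for a real feed and the `ASSETS` table for an inventory export is the part that requires organization-specific work; the arithmetic is deliberately simple so the reasoning stays visible.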

Scanners provide an enormous amount of data, and ranking enriches that data so it is actionable for reducing risk. The two should forever live in symbiosis.

To learn more about X-Force Red’s vulnerability ranking, check out how a security leader reduced the number of critical vulnerabilities in his environment by 60 percent in just four months.
