Vulnerability Prioritization
Organizations face ever-growing numbers of security vulnerabilities, driven by the explosion in applications, increasing number of security researchers, and threat actor activity. Defenders often face a backlog of hundreds of thousands of known vulnerabilities; attempting to address all of these vulnerabilities is inefficient, expensive, and can lead to fatigue within security teams. Smart organizations must make strategic decisions about which vulnerabilities to patch today, which can wait for tomorrow, and what might be deferred indefinitely.
In practice only 2-5% of known vulnerabilities are ever exploited by attackers. By focusing on high-risk vulnerabilities, those most likely to be exploited and with the greatest potential impact, organizations can minimize their exposure to attacks while also making the best use of available resources. Effective Vulnerability Prioritization improves overall security while also optimizing resource allocation, allowing security teams to handle the most significant threats efficiently.
What factors affect Vulnerability Prioritization?
When assessing the risk of any particular vulnerability there are multiple factors to consider, including inherent characteristics of the vulnerability itself, external factors such as threat actor activity, and contextual factors such as the internet exposure of the vulnerable system, mitigating security controls and patching cadence. Some of the most impactful factors include:
- Known Exploited Vulnerabilities (KEV). A Known Exploited Vulnerability is one with confirmed exploitation evidence. Depending on the asset context, these should be treated with urgency and remediated as soon as possible. The importance of remediating Known Exploited Vulnerabilities is underscored by CISA’s BOD 22-01, which mandates that federal agencies address such vulnerabilities. CISA states, “Known exploited vulnerabilities should be the top priority for remediation.”
- Ransomware Campaigns. Vulnerabilities used in ransomware campaigns are often prioritized due to their widespread impact.
- Botnets. Vulnerabilities exploited by botnets (collections of infected computers controlled by a common attacker) are critical to address.
- Threat Actors: Specific vulnerabilities exploited by known threat actors pose increased risks and should be prioritized.
- Weaponized Vulnerabilities. Weaponized vulnerabilities are those with explicit malicious intent or reported exploitation. These include exploits within malware or those facilitating easy exploitation (in projects such as Metasploit, VulnCheck IAI, CANVAS, and Core Impact). Weaponized exploits often carry secondary payloads, droppers, or implants.
- Proof of Concept (POC) exploit code demonstrates exploitation and indicates risk. POC exploits, such as blog posts, curl requests, or Python scripts, are often used in real-world attacks. The number of POC exploits associated with a vulnerability correlates with its likelihood of being weaponized or exploited.
There are additional factors to consider. Incorporating these factors within decision-based frameworks like Stakeholder-Specific Vulnerability Categorization (SSVC) can help build decision-based logic for prioritizing vulnerabilities. Often, vulnerability attributes beyond threat intelligence can provide further visibility into the risk a vulnerability might pose. Attributes such as CVSS metrics, CAPEC, CWE, MITRE ATT&CK, threat actors, targeted industries, targeted countries, and categorizations are frequently used by VulnCheck customers to determine the risk a vulnerability poses within their environment.
Beyond exploitation evidence, consider asking the following questions: Is the device/application connected to the internet? Is the device/application used for initial access? Is the device/application controlled by a user and susceptible to phishing attacks? Is the vulnerability remotely exploitable? Is the vulnerability automatable? Is the vulnerability reachable? Are there mitigations in place for the vulnerability?
- Known exploit availability and maturity. Vulnerabilities with known exploits represent a much more immediate risk than vulnerabilities that have not been exploited, and deserve higher prioritization. However, not all exploits are created equal. It’s critical not only to know if an exploit exists, but also to capture its overall maturity. A proof-of-concept circulated by a security researcher is a good warning that the vulnerability could be weaponized by future attackers, but does not itself represent an immediate existential threat. On the other hand, exploits that are known to be circulating in widely available exploit kits or dark forums pose more significant risks. These known exploits increase the urgency for patching, as they provide low-skill adversaries with packaged tools needed in order to exploit vulnerabilities.
Insights on known exploits can be found in a variety of locations, such as CISA’s Known Exploited Vulnerabilities (KEV) list and Exploit-DB. Unfortunately these sources are often incomplete or lag behind real-world activity. As a result, many security teams augment these lists with their own independent research to ensure they have all the intelligence they need to prioritize effectively, every hour of every day.
- Vulnerability severity. Severity is often the first consideration in prioritization. Typically based on Common Vulnerability Scoring System (CVSS) scores, severity provides a starting point, categorizing vulnerabilities from low to critical on a scale of 1-10.
CVSS scores are a core part of every CVE record, and while essential, CVSS alone does not provide enough context for effective prioritization. CVSS scores indicate the potential risk associated with a vulnerability, but do not capture real-world risk, as they don’t account for an organization’s specific environment or the likelihood of active exploitation. CVSS temporal scoring can adjust a vulnerability’s score based on threat intelligence enrichment.
- Likelihood of exploitation. The Exploit Prediction Scoring System (EPSS) is a framework designed to estimate the likelihood of a vulnerability being exploited in the wild. It combines various factors, such as the characteristics of vulnerabilities and historical exploit data, to produce a probabilistic exploitability score.
- Asset value and criticality. Not all systems are equal in importance. Prioritization should account for the value and criticality of the assets affected by a vulnerability. For example, a vulnerability in a public-facing, mission-critical server warrants more immediate attention than one in a low-risk environment. Vulnerabilities on assets accessed by a large number of users, especially those with elevated privileges, can be higher risk. User roles and access privileges are also taken into account when vulnerabilities impact assets managed by privileged users or critical infrastructure administrators. Asset-based prioritization ensures the organization’s most valuable resources are protected.
- Environmental factors. Finally, a wide variety of factors related to the local environment can have a significant impact on the risk that a damaging exploit affects an organization:
  - Exposure. Vulnerabilities on systems exposed to the internet or public networks are often prioritized over those on internal-only assets, as they are more exposed to attack by external threat actors, and could more easily become a vector for initial access.
  - Network segmentation. Vulnerabilities in isolated segments of the network may be deprioritized if there are additional security layers or isolation.
  - Mitigating controls. Layered security controls, such as restrictive firewall rules or application allow-listing, can limit exposure, meaning that vulnerabilities on protected systems may be ranked as lower risk.
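The factors above (exploitation evidence, EPSS, CVSS severity, asset criticality, exposure and mitigating controls) are easiest to reason about when written down as explicit decision logic, in the spirit of SSVC. The following is an added example, not code from the article or from VulnCheck: a simplified, SSVC-style decision tree that maps each finding to an act/attend/track decision and ranks findings within a tier. The tier names, thresholds (for instance EPSS 0.5 and CVSS 9.0), dataclass fields and the sample findings are constructed assumptions for illustration, not SSVC’s official decision points.

```python
"""
Added example (not from the original article): a simplified, SSVC-style
decision tree that turns the prioritization factors discussed above into a
remediation decision per finding. Thresholds, tier names and the sample
findings are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Literal

Exploitation = Literal["none", "poc", "weaponized", "active"]
Decision = Literal["act", "attend", "track"]


@dataclass
class Finding:
    cve: str
    cvss: float                 # CVSS base score
    epss: float                 # EPSS probability of exploitation (0-1)
    exploitation: Exploitation  # best available exploit evidence
    internet_exposed: bool      # reachable from the internet / public networks
    asset_critical: bool        # mission-critical or privileged-user asset
    mitigated: bool = False     # compensating control in place (firewall, allow-list)
    ransomware: bool = False    # known use in ransomware campaigns


def exploitation_level(f: Finding) -> int:
    """Rank exploit evidence: active (KEV) > weaponized > PoC > none."""
    return {"none": 0, "poc": 1, "weaponized": 2, "active": 3}[f.exploitation]


def decide(f: Finding) -> Decision:
    """Decision logic: exposure and criticality raise the tier, mitigation lowers it."""
    level = exploitation_level(f)
    # Confirmed exploitation or ransomware use: act unless isolated and mitigated.
    if level == 3 or f.ransomware:
        if f.mitigated and not f.internet_exposed:
            return "attend"
        return "act"
    # Weaponized exploit or high EPSS: act on exposed/critical assets, else attend.
    if level == 2 or f.epss >= 0.5:
        if f.internet_exposed or f.asset_critical:
            return "attend" if f.mitigated else "act"
        return "attend"
    # PoC only, or critical severity with no exploit evidence: attend if exposed.
    if level == 1 or f.cvss >= 9.0:
        if f.internet_exposed and not f.mitigated:
            return "attend"
        return "track"
    return "track"


def prioritize(findings: list[Finding]) -> list[tuple[str, Decision]]:
    """Order by decision tier, then exploit evidence, then EPSS, then CVSS."""
    order = {"act": 0, "attend": 1, "track": 2}
    ranked = sorted(
        findings,
        key=lambda f: (order[decide(f)], -exploitation_level(f), -f.epss, -f.cvss),
    )
    return [(f.cve, decide(f)) for f in ranked]


# Constructed sample findings; the CVE ids are placeholders, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, "none", internet_exposed=False, asset_critical=False),
    Finding("CVE-0000-0002", 7.5, 0.91, "active", internet_exposed=True, asset_critical=True),
    Finding("CVE-0000-0003", 8.8, 0.40, "poc", internet_exposed=True, asset_critical=False),
    Finding("CVE-0000-0004", 9.1, 0.85, "active", internet_exposed=False,
            asset_critical=False, mitigated=True),
    Finding("CVE-0000-0005", 6.5, 0.60, "weaponized", internet_exposed=False,
            asset_critical=True, mitigated=True),
]

if __name__ == "__main__":
    for cve, decision in prioritize(SAMPLE):
        print(f"{cve}: {decision}")
```

Note how the CVSS 9.8 finding with no exploit evidence on an internal, non-critical asset lands in "track", while a 7.5 with confirmed exploitation on an exposed, critical asset is the first thing to "act" on; severity alone would have ordered them the other way round.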
Challenges in Vulnerability Prioritization
Even in a perfect world, the wide variety of variables makes Vulnerability Prioritization a daunting task. Unfortunately, the world is far from perfect. A number of challenges make it difficult to put theory into real-world practice:
- Publishing delays. Public sources of vulnerability data such as the National Vulnerability Database (NVD) and CISA’s Known Exploited Vulnerabilities (KEV) catalog are essential resources, yet they frequently face delays in publishing information. This lag can leave organizations unaware of newly discovered vulnerabilities or exploits, potentially leaving them exposed for days or longer.
- Data gaps: Public resources often lack key pieces of data on vulnerabilities. Some vulnerabilities have incomplete descriptions, miss important links to external resources, have outdated severity metrics, or do not include up-to-date exploit information, which complicates prioritization efforts.
- Escalating and evolving threats: Threat actors continually adapt their tactics, leveraging new vulnerabilities as soon as they’re weaponized. This constantly changing landscape means that a vulnerability’s risk level can increase unexpectedly, particularly when an exploit becomes widely available.
- Poor usability: Many sources of vulnerability intelligence are highly technical and complex, requiring expert interpretation. Furthermore, siloed or difficult-to-integrate data makes it tricky to apply this intelligence in real-time, leaving organizations reliant on manual analysis or outdated threat data.
The Importance of Exploit Intelligence in Vulnerability Prioritization
Given these challenges, high-quality exploit intelligence is invaluable in effective vulnerability prioritization. Exploit intelligence provides critical insights that help organizations assess the likelihood of exploitation, anticipate attack trends, and respond proactively to threats.
Effective exploit intelligence provides defenders with:
- Up-to-date information: For effective prioritization, security teams require real-time, accurate data on exploit activity, including proof-of-concepts, in-the-wild usage, and tools leveraging specific vulnerabilities. Up-to-date exploit intelligence allows teams to respond before a vulnerability becomes widely exploited, keeping them a step ahead of attackers.
- Complete data sets: Comprehensive intelligence goes beyond merely identifying vulnerabilities. It includes critical context on how vulnerabilities can be exploited, attacker motivations, and even the geographical or industry targets of specific campaigns. This depth enables security teams to prioritize based on the actual risks rather than theoretical threats.
- Seamless integration with vulnerability management workflows: Exploit intelligence must integrate smoothly into existing workflows to be effective. Security teams benefit from open APIs and standardized data formats that can be integrated directly into their vulnerability management tools, allowing for automated alerting, reporting, and prioritization within their environment. Easy integration reduces the risk of oversight and improves operational efficiency.
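As an added example of what "standardized data formats" integration looks like in practice (this is illustrative code, not the article’s or VulnCheck’s), the block below normalizes two public feed formats into one per-CVE enrichment record and joins it onto scanner findings, so that KEV membership, ransomware use, the KEV remediation due date and the EPSS probability travel with each finding. The feed snippets are constructed, using the field names of CISA’s KEV JSON catalog (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and the layout of FIRST’s EPSS CSV export (a leading `#` comment line, then `cve,epss,percentile`); the CVE ids, asset names and dates are placeholders. Findings absent from both feeds are flagged as data gaps rather than silently scored as zero, which is the "data gaps" challenge from the previous section made visible.

```python
"""
Added example (not the article's or VulnCheck's code): normalize KEV-style
JSON and EPSS-style CSV into per-CVE context and join it onto scanner findings.
All feed content below is constructed; CVE ids and dates are placeholders.
"""
import csv
import io
import json
from datetime import date

# Constructed KEV-style JSON (same field names as the CISA catalog, placeholder ids).
KEV_JSON = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleCo", "product": "Agent",
         "dateAdded": "2024-05-10", "dueDate": "2024-05-31",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed EPSS-style CSV (the FIRST export begins with a '#' comment line).
EPSS_CSV = """#model_version:example,score_date:2024-06-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0002,0.91234,0.99800
CVE-0000-0003,0.40100,0.96500
"""

# Constructed scanner export: one row per asset/CVE pair.
SCANNER_FINDINGS = [
    {"asset": "vpn-01", "cve": "CVE-0000-0002"},
    {"asset": "build-07", "cve": "CVE-0000-0003"},
    {"asset": "hr-db-02", "cve": "CVE-0000-0009"},   # present in neither feed
]


def load_kev(raw: str) -> dict[str, dict]:
    """Index KEV catalog entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def load_epss(raw: str) -> dict[str, float]:
    """Parse the EPSS CSV, skipping leading '#' comment lines."""
    lines = [ln for ln in raw.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["cve"]: float(row["epss"]) for row in reader}


def enrich(findings: list[dict], kev: dict, epss: dict, today: date) -> list[dict]:
    """Attach feed context to each finding; record gaps instead of guessing."""
    out = []
    for f in findings:
        cve = f["cve"]
        k = kev.get(cve)
        rec = {
            **f,
            "in_kev": k is not None,
            "ransomware": bool(k and k.get("knownRansomwareCampaignUse") == "Known"),
            "epss": epss.get(cve),             # None means no score, not 0.0
            "kev_due": k["dueDate"] if k else None,
            "overdue": bool(k and date.fromisoformat(k["dueDate"]) < today),
            "data_gap": k is None and cve not in epss,
        }
        out.append(rec)
    return out


def enrich_sample(today: date = date(2024, 6, 1)) -> list[dict]:
    """Run the join over the constructed feeds and findings."""
    return enrich(SCANNER_FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_CSV), today)


if __name__ == "__main__":
    for rec in enrich_sample():
        print(rec)
```

The joined records are what a ticketing or vulnerability-management integration would consume: the `overdue` and `ransomware` flags drive alerting, `epss` feeds the likelihood input to prioritization, and `data_gap` rows are the candidates for the independent research the article recommends when public feeds lag.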
With high volumes of complex vulnerabilities, exploit intelligence is key to effective vulnerability management. Security teams armed with up-to-date, tightly integrated, and comprehensive data can make faster, better-informed decisions, protect their high-value assets, and ultimately stay one step ahead of emerging threats.