Prioritizing Vulnerabilities is a Flawed Process: What’s Needed -- Security Today

Prioritizing Vulnerabilities is a Flawed Process: What’s Needed

By Michael Angelo Zummo
Aug 10, 2022

The topic of zero-day exploits and exposed vulnerabilities is always trending within cybercriminal communities, both on clear web platforms and on the underground. From 280-character tweets circulated among cybercriminals on Twitter, to POC exploits released on clear web code repositories, to exploit kits and tools shared across the forums and markets of the deep and dark web, threat actor discourse revealing which vulnerabilities they plan to target is far from scarce.

Given the increasing number of vulnerabilities discovered and disclosed each year, and the mounting struggles of IT departments as they work to keep legacy systems secure, many organizations do not prioritize patch deployment for ‘low-severity’ CVEs, focusing instead on remediating those that are making headlines or those assigned a ‘high-severity’ Critical Vulnerability Scoring System (CVSS) rating.

Threat actors understand that these ‘medium’ and ‘low’ severity CVEs are likely to remain unpatched and un-remediated within enterprise environments and take advantage of the flawed prioritization process to gain access to critical assets, moving laterally through the network to deploy high-profit, high-impact attacks.

Some of the most widespread and devastating cyberattacks over recent years have originated with the exploitation of vulnerabilities rated ‘medium’ or ‘low’ severity by the CVSS.

The prioritization process is inherently flawed: the CVSS score measures the estimated severity – not risk – of exploitation.

In many cases, timely patch management for CVEs rated at medium or high severity is an issue of compliance, required by industry standards, government agencies or other regulatory bodies such as the Payment Card Industry Data Security Standard (PCI DSS). Predicating the prioritization of patching cycles on CVSS ratings alone is therefore a potentially fatal error, and yet it remains the prevalent methodology for many organizations and vulnerability scanning tools.

Since the standard of Common Vulnerabilities and Exposures (CVE) was first introduced in 1999, almost 200,000 publicly known vulnerabilities have been recorded to date. While many of these vulnerabilities have since been patched (some were patched years, even decades ago), many organizations have not yet applied the available security updates and patches, leaving their systems exposed to cyberattack.

How CVSS Scores are Calculated

Published CVSS scores are typically comprised of a combination of Base Metrics and Temporal Metrics Scores only. While a useful starting point, Base Metrics by definition are static, representing the intrinsic characteristics of a vulnerability that remain constant over time. Once it is published, the score is often not re-evaluated or updated to reflect the current Temporal status.Static scores are not much help in the current, rapidly evolving threat landscape.

CVSS scoring mechanisms have gone through three major revisions (and a number of minor revisions) since the framework was inaugurated in 2005, with CVSS Version 3.1 being the most current revision. According to the National Vulnerability Database (NVD), CVSS Version 3.1 is generated through the measurement of three core metric groups:

(1) Base Score Metrics, which represent the intrinsic and fundamental characteristics of a vulnerability;

(2) Temporal Score Metrics, which represent the current state of exploit techniques or code availability;

(3) Environmental Score Metrics which represent those characteristics of a vulnerability that are relevant and unique according to each individual organizational infrastructure.

How can an organization effectively prioritize their CVE patching cycles if they rely on an outdated severity rating that remains unchanged even after a working exploit kit has been widely distributed within the cybercriminal underground?

As explicitly noted in the CVSS version 3.1 user guide, CVSS measures severity, not risk. Accordingly, insight into threat actor discourse and interest surrounding CVEs and their related attack vectors for exploitation is critical, providing the accuracy, relevance and context needed to effectively prioritize vulnerability remediation processes.

This vulnerability currently has a CVSS 3.1 score of 9.8 – likely flagging it as the highest priority patch for organizations using the software. Though remediation of this CVE is likely to be prioritized quickly, it is important to understand the context of underground threat actor discourse surrounding the exploitation of this vulnerability.

In the image below (CVE-2022-22954) we can see that most of the chatter was observed on social media platforms such as Twitter. However, there are also a significant number of code repository entries of POC exploit codes.

It is also important to note chatter on high-profile underground forums and the extent of actor participation in those discussions. For CVE-2022-22954, chatter surrounding the exploitation of the vulnerability was observed on a notable underground forum as early as 4/12/2022.

A Need to Re-Prioritize

Monitoring underground chatter does more than simply justify what is already set to be prioritized by one’s vulnerability scanner. There are likely multiple vulnerabilities with a CVSS score below 4.0 which would go unflagged by scanners due to their low severity score.

For example, on a well-known Telegram group (Graphic below) dedicated to the discussion of hacking tools and tactics, a message was observed sharing information surrounding the recently publicized CVE-2022-22950 and CVE-2022-22948 vulnerabilities. It’s easy to argue that the discussion of these CVEs on such a prominent cybercriminal channel might encourage threat actors to target these vulnerabilities, regardless of their low-severity CVSS ratings.

Additional chatter was also observed on other cybercriminal Telegram groups associated with notable hacking groups discussing the same CVEs.

Monitoring in Real Time

Vulnerability and exploit chatter is rife across all spectrums of the internet. Yet this intel can be extremely difficult to track without real-time visibility into the primary arena of cybercriminal activity – the deep and dark web – rendering an accurate identification of immediate threats a near insurmountable challenge.

While all vulnerabilities ought to be of some concern, only 6% of CVEs are actually exploited. Without accurate threat intel to provide insight into the risk – rather than severity – of each vulnerability, security teams find themselves fighting an uphill battle, overwhelmed with the sheer volume of vulnerabilities potentially exposing their organization.

Automated threat intelligence helps to separate the wheat from the chaff, by providing the much-needed context to drive informed security decisions, and by helping teams enhance the productivity and efficacy of their patching cycles, without exposing their systems to avoidable risk.

The process for monitoring vulnerabilities in real-time can support the patching cycle process, empowering security teams to prioritize remediation according to accurate threat intelligence regarding the likelihood of a vulnerability exploitation.

Featured

Security Industry Association Announces the 2025 Security Megatrends

The Security Industry Association (SIA) has identified and forecasted the 2025 Security Megatrends, which form the basis of SIA’s signature annual Security Megatrends report defining the top 10 factors influencing both short- and long-term change in the global security industry. Read Now
- Cybersecurity
- Artificial Intelligence
Generative AI, Cybersecurity Among Top Risks for Healthcare Provider Organizations in 2025

Overseeing the use of generative artificial intelligence, enhancing cybersecurity and ensuring compliance with a host of federal healthcare regulations headline the Top Risks health systems face in 2025, according to an annual study by Kodiak Solutions. Read Now
- Hospital
Wisconsin Shooting Likely a 'Combination of Factors'

Following the deaths of a teacher and student at Abundant Life Christian School in, Madison, Wisc., police chief Shon Barnes indicated that the motive appears to be a “combination of factors” for a 15-year-old female student’s attack on a study hall. Read Now
- Active Shooter
- Incident Response
Louisville Muhammad Ali International Airport Transforms Operations Using Data Insights

Genetec Inc., provider of enterprise physical security software, recently announced that Louisville Muhammad Ali International Airport (SDF), a civil and military airport in Kentucky, USA is using Genetec Security Center to drive operational improvements to enhance efficiency and security while improving customer experience. Read Now
- Airport Security

Webinars

Building a Unified Approach to School Safety
The Center for Safe and Resilient Schools and Workplaces

Precovery in Action: Proactive Strategies to Promote School Safety and Mass Violence Prevention
Hanwha Vision (formerly Hanwha Techwin), NAPCO Security Technologies, Inc.

Getting Control of your Access

Whitepapers

Salient Systems

A Model for Community Security
Genetec

State of Physical Security 2025
Winsted Corporation

Sit/Stand Consoles: Helping Increase Productivity

New Products

ResponderLink

Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3
4K Video Decoder

3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3
Luma x20

Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

Prioritizing Vulnerabilities is a Flawed Process: What’s Needed

CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure

Fast-food Operator Enhances Safety and Cuts Security Costs with Interface Systems’ Virtual Guard

Eagle Eye Cabinets Extend Video Security to Remote and Hard-to-Wire Locations

ESX 2025 Registration Now Open

ASIS International Announces Officers and Directors for 2025 Global and Regional Governing Boards

ISS Welcomes New Director of Strategic Partnerships, Regional Sales Director

Security Industry Association Opens Call for Nominations for 2025 Women in Security Forum Power 100