Vulnerability Prioritization: Best Practices for Modern Cyber Security Defense

With threat exposure distributed across legacy, hybrid, and cloud-native environments, patching vulnerabilities in a sensible order requires sifting through the astronomic amount of data generated by detection tools and prioritizing the patching order in line with business priorities. 

Understanding the Challenge of Vulnerability Management Across Diverse Environments

Vulnerabilities are the most pervasive weakness on the planet. Like a strained tendon, they slow down development and create a constant and hard-to-evaluate risk. They generate so much interest that new tools designed to detect them are sprouting up every day like mushrooms.

These tools come in many shapes and are called anything from network security monitoring, web vulnerability scanning, data loss prevention, endpoint detection and response, network defense wireless solution, packet sniffers, antivirus software, Web Application Firewalls or network firewalls, Public Key Infrastructures (PKIs), managed detection services, and the list goes on. 

And detect they do. So much, in fact, that new tools are sprouting up to help filter all these detected vulnerabilities according to various ratings. 

The Flaws in Risk-Based Vulnerability Prioritization

Not all vulnerabilities are equal. And the judges are out to score them on basic, temporal, and environmental metrics, the most dangerous of them scoring highest on the CVSS hall of fame and jostling for visibility in NVD and MITRE CVE lists. 

With all those sniffing tools, cyber defenders should be able to catch those pesky vulnerabilities and filter them to let the harmless ones run free and ruthlessly eliminate the dangerous ones, shouldn’t they? Well, not quite.  

Despite their best efforts, these detecting and monitoring solutions generate too much data, including a sea of needlessly distracting false positives. By the time the valiant cyber defenders have gone through one batch and patched it, the environment configuration has changed, and new vulnerabilities have multiplied. 

Why Traditional Vulnerability Prioritization Falls Short in Modern Cybersecurity

The problem is not with the detection tools that are performing remarkably well in providing the data to calculate cyber risk exposure. It is not even with the outstanding new tools that filter through the mass of data, filter them according to their CVSS score and intuit a patching prioritization order that, at the time it is generated, makes perfect statistical sense.  

The problem is that the entire concept of prioritizing vulnerability patching based on risk scores is rooted in yesterday’s thinking. Both the infrastructure and the attacker challenge its timeliness and relevance. 

The Impact of Continuous Development

On the enterprise side, the near-ubiquitous adoption of continuous development results in constant changes in a configuration that render some of the scheduled patching irrelevant and introduce new vulnerabilities that are not included in the prioritized patching schedule.  

The Rise of Advanced Hacking Tools and Organized Cybercrime

On the attacker side, the proliferation of hacking tools shopping centers flourishing on the darknet means that defenders are now contending not only with some hooded evil geniuses hidden in basements, they are facing a growing and increasingly organized industry, that also has R&D departments churning new TTPs (Tactics, Techniques & Procedures) at record speed, and selling them and their automated version. 

This means that prioritizing vulnerability patching based on risk scores established through industry-wide statistical means is fighting yesterday’s war. A new thinking paradigm to prioritize vulnerability patching is needed.  

Adopting Offensive Tactics for Effective Vulnerability Management

Instead of using techniques stemming from the erstwhile “securing the perimeter” line of thinking, it is time to take a leaf or two from tried and tested military strategy summarized into cliched adages:

“Know thy enemy” and “The best defense is a good offense.”

That may sound like a good idea, but unlike traditional military enemies, hackers do not operate as an army. They are faceless, motivated by any number of goals, ranging from greed to selfless hacktivistic defense of the oppressed (as defined by the hacktivist), from corporate to national spying, from information gathering to destructive abilities, and the list goes on. 

So, with such a multitudinous, multifaceted enemy, how is it possible to leverage military wisdom and get to know the enemy? 

Regardless of its identity or motivations, the enemy is going to use tools to launch attacks. And, as stated by the National Security Agency, “To effectively resist attacks against information and information systems, an organization needs to characterize its adversaries, their potential motivations and classes of attack.”

And we are in luck!

MITRE ATT&CK  does exactly that! It collates known attacks and attackers and then maps potential attack routes in a publicly available framework.

Leveraging Continuous Security Validation for Real-Time Threat Mitigation

The global nature of the internet makes going against all malicious actors a pipe dream. Yes, there are initiatives to catch and jail the worst offenders, but the odds of global cooperation reaching a level that enables catching and neutralizing all offenders is next to nil. 

With a comprehensive Continuous Security Validation (CSV) suite – that includes BAS (Breach and Attack Simulation), CART (Continuous Automated Red Teaming,) and Advanced modules. Any organization can continuously emulate attacks on their environment, exactly like a swarm of attackers would.  

Yet, unlike what happens under a real attack, security validation attacks yield, among other data, an optimized vulnerability patching priority schedule created by an Attack-Based Vulnerability Management (ABVM) included in each CSV suite module and based on risk scores derived from the actual risk to the validated environment. 

Patching attack-based prioritized vulnerabilities are the most efficient way to continuously improve security posture.