Hacking tools and techniques evolve quickly as threat actors adapt to new vulnerabilities and fixes for old ones. Flaws in common software components are discovered every day, some of which are severe enough to provide direct access to internal networks. When these are discovered, and the exploitation technique becomes publicly available, threat actors jump at the opportunity to exploit them before patches roll out. This becomes a constant cat-and-mouse game where defenders have to patch vulnerabilities as fast as possible, and attackers race to exploit them before that can happen.
What Is The KEV?
Due to the cyclical nature of vulnerability research and remediation, vulnerabilities tend to fall in and out of popularity with threat actors quickly. A vulnerability discovered in a common component last week is far more likely to be exploited than a 10-year-old vulnerability, even if the older bug is more severe, because older components are far less common, especially on external networks. On internal networks, however, it is not unheard of for 10+ year-old bugs to turn up because of legacy dependencies in various components.
The Cybersecurity & Infrastructure Security Agency (CISA) has released the Known Exploited Vulnerabilities Catalog (KEV) to provide everyone with information about common threat actor tactics. This is a constantly evolving list of the most common exploits used in the wild by criminal hackers. There are three main criteria for a vulnerability to be added to the KEV:
- Assigned CVE ID – This means that the vulnerability is publicly cataloged and recognized. CVEs get assigned to reported vulnerabilities that have been confirmed to be valid and reproducible across instances of a product.
- Active exploitation – Active exploitation means that threat actors are actually using the vulnerability to compromise targets, not merely that an exploit exists. Vulnerabilities must be proven to be under active exploitation through evidence from exploited systems. This evidence is typically acquired by using honeypots to capture attacker activity or by performing forensic analysis on previously compromised systems.
- Clear remediation guidance – The final criterion is that there must be clearly defined steps for fixing the problem. There can be permanent solutions, such as a patch or decommissioning the product, or temporary workarounds provided through vendor guidance.
Having this list available allows one to prioritize remediation and properly gauge overall risk. Risk can be thought of as the intersection of exploitation likelihood and the impact upon exploitation. Even vulnerabilities with high impact can have low overall risk if it is unlikely that they will ever be exploited. Conversely, lower-impact vulnerabilities can have their risk driven up when ease of exploitation makes an attack more likely.
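To make the likelihood-times-impact idea concrete, here is a small prioritization script added as an example (it is not from the original article or from CISA). It treats KEV membership as the strongest likelihood signal, uses the CVSS base score as a proxy for impact, and shows how a medium-severity vulnerability on the KEV can outrank a critical-severity one that nobody is exploiting. The likelihood weights, the `Finding` fields and the CVE IDs (all of the form CVE-0000-xxxx) are constructed assumptions, not a published formula.

```python
"""Risk = likelihood x impact, with KEV membership driving likelihood.

Added example. The weights below are assumptions chosen to illustrate the
article's point; the KEV snapshot and CVE IDs are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed KEV snapshot: for this check only the CVE IDs matter.
KEV_SNAPSHOT = {"CVE-0000-0001", "CVE-0000-0003"}


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float            # impact proxy, 0.0-10.0
    internet_facing: bool  # exposure raises likelihood
    public_exploit: bool   # a public PoC exists, but exploitation is unproven


def likelihood(f: Finding, kev: set) -> float:
    """Assumed likelihood scale from 0.1 to 1.0.

    KEV membership dominates because it is evidence of exploitation in the
    wild, which is a stronger signal than a public proof of concept alone.
    """
    score = 0.1
    if f.public_exploit:
        score = 0.4
    if f.cve in kev:
        score = 0.8
    if f.internet_facing:
        score = min(1.0, score + 0.2)
    return score


def risk(f: Finding, kev: set) -> float:
    """Risk score rounded to two decimals for stable comparison."""
    return round(likelihood(f, kev) * f.cvss, 2)


def prioritize(findings: list, kev: set) -> list:
    """Return findings ordered from highest to lowest risk."""
    return sorted(findings, key=lambda f: risk(f, kev), reverse=True)


# Constructed sample findings from a hypothetical scan.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", 6.5, internet_facing=True, public_exploit=True),
    Finding("CVE-0000-0002", "db-02", 9.8, internet_facing=False, public_exploit=False),
    Finding("CVE-0000-0003", "file-srv-03", 7.5, internet_facing=False, public_exploit=True),
    Finding("CVE-0000-0004", "web-04", 9.0, internet_facing=True, public_exploit=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, KEV_SNAPSHOT):
        print(f"{f.cve:14} {f.asset:12} cvss={f.cvss:<4} risk={risk(f, KEV_SNAPSHOT)}")
```

With these weights the two KEV-listed findings come out on top even though the internal database host carries the highest CVSS score; the point is that the KEV supplies the likelihood half of the equation that a severity score alone cannot.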
How Can Defenders Use The KEV?
The KEV is a fantastic resource that should be utilized by defenders. The primary way to use it is for monitoring residual risk on the network. Certain vulnerabilities may be costly or difficult to remediate and can be accepted as residual risks. As exploit maturity evolves, exploitation of a vulnerability may increase dramatically once public exploit code becomes available. Having a reference for when an accepted risk may become unacceptable gives the defender a framework for reevaluating the threats on their network.
Another use for the KEV is knowing which components should be watched most carefully. Some components are exploited far more often than others; these are typically very widely deployed software components that are routinely exposed to the internet, such as VPN gateways. They are prime targets for threat actors, which means they are heavily researched for vulnerabilities. The KEV shows trends in which components are commonly exploited and can help defenders decide where to direct their attention.
Using the KEV can also be very helpful for post-market surveillance of a novel product. Many industries and regulatory bodies require strict plans for monitoring products after public release and remediating vulnerabilities found in them. Third-party components are common in novel products, as they can massively cut down on the work needed to release a finished product, and it is just as important to monitor those components for vulnerabilities as it is to monitor the main product. The KEV can show if any third-party component becomes actively exploited.
As part of the criteria for a vulnerability to enter the KEV, there must be actionable remediation steps. This is great for defenders, as there is a centralized resource for finding the flaws and fixing them in one step. When security teams find a flaw that is on the KEV, they should also rely on the catalog as a first step for understanding what the vulnerability is and how they can remediate it quickly and correctly.
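The three defensive uses described above (re-checking accepted residual risks, watching the components you depend on, including third-party ones, and pulling the catalog's remediation guidance when a match appears) can be folded into one periodic check. The script below is an added example, not code from the article or from CISA: the record field names (cveID, vendorProject, product, dateAdded, requiredAction, dueDate) follow the naming used in CISA's public KEV JSON feed so that a real download could be dropped in, but every entry here is constructed, the CVE IDs are placeholders of the form CVE-0000-xxxx, and the inventory and accepted-risk register formats are assumptions.

```python
"""Diff a KEV snapshot against a component inventory and an accepted-risk
register, and surface the catalog's remediation guidance for each hit.

Added example. KEV_ENTRIES mirrors the field names of CISA's KEV JSON feed
but every record is constructed; INVENTORY and ACCEPTED_RISKS are assumed
shapes for an asset inventory and a risk-acceptance register.
"""
from datetime import date

# Constructed KEV records (same field names as the public feed).
KEV_ENTRIES = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2024-03-01", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-03-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor", "product": "Widget",
     "dateAdded": "2024-03-05", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-03-26"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleLib", "product": "ParserLib",
     "dateAdded": "2024-02-10", "requiredAction": "Upgrade to a fixed release.",
     "dueDate": "2024-03-02"},
]

# Constructed inventory: the main product plus the third-party components it ships with.
INVENTORY = [
    {"vendorProject": "ExampleVPN", "product": "Gateway", "third_party": True, "owner": "netops"},
    {"vendorProject": "ExampleLib", "product": "ParserLib", "third_party": True, "owner": "product-team"},
    {"vendorProject": "OurCompany", "product": "NovelDevice", "third_party": False, "owner": "product-team"},
]

# Constructed accepted-risk register: CVE -> justification recorded at acceptance time.
ACCEPTED_RISKS = {
    "CVE-0000-0003": "Library only reachable from isolated management VLAN; patch planned Q4",
}


def _key(vendor: str, product: str) -> tuple:
    # Exact lowercase match is deliberately simple. Vendor and product strings in
    # the real catalog vary in spelling, so a production check needs a curated
    # mapping from KEV names to inventory names rather than this normalization.
    return (vendor.strip().lower(), product.strip().lower())


def newly_added(entries: list, since: date) -> list:
    """KEV records added after the last time the check ran."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) > since]


def match_inventory(entries: list, inventory: list) -> list:
    """Join KEV records to inventory components and attach the remediation fields."""
    by_key = {_key(c["vendorProject"], c["product"]): c for c in inventory}
    matches = []
    for e in entries:
        comp = by_key.get(_key(e["vendorProject"], e["product"]))
        if comp is not None:
            matches.append({
                "cveID": e["cveID"],
                "component": f'{comp["vendorProject"]} {comp["product"]}',
                "third_party": comp["third_party"],
                "owner": comp["owner"],
                "requiredAction": e["requiredAction"],
                "dueDate": e["dueDate"],
            })
    return matches


def accepted_now_exploited(entries: list, accepted: dict) -> list:
    """Accepted residual risks that the catalog now shows as exploited in the wild."""
    return [
        {"cveID": e["cveID"], "justification": accepted[e["cveID"]],
         "requiredAction": e["requiredAction"], "dueDate": e["dueDate"]}
        for e in entries if e["cveID"] in accepted
    ]


def kev_watch_report(entries: list, inventory: list, accepted: dict, since: date) -> dict:
    """One report for a periodic run: new hits on our components, and
    previously accepted risks that need a fresh decision."""
    return {
        "new_matches": match_inventory(newly_added(entries, since), inventory),
        "reevaluate": accepted_now_exploited(entries, accepted),
    }


if __name__ == "__main__":
    report = kev_watch_report(KEV_ENTRIES, INVENTORY, ACCEPTED_RISKS, since=date(2024, 2, 28))
    for hit in report["new_matches"]:
        print(f'NEW  {hit["cveID"]} {hit["component"]} -> {hit["owner"]}: {hit["requiredAction"]} by {hit["dueDate"]}')
    for hit in report["reevaluate"]:
        print(f'REVIEW {hit["cveID"]} accepted as "{hit["justification"]}" but now on KEV; due {hit["dueDate"]}')
```

Run on a schedule with `since` set to the previous run date, the first list routes each newly listed component (third-party or not) to its owner together with the catalog's required action and due date, and the second list flags accepted risks whose likelihood assumption no longer holds. The unrelated OtherVendor entry is ignored even though it is new, which is the filtering that keeps the check focused on the network's own residual risk.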