Beyond CVEs: The Key to Mitigating High-Risk Security Exposures

Use ongoing exposure management to parse the riskiest exposures and probable attack paths, then identify and plug the choke points.

In 2022, the National Institute of Standards and Technology reported more than 23,000 new vulnerabilities, the largest spike ever recorded within one calendar year. Alarmingly, this upward trend is anticipated to continue, with recent research suggesting that we may see more than 1,900 new common vulnerabilities and exposures (CVEs) per month on average this year, including 270 rated high-severity and 155 rated critical-severity.

As CISOs and security teams grapple with reduced security budgets and the perpetual scarcity of cyber talent, patching this veritable tidal wave of new vulnerabilities every year is simply an unattainable and ludicrous task.

Out of the hundreds of thousands of registered CVEs, only 2% to 7% are ever seen exploited in the wild. Thus, mindless patching is rarely a fruitful activity. With expanded attack surfaces, the threat landscape isn't as siloed as we often treat it. Attackers aren't executing an attack on an individual vulnerability because it almost never leads to critical assets. Vulnerabilities, in most instances, do not equal exposures and aren't rewarding enough for an attacker looking to penetrate organizational systems.

Instead of concentrating on vulnerabilities, malicious actors are leveraging a combination of exposures, such as weak or stolen credentials and misconfigurations, to discreetly attack critical assets and steal company data. Let's explore some of these prominent, and often overlooked, exposures that organizations should be most concerned about.

The Discarded Environment: On-Premises

While we cannot discredit the need for robust cloud protections, its dominance over the past decade has caused many to overlook their investment in building effective and agile on-premises controls. Make no mistake, malicious actors continue to actively exploit on-premises exposures to gain access to critical assets and systems, even if they are in cloud environments.

Earlier this year, Microsoft urged users to secure their on-prem Exchange servers in response to several instances where security flaws within the software were weaponized to hack into systems. With all the focus on cloud security, many organizations have become blind to the hybrid attack surface and how attackers can move between the two environments.

Overly Permissive Identities, Privileged Access

With convenience in mind, cloud users, roles and service accounts continue to be granted excessive permissions. This makes things easier to manage and avoids having to deal with employees constantly asking for access to various environments, but it also allows attackers to expand their foothold and attack paths after successfully cracking through the first layer of defense.

A balance must be struck because right now, many organizations lack strong governance in relation to identity, resulting in excess access to those who don't require such abilities to perform their tasks.

While securing identities is highly complex in hybrid and multicloud environments, operating on the philosophy that every user is a privileged user makes lateral spread far harder to stop. It could also be the difference between a minor attack and a weeks-long project to try and contain the damage. Our recent research showed that 73% of top attack techniques involve mismanaged or stolen credentials.

The Human Glitch

Let us not forget about one of the most common, yet detrimental, mistakes: improper deployment and utilization of security controls. You make the investment, but you also must ensure that you reap the benefits. Despite being a widely communicated issue, security control misconfigurations are still highly prevalent. While no threat detection and response or endpoint solution is bulletproof to begin with, many are also misconfigured, not deployed across the entire environment, or inactive even when deployed.

We are operating in a world of hypervisibility, where diagnostic fatigue is prevalent and security teams are inundated with too many benign and unrelated vulnerabilities. CISOs and security teams seem to be on a quest to see everything. But exhaustingly long lists of exposures and technical weaknesses prioritized based on CVSS or other scoring mechanisms don't make their organizations safer. The key is to see what is important and not lose the critical in the sea of the benign.

Instead of trying to fix everything, organizations must work to identify their choke points: the areas where exposures commonly converge on an attack path. Doing this requires diligent evaluation of your exposure landscape and grasping how attackers can navigate through your environment to reach critical assets. Once these choke points are identified and remediated, the other exposures become irrelevant, saving not only an enormous amount of time but potentially the sanity of your security team as well.

Additionally, this can have the added benefit of mobilizing your IT teams because it gives them a clear view into the significance of certain patches, and they no longer feel as though they're wasting their time.
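The choke-point idea above can be made concrete with a small attack-path analysis. The following is an added example, not code from the article or from any vendor's product: it builds a constructed exposure graph (nodes are hosts, identities and data stores; edges are the exposures an attacker could use to move between them, using the same categories the article discusses: an unpatched on-prem server, reused credentials, an inactive endpoint agent, an over-permissive role), enumerates every path from an assumed entry point to the critical assets, and ranks intermediate nodes by the share of paths that pass through them. It then shows how many paths survive if the exposures leading into a given node are remediated, which is the number a prioritization decision should rest on. All node names and exposure descriptions are constructed for illustration.

```python
"""Toy attack-path analysis: find choke points in a constructed exposure graph.

Added example. Nodes are assets and identities; edges are exposures an attacker
could use to move from one node to the next. A choke point is an intermediate
node that many attack paths share, so remediating the exposures that lead into
it removes many paths at once.
"""
from collections import Counter

# Constructed sample graph (hypothetical names): node -> list of (next_node, exposure)
GRAPH = {
    "internet": [("exchange-onprem", "unpatched on-prem Exchange server")],
    "exchange-onprem": [
        ("svc-backup", "credential reuse: local admin password in a script"),
        ("workstation-A", "EDR agent deployed but inactive"),
    ],
    "workstation-A": [("svc-backup", "cached domain credentials")],
    "svc-backup": [
        ("domain-controller", "service account is a member of Domain Admins"),
        ("cloud-sync-role", "over-permissive IAM role assumed with a key found on host"),
    ],
    "cloud-sync-role": [("customer-db", "role has read access to all storage buckets")],
    "domain-controller": [("customer-db", "DC admin can reset any password")],
}
ENTRY = "internet"
CRITICAL = {"customer-db", "domain-controller"}


def all_paths(graph, start, targets):
    """Enumerate all simple paths (no repeated nodes) from start to any target node.

    A path that reaches one critical asset and continues to another is recorded
    once per critical asset reached, so both destinations are counted.
    """
    paths = []

    def walk(node, visited, path):
        if node in targets:
            paths.append(list(path))
        for nxt, _exposure in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                walk(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    walk(start, {start}, [start])
    return paths


def choke_points(paths, start, targets):
    """Rank intermediate nodes by the fraction of attack paths that pass through them.

    Ties are broken alphabetically so the ranking is deterministic.
    """
    counts = Counter()
    for path in paths:
        for node in set(path) - {start} - set(targets):
            counts[node] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(node, n / len(paths)) for node, n in ranked]


def exposures_into(graph, node):
    """List the exposures that lead into a node; these are what remediation must address."""
    return sorted(desc for edges in graph.values() for nxt, desc in edges if nxt == node)


def paths_remaining_after_fix(graph, start, targets, fixed_node):
    """Count attack paths that survive once every exposure leading into fixed_node is closed."""
    pruned = {n: [(m, d) for m, d in edges if m != fixed_node] for n, edges in graph.items()}
    return len(all_paths(pruned, start, targets))


if __name__ == "__main__":
    paths = all_paths(GRAPH, ENTRY, CRITICAL)
    print(f"{len(paths)} attack paths from {ENTRY} reach critical assets")
    for node, share in choke_points(paths, ENTRY, CRITICAL):
        left = paths_remaining_after_fix(GRAPH, ENTRY, CRITICAL, node)
        print(f"{node:18} on {share:4.0%} of paths; closing its inbound exposures leaves {left} path(s)")
        for desc in exposures_into(GRAPH, node):
            print(f"    - {desc}")
```

In the constructed graph, the on-prem Exchange server and the backup service account each sit on every path, and closing the two credential exposures that lead into the service account leaves no path to a critical asset at all, whereas fixing the cloud role alone still leaves four. On a real estate the graph comes from asset inventory, identity data and control coverage rather than a hand-written dictionary, but the prioritization logic is the same.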

Keeping Ahead of the Threat Landscape

As Henry Ford once said, "If you always do what you've always done, you'll always get what you've always got." While most organizations have robust vulnerability management programs in place, vulnerabilities are only a small portion of risk.

Keeping ahead of the volatile threat landscape requires ongoing exposure management mechanisms. Understanding which exposures present the most risk to your organization and critical assets — and how an attacker may leverage these exposures on an attack path — will significantly help plug gaps and improve overall security posture.
