As a security researcher, common vulnerabilities and exposures (CVEs) are an issue for me — but not for the reason you might think.
While IT and security teams dislike CVEs because of the threat they pose and the mountain of remediation work they create for them, what troubles me is the way our modern security procedures relate to CVEs. Our mitigation strategies have become too focused on "vulnerability management" and are too CVE-centric, when what we really need is a hacker-centric approach to effectively reduce our exposure.
Vulnerability management as a primary strategy doesn't really work. According to the National Institute for Standards and Technology, 20,158 new vulnerabilities were discovered in 2021 alone. This represented the fifth consecutive year of record numbers for vulnerability discovery, and it looks like 2022 may very well continue the trend. Security teams cannot reasonably patch 20,000 new vulnerabilities a year, and even if they could, they shouldn't.
This might sound counterintuitive, but there are a few reasons why it's not. The first is that recent research reveals that only about 15% of vulnerabilities are actually exploitable, and so patching every vulnerability is not an effective use of time for security teams that have no shortage of tasks. The second and equally important reason is that even if you did continuously patch 100% of the CVEs in your network, this likely still wouldn't be effective at stopping hackers.
Hacker Strategies Are Vast and Varied
Phishing, spear-phishing, varying levels of social engineering, leaked credentials, default credentials, unauthenticated access using standard interfaces (FTP, SMB, HTTP, etc.), accessible hotspots with no passwords, network poisoning, password cracking — the list of strategies that hackers are employing is vast and varied, and many don't even require a high-level CVE, or any CVE at all, to be dangerous to an organization. The recent Uber breach is an excellent example of how hackers exploited an organization without utilizing the latest CVEs or overly complicated attack methods to target organizations.
Depending on whether you believe what the hacker claimed on Uber's Slack channel, or Uber's recent comments, the hacker was either an 18-year-old who exfiltrated data from an Uber staffer via a clever social-engineering/spear-phishing attack, or the work of South American hacking group Lapsus$, which executed a spear-phishing attack, utilizing the leaked credentials of a third-party contractor obtained from the Dark Web. In either scenario, there was no complicated coding or vulnerability exploitation that went on here. Instead, it was a variation on an old-school tactic that is tried and true.
It's Not The Vulnerability but the Vector That Matters
I don't want anyone to get the wrong idea. Patching is very important; it's a critical part of a strong security posture, and a crucial component of every security strategy. The issue is that many tools today prioritize remediation recommendations based solely on Common Vulnerability Scoring System (CVSS) scores, and what gets lost is the organizational context; the understanding of how to separate the meaningful 15% of vulnerabilities from the other 85%.
As an experienced penetration tester in the Israeli Defense Forces and vice president of research, leading a team of ex-pen testers and red teamers at Pentera, what I've learned is that it's not the vulnerability but the vector that matters. Just because your attack doesn't begin with a major vulnerability doesn't mean it won't end with one. The most dangerous vulnerability to your organization might be a 5.7/10 CVSS score hidden at the bottom of a list of high-scoring false positives.
Leaked Credentials Are a Bigger Threat
Leaked credentials likely pose a far greater threat to the average organization than the next dozen CVEs to be announced combined, yet many organizations have no protocol in place to discover if any of their credentials are floating around in the darker parts of the Web. We act as if hackers will spend countless hours developing exploits to CVEs, while they are really just looking for the most efficient way to access our networks. Many of today's hackers, and hacking groups, are financially motivated, and like any organization they want the best ROI for their time. Why spend time executing a complicated attack when you can just buy or scrape the credentials?
Right now, our defenses aren't working, and we, as security professionals, need to reexamine where the weak points are. While vulnerability management is definitely a core part of any meaningful security strategy, we need to move away from it as a primary methodology. Instead, we need to take a good look at the strategies hackers are utilizing and base our security strategies on how to stop them. If we want our security to actually be effective toward reducing our exposure, our strategies must focus on understanding the real-world techniques and methodologies that hackers are using to exploit us.