Vulnerability Prioritization: Tutorial & Best Practices

As technology and applications increasingly become central to how organizations function, minimizing the risk posed by an expanded number of vulnerabilities equally becomes a more prominent concern. Over the past decade, the landscape of cybersecurity vulnerabilities has undergone a seismic shift, history revealing a steady increase in reported vulnerabilities. This surge can be attributed to many factors, including the pervasive integration of technology into various facets of life and the consequential expansion of potential attack surfaces.

The constant increases in reported vulnerabilities consume the resources of security teams so much that prioritizing vulnerabilities is imperative for any organization striving to navigate the evolving risks in real time and sustain operational success. Prioritization refers to the process of systematically assessing and ranking vulnerabilities to determine their potential impact.

The vulnerability prioritization process resides within the second step of the vulnerability management lifecycle, to which we’ve dedicated a full article.

After the vulnerability assessment is completed, the aim is to enrich the findings with contextual information, identifying vulnerabilities that demand immediate attention due to posing a high risk of potential for significant technical compromise and business impact. impact.

This phase zeroes in on crucial factors such as impact, exploitability, and severity, which aid in identifying the vulnerabilities that pose the most significant risk and need urgent mitigation efforts to fortify the overall security posture. This approach ensures that limited resources like time and labor are allocated efficiently to tackle the most critical security weaknesses first, reducing the organization’s overall risk exposure.

At first, the main focus of vulnerability management was on reactive measures: fixing vulnerabilities as they came to light, typically based on scans performed only on a periodic basis. However, organizations started to understand that the sheer volume of new risks made reactive tactics insufficient.

In this article, we dive into vulnerability prioritization best practices, methodologies, and strategies that enable organizations to adopt a proactive and comprehensive approach to prioritizing their vulnerabilities.

Summary of vulnerability prioritization and best practices

What is vulnerability prioritization?

Vulnerabilities can stem from various sources, including programming bugs, configuration errors, unpatched software, and human error. Prioritizing vulnerabilities enables enterprises to concentrate on the most impactful threats amid a multitude of potential risks. For instance, a critical vulnerability residing within a bordering edge device presents a more significant risk (because it offers attackers a potential gateway into a company’s network) than a similar critical vulnerability found in an isolated laptop within a logically segmented separate zone.

The focus of prioritization is on finding weaknesses that can cause significant financial losses, violate regulatory compliance, or damage the organization’s reputation. These vulnerabilities are then earmarked for immediate attention and remediation. This strategic approach ensures that amid the sea of potential vulnerabilities, resources and efforts are channeled toward mitigating the gravest threats to the organization’s stability and security.

Challenges with traditional vulnerability prioritization

Traditional vulnerability prioritization approaches do not scale effectively to combat rapidly expanding attack surfaces and the intricate interplay between vulnerabilities and their real-world impact. Prioritization in the past used to face numerous challenges.

Overreliance on CVSS

There’s been a traditional dependency on the Common Vulnerability Scoring System (CVSS) from NVD (The National Vulnerability Database). The CVSS score is a numerical representation of the technical severity of a security vulnerability, providing a standardized way to assess and communicate the potential impact of a vulnerability. Remediation and security teams have often been conditioned to rely solely on CVSS, believing it to be the sole method for easily prioritizing vulnerabilities and directing their remediation efforts. However, this system has limitations and doesn’t encompass all crucial elements for an effective prioritization strategy.

One of the many issues with overreliance on CVSS is the inability of the CVSS scoring system to consider contextual factors specific to an organization’s environment. For instance, it often disregards critical elements like asset value, network topology data such as zoning connectivity, and the potential impact of a vulnerability in a specific operational context.

{{banner1="/banners"}}

Taking a first-come, first-served approach

This is a common fallback when a concrete prioritization framework is absent. In such scenarios, remediation teams tend to tackle vulnerabilities based on their ease of patch application, with remediation efforts predominantly steered toward implementing fixes that can be swiftly applied. While seemingly practical in addressing vulnerabilities, this method often overlooks the criticality of the risk associated with each vulnerability. As a result, it may inadvertently sideline more severe and high-risk vulnerabilities in favor of quick-fix solutions, potentially exposing the organization to higher risks in the long run.

A lack of risk context

Remediation in isolation leads to inefficiencies in the prioritization process. It’s crucial to understand the specific security measures in place, the unique characteristics of each asset, and the potential financial and legal risks linked to different parts of the system before deciding on patching strategies.

Without this context, the patching process lacks direction and might prioritize less critical vulnerabilities over more severe ones. This fragmented approach doesn’t effectively safeguard against the most substantial threats, potentially exposing critical assets while focusing on network segments that might not significantly impact the organization’s overall security posture.

Driving patching based on operational efficiency

The tendency to drive patching efforts based on operational efficiency is a common challenge many IT teams experience. Success metrics in remediation programs revolve around the number of patched vulnerabilities rather than adequately mitigating risks crucial to securing the organization.

This disconnect between the sheer volume of patches applied and the actual risk reduction creates a gap in the cybersecurity strategy, potentially leaving critical vulnerabilities unaddressed while focusing on numerical achievements in patching.

Modern vulnerability prioritization models

Modern prioritization approaches represent a paradigm shift in vulnerability management, embracing innovative methodologies to efficiently identify and mitigate the most serious security flaws within complex digital environments.

Exploit Prediction Scoring System (EPSS)

EPSS is a contemporary approach designed to identify vulnerabilities with the greatest potential for exploitation. Using a variety of parameters, such as the age of the vulnerability, the presence of known exploits, and historical data linked to similar vulnerabilities, this novel method uses machine algorithms to predict the likelihood of exploitation.

By leveraging these multifaceted metrics, EPSS assists in formulating remediation strategies that prioritize vulnerabilities deemed highly susceptible to exploitation, ensuring a more targeted and proactive security approach.

Stakeholder-Specific Vulnerability Categorization (SSVC)

The Stakeholder-Specific Vulnerability Categorization (SSVC) model is intended to help organizations understand how to apply vulnerability risk to their environment and what the appropriate remediation decisions are based on that contextualized risk.

This framework considers the varied concerns and interests of stakeholders such as IT personnel, executives, and system users.

By incorporating their perspectives into the vulnerability categorization process, SSVC aligns security efforts with each stakeholder group’s goals, priorities, and risk tolerances.

The SSVC decision tree framework considers factors beyond technical severity, evaluating vulnerabilities through multiple lenses, including operational impact, compliance implications, financial risks, and reputational damage.

{{banner2="/banners"}}

CISA Known Exploited Vulnerabilities (KEV) Catalog

CISA KEV is a federally maintained project that is updated on an ongoing basis to help security teams better prioritize based on whether an exploit in the wild has been reported for a vulnerability. This resource is a foundational starting point for organizations lacking extensive resources or technical expertise.

It offers a consolidated database specifically targeting high-risk vulnerabilities with known exploits in the wild, enabling even those with limited technical understanding to initiate their security measures from a centralized and reliable source.

Custom solutions

Organizations can use custom solutions to address their own prioritization strategies. This revolves around integrating frameworks like EPSS with asset-specific contextual insights. This approach aids in pinpointing the vulnerabilities with the greatest likelihood of exploitation and discerning the assets of the most value within an organization’s infrastructure.

Best practices and recommendations

In this section, we discuss the best practices for vulnerability prioritization that can help organizations streamline their remediation strategies.

Prioritize by attributes - not just contextualized score

As we’ve established so far in this article, a single score for technical severity doesn't paint the full picture. To establish true criticality, it’s more effective to use a layered assessment approach, which might involve the inputs below (not an exhaustive list) to define an aggregated score, making it possible to compare vulnerabilities in their full context using various attributes:

• CVE score: Starting with a score for technical severity,
• Exploit Prediction Scoring System (EPSS): Gauging the likelihood of actual exploitation.
• Threat intelligence feeds: Checking for existing exploits and successful attacks within your industry.
• CISA KEV information: Identifying known exploits observed in the wild.
• Vulnerability age: Considering the time factor and potential attacker attention.
• Business impact: Factoring in the criticality of the applications and assets that can be compromised.
• Minding patch availability and ease of deployment.

Translating such inputs into numbers and associating a weight to each input is challenging, which is why it makes sense to use platforms designed for this purpose. Using the Silk platform, security teams can consolidate data sources, including detection tools, asset management systems, threat intelligence feeds, and OSINT data, amalgamating and contextualizing information to guide their prioritization strategies. This approach allows security teams to assume a more proactive stance based on the level of threat associated with a vulnerability and the relative risk posed to the business, in contrast to a simple technical severity score.

Integrate risk based on asset intelligence

Creating comprehensive asset risk profiles involves harnessing diverse sources to gather asset-centric data to build asset profiles. By utilizing tools such as endpoint detection and response (EDR), vulnerability scanners, and dedicated asset inventory solutions (like the CMDB functionality embedded in tools like ServiceNow), organizations can collect a wide array of data pertinent to their assets. This data encompasses asset inventory information on asset configurations, known vulnerabilities, system vulnerabilities, and asset interconnections.

Consider the asset’s business value, environmental context such as its specific location within the network (whether internal or external, including network segmentation information), application context, any system dependencies, existing mitigating security controls, business impact, risk propagation, and exploitation consequences (the anticipated impact if compromised). Creating comprehensive asset risk profiles involves harnessing diverse sources to gather asset-centric data.

Categorize the asset type, whether it’s hardware, software, or code, outlining its relevance to business functions. Detail its connections with other systems and which application it supports in order to evaluate its importance to the organization. Evaluate the sensitivity of the data it handles and its exposure to potential risks. Additionally, factor in the larger environmental setting by assessing the network structure, current security protocols, compliance obligations, and operational interdependencies to ensure a holistic understanding of asset profile and risk context. Understanding these aspects will enable a comprehensive evaluation, aiding in tailored risk mitigation strategies and the prioritization of security measures to safeguard the asset effectively

The Silk platform streamlines this process by offering an integrated solution. Silk correlates asset information and tags from multiple tools and allows security teams to apply custom labels that reflect environmental attributes and business-specific information. Silk allows teams to extend existing asset inventories, such as CMDBs, with security profiles, as well as enrich asset profiles with security labels through bidirectional integration.

Leverage existing modern frameworks

Leverage a framework like EPSS or SVCC in conjunction with asset profiling to better scope the remediation and enhance the precision of remediation efforts. By using a tool like Silk that combines SVCC and EPSS predictions with a detailed understanding of asset profiles, you can better prioritize consolidated findings of vulnerabilities and tailor your remediation strategies to address the most critical threats specific to your assets and operational environment.

Track the remediation of high-priority vulnerabilities

Consider a functional and accessible workflow for stakeholders in establishing accountability and effectively tracking the remediation timelines for high-priority vulnerabilities. It’s important to acknowledge that solely assigning risk scores to vulnerabilities isn’t enough to avert cyber threats unless the organization has a mechanism to establish and track accountability among relevant teams and institutes a structured workflow based on asset ownership and remediation responsibilities to support a more cohesive remediation lifecycle. The integration of remediation and prioritization within Silk’s unified platform offers significant advantages to organizations by streamlining real-time remediation efforts, facilitating the operationalization of remediation tasks, and providing visibility across the full lifecycle.

{{banner3="/banners"}}

Examples of vulnerability prioritization

We will use two examples, CVE-2019-19781 and CVE-2017-0199, to illustrate how each poses a risk to an organization and how using a modern vulnerability prioritization framework can help better address that risk. We will also delve into a theoretical calculation to assess the risk scores for both vulnerabilities.

CVE-2019-19781

This is a critical vulnerability in Citrix ADC and Gateway systems enabling remote code execution by unauthenticated attackers. To mitigate this risk effectively, organizations can adopt a proactive approach by integrating EPSS, asset profiling, and threat intelligence to create a clear and concise remediation strategy.

EPSS

First, leveraging EPSS helps determine the likelihood of exploitation for CVE-2019-19781. It enables organizations to prioritize vulnerabilities based on their exploitability and potential impact, which will be significant in this case due to the details of this vulnerability. For instance, it allows unauthenticated attackers to execute arbitrary code remotely, potentially compromising sensitive data, taking control of affected systems, and even disrupting critical services. Security teams have a limited set of options for implementing mitigating controls in the short term to limit the impact of a successful exploit.

Asset profiling

This analysis helps the organization understand the role and significance of Citrix ADC and Gateway systems within the organization’s infrastructure. These systems are central to managing and securing network traffic, providing access to applications, and ensuring data integrity across various organizational functions. By maintaining an asset inventory, teams can quickly scope the extent of the remediation project. Teams can compile a list of impacted assets in their environment and determine a hierarchy for remediation based on the networks where the gateways sit and which applications they front-end. If networks are regulated, or if the application deals with sensitive data, the security team can focus on that set as the first priority.

Understanding the Citrix ADC implementation context is important, especially the enabled security features and controls safeguarding these endpoints. By assessing the presence and effectiveness of security measures within the installation, organizations can assign a hypothetical score ranging from 0 to 10. Furthermore, the location of this asset, whether internal or externally accessible, helps narrow down the threat exposure. This contextual scoring aids in streamlining the overall risk assessment process, offering a tailored evaluation of each asset’s security posture within the Citrix ADC environment.

Threat intelligence

Threat Intelligence significantly aids security teams in evaluating residual risk within their environment. An intelligence score is generated from continuous monitoring of potential exploitation, active discussions in social media regarding ongoing vulnerabilities, and tracking underground exploit transactions. This proactive approach assists organizations in addressing vulnerabilities still in the process of mitigation. Leveraging this information allows teams to pivot and adjust their prioritization strategies, especially for vulnerabilities that are initially deemed to have a lower impact but exhibit potential threats discovered through ongoing intelligence gathering. In the case of CVE-2019-19781, initially perceived with a lower impact, ongoing intelligence gathering reveals potential threats associated with this specific vulnerability and higher impact with a potential of unauthorized access and compromise of sensitive information

CVE-2017-0199

This vulnerability was initially disclosed in early 2017 but originated in late 2016 when security researchers identified a critical vulnerability within Microsoft Office products. The vulnerability specifically resides in the handling of certain rich text format (RTF) documents. It was assigned a CVSS score of 7.8 (high severity) but has been listed as critical due to its potential for exploitation through various attack vectors, such as email attachments or links leading to malicious documents.

Cybercriminals exploit this vulnerability to deliver malware, gain unauthorized access, and compromise systems. Due to its ease of exploitation and the widespread use of Microsoft Office products, CVE-2017-0199 became a focal point in cybersecurity discussions and prompted immediate attention from security experts and Microsoft for mitigation. This shift in remediation priority was solely driven by its composite threat intelligence score, which indicated active weaponization and suggested that cybercriminals leveraged this vulnerability in a combination of ransomware and malware spread attacks.

This heightened threat has sparked a renewed focus on asset profiling within organizations. Its significance lies in the potential vulnerability of end-user workstations, which, if compromised, could become entry points for malware infiltration, creating a pathway for rapid propagation across the network.

Risk score calculation

The risk scores in this example are derived by evaluating various factors associated with each vulnerability using a scale from 1 to 10. Each parameter is assigned a score reflecting its severity or impact level. By summing these individual scores across all parameters, we derive a hypothetical composite risk score, offering a holistic view of the vulnerability’s overall risk potential. These factors include the following:

• Asset value
• Active exploitation in the wild
• Ease of exploitation (automated/manual)
• Maturity of exploit code
• Vulnerabilities associated with malware
• Vulnerabilities related to ransomware
• Exploitation consequences

This table is a snapshot of the risk scores associated with the CVEs discussed in this article, offering a comparative analysis across distinct risk parameters. The risk score is computed leveraging the factors powered by EPSS, enriched with threat intelligence inputs, and tailored through asset profiling, ensuring a holistic evaluation of the vulnerability risk score. This approach enables the weighting and prioritization of individual risk parameters based on the unique characteristics and exposure of each asset.

{{banner4="/banners"}}

Conclusion

Given the dynamic nature of today’s threat landscape, it is critical to utilize cutting-edge approaches such as contextual risk prioritization, threat intelligence stream integration, and customized frameworks for vulnerability management.

Organizations can increase their resilience against new cyber threats by adopting proactive methods that strengthen defenses, quickly identify vulnerabilities, and prioritize remediation operations. Keeping up with the rapidly changing cybersecurity landscape, protecting sensitive assets, and ensuring operational continuity all depend on the strategic application and ongoing adoption of these tactics.