Last week at BSidesLV, I had the privilege to explore the complexities of the CISA's Known Exploited Vulnerabilities (KEV) Catalog. This vital resource aids organizations in understanding which vulnerabilities are actively exploited and how to prioritize remediation efforts effectively.
Here, I’ll share three key insights from my analysis that can enhance vulnerability management strategies.
The full talk (it's only 20 minutes, but I clearly could have used 30!) can be found here, and the slides and dataset used can be found here.
The Decreasing Age of CVEs Added to KEV
The average age of CVEs added to the KEV decreases over time. In 2023, which we consider the first full baseline year, most vulnerabilities were added within the first week of their assignment. This trend suggests not only that vulnerabilities are being exploited faster (we already know this) but also that information sharing and partnerships between CISA and other organizations have improved.
Additionally, the shift towards younger CVEs being added to KEV is encouraging as it indicates that the security community is becoming more proactive in identifying exploitation. For organizations, this means staying vigilant and ready to respond quickly to newly disclosed vulnerabilities, as they're more likely to be added to the KEV shortly after discovery.
The Fluidity of the "Known Ransomware Campaign Use" Field
A lesser-known aspect of the KEV data is that it's not static.
In October 2023, CISA added a field called "known ransomware campaign use" to the catalog. We found that this field is updated silently and can change from "unknown" to "known" without fanfare. From October 2023 to July 2024, this field was updated 41 times.
Research suggests that vulnerabilities flagged for known ransomware use are patched 2.5 times faster; this makes sense given the significant financial and operational impacts of ransomware attacks. Organizations should pay close attention to this field and regularly check for updates. It goes without saying that if a vulnerability in your environment is flagged for known ransomware use, it should be prioritized for patching immediately.
Prioritization Insights from within the KEV Data
Another interesting finding is that by considering two data points from within the KEV, you can discern a “level of concern” that organizations can use to make more informed decisions about which vulnerabilities to address first when resources are limited.
1. The time that is given to fix the vulnerability.
Early on, the time given to fix a vulnerability was either 14 or 180 days. Shortly after the Russia/Ukraine war began, CISA seemed to settle on a fixed 21-day period. However, if you look at the bottom right of the plot, you'll notice a handful of vulnerabilities with even shorter fix timelines in the last year.
2. The day of the week the vulnerability was added to the KEV.
Interestingly, the day of the week a vulnerability is added can be telling. In the past year or more, there have only been two drops on a Friday, and both had a time to fix of 7 days (a 7-day time to fix has occurred only six other times). Overall, the time to fix has standardized to 21 days for most entries, but shorter timeframes indicate higher-priority vulnerabilities.
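The two checks described above (watching the ransomware field for silent changes, and deriving a level of concern from the fix window and the day of the week an entry was added) are easy to automate against the catalog's JSON feed. The script below is an added example, not code from the talk or from CISA. It uses the field names of CISA's public KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse); the two snapshots, their CVE IDs and dates are constructed for illustration and are not real catalog entries.

```python
"""Added example (not the talk's or CISA's code): diff two KEV snapshots for
silent changes to the ransomware field, and score each entry by the signals
discussed above (time to fix, weekday added, ransomware flag).  Field names
follow CISA's JSON feed; the entries themselves are constructed samples."""
import json
from datetime import date

# Constructed snapshots, shaped like the "vulnerabilities" array of the KEV feed.
# In practice these would be two downloads of the feed taken on different days.
SNAPSHOT_OLD = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-04", "dueDate": "2024-03-25",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-08", "dueDate": "2024-03-15",
     "knownRansomwareCampaignUse": "Unknown"},
]})
SNAPSHOT_NEW = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-04", "dueDate": "2024-03-25",
     "knownRansomwareCampaignUse": "Known"},      # silently flipped since OLD
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-08", "dueDate": "2024-03-15",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-03-11", "dueDate": "2024-09-07",
     "knownRansomwareCampaignUse": "Unknown"},    # new entry, long 180-day window
]})


def load_kev(text):
    """Parse a KEV JSON document into a dict keyed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def ransomware_changes(old, new):
    """CVEs present in both snapshots whose ransomware flag changed.

    Returns a list of (cveID, old_value, new_value); a "Known" arriving here is
    the silent update the catalog never announces."""
    changes = []
    for cve, entry in new.items():
        if cve in old:
            before = old[cve]["knownRansomwareCampaignUse"]
            after = entry["knownRansomwareCampaignUse"]
            if before.lower() != after.lower():
                changes.append((cve, before, after))
    return changes


def new_entries(old, new):
    """CVEs added to the catalog between the two snapshots."""
    return sorted(cve for cve in new if cve not in old)


def days_to_fix(entry):
    """Fix window CISA assigned: dueDate minus dateAdded, in days."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def added_weekday(entry):
    """Day of the week the entry was added, e.g. "Friday"."""
    return date.fromisoformat(entry["dateAdded"]).strftime("%A")


def level_of_concern(entry):
    """Heuristic ranking from the signals discussed above (an assumption of this
    example, not CISA guidance): a ransomware flag or a fix window of 7 days or
    less is "high"; the standard 21-day window is "standard"; longer is "lower".
    A Friday drop is noted because the talk found those paired with 7-day windows."""
    window = days_to_fix(entry)
    ransomware = entry["knownRansomwareCampaignUse"].lower() == "known"
    if ransomware or window <= 7:
        return "high"
    if window <= 21:
        return "standard"
    return "lower"


def triage(old, new):
    """One row per entry in the newer snapshot, most concerning first."""
    rows = []
    for cve, entry in new.items():
        rows.append({"cve": cve, "days_to_fix": days_to_fix(entry),
                     "weekday": added_weekday(entry),
                     "ransomware": entry["knownRansomwareCampaignUse"],
                     "concern": level_of_concern(entry)})
    order = {"high": 0, "standard": 1, "lower": 2}
    return sorted(rows, key=lambda r: (order[r["concern"]], r["days_to_fix"]))


if __name__ == "__main__":
    old, new = load_kev(SNAPSHOT_OLD), load_kev(SNAPSHOT_NEW)
    for cve, before, after in ransomware_changes(old, new):
        print(f"ransomware flag changed: {cve} {before} -> {after}")
    print("new entries:", new_entries(old, new))
    for row in triage(old, new):
        print(row)
```

Run against two real downloads of the feed, the same functions report which entries gained the ransomware flag since the last check and surface the short-window entries at the top of the list; the thresholds in level_of_concern are the example's own and should be tuned to your environment.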
To summarize, although the KEV catalog is mainly intended for government use, it provides valuable insights for prioritizing vulnerabilities. Cybersecurity professionals can enhance their remediation efforts by analyzing patterns such as vendor dominance, time given to fix, the day of the week an issue was added, and any changes to the ransomware field.
Again, the full talk can be found here, and the slides and dataset can be found here.