
The real impact of exploitable vulnerabilities

Orani Amroussi | October 13, 2022


Vulnerability scanning across the multiple attack surfaces of a product can often yield hundreds of exploitable vulnerabilities. Of course, it’s impossible to resolve all of these vulnerabilities at once, as teams lack the capacity and/or resources to do so. And organizations are under constant pressure to update and improve their network, application and cloud environments.

Exploit maturity data enables filtering of the vulnerabilities to identify mature ones with a record of exploitation, those vulnerabilities for which there is only proof that they could be exploited, and vulnerabilities with no recorded exploitation data. 

Ultimately, the goal is not to fix all the exploitable vulnerabilities, but rather to fix those that could negatively impact the business. And first ascertaining the level of maturity of the vulnerability is an essential exercise when faced with multiple potentially serious threats. 

This blog is an extract from the Vulcan Cyber Voyager18 team’s latest white paper, “Exploit maturity: an introduction”.

Maturity level of exploitable vulnerabilities

A vulnerability can be classified into one of three categories based on the exploitation records and cause:   

Unknown 

A vulnerability has been identified and a warning has been issued by the developer, or the maintainer of a third-party library, database, or operating system.  There is no evidence of exploitation in the wild, and no published Proof of Concept is known.

Proof of concept 

No exploitation has been recorded, but a proof of concept exists that exploits the vulnerability. The exploit can be difficult to implement or simply hasn’t been used in the wild.

Exploited 

There are real cases in which attackers have exploited the system, or the vulnerability has been verified by an author in an authoritative exploit database.

Criteria for maturity levels

A vulnerability that is being actively exploited usually requires immediate attention, but there are several criteria to consider so that Security Operations teams can identify the vulnerabilities with the highest priority:

Effort needed to make the exploitation work

With attackers generally being opportunists seeking quick wins and open goals, they’re likely to ignore exploits that require considerable effort to leverage:

Amount of work 

The more steps needed to exploit the vulnerability, the lower the exploitation maturity level. Many steps may need to be executed in order to make an exploitation work, such as:

  • Registering a new account in the customer portal
  • Successfully purchasing the product
  • Registering the purchased product kit with the current account
  • Calling an API that has a vulnerability

Ease of exploitation 

How much expertise do threat actors need to exploit this vulnerability? A complex exploitation process will mean that the vulnerability is unlikely to pose an immediate threat.

Exploit availability 

Where the exploit can be found also matters when assessing the risk of the vulnerability. If the exploit appears in an exploit database, the vulnerability should be remediated right away.

Exploit impact 

For every exploitable vulnerability, the impact on the company, product, and reputation can differ. Confidentiality, integrity and availability are all potentially affected in the case of a data breach. Understanding where you stand to be most impacted is key to assessing what to focus on first. 

Impact in context

In 2016, a cyber attack on the central bank of Bangladesh, recorded at the Federal Reserve Bank of New York, generated multiple fraudulent withdrawals equivalent to around 1 billion U.S. dollars. The hackers exploited a security vulnerability in the banking system to retrieve the necessary credentials, then injected malware to delete database records of the illegal transfers.

Exploit scope 

An exploit affecting a single system is a wholly different situation than one that targets an entire company system. Security teams must identify the potential scope of an exploit in order to assess how much of a priority it is compared to others.

Scope in context

In 2017, the Google Project Zero team discovered that Cloudflare's servers were allowing sensitive data to be cached by search engines. At that time, approximately six million websites were using Cloudflare's services, and between September 2016 and February 2017, the problematic caching mechanism was triggered 1,242,071 times. In Cloudflare's case, the scope did not stop at the application level, but affected multiple web applications from around the world.
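
The three maturity levels and the criteria above can be combined into a small triage routine. The following is an added example, not code from the white paper or from Vulcan Cyber; the field names, the 1 to 3 scales, the constructed sample findings and the tie-break order inside a maturity level are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Maturity(IntEnum):
    UNKNOWN = 0           # advisory issued, no PoC and no exploitation known
    PROOF_OF_CONCEPT = 1  # PoC exists, no exploitation recorded
    EXPLOITED = 2         # exploited in the wild or verified in an exploit database


@dataclass
class Finding:
    vuln_id: str                  # constructed placeholder identifier
    exploited_in_wild: bool
    verified_in_exploit_db: bool
    poc_published: bool
    steps_required: int           # "amount of work": prerequisite steps
    expertise: int                # "ease of exploitation": 1 low skill .. 3 expert
    impact: int                   # 1..3, business impact on C/I/A
    scope: int                    # 1 single system .. 3 company-wide


def maturity(f: Finding) -> Maturity:
    """Apply the three category definitions, strongest evidence first."""
    if f.exploited_in_wild or f.verified_in_exploit_db:
        return Maturity.EXPLOITED
    if f.poc_published:
        return Maturity.PROOF_OF_CONCEPT
    return Maturity.UNKNOWN


def triage_key(f: Finding):
    # Assumed ordering: maturity first, then higher impact, wider scope,
    # and finally lower attacker effort (fewer steps, less expertise).
    return (-maturity(f), -f.impact, -f.scope, f.steps_required + f.expertise)


def prioritize(findings):
    return sorted(findings, key=triage_key)


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("VULN-A", False, False, False, 1, 1, 3, 3),
    Finding("VULN-B", False, False, True, 4, 3, 3, 2),
    Finding("VULN-C", True, False, False, 1, 1, 2, 1),
    Finding("VULN-D", False, True, False, 2, 2, 3, 3),
    Finding("VULN-E", False, False, True, 1, 1, 3, 2),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id}: {maturity(f).name}, impact={f.impact}, scope={f.scope}")
```

Note that VULN-A has the highest impact and scope yet sorts last because nothing shows it can be exploited, while VULN-B and VULN-E differ only in the effort an attacker would need.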

Taking action on exploitable vulnerabilities

Exploring how vulnerabilities turn into exploits gives us visibility into the lifecycle of a potential system compromise - and helps us better strategize how to avoid one. But the critical next step is prioritizing the most critical exploitable vulnerabilities and taking the necessary steps to mitigate the cyber risk. And with an ever-expanding attack surface, efficient and collaborative processes are crucial in order to stay secure.
