
The true impact of exploitable vulnerabilities for 2024

On the surface, exploitable vulnerabilities all seem like priorities. But this isn't always the case. Here's everything you need to know.

Orani Amroussi | May 6, 2024

Vulnerability scanning across multiple attack vectors in an environment can often yield hundreds of vulnerabilities. Of course, it’s impossible to resolve all of these vulnerabilities at once, as teams lack the capacity and/or resources to do so. At the same time, organizations are under constant pressure to update and improve their network, application, and cloud environments.

Exploit maturity data enables filtering of the vulnerabilities to identify mature ones with a record of exploitation, those vulnerabilities for which there is only proof that they could be exploited, and vulnerabilities with no recorded exploitation data. 

Ultimately, the realistic goal is not to fix all the vulnerabilities but rather to fix those that could negatively impact the business. Accordingly, first ascertaining the level of maturity of the vulnerability is an essential exercise when faced with multiple potentially serious threats.

This blog explores the true impact of exploitable vulnerabilities as we close out 2023 and enter 2024. You can read the extended white paper here. 

TL;DR

Exploitable vulnerabilities vary in risk, necessitating a nuanced management approach that considers exploit maturity and potential impact. Prioritization is key, focusing on vulnerabilities with known exploits, especially those actively exploited or requiring minimal effort to leverage. Effective management strategies involve assessing the availability and complexity of exploits, alongside the potential damage and reach of the vulnerability, to allocate resources efficiently and mitigate the most critical threats first.

Vulnerability maturity level

A vulnerability can be classified into one of three categories based on the exploitation records and cause: 

  • Unknown: A vulnerability has been identified and a warning has been issued by the developer or the maintainer of a third-party library, database, or operating system. There is no evidence of exploitation in the wild, and no published proof of concept is known.
  • Proof of concept: No exploitation has been recorded, but there is a proof of concept that exploits the vulnerability. The exploit may be difficult to implement, impractical, or simply hasn’t been used in the wild.
  • Exploited: There are real cases in which attackers have exploited the system, or the vulnerability has been verified by an author in an authoritative exploit database.

 

Criteria for maturity levels

The average enterprise typically encounters an overwhelming number of vulnerabilities in their environments. This is a prominent issue for most security teams in 2023.

54% of security leaders patched fewer than 50% of vulnerabilities in their backlogs in 2023.

Not all vulnerabilities are created equal. While one that is being actively exploited usually requires immediate attention, there are several criteria to consider so that security operations teams can identify those with the highest priority.

 

1. Effort needed to exploit the vulnerability

With attackers generally being opportunists seeking quick wins and open goals, they’re likely to ignore exploits that require considerable effort to leverage:

  • Amount of work: The more steps needed to exploit the vulnerability, the less appealing it is to threat actors, which will lower the risk.
  • Ease of exploitation: How much expertise do threat actors need to exploit this vulnerability? A complex exploitation process will mean that threat actors are more likely to use other, easier exploits, which means the vulnerability is less likely to pose an immediate threat.

Many steps may need to be executed to make an exploitation work, such as:

  1. Registering a new account in the customer portal
  2. Successfully purchasing the product
  3. Registering the purchased product kit with the current account
  4. Calling an API that has a vulnerability

 

 

2. Exploit impact 

For every exploited vulnerability found in the wild, its impact on the company, product, and reputation can differ. Confidentiality, integrity, and availability are all potentially affected in the case of a data breach. Understanding where you stand to be most impacted is key to determining what to focus on first.

Impact in context

In 2016, a cyberattack recorded against the central bank of Bangladesh at the Federal Reserve Bank of New York generated multiple fraudulent withdrawals equivalent to around $1 billion. The attackers exploited a security vulnerability in the banking system to retrieve the necessary credentials, then injected malware to delete database records of the illegal transfers.

3. Exploit scope

An exploit affecting a single system is a wholly different situation than one that targets an organization’s entire environment. Security teams must identify the potential scope of an exploit to assess how much of a priority it is compared to others. Note that even exploits compromising a single host will often lead to the entire system being affected, so the scope must be considered in this context.

Scope in context

In 2017, the Google Project Zero team discovered that Cloudflare’s servers were allowing sensitive data to be cached by search engines. At that time, approximately six million websites were using Cloudflare’s services, and between September 2016 and February 2017, the problematic caching mechanism was triggered 1,242,071 times. In Cloudflare’s case, the scope did not stop at the application level but affected multiple web applications from around the world.
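The three maturity levels and the effort, impact, and scope criteria described above can be combined into a single triage order. The Python below is an added example, not Vulcan Cyber's code or scoring model; the field names, the effort formula, the tie-break order, and the sample findings are assumptions constructed for illustration.

```python
from enum import IntEnum

class Maturity(IntEnum):
    UNKNOWN = 0           # advisory only: no PoC, no exploitation record
    PROOF_OF_CONCEPT = 1  # PoC exists, no recorded exploitation
    EXPLOITED = 2         # exploited in the wild or verified in an exploit database

def classify(finding):
    """Map exploitation evidence to the three maturity levels.
    Missing evidence fields count as 'no record', which yields UNKNOWN."""
    if finding.get("exploited_in_wild") or finding.get("verified_in_exploit_db"):
        return Maturity.EXPLOITED
    if finding.get("poc_published"):
        return Maturity.PROOF_OF_CONCEPT
    return Maturity.UNKNOWN

def priority_key(finding):
    """Sort key: maturity first, then low attacker effort, then impact, then scope.
    The ordering and the effort formula are assumptions of this example."""
    effort = finding.get("steps_required", 1) * finding.get("expertise", 1)
    return (-classify(finding), effort,
            -finding.get("cia_impact", 0), -finding.get("hosts_in_scope", 1))

def triage(findings):
    """Return (id, maturity name) pairs, highest priority first."""
    return [(f["id"], classify(f).name) for f in sorted(findings, key=priority_key)]

# Constructed sample findings; the IDs are placeholders, not real identifiers.
# expertise: 1 (low) to 3 (high); cia_impact: how many of C/I/A are affected.
FINDINGS = [
    # Four attacker steps, like the account/purchase/register/API chain above.
    {"id": "VULN-A", "poc_published": True, "steps_required": 4, "expertise": 2,
     "cia_impact": 3, "hosts_in_scope": 1},
    {"id": "VULN-B", "exploited_in_wild": True, "steps_required": 1, "expertise": 1,
     "cia_impact": 2, "hosts_in_scope": 40},
    # No exploitation data at all: stays UNKNOWN despite high impact and scope.
    {"id": "VULN-C", "cia_impact": 3, "hosts_in_scope": 200},
    {"id": "VULN-D", "verified_in_exploit_db": True, "poc_published": True,
     "steps_required": 4, "expertise": 3, "cia_impact": 3, "hosts_in_scope": 5},
    {"id": "VULN-E", "poc_published": True, "steps_required": 1, "expertise": 1,
     "cia_impact": 1, "hosts_in_scope": 3},
]

if __name__ == "__main__":
    for vuln_id, level in triage(FINDINGS):
        print(f"{vuln_id}: {level}")
```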

Take action on exploitable vulnerabilities with Vulcan Cyber

Exploring how vulnerabilities turn into exploits gives us visibility into the lifecycle of a potential system compromise and helps us better strategize how to avoid one. As we head into 2024, security environments have never been more complex. Exploitable vulnerabilities have never been more of a concern, and security leaders know action is needed. 

At the forefront of cyber security innovation, Mandiant was well aware of this issue. They used Vulcan Cyber to prioritize the risk that mattered most: 

"With Vulcan, we've been able to consolidate all of our data in one place and focus on only the vulnerabilities that matter to us, so our developers can fix things fast, and focus on adding value to our customers."

Matt Shelton, Director of Technology Risk & Threat Intelligence, Mandiant

 

The Vulcan Cyber risk management platform is designed to help teams drive mitigation outcomes for those vulnerabilities that represent the most risk to their specific organizations. Book a demo today to learn more.
