Prioritize Patching: A Risk-Based Vulnerability Management Approach
Risk-Based Vulnerability Management (RBVM) - a better way to add context to your vulnerability management program.
In July 2021, a consortium of international government agencies issued a joint cybersecurity advisory detailing the top 30 vulnerabilities that threat actors exploited in 2020 and throughout 2021. Of those vulnerabilities, four of the most targeted vulnerabilities were associated with technologies that sit on the perimeter of your network and are publicly accessible to the Internet. These included Pulse Secure VPN, Fortinet VPN, Accellion data transfer application, and Microsoft Exchange.
Attackers target perimeter devices and services for two main reasons. First, they are what attackers can see, since they are publicly visible. Second, they serve as access points into the internal environment. While threat actors have always targeted the perimeter defenses of organizations, the increase in remote work has brought increased risk as companies struggle to adopt new technologies. This poses a more pronounced risk for organizations that have a large legacy of on-premises infrastructure and have not yet adopted cloud technologies, since that transition is more difficult, time-consuming, and costly to accomplish. Ransomware threat actors can recognize the hallmarks of these legacy environments from the outside, and those environments enable easier lateral movement and deployment of ransomware once the actors get in. This results in larger disruption to the environment and longer downtime for business operations.
This leads us to another fact that stands contrary to popular public opinion: the majority of attacks are not overly sophisticated and do not use “zero day” vulnerabilities (vulnerabilities that have not yet been publicly disclosed) to gain access into an environment. For threat actors targeting your environments, including ransomware groups, it is about finding a single weak link, one small oversight or gap in security that can yield a great return.
While this sounds frightening, the good news for organizations is that you don’t have to have a massive security budget to secure your perimeter. You can create a system to effectively manage your risk with public information rather than attempt to predict what the next zero day will be. The challenge then becomes how to sift through and understand the large number of existing vulnerabilities.
Establish the Context, Then Act
Entering stage left: Risk-based Vulnerability Management (RBVM) - a better way to add context to your vulnerability management program.
Mitigating vulnerabilities can seem like a daunting task, especially for organizations that do not have proper staffing to tackle the endless number of vulnerabilities emerging every day. Whereas Vulnerability Management focuses mainly on identifying vulnerabilities and classifying them based only on the severity of the vulnerability itself (rather than the true risk to your organization), RBVM adds contextual information relating to the risk and impact to your environment, not a general risk rating of the vulnerability itself.
Say you have a list of 25 vulnerabilities rated “critical”. A simple Vulnerability Management approach would suggest that all of them need to be patched ASAP. An RBVM approach allows you to prioritize based on the true risk they pose to your organization. For example, if you identify a vulnerability on your VPN device that: 1) if exploited, could provide an attacker access into your internal environment; 2) is actively being exploited in the wild; and 3) would affect your entire workforce, since all employees use that VPN -- then that deserves your highest attention. Compare this to another critical vulnerability of an internal application that, if exploited, could lead to unauthorized access to a limited amount of non-confidential information. While important to address, the internal vulnerability would require a threat actor to already have access to your internal environment, so it should not have the same level of urgency as the vulnerability in the VPN that could provide access. That additional context is very important in prioritizing your response.
Establishing an RBVM Program
If by now you’re sold on the idea of RBVM, you may be wondering where to start. A proper RBVM program has overlap with any good Vulnerability Management program, but the true separation occurs by introducing a better context of the threat itself and the impact it could have on the organization if a threat actor exploited it. The core components of a robust RBVM program include:
Identify Your Assets
- Everything starts with knowing (or identifying) what your assets are. This includes your managed endpoints (servers, workstations, network devices, etc.), both internal and external facing. Additionally, knowing which third-party applications are in use, and how they are used, is critical. This can range from the software/services you are hosting on your perimeter (e.g. your VPN device, your web server, etc.) to the business applications used for day-to-day operations (e.g. your PDF reader, your word processor, etc.).
Scan and Monitor your Assets for Known Vulnerabilities
- Continuous vulnerability monitoring is a concept that is starting to gain traction so you achieve near real-time visibility on vulnerabilities for your organization. This ties very well into a Patch Management program that helps remediate vulnerabilities. For companies that are not able to achieve continuous monitoring, start with quarterly vulnerability scans and an annual penetration test. To fill the gaps between the scans, monitor patch releases for your core systems and applications and categorize the risk based on the information provided in the patch release. The end goal is to patch as quickly as possible.
Prioritize Remediation Based on the Threat Context
- Context is everything. Knowing the type of vulnerability you are dealing with and the level of impact it could have on your environment if it were exploited is the driving force behind how you prioritize activities, especially with a limited team. The IT and Security teams should guide the business on understanding the risk and take initiative to patch systems and applications when a critical patch is released.
Remediate and Verify
- Once you remediate, test it! We often see reports from IT teams or IT service providers that something has been patched and when we run our Corvus scan again we notice that it wasn’t applied properly or not to the entire fleet of assets. When dealing with critical vulnerabilities that could significantly impact your organization, a double check is worth the small time investment to reduce the likelihood that something was overlooked.
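The four components above, together with the VPN-versus-internal-application comparison earlier in the post, can be tied together in a short script. The following is an added example, not Corvus code or any product's scoring model: the asset inventory, scan findings, rescan results and `CVE-EXAMPLE-*` identifiers are constructed, and the weights in `risk_score` are an assumed illustration of how exposure, active exploitation, foothold potential, data sensitivity and workforce impact can outrank a bare severity label. The last function reconciles what IT reported as patched against a rescan, which is the "remediate and verify" check described above.

```python
"""Risk-based vulnerability prioritization with a post-patch verification step.

Added example, not Corvus code. All asset records, scan findings, CVE
placeholders and scoring weights below are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool          # reachable from the Internet (perimeter)
    provides_network_access: bool  # e.g. a VPN: exploitation yields a foothold inside
    users_affected: int            # headcount that depends on this asset


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder identifiers below, not real CVEs
    asset: str
    severity: str             # scanner's own rating: critical/high/medium/low
    exploited_in_wild: bool   # e.g. appears on a known-exploited list
    data_sensitivity: str     # "confidential" or "public"


# Step 1: asset inventory (constructed): two VPN gateways, an internal HR
# application and a public web server.
WORKFORCE_SIZE = 500
ASSETS: Dict[str, Asset] = {
    "vpn-gw-1": Asset("vpn-gw-1", True, True, 500),
    "vpn-gw-2": Asset("vpn-gw-2", True, True, 500),
    "hr-intranet": Asset("hr-intranet", False, False, 40),
    "www": Asset("www", True, False, 0),
}

# Step 2: findings from a vulnerability scan (constructed). Note that the
# HR application finding carries the same "critical" label as the VPN one.
SCAN_FINDINGS: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", "vpn-gw-1", "critical", True, "confidential"),
    Finding("CVE-EXAMPLE-0001", "vpn-gw-2", "critical", True, "confidential"),
    Finding("CVE-EXAMPLE-0002", "hr-intranet", "critical", False, "public"),
    Finding("CVE-EXAMPLE-0003", "www", "high", True, "public"),
]

SEVERITY_BASE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def risk_score(finding: Finding, asset: Asset, workforce_size: int = WORKFORCE_SIZE) -> float:
    """Contextual risk score (assumed weighting model, not an industry standard).

    Starts from the scanner severity, then scales by the context RBVM cares
    about: exposure, active exploitation, foothold potential, data sensitivity
    and the share of the workforce affected.
    """
    score = float(SEVERITY_BASE[finding.severity])
    if asset.internet_facing:
        score *= 3          # any attacker on the Internet can reach it
    if finding.exploited_in_wild:
        score *= 2          # weaponized, not theoretical
    if asset.provides_network_access:
        score *= 2          # a successful exploit opens the internal network
    if finding.data_sensitivity == "confidential":
        score += 2
    score *= 1 + asset.users_affected / workforce_size
    return round(score, 1)


def prioritize(findings: Iterable[Finding], assets: Dict[str, Asset]) -> List[Tuple[float, str, str]]:
    """Step 3: order findings by contextual risk, highest first."""
    ranked = [(risk_score(f, assets[f.asset]), f.cve, f.asset) for f in findings]
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))


def unverified_patches(reported_patched: Dict[str, Set[str]],
                       rescan: Iterable[Finding]) -> Dict[str, List[str]]:
    """Step 4: compare what IT reported as patched against a rescan.

    Returns {cve: [assets]} for patches that were reported but the rescan
    still detects, i.e. applied incorrectly or not to the whole fleet.
    """
    still_open: Set[Tuple[str, str]] = {(f.cve, f.asset) for f in rescan}
    gaps: Dict[str, List[str]] = {}
    for cve, hosts in reported_patched.items():
        missed = sorted(h for h in hosts if (cve, h) in still_open)
        if missed:
            gaps[cve] = missed
    return gaps


# Constructed verification data: IT reports both VPN gateways and the web
# server patched; the rescan shows the second gateway was missed.
REPORTED_PATCHED: Dict[str, Set[str]] = {
    "CVE-EXAMPLE-0001": {"vpn-gw-1", "vpn-gw-2"},
    "CVE-EXAMPLE-0003": {"www"},
}
RESCAN_FINDINGS: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", "vpn-gw-2", "critical", True, "confidential"),
    Finding("CVE-EXAMPLE-0002", "hr-intranet", "critical", False, "public"),
]

if __name__ == "__main__":
    for score, cve, asset in prioritize(SCAN_FINDINGS, ASSETS):
        print(f"{score:6.1f}  {cve:18s} {asset}")
    print("still vulnerable after reported patching:",
          unverified_patches(REPORTED_PATCHED, RESCAN_FINDINGS))
```

Run as-is, the ranking puts both VPN gateways far above the web server and the internal HR application, even though the HR finding shares the VPN's "critical" scanner rating, and the verification step flags `vpn-gw-2` as still vulnerable despite the report that the whole fleet was patched. Swap in your own inventory and scanner export for the constructed data; the weights are the part to tune to your environment.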
A robust Risk-Based Vulnerability Management program coupled with a solid Patch Management program can help organizations better prioritize the risks associated with their environment. By adding the right context to the vulnerabilities being identified, you can take a mountain of vulnerabilities and break them down into a more digestible format that can better be tackled by your IT and Security teams. Securing your organization starts with visibility and ends with mitigating the risk. Everything in between comes down to how you prioritize mitigation strategies, such as patching your assets.
At Corvus, we see risk mitigation as a top priority. From scanning our policyholder’s perimeter network to providing additional context on emerging threats and explaining the impact they can have on their security, we strive for the mission of a safer world. Along with that goal, our VCISO services can help organizations dig deeper into their cyber defenses through a suite of consultative sessions with our security partners.