When the Cybersecurity and Infrastructure Security Agency debuted its list of known, exploited vulnerabilities in November, it was nearly 300 flaws long and came attached to an order for federal agencies to fix them quickly.
Now, as of this week, the catalog known as “KEV” or the “Must-Patch” list is well on its way to 800 listings, and it’s the “No. 1 topic” that CISA Executive Director for Cybersecurity Eric Goldstein says comes up in his frequent, daily meetings with businesses.
The reason, said Goldstein, is that the private sector has — without any order from his agency — adopted the KEV list as a guide for the vulnerabilities they focus on, rather than relying on the traditional open-source industry standard Common Vulnerability Scoring System for assessing the severity of software weaknesses.
The KEV list features flaws in a who’s-who of big tech products, from Adobe to Oracle to Microsoft.
“I think it has driven extraordinary focus and really a big re-conceptualization of how organizations rate and prioritize vulnerabilities, moving away from CVSS as the default, and more towards what’s actually being used ‘in the wild,'” Goldstein told CyberScoop in an interview, referring to a term for threats actively used in real-world attacks, rather than just theoretically.
CISA, a division of the Department of Homeland Security, has placed 41 additions on the KEV catalog this week alone. But Goldstein said he doesn’t fear swamping users with too many vulnerabilities. Ideally, with available technological tools, no human ever has to interact with the list; it should, he said, be entirely “ingested by machines with the use of prioritized, automated mitigation.”
One company that provides an automated tool for detecting vulnerabilities to internet-accessible programs and services, Palo Alto Networks, said it was able to align it with KEV to rapidly discover vulnerabilities on that list.
“Ideally, both CISA and every agency CIO should have real-time visibility into every internet-facing instance of every KEV across their respective domains,” said Ryan Gillis, vice president of cybersecurity strategy and global policy. “We appreciate CISA’s eagerness to continue driving towards enhanced visibility and automation.”
Vince Voci, vice president of cyber policy and operations at the U.S. Chamber of Commerce, said KEV is “a good maturation and strengthening of CISA that we at the Chamber and others have helped support over time.”
While he said he doesn’t have a good sense of how widely the private sector is adopting KEV, Voci said it’s handy for “when you’re looking at a patch and vulnerability management system to help network vendors rack and stack and move toward the highest priority list.”
Room for improvement
Not everyone is a fan of how the KEV list is expanding. Bob Rudis, head of data science at GreyNoise intelligence, tracks the list, and while he counts himself as an advocate of KEV, he hasn’t been impressed by recent additions, saying that CISA is “scraping the bottom of the barrel” and focusing too much on “old” vulnerabilities. Rudis said he’s working on a blog post proposing how to make KEV more useful.
Rudis said additions that would make KEV better include information on the last known time frame that a vulnerability was seen to be exploited; the frequency and volume of exploitation; reference points for evidence that someone has exploited a flaw, so users know if it came from a trustworthy vendor or researcher; industries targeted; and the kind of attacker taking advantage.
“If a 2016 vulnerability has not seen a reported exploitation in the past 30-90 days, I’m not sure having a security team member bug an ops team member to PATCH NOW is going to go over well,” Rudis said in an online chat with CyberScoop. “This field shld be updated regularly.”
Beyond the 41 catalog additions, CISA this week updated answers to its “frequently asked questions” and clarified how a vulnerability makes the KEV list. Federal agencies still have deadlines to fix the flaws as they’re added under the original November CISA directive, with the next set of deadlines coming later this month.
CISA explained why the age of a system or vulnerability doesn’t impact whether a flaw is included or not.
“CISA does not assume that all running legacy products are fully patched. CISA also does not assume that all end-of-life products have been decommissioned,” the FAQ says. “The absence of evidence of exploitation currently occurring does not preclude a vulnerability from being exploited in the future. If an actor is targeting your network and you have a vulnerable legacy product, they may use that vulnerability to their advantage.”
In order to make the list, a flaw must have a Common Vulnerabilities and Exposures (CVE) number, assigned by an organization that the Mitre Corp. operates with funding from DHS. The CVE program is a system for documenting and categorizing publicly known vulnerabilities.
KEV-eligible flaws also must demonstrate strong evidence of use in the real world, and have a clear patch available.
“CISA analysts perform daily open-source searches for vulnerabilities,” the agency explained. “Active exploitation information obtained from vendor security advisories are trusted sources and considered accurate.”
It continued: “When cybersecurity news outlets, academic papers, cybersecurity company press releases (not from the affected vendor), etc., report active exploitation, CISA reviews wording and original source citations for the exploitation for accuracy and reliability. If the information is reliable, CISA adds the vulnerability to the KEV catalog.”
Voci said the list is still in its “first step” phases. There’s more CISA can do, from “enriching information to make it more actionable” to expanding outreach to the private sector. All in all, it’s a good addition to a suite of CISA industry collaboration programs, he said.
“Industry has long talked about importance of cyber information sharing,” Voci said. “The KEV program is another piece of this world, this ecosystem for information sharing.”