Double Your Threat Blocking in 90 Days
By Picus Labs • October 02, 2023, 13 min read
As organizations grow, their IT landscapes tend to become increasingly multifaceted and intricate, leading to more complex IT infrastructures. This diversification generates a larger attack surface, encompassing vulnerabilities and entry points to various organizational assets. These assets range from minor endpoints to databases, third-party software, and physical components like routers.
To remediate this attack surface, organizations need to follow a continuous vulnerability management lifecycle. This life-cycle involves listing assets, identifying hidden vulnerabilities within them, and prioritizing the remediation actions based on business contexts and the criticalness to business operations if the vulnerability is exploited. In this blog, we are going to delve into the inner working mechanism of a vulnerability lifecycle and discuss NIST’s SP 800-40r4 guide to enterprise patching programs.
The Vulnerability Management Lifecycle is a continuous and structured process encompassing the systematic identification, prioritization, mitigation, validation, and reporting of vulnerabilities within an organization's information systems and software applications.
This lifecycle is integral to strengthening an organization's overall security posture, ensuring the protection and confidentiality of sensitive data, and minimizing the risk of exploitation by continuously addressing and managing vulnerabilities in light of the evolving threat landscape.
Following a vulnerability management lifecycle provides six main benefits.
Offers comprehensive insight into vulnerabilities present in organizational assets to inform security and risk management decisions.
Acts as a proactive defense mechanism, allowing companies to address and mitigate vulnerabilities before they can be exploited by adversaries.
Supports optimized, data-driven allocation of resources, including time, money, and personnel, enabling effective and efficient management of vulnerabilities.
Aids in maintaining compliance with industry regulations and standards, as many certifications require the implementation of a robust vulnerability management program.
Provides a structured approach to validate the effectiveness of security measures and controls in place, ensuring ongoing improvement in security posture.
Fosters a security-aware culture within the organization, promoting continuous vigilance and responsiveness to emerging security threats and vulnerabilities.
A classical vulnerability management lifecycle is comprised of five principal stages, as listed below:
In this section, we will delve deeply into each of these stages, demonstrating how the Picus Complete Security Control Validation platform can assist you in automating certain steps more efficiently and in providing more comprehensive, current visibility into an organization's security posture.
Every vulnerability management lifecycle should begin by creating a comprehensive asset inventory. If organizations don’t secure a holistic view of their assets, they risk overlooking assets laden with critical vulnerabilities that demand immediate attention. Organizational assets include servers, databases, endpoints, software, security controls, physical network devices, and even third-party tools that might introduce vulnerabilities.
Figure 1. Organizational Assets and Exposure Points
Organizations often prioritize monitoring and scanning critical databases, servers, and domain admin endpoints, recognizing them as assets vulnerable to threats. However, many overlook the significance of components integrated within the organizational network, such as physical servers, leading to potentially devastating consequences.
A notable illustration of this vulnerability is the 2013 Target data breach . Attackers exploited a third-party HVAC vendor's software, enabling unauthorized access to Target’s network. This breach allowed the infiltration of malware into Target's systems and the compromise of over 40 million customers' credit card information.
Hence, creating an asset inventory is vital because if one critical vulnerability enabling remote code execution is missed in lieu of identifying nine others, then addressing these nine may not substantially enhance the overall security posture of an organization due to the persistent high risk of a data breach.
Once all assets are cataloged, it’s time to conduct vulnerability assessments on them.
For this step, organizations can leverage automated solutions like attack surface management tools, especially when dealing with a vast number of assets. These tools offer insights into the IT assets, shedding light on the security risks they pose based on configuration, usage, policies, security control coverage, and installed software.
Additionally, organizations often utilize vulnerability scanners and engage in both manual and automated penetration testing as practices within this step.
The Picus Complete Security Control Validation platform provides organizations with an automated, continuous approach to vulnerability assessment. It uses attack simulations, specifically designed to safely mimic the exploitation scenarios of certain vulnerabilities (Refer to Figure 2).
The Picus Threat Library features an extensive collection of vulnerability exploitation attack simulations. Continually updated by our dedicated red team engineers, these simulations safely illustrate how an adversary could leverage a particular vulnerability within your organization, all in a secure and non-destructive manner.
Figure 2. Picus Complete Security Control Validation Threat Library
To have a more solid understanding of these threats, we can pick up a single threat and examine its kill-chain.
Figure 3. A Vulnerability Exploitation Threat from Picus Threat Library
The threat corresponding to ID 27521 involves downloading four ELF files, initiating the Linux Netfilter Elevation Privilege Vulnerability (also known as CVE-2022-1972, CVE-2021-22555, CVE-2022-34918, and CVE-2023-32233). These vulnerabilities emerge due to out-of-bound write vulnerabilities in the Netfilter subsystem and can be exploited by attackers to secure privilege escalation to root. By integrating this threat into an attack simulation, an organization can measure its readiness against these specific vulnerabilities before a skilful adversary acts on them.
In the prioritization stage of the vulnerability management lifecycle, the security team meticulously evaluates and organizes identified vulnerabilities to address those that need immediate attention.
The classification and prioritization of the identified vulnerabilities can be done based on the factors as listed below.
Asset Value: The value of the asset possessing the vulnerability is a critical factor in prioritization.
CVE and CVSS Score Assessment: While important, the CVE and CVSS score of the vulnerability alone are not sufficient. For instance, a critical vulnerability with a CVSS score of 9.0 may not necessarily be business-critical if the identified vulnerability resides on an asset that operates under a zero-trust architecture with very limited privileges and restricted access to other organizational domains.
Potential Business Impact: The possible repercussions on the business if a specific vulnerability is exploited by an adversary must be considered.
Access or Privileges Gained: The type of access or privileges that an attacker can potentially gain in the organizational environment plays a significant role in vulnerability prioritization.
Likelihood of Exploitation: The presence of a vulnerability doesn’t guarantee immediate exploitation. In scenarios involving massive exploitation, there are generally publicly available PoC exploitation codes for the specific vulnerability, especially when organizations fail to, or cannot, apply available patches promptly.
Efficiency of Existing Controls: Assessing how efficiently the existing security controls can mitigate or manage the risk of the vulnerability.
External Exposure: The degree to which the vulnerability is exposed to the external environment and the internet at large can also play a role in determining its priority, as vulnerabilities accessible from the internet may have a higher likelihood of being exploited.
This stage is fundamental for optimizing resource allocation and focusing efforts on substantial threats, circumventing the diversion of valuable time and resources to low-risk vulnerabilities.
The essence of the vulnerability management lifecycle focuses on
mitigation actions, and,
occasionally, acceptance of low-degree risk.
Upon identifying business-critical vulnerabilities, it is vital for organizations to proactively identify gaps and vulnerabilities in their security posture. Such proactive identification enables organizations to comprehend, through simulations, the methods adversaries use to exploit specific vulnerabilities and the manner in which the exploitation occurs in their attack lifecycle. This approach also facilitates the implementation of mitigation suggestions provided by vendors and other sources to address the identified vulnerabilities effectively.
Being aware of the core benefits of following a vulnerability management lifecycle program, the Picus Complete Security Validation platform goes beyond merely highlighting vulnerabilities and provides its customers a platform that presents one of the biggest mitigation libraries in the market.
At Picus Security, we hold the belief that the real value in proactive security assessment methods lies not in leaving our customers pondering their next steps after learning through a simulation result that their substantial investments in security controls are not performing as expected. Instead, we strive to offer applicable and efficient vendor-based solutions for mitigating possible exploitation attacks for the identified vulnerabilities, especially when immediate patching is not a viable option.
We recognize that for certain organizations, immediate remediation of identified vulnerabilities is not a feasible option, either because the patching process requires several months or because numerous systems are reliant on legacy software versions, among other reasons.
To address the risk that late-patching problem introduces, the Picus platform provides vendor-based signatures, as illustrated in Figure 4. Using these signatures, organizations can apply mitigation signatures to their preventive primitive controls, thereby directly blocking the attack.
Figure 4. Picus Complete Security Control Validation Platform Mitigation Library
Why are vendor-based signatures effective? Let us explain this in more detail.
Vendor-based signatures are essential to robust cybersecurity posture due to their precision and specialized creation. In this section, we listed the main characteristics of these signatures and how organizations may benefit from it to increase their overall security posture.
Inherent Knowledge and Precision:
When a vulnerability is detected, the security professionals within the vendor of the affected product, who have extensive knowledge of their software and systems, delve into investigating the attack lifecycle. These specifically dissect the adversaries' exploitation techniques to understand the mechanisms used to exploit vulnerabilities. By leveraging their deep understanding of their product's intricacies, they are able to precisely define patterns or signatures that characterize the vulnerability, allowing them to promptly generate effective signatures. These signatures are crucial for detecting and neutralizing the attacks, providing immediate mitigation and ensuring the security of the product.
Integration and Deployment:
The accurately developed signatures are integrated into security infrastructures like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or antivirus softwares, etc.. This enables a seamless and immediate deployment of defensive measures, detecting and blocking malicious exploit attempts effectively.
Proactive Defense Mechanism:
These signatures act as proactive defense mechanisms. When an attacker deploys a technique to exploit a vulnerability, the signature is sophisticated enough to identify the associated malicious activity and block it instantaneously, preventing unauthorized access or further exploitation of the vulnerability.
Mitigative Measure in Patching Delays:
Vendor-based signatures are crucial when immediate remediation through patching isn’t feasible. They serve as an interim defensive layer, mitigating risks associated with the vulnerabilities while more permanent solutions, like patches, are being developed and deployed.
Enhanced Preventive Measures:
Vendor-based mitigations are the culmination of intensive and focused efforts by specialized security teams from the vendors, working diligently to enhance the preventive measures and to fortify the security posture of their products against vulnerabilities.
In conclusion, the effectiveness of vendor-based signatures lies in their precision, proactive deployment, integration capability, and their role as an interim defensive measure, all stemming from the inherent knowledge and diligence of the vendors’ security teams.
Post the implementation of mitigation and remediation, the security team progresses to the fourth stage, verification and monitoring.
This step is integral to ascertain that the efforts invested in the third step have yielded the desired outcomes. The team meticulously retests and rescans the worked-on assets to verify the success in addressing the identified vulnerabilities and to ensure no new issues have been introduced during the remediation and mitigation processes.
This stage isn’t just about reassessing; it’s about broader network monitoring, a vital aspect of maintaining security integrity. It involves the detailed examination of the network for new vulnerabilities, outdated mitigations, and any other alterations post the last scan that may necessitate further actions. The insights garnered from these findings are invaluable, informing and refining the next rounds of the vulnerability management lifecycle, ensuring the security framework remains resilient and robust against evolving threats.
Reporting and improvement mark the final step of the vulnerability management lifecycle, serving as a critical phase in strengthening organizational security against various threats and vulnerabilities. In this essential stage,
security teams meticulously record actions undertaken in the most recent lifecycle phase,
encompassing identified vulnerabilities,
implemented remediation and mitigation strategies, and
the outcomes achieved.
These detailed reports are then shared with key stakeholders, such as executives, asset owners, compliance departments, to ensure a holistic understanding of the security posture.
The importance of this stage cannot be overstated as it goes beyond listing findings; it’s about analyzing them to enhance security controls and measures effectively. The Picus Complete Security Control Validation platform stands out by providing users with comprehensive reporting based on the simulation results.
Figure 5. Simulations Results with Reporting by Picus Security
In the reports Picus platform provides, each threat is precisely analyzed, featuring attack actions that mimic the corresponding threat’s attack flow. This approach provides organizations with a data-driven perspective on the effectiveness of their security controls, showing which attack actions are blocked and which aren’t.
This analysis is essential, allowing organizations to identify potential gaps in their security measures even if some actions seem to be blocked, highlighting those actions that have evaded defensive barriers and pinpointing areas needing improvement.
Figure 6. Attack Actions Mapped to MITRE ATT&CK Framework by Picus Complete Security Control Validation Platform.
Moreover, the Picus Complete Security Control Validation platform enriches its reports by aligning simulated threats and attack actions to respected frameworks like MITRE ATT&CK and the unified kill chain. This alignment offers organizations deeper insights into where their security measures and controls might be vulnerable and need closer examination and reinforcement by blue team members.
In conclusion, the reporting and improvement stage is not merely the concluding phase of the vulnerability management lifecycle; it’s a pivotal point where insights and enhancements interlink. It is instrumental for detecting existing vulnerabilities and understanding the broader security environment, allowing organizations to fine-tune their security strategies and better defend against emerging threats.
In this section, we are going to share some insights provided by the NIST Special Publication SP 800-40r4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology.
This comprehensive guide delineates a structured approach to effective patch management, encompassing a variety of key processes aimed at mitigating vulnerabilities within organizational technologies.
Asset Discovery and Management
Vulnerability Identification and Assessment
Risk Evaluation and Prioritization
Patch Acquisition and Deployment
Maintenance Planning and Monitoring
Performance Metrics Development
Validation and Verification
Reporting and Continuous Improvement
The NIST SP 800-40r4 serves as an exhaustive guide to structuring and implementing an efficient enterprise patch management program, adhering to a methodological approach that insists on a meticulous Asset Discovery and Vulnerability Assessment to uncover and comprehend vulnerabilities. It underscores the significance of assigning importance to assets and vulnerabilities, enabling the formulation of an informed and decisive Patching Program.
The document meticulously outlines the importance of Prioritizing Identified Vulnerabilities based on a structured risk assessment, leading to effective Remediation and Mitigation Actions. This approach is critical in orchestrating targeted patch deployment, with considerations on maintenance plans and exceptions, ensuring that vulnerabilities are addressed with precision.
Further, the guide elucidates the importance of Validation and Monitoring to confirm the effectiveness of the patches, complemented by robust Reporting and Improvement mechanisms that ensure the continual refinement of the patching processes.
By integrating these pivotal elements, the publication stands out as a coherent and indispensable resource, offering substantive insights and actionable metrics that empower organizations to elevate their security posture, substantiate their continuous improvement, and respond adeptly to the ever-evolving threat landscape.
 J. Vijayan, “Target attack shows danger of remotely accessible HVAC systems,” Computerworld, Feb. 07, 2014. Available: https://www.computerworld.com/article/2487452/target-attack-shows-danger-of-remotely-accessible-hvac-systems.html. [Accessed: Sep. 27, 2023]