{"id":4751,"date":"2024-08-07T17:05:00","date_gmt":"2024-08-07T22:05:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-analytics\/monitoring-kev-list-for-changes-can-guide-security-teams"},"modified":"2024-08-07T17:05:00","modified_gmt":"2024-08-07T22:05:00","slug":"monitoring-changes-in-kev-list-can-guide-security-teams","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/07\/monitoring-changes-in-kev-list-can-guide-security-teams\/","title":{"rendered":"Monitoring Changes in KEV List Can Guide Security Teams"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt053f4b14325730c9\/66b3db495d11bc436e907ff8\/ages-of-KEV-catalog-greynoise.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">B-SIDES LAS VEGAS \u2013 Las Vegas \u2013 Wednesday, Aug. 7 \u2013<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> Organizations that use the Known Exploited Vulnerabilities (KEV) catalog to prioritize patching are likely missing silent changes to the list that could indicate that an issue&#8217;s severity has changed, according to an analysis presented at the BSides Las Vegas conference on Aug. 
7.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The KEV catalog \u2014 which currently consists of more than 1,140 vulnerabilities that are known to have been exploited in the wild \u2014 tracks software flaws by their Common Vulnerabilities and Exposures (CVE) identifier, records the date when the vulnerability was confirmed in the wild and has a flag that indicates whether ransomware groups are using the security issues.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Yet, specific changes to the data \u2014 such as uncommonly short times to remediate vulnerabilities and changes to the ransomware status \u2014 can give security teams valuable information, the analysis stated.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Unfortunately, the Cybersecurity and Infrastructure Security Agency (CISA), which manages the list, does not often call out these changes and outliers, says Glenn Thorpe, senior director of security research and detection engineering at GreyNoise Intelligence.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;We who are not bound by its directives forget that this is actually a to-do list,&#8221; he says, adding: &#8220;So, if folks are actually using this to prioritize remediation or some kind of process, they need to know [when] it is updated silently.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" 
data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The KEV catalog, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/cisa-issues-new-directive-for-patching-known-exploited-vulnerabilities\" rel=\"noopener\">introduced in November 2021 with 290 exploited vulnerabilities<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, is maintained by CISA and gives organizations the information necessary to prioritize patching flaws that are currently under attack. The list, however, does not rank the severity of issues, and vulnerabilities are often <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/exploited-vulnerabilities-can-take-months-to-make-kev-list\" rel=\"noopener\">not added until well after the initial evidence of exploitation comes to light<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Surge From a Cyber Conflict\">Surge From a Cyber Conflict<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While less than 3 years old, the KEV catalog has already passed through three periods, Thorpe says. 
The original catalog had 287 vulnerabilities, which had an average age \u2014 the time between the release of the CVE and the vulnerability&#8217;s addition to the KEV list \u2014 of 591 days. Then, during a 109-day period in early 2022 and the initial months of Russia&#8217;s invasion of Ukraine, a massive stockpile of vulnerabilities was exploited, encompassing 396 issues with an average age of 1,898 days.<\/span><\/p>\n<div readability=\"10\"><img data-recalc-dims=\"1\" decoding=\"async\" data-testid=\"content-image\" data-component=\"image\" class=\"ContentImage-Image ContentImage-Image_align_left\" data-src=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams-1.jpg\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams-1.jpg?w=640&#038;ssl=1\" loading=\"lazy\" alt=\"Days to fix chart and KEV entries by day of week\" title=\"Days to fix chart and KEV entries by day of week\"><\/p>\n<p class=\"ContentImage-Link\">Starting in mid- to late 2023, CISA started changing its policies on the KEV catalog, providing additional signals as to the severity of a vulnerability. Source: GreyNoise Intelligence<\/p>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Since mid-2022, 453 newly exploited vulnerabilities have been discovered, with an average age of 567 days.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;There is this thought that maybe the numbers have gone down, because the Russia-Ukraine conflict has dragged on so long,&#8221; he says. 
&#8220;But I [feel that] when it ends, each side will be looking for vulnerabilities and stockpiling once again.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Five organizations \u2014 Microsoft, Apple, Cisco, Adobe, and Google \u2014 account for about half of all vulnerabilities on the list, demonstrating cyberattackers&#8217; penchant for major software platforms.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Pay Attention to Friday Updates\">Pay Attention to Friday Updates<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While any vulnerability in the KEV catalog should likely be patched as soon as possible, companies may want to prioritize those being used in ransomware campaigns. The list has a flag designating whether CISA has confirmed use of a particular flaw by ransomware gangs. However, at least 41 times, that flag has been changed to &#8220;known&#8221; \u2014 indicating ransomware use \u2014 after the vulnerability&#8217;s addition to the list without explicit notification.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Perhaps more critical for prioritization is the &#8220;due date&#8221; for fixing a vulnerability, which informs federal agencies of the date by which the issue must be remediated. While the vast majority of vulnerabilities have a 21-day requirement, since late 2023, CISA has set shorter remediation deadlines for specific vulnerabilities. 
The shorter patching deadlines are typically for more critical appliances that are connected to a network, such as the severe <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/ivanti-breach-cisa-systems-offline\" rel=\"noopener\">Ivanti vulnerabilities<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, as well as issues in <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/ics-ot-security\/juniper-rushes-out-emergency-patch-for-critical-smart-router-flaw\" rel=\"noopener\">Juniper routers<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/endpoint-security\/cisco-zero-days-arcanedoor-cyberespionage-campaign\" rel=\"noopener\">Cisco devices<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/atlassian-confluence-high-severity-bug-allows-code-execution\" rel=\"noopener\">Atlassian&#8217;s Confluence server<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, GreyNoise&#8217;s Thorpe says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In fact, another data point suggests that CISA made other changes to how it handles KEV-catalog announcements in late 2023. Around the same time that CISA had assigned shorter deadlines, the agency also began forgoing the release of any list updates on Fridays, except in two specific cases, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/bsideslv.org\/talks#WXAEQR\" rel=\"noopener\">the analysis found<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Either there was a decision made to prioritize these a little differently, or they &#8230; were kind of figuring out how to prioritize these differently, because the list is getting big,&#8221; Thorpe says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Organizations can use the policy changes inferred from the way CISA updates the KEV catalog to understand which issues the agency considers most critical. A KEV update released on a Friday should be considered significant, as should a vulnerability with a due date less than 21 days away. 
Finally, Thorpe says, updates to the known ransomware usage field are another signal that security teams should pay attention to.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cybersecurity-analytics\/monitoring-kev-list-for-changes-can-guide-security-teams\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>B-SIDES LAS VEGAS \u2013 Las Vegas \u2013 Wednesday, Aug. 7<\/p>\n","protected":false},"author":12,"featured_media":4752,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-chang
es-in-kev-list-can-guide-security-teams.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/monitoring-changes-in-kev-list-can-guide-security-teams.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4751"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4751\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4752"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?
parent=4751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}