Why a single source is not enough? A quantitative analysis of exploited vulnerabilities

Thursday 28 November, 10:15 am - 10:55 am

Speakers

Daniel Dos Santos

Head Of Security Research
Forescout

Synopsis

Vulnerabilities are being found, weaponised and exploited in the wild faster than ever before, with 97 0-days exploited in 2023 and already 27 in 2024. However, organisations still rely on CVEs and the NVD to catalog issues, CVSS scores to help them assess criticality and the "new kids on the block": the Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog to assess exploitability.

While those sources of information are crucial, they have their limitations. Vulnerabilities with no CVE identifiers and CVSS scores that do not reflect real risk are by now well known in the security industry. Exploit predictions are useful for understanding what may happen in the future, but what about vulnerabilities that are currently exploited in the wild and not recognized as such?

The goal of this talk is to provide a real picture of what vulnerabilities are actually exploited in the wild and how, beyond the “hype” of those that get mass-exploited and the “limbo” of those that are seldom talked about.

It has been standard practice in the industry to rely on multiple sources of intelligence for indicators of compromise, but little has been discussed about sources of intelligence for exploited vulnerabilities. Overall, our research shows that there is a world of exploited vulnerabilities outside CISA KEV and defenders need other sources of intelligence to avoid the false sense of security that comes from following only the "standard" guidance.

By analysing data from different catalogs of exploited vulnerabilities and looking into databases of available proof-of-concept exploits, we will report findings such as the following:

  • We found up to 90,000 vulnerabilities without a CVE ID and this number is increasing every year.
  • There was a total of 2,087 distinct exploited vulnerabilities seen across four databases and no database alone contained all the information.
  • We saw on customer networks thousands of devices affected by 28 vulnerabilities that are not tracked as exploited by CISA.
  • OT and IoT devices are a common target but are less represented in some databases.
  • Most vulnerabilities are exploited only a few times, by few threat actors, for a limited period of time, and the attacks follow publicly available exploits exactly or very closely. Only some vulnerabilities stand out and get adopted into botnets or automated scanners, where they are used more frequently and with more variations.

We will also discuss issues such as the severity and root causes of exploited vulnerabilities and how many can be patched or affect end-of-life systems.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.
