Wednesday, October 2, 2024

Vulnerability Management - Notes from inaugural study of EPSS Data and Performance as published by Cyentia/FIRST

My notes from Chris H.'s article (https://www.resilientcyber.io/p/vulnerability-exploitation-in-the).

1. Only about 5-6% of all vulnerabilities ever reported (i.e. published as CVEs) are known to have been exploited in the wild.

2. Average year-over-year (YoY) growth in the number of CVEs published is 16%.

3. Just as the number of CVEs with exploitation activity fluctuates from year to year, exploitation activity itself varies widely by specific CVE and by time of week, month and year.

4. Despite all the media and industry hype around the latest flashy zero-day, the majority of vulnerabilities observed as exploited in a given period are ones that had already been exploited in earlier periods, not newly disclosed ones.

5. A report from Cloudflare stated that attackers attempt to exploit some CVEs as quickly as 22 minutes after a proof-of-concept exploit is made available.

6. Remediating every vulnerability with an EPSS score of 0.6 or higher achieves roughly 60% coverage at 80% efficiency (see the definitions below).

7. Findings from Synopsys' Open Source Security and Risk Analysis (OSSRA) report:
A> 14% of codebases contain vulnerabilities more than 10 years old
B> 2.8 years is the mean age of vulnerabilities found in codebases
C> 49% of codebases have had no new development activity in 24 months
D> 91% of codebases contain components that are 10 or more versions behind the current release

8. Insight from the "last observed" date of exploited vulnerabilities:
A> 50% of the ~14,000 known exploited vulnerabilities had exploitation activity within the past week
B> A further 25% were attacked within the last 12 months
C> The remaining 25% have been dormant, with no observed exploitation activity in over a year

9. Prioritizing vulnerabilities with an EPSS score of 10% (0.10) and above should yield about 80% coverage, 50% efficiency and 6% effort.

Definitions:
EPSS: The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.

Coverage: Measures how completely the prioritization captures exploitation activity. What percentage of all known exploited vulnerabilities were correctly prioritized? If 100 vulnerabilities get exploited but only 40 of those were prioritized, the coverage is 40%.

Efficiency: Measures the accuracy of prioritizations. What percentage of vulnerabilities prioritized (for remediation) were actually exploited? If 100 vulnerabilities were predicted to be exploited but only 60 had observed exploitation activity, the efficiency is 60%.

Effort: Measures the overall workload created by the prioritization strategy. It is simply the percentage of all vulnerabilities that were prioritized, regardless of whether they turned out to be exploited.
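To make the three metrics concrete, here is a small worked example (added here, not code from the original post, from the Cyentia/FIRST report or from Chris H.'s article). It applies the definitions above to an EPSS-style threshold strategy: everything scoring at or above the cutoff is "prioritized", and coverage, efficiency and effort are computed against observed exploitation. The vulnerability records, their identifiers (V01..V20), EPSS values and exploitation flags are all constructed for illustration and are not real data; the trade-off they show (lower threshold, higher coverage and effort, lower efficiency) is the same one items 6 and 9 describe, but the exact percentages are specific to this toy set.

```python
"""Worked example of the EPSS coverage / efficiency / effort metrics.

Added example, not code from the original post or from FIRST/Cyentia.
The records below are constructed for illustration: the identifiers,
EPSS scores and exploitation flags are not real vulnerability data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str          # constructed identifier, not a real CVE ID
    epss: float       # EPSS probability in [0, 1]
    exploited: bool   # exploitation observed in the evaluation window


# Constructed sample of 20 records. Exploitation is concentrated at the
# higher EPSS scores but not perfectly, so no threshold is "free".
SAMPLE = [
    Vuln("V01", 0.95, True),
    Vuln("V02", 0.88, True),
    Vuln("V03", 0.72, False),
    Vuln("V04", 0.65, True),
    Vuln("V05", 0.40, True),
    Vuln("V06", 0.33, False),
    Vuln("V07", 0.20, False),
    Vuln("V08", 0.15, True),
    Vuln("V09", 0.12, False),
    Vuln("V10", 0.09, False),
    Vuln("V11", 0.05, True),
    Vuln("V12", 0.04, False),
    Vuln("V13", 0.03, False),
    Vuln("V14", 0.02, False),
    Vuln("V15", 0.01, False),
    Vuln("V16", 0.01, False),
    Vuln("V17", 0.01, False),
    Vuln("V18", 0.005, False),
    Vuln("V19", 0.005, False),
    Vuln("V20", 0.001, False),
]


def score_threshold(vulns, threshold):
    """Prioritize every vuln with epss >= threshold and return
    (coverage, efficiency, effort) as fractions in [0, 1].

    coverage   = prioritized and exploited / all exploited     (recall)
    efficiency = prioritized and exploited / all prioritized   (precision)
    effort     = all prioritized / all vulns
    """
    prioritized = [v for v in vulns if v.epss >= threshold]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in prioritized if v.exploited]
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(prioritized) if prioritized else 0.0
    effort = len(prioritized) / len(vulns) if vulns else 0.0
    return coverage, efficiency, effort


def sweep(vulns, thresholds):
    """Evaluate several cutoffs; returns {threshold: (cov, eff, effort)}.

    Lowering the threshold can never lower coverage or effort, because the
    prioritized set only grows; efficiency is the metric that pays for it.
    """
    return {t: score_threshold(vulns, t) for t in thresholds}


if __name__ == "__main__":
    for t, (cov, eff, work) in sweep(SAMPLE, (0.6, 0.1, 0.01)).items():
        print(f"EPSS >= {t:<5} coverage={cov:.0%} "
              f"efficiency={eff:.0%} effort={work:.0%}")
```

Run against a real export (EPSS scores from FIRST joined with your own exploitation evidence, for example KEV membership or IDS hits) the same two functions let you pick the cutoff that matches the coverage your organisation needs and the effort it can actually fund.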

Happy Learning !!
#VulnerabilityManagement #Cybersecurity
