Outsmart SVR (and Other Bad Actors) with Risk-Based Vulnerability Management
Share with Your Network
The threat of ongoing foreign cyber-espionage campaigns is real and pervasive. On May 7, CISA (America’s Cybersecurity and Infrastructure Security Agency) joined the United Kingdom’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in releasing a Joint Cybersecurity Advisory on Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures. This fact sheet summarizes the advisory.
This united stance comes after the recent public shaming of SVR, Russia’s civilian foreign intelligence service, for its compromise of SolarWinds, and COVID-19 vaccine developers, along with its leveraging a Zero-day VMWare vulnerability.
And while it’s no surprise the SVR has denied its role as cyberwar actors, the group is tracked in open source as APT29,Cozy Bear, Yttrium, and the Dukes, using a variety of strategies and commonly used exploits to predominantly target overseas governmental, diplomatic, think-tank, healthcare, infotech, and energy entities for intelligence gain.
There should be no doubt these cyber threat actors are highly capable and will continue to target organizations in the UK, US, Europe, NATO member states, and Russia’s neighbors.
By knowing the tradecraft nation-state cyber actors use, and by applying relevant response actions, network defenders can focus on mitigating vulnerabilities and techniques, enabling more comprehensive protection against adversary compromise.
Protecting against SVR techniques
CISA’s Alert highlights some favorite SVR techniques, such as password spraying, leveraging Zero-Day vulnerability, WellMess Malware, and tradecraft similarities of SolarWinds-enabled intrusions. In addition, FBI investigations have revealed infrastructure in the intrusions is frequently obtained using false identities and cryptocurrencies. Other techniques employed by SVR actors include:
- Exploiting public-facing applications
- Leveraging external remote services
- Compromising supply chains
- Using valid accounts
- Exploiting software for credential access
- Forging web credentials: SAML tokens
The NSA, CISA, and FBI summary suggests the following best practices to protect public and private organizations:
- Keep systems and products updated and patch as soon as patches are released since many actors exploit numerous vulnerabilities.
- Expect the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions.
- Assume that a breach will happen.
- Enforce least-privileged access, and make password changes and account reviews a regular practice.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure to the internal network.
- Enable robust logging of Internet-facing services and authentication functions.
- Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
- Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about breaches on out-of-band channels, and uncover a breach’s full scope before remediating.
Best practices for network defenders
The multi-group advisory determined the SVR has and continues to gain initial footholds within organizations yet to patch the following vulnerabilities:
- CVE-2018-13379 Fortinet®
- CVE-2019-9670 Zimbra®
- CVE-2019-11510 Pulse Secure®
- CVE-2019-19781 Citrix®
- CVE-2020-4006 VMware®
Don’t rely on CVSS scores alone to gauge the relative risk of these CVEs. Common Vulnerability Scoring System (CVSS) scores for the vulnerabilities listed below range from 5 to 10, and the average across all is 7.8. But relying on CVSS scores alone may cause you to overlook factors that can make remediating a vulnerability a priority. The data-driven analysis that feeds Kenna Risk Scores incorporates many more attributes that determine a specific vulnerability’s risk—and the result can be stark.
For instance, CVE-2018-13379 earns a CVSS score of 5, suggesting it’s a low-risk vuln. But Kenna has assigned a risk score of 96.6, making remediation not only a priority, but a very urgent one. (Only 8% of all vulnerabilities have a higher Kenna Risk Score than CVE-2021-26858, the lowest scoring vulnerability on this list.)
|CVE||CVSS Score||Kenna Score|
Scoring risk helps provide Security, IT, and Infrastructure teams with an understanding of the urgency of the vulnerability to prioritize the remediation efforts of some over others based on real-world exploitability. This helps maximize the effectiveness of your vulnerability management program while making the most efficient use of your limited resources.
Unlike CVSS and other static scoring methods, Kenna Security’s scoring considers a comprehensive set of internal and external data sources to provide full context into the specific amount of risk for every vulnerability, enabling security analysts to truly understand the level of risk and can effectively prioritize which vulnerabilities to remediate first.
While many Security organizations prioritize their fix lists based on CVSS scores, relying on this method alone is just a good enough tactic that works until it doesn’t. Basing remediation strategies on CVSS scores alone (or on scanner prioritization, which largely just repackages CVSS) is a recipe for disaster. It leaves companies unnecessarily vulnerable.
Flex the risk-based vulnerability management muscle
A risk-based approach to vulnerability management helps isolate the organization’s top risks, eliminating the need for guesswork and wasted cycles spent chasing vulns that won’t move the needle on risk.
Risk-based vulnerability management (RBVM) is a cybersecurity strategy in which organizations prioritize remediation of software vulnerabilities according to the risk they pose to the organization. A risk-based vulnerability management strategy:
- Uses threat and exploit intelligence to identify the vulnerabilities attackers are discussing, experimenting with, or using.
- Leverages intelligence to generate risk scores based on the likelihood of exploitation.
- Takes into account the business context of various assets, because intrusion into some network segments may be more damaging or likely than others.
- Combines vulnerability risk assessment and asset criticality. Risk-based vulnerability management programs focus on patching efforts on the vulnerabilities most likely to be exploited on the most critical systems.
Large enterprise networks contain more vulnerabilities than their cybersecurity teams can fix. And if you look at the behavior of real-world hackers, they attack only a small subset of security flaws. Our research indicates only 5 percent of enterprise vulnerabilities have known exploitation events.
That’s why today’s enterprise Security and IT operations need to take a risk-based approach to vulnerability management. There are too many vulns to patch, and the standard “good enough” tools for prioritizing CVEs either leave you wasting time patching low-risk vulns, or overlooking vulnerabilities that may pose a real, urgent risk to your infrastructure.
Organizations can drastically improve their security posture and minimize risk by identifying and remediating the small subset of vulnerabilities prone to exploitation. Traditionally, organizations prioritized the vulnerabilities they needed to patch according to a mix of gut feeling, regulatory and compliance needs, and the theoretical damage a successful attack could do.
That approach no longer makes sense—not with the array of threats targeting your top vulnerabilities plentiful and growing. (In fact, in the first three months of 2021, the National Vulnerability Database (NVD) published an average of 31 new CVEs every day.)
Staying a few steps ahead of SVR requires an impermeable, persistent defense strategy that takes into account the best mitigation practices. But adding in a risk-based vulnerability management approach puts you in the driver’s seat with the ability to predict exploitability — and outsmart Russia.
A data breach can happen at any time. Don’t let it happen to you. Stop hedging your bets. Get defensive today.