CISA’s Shields Up guidance has set forth recommended best practices for organizations of all sizes to protect their infrastructure from incoming cyber threats. Among its key steps are the prioritization of mitigation and the use of updates that address known exploited vulnerabilities.
Today we’ll cover CISA’s known exploited vulnerabilities, and explore how we can detect and prioritize them through the Attack Surface Intelligence platform.
What are CISA’s Known Exploited Vulnerabilities?
The Cybersecurity and Infrastructure Security Agency (simply known as the CISA) is a United States Governmental agency that looks into cybersecurity-related security vulnerabilities and threats found in commonly used software.
The Known Exploited Vulnerabilities list is maintained and frequently updated by the CISA. It not only lists known software vulnerabilities, but also methods used to counter them.
To make tracking threats straightforward, each vulnerability is designated with a unique CVE number, a base score which helps determine how critical a vulnerability is, and reference information for the vulnerable software version as well as links to vendor websites and vulnerability fixes are given.
The CISA’s Known Exploited Vulnerabilities Catalog provides a compiled list of vulnerabilities that can be exported in various formats (such as JSON and CSV) which can be further used with other software to automate your security processes. One can also subscribe to it by email, providing valuable alerts whenever vulnerabilities are discovered.
CISA plays another key role, by providing federal civilian executive branch (FCEB) agencies with cybersecurity incident response and vulnerability management. These processes and instructions are provided to FECB agencies via the CISA Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Overall, they help to ensure that FECB agencies stay secure and safe from bad actors.
In the Shields Up guidance issued to provide advice on Russian cyber threats, detecting known exploited vulnerabilities is highlighted as one of the steps organizations can take to reduce the likelihood of a destructive cyber attack, as well as to prioritize updates and mitigation for assets affected by them.
How can you identify top exploited vulnerabilities?
The Attack Surface Intelligence (ASI) platform offers multiple ways to detect assets in your infrastructure that are impacted by security risks and/or vulnerabilities as well as potentially dangerous misconfigurations. With ASI you’ll be equipped to stay in line with Shields Up guidance and identify top exploited vulnerabilities.
Know your assets
ASI allows for persistent monitoring of your organization’s domain name and various hosts within your infrastructure, so you can stay on top of your assets.
The platform also goes one step further by categorizing this information so you get a single pane of glass view into your dynamic attack surface as it evolves. You’ll get continuous insights into different areas and assets within your external infrastructure, such as:
Modern organizations’ virtual assets and web applications are often set up over various cloud providers or with a mix of cloud and on-premises setups to ensure the highest possible reliability and availability. Knowing exactly what is hosted where further helps you streamline your security process, depending on the hosting service in use.
This helps you find what software runs on which host within your organization, as certain port numbers are frequently used by specific software. For example, port 80 is most commonly associated with web servers, port 22 with SSH, port 21 for FTP, and so on.
Tracking SSL certificates is a critical aspect of any web application. Expired SSL certificates show up with large errors in web browsers which can lead to loss of trust and income, with potential users seeing such errors and losing confidence in your application.
ASI tracks and lists every single SSL certificate used within your organization along with its status, to help you stay ahead of any upcoming SSL certificate renewals.
The Technologies tab gives you a complete overview of the software used within your organization’s public-facing assets. This includes web servers and other publicly accessible software such as OpenResty, Gunicorn, Istio, and others.
The ASI platform also handles your organization’s virtual inventory, by finding and categorizing your virtual assets into:
- With most organizations now relying on various hosting providers to increase reliability and availability, the ASI platform shows you a complete overview of where your organization’s virtual assets are hosted.
Hostnames Pointing Local
- To help with local software development and testing, as certain hostnames are set up pointing to localhost/127.0.0.1, the ASI platform allows you to easily find them.
Remote Access Gateways
- Remote access gateways are an essential component of remote work, allowing team members access to internal applications and services. Accounting for and keeping these gateways secure is essential for any organization’s safety.
- Similar to Remote Access Gateways, VPNs provide secure access to your organization’s employees, allowing them to access internal services, portals, and applications while working remotely, and the ASI platform helps you find and account for them.
This feature further helps you find and manage bits of your organization’s virtual assets that may go unnoticed or missing over time.
Persistent activity monitoring
Last but not least, the Activity tab helps you keep an eye on your organization’s virtual assets. Often with CI / CD processes, virtual assets can be created within seconds and automatically set up to run on domains/subdomains, and while these processes are automated, it helps to have an overall view of the “virtual” activity taking place within your organization.
Detect immediate risks
The Risks tab scans your organizations’ public internet-facing virtual assets for any possible known risks. The following key assets are scanned for and listed if found:
- Database Open Ports
- Database ports are usually set by default to bind onto localhost or private IPs only, but larger organizations, remote work, and load balancing-related distributed setups sometimes require databases to be accessible across the public internet.
- While most modern databases come with built-in built access control features or ACLs, it is always possible that your database ACL might be misconfigured and allowing unrestricted public access, or the database software version has a vulnerability allowing for unrestricted access to the data.
- The SecurityTrails ASI platform allows you to identify these risks and put forward measures to secure your exposed databases.
- Self-signed certificates are commonly seen with in-development software where setting up valid certificates or purchasing certificates can be an issue. These certificates are often installed in developer machines to ensure easy access to domains and hosts.
- If these certificates make their way into production environments or get stolen during the development process, they can be impossible to identify. Getting warnings by browsers or other software also becomes impossible, as the certificate is installed on the developers’ and other team members’ systems.
- The SecurityTrails ASI platform helps identify these certificates, allowing you to help mitigate such security vulnerabilities within your organization’s post-development process.
Staging and Dev Subdomains
- Staging and dev subdomains have become commonplace in almost all development environments, with CI/CD software creating custom hostnames and subdomains automatically for every test instance created.
- Since these hostnames are running in-development and unaudited software, it is highly likely that exposing them to the internet can lead to compromises and other security failings.
- The SecurityTrails ASI platform can help identify these public-facing staging and dev subdomains so that you can secure them.
Risk Rules, a game-changer to detect critical CVEs and misconfigurations
The ASI platform now incorporates a new Risk Rules module which provides you with insight into the latest CVEs and critical misconfigurations, ensuring you are following the CISA’s guidelines. With Risk Rules, you’ll be able to detect thousands of CVEs, among which are 100+ web-based critical vulnerabilities from the CISA catalog.
You’ll find the exact CVEs and other security threats that affect your organization along with the domains and subdomains affected by the CVEs, prioritized by High (red), Moderate (yellow), and Informational (gray) severity scores.
Furthermore, when reporting certain vulnerabilities which can be publicly accessible—such as remote desktops open to the public—the Risk Rules module includes a useful screenshot so you can see what it looks like.
With today’s ever-changing cybersecurity landscape and emerging threats, it’s important to stay ahead of adversaries. Ensuring the entirety of your organization follows security best practices such as the CISA-issued Shields Up advisory, which empowers you to detect, prepare for, and respond to the threat of disruptive attacks that looms over your potentially exposed infrastructure.
As one of the key steps to protecting your infrastructure is the detection of known vulnerabilities and misconfigurations on your assets, an attack surface intelligence platform such as ASI can help speed up the identification and mitigation of those risks within your organization’s attack surface.