
So, I'll start off: thanks everyone for coming to my talk. As mentioned, I only have about 20 minutes, so I'm going to speed through pretty quick, and then we can have questions afterwards, or if time doesn't allow we can have hallway conversations or whatever. There are a lot of visualizations in the presentation, so afterwards there'll be a link to grab all the data, the visuals, the slides, everything, so don't fret about the actual slides themselves, and don't fret if you don't get to consume the whole chart, because there's a lot on some of these and I don't think you're going to do that in the 10 or 20 seconds that it's on the screen. I'll just jump in.

So today we're going to dive into the hidden vulnerability intelligence that lies within the CISA KEV catalog, more specifically what you can do to prioritize when you have more than one competing vuln in the KEV. In other words, there are multiple things added to the KEV and you have to pick between one or the other; there are some findings, as we look through the data, that can help you make that prioritization decision. And to clarify, CISA is not affiliated with this talk; they have not approved it. I'm just a big fan, so I hope that they appreciate it. They are in the room, so I'll be nice, and also that means that if you have specific questions we can have them cornered and make them answer your questions.

So we'll get started. First off, I have to introduce myself. My name is Glenn Thorpe. I work for GreyNoise Intelligence; I lead the security research team there, and I have to start off by saying they're an insanely, insanely talented group of people. I'm very fortunate to work where I do and do what I do with the group that I do. I've been in security for over 21 years, with different focus areas such as detection, response, vulnerability management and emerging threats. When I'm not doing cyber security things, I'm usually studying weather patterns or scuba diving, observing sharks, stuff like that. That's my whole personality, basically, and yeah, so I'm underwater either literally or metaphorically; that's just how we do it in security.

So we'll dive in. What exactly is the KEV catalog? Is anyone here not familiar with the CISA KEV catalog? Okay, great, no problem there. I knew there would be people here; I was ready for it. So KEV stands for Known Exploited Vulnerabilities, and I'll start by saying: note that it's past tense, which means it's already happened. It's not a predictive tool; it means these are known exploited vulnerabilities. It's in the name, it's pretty clear, but I think there's some confusion around that, where people think maybe sometimes it's a bit more speculative than it really is. It was launched in November '21, and to be included in the KEV catalog a vuln has to have three major attributes. One, there must be a CVE assigned; makes sense. Two, the vuln must be actively exploited in a way that's impactful. So, for example, a misnomer that I've picked up from watching some of the KEV talks by Todd from CISA, kind of doing my research here, is that there's a misnomer that if it's in the KEV that means it's attacked or affected government institutions or organizations directly, and that's not necessarily true. That's not necessarily true; that just means it's being done in an impactful way. It could be a large organization or something with a large footprint, or another country, whatever, but it does not necessarily imply that it has affected our government in the US. And the last attribute is there must be some kind of clear guidance on what to do about this problem; otherwise you're kind of just kicking a beehive a bit. So that third one is kind of important to think about.

So the purpose, the actual purpose of the KEV, is to drive remediation and mitigation within the government, so it has directives that back it. The KEV has a due date within it, and again, it's basically built by the government for the government but enjoyed by all, for everyone to understand what's going on in our security landscape or threat landscape. But it's important to note that they are backed by some regulations and directives for the government agencies that are bound to them.

So the next question is, has anyone analyzed the KEV before? And I say that just because it's been done a thousand times, but don't worry, I'm not going to bore you with the details of the same old boring stuff, or the same old top-line, top-level findings, except just a little bit, because I have to paint the picture for the path that I went down to unearth these three main takeaways that I have today. So bear with me at the beginning; we're going to get somewhere towards the middle, I promise.

So who is privileged enough to be on the KEV? What is the diversity of this list? Well, interestingly, so right now there's about... okay, first off, this data, I had to cut it off at some point, so I cut it off at the last week of June, so anything that happened in the last two weeks, not my problem. But there are 1,100 entries across 180 vendors, but five vendors account for half of all the entries within the KEV catalog. Kind of interesting, so we'll come back to that. Vendors that are usually in the KEV include a lot of widely, widely used software like Microsoft, Adobe, Oracle, open source projects like Apache, or major security toolsets, or security controls, like Fortinet or Cisco, Juniper, etc. So there's a lot of diversity in it, but it's interesting that most of it is just between those five vendors. Another interesting thing is that 77% of the vendors that are on the list were added within the first 12 months of the KEV being created. So this line basically is the one-year mark; you can see this is the rate of new vendors being added, so it kind of leveled off roughly after the first year; the rate of new vendors appearing slowed down quite a bit.

All right, so maybe interesting, we'll see. Now this is the CVSS distribution for the vulns that are on the KEV. Interesting? Not really. The higher CVSS scores are on the right; the height of the plot indicates the quantity, but really it's as you'd expect: higher CVSS scores mean unauthenticated, remotely exploitable, maybe no authentication, whatever, so it's not surprising that it would lie here. It's maybe most surprising that there's a three and a half CVSS score on the KEV; that's kind of interesting, but anyway, I don't know.

So let's take a look at the trajectory of the KEV, basically how fast things have been added to it. So again, it was created late 2021; it goes up to the end of July. Interestingly, it's almost linear except you see that big cliff there towards the beginning of 2021, or 2022, sorry. Does anyone have an idea what that might be from? What maybe was happening globally that would cause a big dump of new vulns being added to the KEV? Okay, you have the answer? A war. A war, yeah, the Russian invasion of Ukraine. So we'll come back to that.

So basically I'm looking for all of these little tidbits of color that were maybe not lying within the KEV, that we could figure out: how can we get a little bit more intelligence out of this? So the KEV is basically updated on average every 5 days. Don't read into that much. There's been, I know, once, maybe twice, I couldn't prove it, that it was updated in the same day, twice in the same day. I don't know if anyone knows. But basically they get added as they get added; sometimes it's every day, sometimes it's once a week, whatever. So again, interesting, but I don't know, so we keep looking.

Does anyone have an idea of what the average age of a vuln that's on the KEV is? And don't get mad, CISA, I promise we're going somewhere. So it's a thousand days. If you just look at the actual average age holistically, then the average age of a CVE in the KEV is over a thousand days, and that's just like, oh, that's not feeling great, weird. And speaking of ages, I had to make this joke because it's too obvious, but there is a 22-year-old vuln on the KEV. So that means it could play Taylor Swift's "22" on repeat, it could walk down Las Vegas Boulevard or Paradise or whatever, it could walk down the Strip and gamble and drink; the vuln could do everything that an adult can do in the US. So pretty crazy, but that does highlight how integral it is for patch management in organizations to be very thorough, not just looking at what's current or what's new or what's just been released, but also you have to keep checking your organization for these older things, because they still exist. We see them all the time at GreyNoise: people love the old vulns, because if they're going to keep working, people are going to keep exploiting them. You've got to patch it; we all know that.

So so far this isn't really painting a very timely picture, so how do we dig deeper? We dig deeper by basically finding the signal in all of this noise, and the good news is GreyNoise is all about reducing the noise. So we need to accommodate for the outliers, and so when I was looking through the data and digging for some way to make this more interesting than, I mean no offense, just more interesting than what we've already learned from the KEV, like there's got to be something new here, I was able to break down the data set into three different essential categories. And they're time-bounded, by the way. The first category would be the initial dump that was on November 3rd of '21, which is when the KEV was created. So this plot shows, the width is the quantity, the height is the age, and so this is what the initial dump of 280-something vulns looked like that were added to the KEV, from the age and quantity perspective.

The next data set was that really large cliff that we saw on that earlier graph, and so basically the invasion of Ukraine started on February 24th, 2022, and the next 107 days. There's no reason for 107 other than that's how the data kind of painted itself: as I looked at the age of the CVEs that were added, or the technologies, or the rate, how quickly they were being batched together, there was just a natural bookend at the 107th day afterwards, so we went with that. So basically I broke that down into what's referenced for the rest of the talk as the UKR conflict. So this is that dump, where, like I said, when you saw, and I'll bring it up here again in a second, that large cliff; so you can see a much bigger diversity as far as age, and that's where you get that 20-something-year-old vuln at the top, and it's just really much more scattered. And then the last category is everything else, so when it really gets on that center column, center column being basically less than a week of CVE age, everything kind of comes back together.

So what we're looking at here is three groups: the initial one, like I said, 287 CVEs, a 592-day average; the second one has almost a 1,900-day average, so that's where you get that average of a thousand days on the KEV. It's very misleading; it's a thousand days because this one 107-day period just really skewed it, so you have to take that into account. And then everything else. And so interestingly enough, the average age of the first dump and the everything-else category are essentially pretty close together, so that's cool, and then clearly the outlier is the Russia-Ukraine invasion dump. Okay, same data, different view; maybe it helps you consume it better. Some people don't like the violin plots and stuff, but left to right is the age and top to bottom is the quantity, but same information, and again this will all be available for you afterwards.

So let's look at that cumulative view again, like I teased. We put lines on here, I hope you can see them, basically marking off the beginning and the 107th day of the Ukraine conflict, and you can see how that data literally levels out and then keeps its continued crawl. So the rate of addition is pretty linear, which is kind of interesting. What does that mean? I don't know, we'll see, but it's just interesting. But what we do know is that the first full calendar year of the KEV that doesn't have a major outlier is 2023, so we're going to say 2023 is really the baseline, because '21 was only a month of data and 2022 was just so heavily skewed by the invasion. Let's check back in on the CVSS scores with these data sets broken up. Does that look interesting? I think not. They're almost all nearly identical, especially the top and the bottom are really, really close together, and even the CVSS score of the conflict group is pretty close. So I think I'm kind of done digging into the CVSS score looking for some interesting things there, because it's pretty well represented across all three data sets.

So okay, those are kind of the basics, right? We're going to step it up a notch. So, question, of course it's a trick question, I'm giving a presentation about it: do you think the average age of CVEs is increasing or decreasing over time? Are they getting added to the KEV closer to their existence, or their known-about date, or later? Does that mean sooner, or decreasing? Okay, good answer. So yes, they are absolutely decreasing. This shows it broken down by year, '21, '22, '23, '24. Further to the left on each one is basically the age of the CVE, and then again height is the quantity. So again, the first year is a little abnormal because it was the dump, the second year the Ukraine war, everything's crazy, but then once you get to the, quote, first baseline year of '23, you can see that the CVE age is actually quite young, like within the first week of their age, of their assignment, and the trend continues into 2024. So now it's looking a little bit better.

A couple of thoughts on this. I think the age of CVEs being younger is part, well, part of it's definitely due to attackers exploiting things faster, because they are; we know this, that's not news. But I think it also speaks to a bit of, you know, CISA has been very serious about doing outreach and partnerships and info sharing and stepping that up each year and building relationships. That's why they're here; I think that's why you're here. So I think it's paying off, because people are sharing more, earlier, and openly, and so that helps us all; it helps everyone. And there's the ability to submit to the KEV online soon; they're working on it, so it's great. So 2023 is the first baseline year, like I said; you see the major shift to very early, or very young, vulns being added, so the KEV is again looking a bit more timely once we start taking out those anomalies.

Another question: is the KEV data static? And this one I think might be surprising to some folks. So I'll tell you that it's not static, and I would ask, other than the occasional removal of a vuln from the KEV, don't worry about that, but within the KEV, what field might be updated nearly silently? I think it's silently. So within the KEV, I should have brought up the actual fields in the data set at the beginning, but there's a field in there that is known ransomware campaign use, and so this was added last October, so it hasn't even been in a full year, and it does what the name says: is this known to be used in a ransomware campaign? And so the options are Known, Unknown, that's it, right? Is there one more? Yeah, Known or Unknown. So I started digging into this, and, oh well, first off, we know that field matters because there is data to suggest, it's not our data, but there is research data out there that suggests that when a vuln has the known ransomware campaign use attribute, it's patched two and a half times faster. That makes sense; ransomware is expensive, we're all very familiar with it, so okay, cool. So this is the five-minute warning? Okay, oh my goodness, I am behind. All right, we're gonna fly.

So yes, basically there's a known ransomware campaign use flag; it does get updated silently, and so what this looks like is, again, offline consumption, but there have been 41 times where that field has been changed after being added to the data set, and we found this by basically harvesting the KEV every day and then doing a diff to see when something changed. So as far as I know this isn't really publicly announced or displayed in some way, so if your organization cares about or utilizes this field in some way, then it's important that you go back and check on it to see if it's changed. It is a one-way street from Unknown to Known; it's never reversed. Again, makes sense. But for the secret intel, that's just kind of an interesting thing in case you didn't realize that.

But how many people, or how many organizations, pay attention to the time to fix? So again, in the KEV is a due date; that due date minus the day that it was added is the time to fix it. So a lot of folks probably don't, because it's basically meant for government organizations; however, it can be interesting. When the KEV started we had basically a default of 180 days or 14 days, and then about the time of the Russia-Ukraine war you can see it standardized on 21 days, and that has continued. But as we get down to the bottom right there, you'll see as of late there have been more additions to the KEV that have a shorter time to fix. So that's really going to show you some insight into, kind of, the level of concern, is what I'm calling it, that is known about this vuln, based on either what they've seen or maybe the threat landscape, whatever.

And so the last deep find, I think, is what matters: the day of the week that something is added to the KEV. I think this is super cool. Basically, again, left to right is your... so early on, kind of all over the place, we're just figuring it out; it standardizes in '23, '24 continues, except it gets really quiet down there on Fridays. And those Fridays had a time to fix of seven days; one of those had, oh yeah, a time to fix of seven days. One was a Fortinet, one was a Palo Alto PAN-OS vuln. So essentially, when you dig through this and you're having to look through the data to figure out, I've got more than one thing to fix on the KEV, what should I prioritize? Basically, dig into what day of the week it was added; that's an interesting tell. What is the time to fix on that vuln? That's an interesting tell. And then lastly, the ransomware campaign use; again, if that's important to your organization, your processes, you definitely want to check back on that, and maybe we can work with CISA to flag that when it gets changed.

So I've got to wrap up; I'm somehow far behind. And oh yeah, don't try to predict the KEV; it's just not a thing. But if you have to, look at vendors that are already on it, because they got added, you know, that 77% number, and then of course attack vector network, user interaction none, privileges required none is a good start. But anyway, so here's my information; this link will have the slides, the data, how to contact me. Shout out to Bob Rudis; he's the one that did the visuals for this. You may have seen his work, you probably have, you just maybe don't know it. He's amazing, he's the GOAT for data work. And shout out to Feedly; I don't know if anyone from Feedly is here, but they don't know about this, but we're a customer, and when you do a good product and you make jobs easier, I'm going to call you out for it. And so hopefully they'll give us a discount next year. And that's it, that's it.

Thank you, Glenn. We have time for a couple of questions. Okay, great, yeah, any questions? Okay, so if no questions, you can get with Glenn after this. Thanks.
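As an added example (not part of the talk, and not CISA's or GreyNoise's code), here is a script that does the three things the talk walks through: computing time to fix from dueDate and dateAdded, looking at the day of the week an entry landed, and diffing two daily pulls of the catalog to catch the known ransomware campaign use field flipping from Unknown to Known. It assumes the JSON layout of the public KEV feed (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse keys); check the current schema before relying on those key names. The two snapshots are constructed sample data with placeholder CVE IDs, not real catalog entries, and the prioritize() ordering (shortest time to fix first, then ransomware-flagged, then newest) is one reading of the talk's three tells, not a CISA ranking.

```python
"""Added example: working with daily snapshots of the CISA KEV catalog.

Assumption: the JSON layout of the public KEV feed, i.e. a top-level
"vulnerabilities" list whose entries carry cveID, vendorProject, product,
dateAdded, dueDate and knownRansomwareCampaignUse. Verify the key names
against the current schema. The snapshots below are constructed sample data
with placeholder CVE IDs, not real catalog entries.
"""
from collections import Counter
from datetime import date

# Constructed snapshot "day 1" (placeholder IDs, not real KEV entries).
SNAPSHOT_DAY1 = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "ProductA",
         "dateAdded": "2024-03-18", "dueDate": "2024-04-08",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "product": "ProductB",
         "dateAdded": "2024-03-19", "dueDate": "2024-04-09",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "product": "ProductC",
         "dateAdded": "2024-03-20", "dueDate": "2024-04-03",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed snapshot "day 2": one ransomware flag flipped Unknown -> Known with
# no other change (the silent update), and one new entry added on a Friday with
# a seven-day due date.
SNAPSHOT_DAY2 = {
    "vulnerabilities": [
        dict(SNAPSHOT_DAY1["vulnerabilities"][0], knownRansomwareCampaignUse="Known"),
        SNAPSHOT_DAY1["vulnerabilities"][1],
        SNAPSHOT_DAY1["vulnerabilities"][2],
        {"cveID": "CVE-0000-0004", "vendorProject": "VendorD", "product": "ProductD",
         "dateAdded": "2024-03-22", "dueDate": "2024-03-29",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Fields worth tracking between pulls; dueDate is included because a shortened
# due date is another signal of concern the talk points at.
WATCHED_FIELDS = ("dueDate", "knownRansomwareCampaignUse", "vendorProject", "product")


def time_to_fix(entry):
    """Days between the date CISA added the entry and its remediation due date."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def day_added(entry):
    """Weekday name of the dateAdded field, e.g. 'Friday'."""
    return date.fromisoformat(entry["dateAdded"]).strftime("%A")


def by_cve(snapshot):
    """Index a snapshot's entries by CVE ID."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def diff_snapshots(old, new):
    """Compare two daily pulls: new entries, removed entries, and per-field changes
    on entries present in both. The last part is what exposes flag flips that are
    never announced."""
    o, n = by_cve(old), by_cve(new)
    changed = {}
    for cve in o.keys() & n.keys():
        delta = {f: (o[cve].get(f), n[cve].get(f))
                 for f in WATCHED_FIELDS if o[cve].get(f) != n[cve].get(f)}
        if delta:
            changed[cve] = delta
    return {
        "added": sorted(n.keys() - o.keys()),
        "removed": sorted(o.keys() - n.keys()),
        "changed": changed,
        "ransomware_flipped": sorted(c for c, d in changed.items()
                                     if "knownRansomwareCampaignUse" in d),
    }


def prioritize(snapshot):
    """Order entries when several land at once: shortest time to fix first,
    then entries flagged for ransomware use, then the most recently added."""
    def key(v):
        ransomware_rank = 0 if v["knownRansomwareCampaignUse"] == "Known" else 1
        newest_first = -date.fromisoformat(v["dateAdded"]).toordinal()
        return (time_to_fix(v), ransomware_rank, newest_first, v["cveID"])
    return [v["cveID"] for v in sorted(snapshot["vulnerabilities"], key=key)]


def weekday_histogram(snapshot):
    """How many entries were added on each weekday (the talk's 'quiet Friday' tell)."""
    return Counter(day_added(v) for v in snapshot["vulnerabilities"])


if __name__ == "__main__":
    report = diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2)
    print("added:", report["added"])
    print("ransomware flag flipped:", report["ransomware_flipped"])
    index = by_cve(SNAPSHOT_DAY2)
    for cve in prioritize(SNAPSHOT_DAY2):
        v = index[cve]
        print(f"{cve}: added {day_added(v)}, {time_to_fix(v)} days to fix, "
              f"ransomware={v['knownRansomwareCampaignUse']}")
```

In practice you would replace the two constructed dicts with the JSON from two consecutive daily pulls of the feed and persist the report; because the talk notes the flag is a one-way street, any change in the other direction in the "changed" output would itself be worth a closer look.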