
CISA KEV is the Internet's weather radio alert system

[UPDATE June 28, 2024: Dragos OT threat groups such as Kostovite, Kamacite, and Bentovite have a demonstrated history of rapidly tooling and exploiting ‘known exploited vulnerabilities’ (KEV). KEVs on VPN and remote access devices are a target of choice for threat actors to gain initial access into industrial asset owner networks. Dragos sampled 30 publicly facing VPN devices from Renewable Energy asset owners in the Nordic Region and found that 54 percent of the enterprise VPNs in use are Cisco SSL VPNs and 27 percent are Citrix remote access solutions.]

[UPDATE May 2, 2024:] The Verizon DBIR is now available, containing these valuable insights about CISA KEVs:

“It is truly concerning. Even when considering only the US Cybersecurity Infrastructure and Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, it takes organizations around 55 days to remediate 50% of those critical vulnerabilities after their patches are available – a dangerous lag,” warned Verizon.

“On the flip side, the median time for detecting the first scan for a CISA KEV vulnerability is five days from publication in the Common Vulnerabilities and Exposures (CVE) database (not from the patch being available).”

I lived in Birmingham, Alabama from 1990 to 2001, and we quickly learned from our neighbors the importance of a weather radio to warn of tornadoes in the area. I love Birmingham in the spring with the flowering dogwoods in bloom; it really is a beautiful place to live, but it has frequent tornadoes, which are most violent during the spring. The time around Easter is particularly bad for violent tornadoes that have resulted in fatalities, destruction of property, loss of electricity and other disruptions to a comfortable life. People learn to live with the knowledge that a weather radio alarm is your friend, warning you of danger you should never ignore.

Likewise, the CISA Known Exploited Vulnerabilities (KEV) notification system is also your friend, warning you of dangers in the software ecosystem. CISA KEVs are "red flag" warnings of actual cyber-risk: software vulnerabilities that have been observed being exploited in cyber-attacks and inflicting harm in a cyber-incident. Ransomware and data theft are two of the most common and egregious cyber-incidents encountered "in the wild" that take advantage of CISA KEVs to carry out a cyber-attack. Hackers love CISA KEVs. Just like the weather radio warning of dangers in the area, the CISA KEV notification system and CISA published Security Advisories are warnings of danger that should not be ignored. The "blast radius" of a CISA KEV is significantly broader than that of a typical BEC or phishing attack, which usually affects one company when credentials are compromised. A coordinated cyber-attack using a CISA KEV can impact hundreds of companies and inflict far more damage across multiple companies, as it did with these 22 energy companies in Denmark.

A CISA published Security Advisory (SA) is analogous to a weather radio alert, warning of danger that should elicit action to avoid harm. SAs are issued to inform people using the Internet of known software vulnerabilities; SAs that are also identified as CISA KEVs are like "red flags" warning of a "tornado on the ground", observed causing harm. When a CISA KEV Security Advisory alert sounds, it is time to take action to prevent harm, IMMEDIATELY. (People interested in learning about VEX should review this article.) A VEX is like receiving a weather radio alert indicating there are NO tornadoes in the area.

Here is an example of a CISA KEV announcement. You can subscribe to these CISA KEV announcements here. CISA has also announced plans to improve vulnerability reporting and information sharing in 2024 with this blog posting from December 18, 2023. CISA also provides specific cybersecurity guidance to small and medium businesses.

CISA provides guidance for "what to do" when a CISA KEV alert sounds. "CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors."
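"Review and monitor the KEV catalog and prioritize remediation" is easy to say and easy to automate. Below is an added example (my illustration for this post, not code from CISA, Verizon, or the SAG-PM product) that cross-checks the CVEs a scan reports against a product with the CISA KEV catalog. The field names used (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) are those of CISA's public known_exploited_vulnerabilities.json feed; the two catalog entries, the CVE ids, and the product inventory are constructed placeholders so the script runs offline. Hits are ordered the way a "weather radio" should order them: ransomware-linked KEVs first, then earliest due date.

```python
"""Cross-check a product's CVE findings against the CISA KEV catalog.

Added example, not code from the original post, CISA or SAG-PM. The feed
layout mirrors CISA's known_exploited_vulnerabilities.json; every entry,
CVE id and finding below is CONSTRUCTED sample data, not real KEV content.
"""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. The CVE ids are
# obvious placeholders, not real vulnerabilities.
SAMPLE_KEV_FEED = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleLib", "product": "Parser",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: CVE ids an SBOM/vulnerability scan reported for a product.
# Mixed case on purpose; real tooling is not consistent about it.
PRODUCT_FINDINGS = ["CVE-0000-0002", "CVE-0000-0003", "cve-0000-0001"]


def load_kev_index(feed_text):
    """Parse a KEV feed document and index its entries by upper-cased CVE id."""
    catalog = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def kev_hits(findings, kev_index, as_of):
    """Return the findings present in KEV, most urgent first.

    as_of is an ISO date string (or date) used to compute days_overdue;
    a negative days_overdue means time remains before CISA's due date.
    Ordering: ransomware-linked first, then earliest due date, then CVE id.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    hits = []
    for cve in findings:
        entry = kev_index.get(cve.upper())
        if entry is None:
            continue  # not a KEV: still a finding, just not a red-flag one
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "due": due,
            "days_overdue": (as_of - due).days,
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["due"], h["cve"]))
    return hits


def fetch_live_feed(url="https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"):
    """Download the current catalog. Needs network access; the demo below stays offline."""
    from urllib.request import urlopen
    with urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    index = load_kev_index(SAMPLE_KEV_FEED)
    for hit in kev_hits(PRODUCT_FINDINGS, index, "2024-02-15"):
        if hit["days_overdue"] > 0:
            status = f'{hit["days_overdue"]} days PAST CISA due date'
        else:
            status = f'{-hit["days_overdue"]} days until CISA due date'
        flag = " [known ransomware use]" if hit["ransomware"] else ""
        print(f'{hit["cve"]}  {hit["product"]}  {status}{flag}')
```

To run it against the real catalog, replace SAMPLE_KEV_FEED with fetch_live_feed() and feed it the CVE list from your own scanner or SBOM tooling; the due date and ransomware fields are what turn a flat CVE list into a prioritized remediation queue.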

Now that the SEC Cybersecurity Regulations go live in December 2023, it is imperative that Officers and Directors show "good faith" processes, following NIST guidelines, in a Form 10-K disclosure to detect and manage these CISA KEV red flag warnings of impending danger. The US Government will soon require software producers to attest that their software development processes follow NIST Guidance, including scanning for vulnerabilities and KEVs before shipping a product, in order to sell software to the US Government. I also spoke of the importance of CISA KEVs in helping establish priorities when addressing cyber-risks during my talk at BSides CT on September 30, 2023 at Quinnipiac University.

The FDA, as of October 1, 2023, requires medical device manufacturers (MDMs) to address CISA KEVs (see page 31 of the FDA Guidance) as part of their medical device secure development practices before submitting an application to the FDA. My slide deck describing machine readable software vulnerability disclosure reporting options from an 11/21/2023 meeting with the FDA is available online.

CISA hosted a webinar on November 15 to discuss risk management planning for small and medium businesses, including incident response planning and software vulnerability disclosures (CISA KEV).

SAG-PM (TM) can detect the presence of a CISA KEV in a product within seconds, not days, shrinking the window of hacker exploitation of a CISA KEV to hours.

European Union Agency for Cybersecurity (ENISA)

69% of operators of essential services in the EU indicate that a majority of their incidents are caused by the exploitation of vulnerabilities in software or hardware products.

Watch out for those CISA KEVs; they can ruin your day.

Rooollll TIDE!
