Monitoring Changes in KEV List Can Guide Security Teams

August 7, 2024 at 06:05PM

The Known Exploited Vulnerabilities (KEV) catalog, containing over 1,140 known exploited vulnerabilities, may not effectively convey changes to the severity of issues. CISA’s lack of notification on updates potentially hinders security teams’ ability to prioritize remediation. Additionally, changes in ransomware status and shorter remediation deadlines indicate evolving policies and critical vulnerabilities. Source: GreyNoise Intelligence.

Key takeaways from the article:

– The Known Exploited Vulnerabilities (KEV) catalog, maintained by CISA, currently consists of more than 1,140 vulnerabilities known to have been exploited in the wild. However, there are concerns that security teams may be missing silent changes to the list that could indicate changes in the severity of issues.
– Specific changes to the data in the KEV catalog, such as uncommonly short times to remediate vulnerabilities and changes to the ransomware status, can provide valuable information for security teams, but these changes are not always explicitly called out by CISA.
– The KEV catalog does not rank the severity of issues, and vulnerabilities are often not added until well after the initial evidence of exploitation comes to light.
– The KEV catalog has undergone policy changes, with CISA providing additional signals as to the severity of a vulnerability since mid-2022.
– Five organizations – Microsoft, Apple, Cisco, Adobe, and Google – account for about half of all vulnerabilities on the list, showing cyberattackers’ preference for targeting major software platforms.
– CISA has set shorter remediation deadlines for specific vulnerabilities since late 2023, particularly for critical appliances connected to networks.
– CISA made changes to how it handles KEV-catalog announcements in late 2023, including forgoing the release of any list updates on Fridays in most cases. Organizations can use the policy changes inferred from the way CISA updates the KEV catalog to understand which issues the agency considers most critical.
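
One way to catch the silent changes described above is to keep each download of the KEV JSON feed and diff it against the previous one. The sketch below is an added example, not code from CISA or GreyNoise: the field names follow the KEV JSON schema, while the two snapshots, the placeholder CVE IDs and the 7-day "short deadline" threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: two snapshots of the feed's "vulnerabilities" array.
# CVE IDs are placeholders; a real run would load yesterday's and today's JSON.
OLD = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
     "knownRansomwareCampaignUse": "Unknown"},
]
NEW = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Known"},       # ransomware flag flipped
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-02-01", "dueDate": "2024-02-15",
     "knownRansomwareCampaignUse": "Unknown"},     # deadline moved earlier
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-03-04", "dueDate": "2024-03-07",
     "knownRansomwareCampaignUse": "Unknown"},     # new entry, 3-day deadline
]

WATCHED = ("dueDate", "knownRansomwareCampaignUse")
SHORT_WINDOW_DAYS = 7  # assumption: local threshold for an unusually short deadline


def window_days(entry):
    """Days between the entry's addition to KEV and its remediation due date."""
    added = date.fromisoformat(entry["dateAdded"])
    return (date.fromisoformat(entry["dueDate"]) - added).days


def diff_kev(old, new, short_days=SHORT_WINDOW_DAYS):
    """Return (cveID, what, before, after) tuples for changes between snapshots."""
    before = {e["cveID"]: e for e in old}
    findings = []
    for entry in new:
        cve, prev = entry["cveID"], before.get(entry["cveID"])
        if prev is None:
            findings.append((cve, "added", None, None))
        else:
            for field in WATCHED:
                if prev.get(field) != entry.get(field):
                    findings.append((cve, field, prev.get(field), entry.get(field)))
        # Report a short deadline only when it is news: new entry or moved date.
        is_news = prev is None or prev.get("dueDate") != entry.get("dueDate")
        if is_news and window_days(entry) <= short_days:
            findings.append((cve, "short_deadline", None, window_days(entry)))
    return findings


if __name__ == "__main__":
    for finding in diff_kev(OLD, NEW):
        print(finding)
```

Entries that silently gain a "Known" ransomware flag or a shortened deadline surface as their own findings, so they can be routed to the same queue as newly added CVEs.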