The thousand nations of the Persian Empire descend on you. Our arrows will blot out the sun.

If you have ever been responsible for vulnerability management in a large organisation, this image probably hits quite close to home. With dozens of scan results, bug bounties, penetration testing reports, and published exploits to deal with, the sheer volume of findings can sometimes appear insurmountable.

Then we will fight in the shade.

The Spartan’s were not concerned. While outnumbered, they knew that their training, equipment, and use of terrain were far superior to their enemy. The same can apply to vulnerability management; with the right strategies and tools in place it is possible to take on any number of potential issues.

Just as the Spartans used a small mountain pass to funnel their enemies towards them a few at a time, the first step to dealing with thousands of vulnerabilities should be implementing a vulnerability management system that can use effective strategies to focus them down into a more manageable number.

‍

Rating Methodologies

It goes without saying that critical-impact issues should be prioritised over high-impact, and medium-impact over low… but how do we actually make sure that the ratings are accurate to begin with?

Unfortunately there’s no magic bullet to this, especially when you’re talking about multiple business units, assets, or vulnerability types. As a result businesses often elect to develop their own unique methodologies. Some of the factors that I’ve seen businesses consider include:

• Exposure to risky control sphere (Internet, Intranet, VLAN, HSE, Local)
• Sophistication required to exploit (Nation state, org. crime, hacktivist, script kiddie)
• Impact of exploitation to organisation (P1, P2, P3)
• Value of target to attacker (Key objective, pivot point, no apparent benefit)
• Is the exploit regularly used by relevant bad actors

Whether you chose a standard like CVSS, develop an inhouse approach, or outsource to one of a number of available vulnerability prioritisation services, understanding and being confident that your rating methodology can accurately capture the risk to your business is very important. As is being able to efficiently apply your methodology to the vulnerabilities en masse.

At Cytix, we don’t like to tell you how you should rate your vulnerabilities, we like to adopt the solution that you’re most confident in, and the one that works for you.

‍

Compensating Controls

Whenever you’re looking to address a large number of vulnerabilities at once, your defence-in-depth and compensating controls are a good place to start.

We generally begin by asking “What controls are available and what vulnerabilities can they be applied to?”

Most of the controls that come to mind are likely to be technical ones, things like:

• Firewalls - Generally used to restrict access to vulnerable services
• WAFs - Which can make exploiting web vulnerabilities much harder
• EDR - To contain and eradicate a breach before it causes a high impact

Non-technical controls also have their place here. These often involve leveraging an opportunity to transfer the responsibility for dealing with a vulnerability to someone with more bandwidth. For example:

• Contractual obligations from a vendor
• Insuring against the loss associated with certain risks
• Training and education to recognise and limit the impact of a breach

By creating a register of available controls, we can begin to address vulnerabilities in a few ways…

Firstly we can ensure that the controls conform to best practices (e.g. only allowing necessary ports through the firewall). This can be much faster than going through each vulnerability one-by-one.

Secondly, we can separate vulnerabilities into groups. We can then go from group-to-group and see if any of the controls in the register can be used to mitigate them. As far as short-term solutions go, half of the OWASP-10 vulnerabilities can be managed through a WAF, for example.

Finally, we can refer back to the mitigating controls on a more granular per-vulnerability level. When exploring remediation, consider whether a compensating control might actually be the pragmatic short-term solution.

Tip: One option that often gets forgotten is simply turning something off. Asking the asset owner if they really need that piece of software, or the CTO if that feature is essential to the release, can avoid pumping the breaks on a major release because of one small element.

‍

Validate Out the Noise

It often seems that the further left you shift your security testing, the more false positives you end up with. SAST, for example, is over 100x more likely to inaccurately report an issue than a manual tester.

Having said that, noise isn’t just about false positives. It’s also about issues that lack context and actionable information, or include far too much jargon and boilerplate information. That means shifting right, with lazy bug bounty reports and duplicate scan results, creates plenty of noise too.

Validating vulnerabilities to reduce the noise does come at a cost though. It requires specialist skills and time, which is why you might be better off exploring things like our validation-as-a-service offering rather than trying to address that problem yourself.

It goes without saying that validating issues should only be done where the cost of validation is less than the cost of fixing the issue, but when used correctly it can be a valuable tool to save yourself from wasting a lot of time trying to fix something that wasn’t a real risk to begin with.

‍

Map The Attack Paths

Above all else, what made the Spartans so effective in the battle was their ability to figure out the routes the offending army might take, so they could select the best place to focus their strengths in defending.

Attack path mapping does exactly this. Instead of looking at vulnerabilities in isolation, it looks at how a bad actor might chain together vulnerabilities to achieve their objectives.

The way I look at it, there are three key benefits to doing effective attack path mapping.

The first is probably the most obvious… we can identify “bottleneck” vulnerabilities that can be remediated to make several other vulnerabilities impractical to exploit; If there are several local privilege elevation issues but only one authentication weakness, it would normally make sense to address the auth first.

The second is that we can often identify “low cost” wins. Where there is a very expensive to fix vulnerability, that might take months, in the same chain as a cheap and quick fix vulnerability it’s easy to see which one should be bumped up the queue.

Finally, it allows us to detect themes across the organisation. Where a framework, like MITRE ATT&CK is used, the volume of issues at a particular stage in an attack path can be a clear indicator of where a business needs to focus on maturing.

‍

Operational Capability

We’ve now got a list of vulnerabilities with accurate severity scores, none of which can be easily mitigated by compensating controls. They’re all fully validated, contextualised, and you know which are the most useful to an attacker… But there’s still a lot to do.

Now is the time to start looking at the operational capability to actually address the issues. As in, to consider the capability of the team to be able to treat the issues.

We start by asking “What can’t I fix”… because there’s little point dwelling on things that are out of your control. Don’t forget about them, because they will need some TLC at some point, but don’t waste energy fighting a battle you know you can’t win at the moment.

For what remains, we should apply quantified metrics to the costs of who, what, when, where, why, and how.

‍

Return On Investment

With an understanding of what vulnerabilities are a priority, how they will be fixed, and what it will cost, scoring the expected return on investment is penultimate step in the process.

It’s difficult to prescribe an exact method of arriving at this figure, because it depends so much on how we quantify the metrics in the previous steps… but we can always help support you in developing a method.

Once you’ve arrived at a metric and sorted the vulnerabilities into it, it’s time to look to the pareto principle; If 20% of your effort is going to produce 80% of the results, take the highest ROI issues and sort them into those that will take a fifth of the effort, and what remains.

Work through that first fifth first, and then apply the same principle over the remaining.

‍