How To Achieve Vulnerability Remediation

Vulnerabilities are a major risk for organizations, and a major attack vector for threat actors. There were over 29,000 vulnerabilities published in 2023, amounting to over 3,800 more Common Vulnerabilities and Exposures (CVE) identifiers issued last year than in 2022. But that doesn’t mean these most recent vulnerabilities are the only ones in a threat actor’s toolbox.

According to the Arctic Wolf Labs 2024 Threats Report, in nearly 60% of the incidents we investigated in which a threat actor exploited a vulnerability, that vulnerability was assigned a CVE before 2023. In other words, these incidents could have been avoided altogether had the vulnerabilities been remediated in a timely manner.

With so many vulnerabilities in play, there’s plenty of potential reward for threat actors. It’s troubling, then, that organizations seem reluctant to make proper patch management and vulnerability remediation a priority. Only 18% of organizations surveyed by Arctic Wolf in 2023 plan to implement or improve their patch management system within the next year, even though recent research from the Ponemon Institute on vulnerability response states that 60% of breaches could have been prevented with a proper patch.

As it stands now, vulnerabilities remain a grave danger that many organizations can’t control. But it doesn’t have to be that way. Vulnerability management, particularly vulnerability remediation, can drastically reduce risk and harden the attack surface.

What is Vulnerability Remediation?

Vulnerability remediation is the act of removing a vulnerability through patching or another process, thereby hardening your environment. It is part of the vulnerability management lifecycle, an ongoing process of identifying, assessing, and remediating vulnerabilities within your network or systems.

The four stages of the vulnerability management lifecycle are:

1. Discover: Identify assets in your environment and define your attack surface across network, perimeter, host, and accounts.

2. Assess: Contextualize your attack surface coverage with risk policies, asset criticalities, and SLOs (service level objectives) to assess the risk priorities in your environment.

3. Harden: Take remediation and/or mitigation actions, ensuring you are benchmarking against configuration best practices and continually hardening your security posture.

4. Validate: Confirm that the vulnerability has been mitigated or remediated in your environment.

Vulnerability management may be a linear process for a single vulnerability, but within the context of your proactive cybersecurity framework, it is a cycle where multiple stages can be happening simultaneously.

The 4 stages of the vulnerability management lifecycle: Discover, Assess, Harden, Validate.

What is the Difference Between Vulnerability Remediation and Vulnerability Mitigation?

Both are key components of hardening your security posture, the third stage of the vulnerability management lifecycle, but they are not the same thing.

Mitigation = Developing a strategy to minimize a threat’s impact if remediation is not possible.

Remediation = The eradication of a vulnerability.

Most organizations’ vulnerability management strategy will involve both remediation and mitigation, as it is nearly impossible to remediate every possible vulnerability.

The Importance of Vulnerability Remediation for System Security

Vulnerability exploits have long been a popular attack vector for cybercriminals, and they’ve only gained in popularity since 2017, when the rate of vulnerabilities began to explode. These year-over-year increases can create massive risk for organizations, as every vulnerability is a potential unlocked backdoor into their environment for a threat actor to walk through.

As severity increases, so does organizational risk, and this sharp rise is a trend that organizations need to pay attention to as they build and run their own vulnerability management programs. It’s clear by now that if tools alone were enough to solve the problem, they would have solved it already. Unfortunately, most organizations aren’t properly staffed or trained to make use of the tools they already have, which means vulnerabilities can end up being ignored.

By focusing on remediation, organizations can greatly reduce their cyber risk and prevent threat actors from utilizing vulnerability exploits as an attack vector. However, it’s easier to see vulnerabilities than it is to remediate them.

Vulnerabilities continue to increase in both frequency and severity

Challenges of Vulnerability Remediation

There are four main questions an organization needs to ask itself as it sets out to conduct vulnerability remediation:

  • Which vulnerabilities should I remediate first?
  • How can I efficiently remediate those vulnerabilities?
  • How do I prioritize vulnerabilities based on my resources and business risk tolerance?
  • How do I set realistic deadlines for my vulnerability remediation plan?

Of course, those questions are easier to ask than answer, and for many organizations that lack resources, time, or budget, vulnerability remediation can seem like an endless mountain to climb.

It is difficult to determine which vulnerability to remediate first if you don’t have a clear understanding of your overall attack surface, and efficient remediation is all but impossible without contextualization of your entire environment. Unfortunately, that contextualization — including your risk policies, asset context, and SLOs (service level objectives) — is not easy to achieve when you have limited resources and an overwhelmed IT team, and that is before counting the time and resources needed to conduct security scans and do the actual remediating.
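As an added illustration of the Assess stage the article describes (this is example code, not Arctic Wolf’s tooling or method), the following Python sketch contextualizes raw scanner severity with the vulnerability class, the asset’s criticality, whether it sits on the perimeter, and whether threat intelligence reports active exploitation, then assigns a remediation deadline from an SLO policy. The weights, SLO values, asset names and findings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Hypothetical risk policy (constructed, not Arctic Wolf's): SLO in days per risk tier.
SLO_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Constructed weights for the five vulnerability classes the article lists.
CLASS_WEIGHT = {"rce": 1.0, "hardcoded_credentials": 0.9, "privilege_escalation": 0.8,
                "directory_traversal": 0.7, "denial_of_service": 0.5}
ASSET_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}  # asset criticality policy
@dataclass
class Finding:
    asset: str
    vuln_class: str
    cvss: float             # scanner base score, 0-10
    asset_criticality: str  # from the asset inventory built in the Discover stage
    internet_exposed: bool  # perimeter asset vs. internal host
    known_exploited: bool   # threat intelligence: exploitation observed in the wild
    found_on: date

def risk_score(f: Finding) -> float:
    """Contextualize scanner severity with class, asset criticality, exposure and intel."""
    score = f.cvss * CLASS_WEIGHT[f.vuln_class] * ASSET_WEIGHT[f.asset_criticality]
    score *= 1.25 if f.internet_exposed else 1.0  # reachable from the perimeter
    score *= 1.5 if f.known_exploited else 1.0    # intel says it is being exploited
    return round(min(score, 10.0), 2)

def risk_tier(score: float) -> str:
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low"

def remediation_plan(findings, today: date):
    """Order findings by contextual risk; attach the SLO deadline and an overdue flag."""
    plan = []
    for f in sorted(findings, key=risk_score, reverse=True):
        score = risk_score(f)
        due = f.found_on + timedelta(days=SLO_DAYS[risk_tier(score)])
        plan.append({"asset": f.asset, "class": f.vuln_class, "score": score,
                     "tier": risk_tier(score), "due": due, "overdue": today > due})
    return plan

def sample_findings():
    """Constructed findings; asset names and CVSS values are illustrative only."""
    return [
        Finding("vpn-gateway", "rce", 9.8, "high", True, True, date(2024, 1, 10)),
        Finding("hr-db", "hardcoded_credentials", 7.5, "high", False, False, date(2024, 2, 20)),
        Finding("test-web", "denial_of_service", 7.0, "low", True, False, date(2024, 2, 1)),
        Finding("file-server", "privilege_escalation", 8.8, "medium", False, True, date(2023, 11, 15)),
    ]
def sample_plan(today_iso: str = "2024-03-01"):
    return remediation_plan(sample_findings(), date.fromisoformat(today_iso))
```

Note that the internal file server with an actively exploited privilege escalation outranks the high-criticality database with a hardcoded credential, and both it and the VPN gateway are already past their SLO deadline on the sample date, which is the kind of signal the Validate stage should surface.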

That is why remediation should be just one part of a full vulnerability management program, one that prioritizes continuous vulnerability assessment and remediation, with the program’s other components complementing and assisting overall remediation and mitigation.

Threat Intelligence’s Role in Vulnerability Management and Remediation

Because every organization has different security and business needs that can change, the goal with vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that reduces risk over time. That’s where a third-party solution provider that offers threat intelligence expertise founded on a risk-based approach can be a major benefit.

Threat intelligence is crucial for effective vulnerability management. Solutions that employ vulnerability management — the ongoing process of identifying, assessing, and remediating vulnerabilities — use threat intelligence to inform that process. Think of threat intelligence as the data and vulnerability management as the actions that depend on that data. The first part of vulnerability management, identifying and assessing, relies heavily on threat intelligence. You can’t patch if you don’t know the vulnerability exists.

One way to conduct vulnerability management and remediation backed by threat intelligence and founded on a risk-based approach is to look for the five riskiest kinds of vulnerabilities that can appear. They are:

1. Remote Code Execution
2. Hardcoded Credentials
3. Denial of Service
4. Directory Traversal
5. Privilege Escalation

All five of these vulnerabilities can be leveraged together at different stages of an incident to further the attack and lead to a full-fledged breach.

At each of the four vulnerability management lifecycle stages listed above, your organization is making security decisions and deciding on actions, and often that means deciding on how much risk to accept. The reality is you can’t patch every vulnerability that appears. A threat intelligence solution provider can help you put a regular patching process in place and proactively work with you on vulnerability management that focuses on remediating the vulnerabilities that can make a major difference in your cybersecurity architecture, reducing the risk of a breach.

How a Third-Party Solution Provider Can Help

Because vulnerability remediation is best managed by incorporating it into a successful and efficient vulnerability management program, it’s important to consider whether your organization has the budget, staffing, and time available to manage such a program. For most organizations already stretched thin trying to monitor an ever-expanding attack surface, that’s an unlikely scenario. Too many of these organizations choose to let the problem lie. Instead, proactive, security-mature organizations should look to partner with a third party that can provide a fully managed, robust vulnerability management solution. When considering a third-party provider, look for those that offer these key components:

1. Total attack surface coverage: Providers should be able to identify all assets in your environment and define your entire attack surface to understand the entirety of where your risk lies.

2. Contextualization of your attack surface: Providers should have the experience and expertise to understand your risk policies, asset criticalities, and SLOs (service level objectives) to prepare your environment against cyber risk and be able to judge which vulnerabilities present the most risk to your organization and industry.

3. Prioritization of risk: Providers should work with you to assess the risk priorities in your environment according to information they gather from their contextualization of your environment and asset identification, as well as the input you offer, and then provide prioritization recommendations on which vulnerabilities need to be remediated first.

4. Hardening of your environment: They should partner with you to continuously evaluate and track internal security metrics as you work together through the vulnerability remediation process.

Explore the most impactful vulnerabilities of 2023 with our Most Exploited Vulnerabilities on-demand webinar.

Discover more about the threat that vulnerabilities posed to organizations in 2023 and what you can do to protect your organization in the Arctic Wolf Labs 2024 Threats Report.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.