
Prioritizing the 1%: How to Focus on the Vulnerabilities That Actually Get Exploited


In today’s rapidly evolving cyber landscape, effective vulnerability management remains a daunting challenge for organizations. At the forefront of addressing this issue is the concept of prioritizing the 1% of exploits that pose the most significant risks. In this video, Mike Summers from ThreatConnect delved into this topic, offering critical insights into better managing vulnerabilities in an age of constant cyber threats.


Understanding the Scale of the Vulnerability Problem:

The deluge of vulnerabilities disclosed daily presents an overwhelming task for cybersecurity teams. In 2024 alone, over 29,000 CVEs were published, and by mid-2025 that number had risen to over 35,000. Despite this, the statistics reveal a silver lining: only about 1.5% to 6% of these vulnerabilities are actively exploited. By narrowing their focus to these, security teams can enhance both efficiency and impact.

Why CVSS Can’t Be Solely Relied Upon:

The Common Vulnerability Scoring System (CVSS) has long been used by organizations to rank vulnerabilities in terms of severity. However, Mike points out several limitations. CVSS is static; it does not evolve along with the threat landscape. This can lead to over-prioritizing vulnerabilities with high scores that are not exploited, thereby wasting valuable resources. CVSS 4.0 brings improvements, like metrics for attack requirements and threat maturity, but real-time adaptability remains a challenge.

Enhancing Prioritization with Better Data Sources:

In addition to CVSS, Mike advocates incorporating diverse data inputs to achieve a more nuanced understanding of risk. Tools like EPSS, which uses machine learning to predict the likelihood of exploitation, offer dynamic insight. Threat intelligence feeds and platforms like Shodan or Censys provide crucial exposure context, while GitHub, Exploit DB, and community sources highlight available proof-of-concept or exploit code.

A Practical Prioritization Model:

To adequately prioritize threats, Mike suggests a comprehensive model that integrates intelligence from various sources. This should include:

  • CVE and Exploit Inclusion: Rapid identification through platforms like CISA KEV and VulnCheck.
  • Community and Exploit Awareness: Tracking mentions in public forums, blogs, and platforms to gauge awareness levels.
  • Threat Actor Activity: Understanding if known ransomware groups are exploiting these vulnerabilities.
  • Asset Context: Continuously evaluating exposure from internal and external perspectives.
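The model above combines exploitation evidence (KEV listing, EPSS, public exploit code, community awareness, ransomware actor use) with asset context (exposure and criticality), with CVSS acting only as a tie-breaker. The following is an added illustration written for this summary, not code from ThreatConnect or from the talk; the weights, tier thresholds, field names and the four CVE records are constructed assumptions chosen so that the ordering shows the point made earlier: a CVSS 9.8 finding with no exploitation evidence on an internal host lands at the bottom, while a lower-scored but KEV-listed, ransomware-used, internet-exposed vulnerability lands at the top.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class VulnRecord:
    """One finding enriched with the intelligence sources the model calls for."""
    cve_id: str
    cvss: float                      # static base score, 0-10
    epss: float                      # predicted 30-day exploitation probability, 0-1
    in_kev: bool = False             # listed in a known-exploited catalogue (e.g. CISA KEV)
    public_poc: bool = False         # proof-of-concept or exploit code publicly available
    community_mentions: int = 0      # forum/blog/social mentions seen by threat intel
    ransomware_use: bool = False     # a known ransomware group is exploiting it
    internet_exposed: bool = False   # asset reachable externally (Shodan/Censys-style context)
    asset_criticality: int = 1       # 1 (low) .. 3 (crown jewel), from the asset inventory


def priority_score(v: VulnRecord) -> float:
    """Rank value driven by exploitation evidence and exposure, not CVSS alone.

    All weights below are assumptions made for this illustration.
    """
    score = 0.0
    # Exploitation evidence: confirmed exploitation dominates predictions.
    if v.in_kev:
        score += 40
    if v.ransomware_use:
        score += 25
    score += 20 * v.epss                              # 0-20 points from predicted likelihood
    if v.public_poc:
        score += 10
    score += min(v.community_mentions, 50) / 10       # capped awareness signal, 0-5 points
    # Asset context: an unexposed, low-value host scales the evidence down sharply.
    exposure = 1.0 if v.internet_exposed else 0.4
    score *= exposure * (0.5 + 0.25 * v.asset_criticality)   # x0.75 .. x1.25 for crit 1..3
    # CVSS is a tie-breaker worth at most 5 points.
    score += v.cvss / 2
    return round(score, 2)


def tier(v: VulnRecord) -> str:
    """Map a record to a remediation tier; confirmed exploitation on exposed assets is P1."""
    exploited = v.in_kev or v.ransomware_use
    if exploited and v.internet_exposed:
        return "P1-patch-now"
    s = priority_score(v)
    if exploited or s >= 30:
        return "P2-this-week"
    if s >= 8:
        return "P3-next-cycle"
    return "P4-backlog"


def rank(vulns: List[VulnRecord]) -> List[VulnRecord]:
    """Order findings by tier, then by descending score within the tier."""
    return sorted(vulns, key=lambda v: (tier(v), -priority_score(v)))


# Constructed sample records: placeholder CVE ids and values, not real vulnerability data.
SAMPLE_VULNS = [
    VulnRecord("CVE-0000-0001", cvss=9.8, epss=0.02),                        # high CVSS, no evidence, internal
    VulnRecord("CVE-0000-0002", cvss=7.5, epss=0.85, in_kev=True, public_poc=True,
               ransomware_use=True, internet_exposed=True, asset_criticality=3),
    VulnRecord("CVE-0000-0003", cvss=6.5, epss=0.30, in_kev=True,
               internet_exposed=True, asset_criticality=2),                   # old but still exploited
    VulnRecord("CVE-0000-0004", cvss=8.1, epss=0.10, public_poc=True,
               community_mentions=120),                                        # chatter, but internal only
]


if __name__ == "__main__":
    for v in rank(SAMPLE_VULNS):
        print(f"{tier(v):14} {priority_score(v):7.2f}  {v.cve_id}  cvss={v.cvss}")
```

The hard rule in `tier` (KEV or ransomware use plus external exposure means P1 regardless of score) is the part worth keeping whatever weights you settle on: it is the encoded form of "known exploited and reachable beats everything else", and it keeps a low-CVSS zombie CVE from sinking just because its base score is modest.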

Case Studies: Real-World Applications and Lessons Learned:

Several real-world cases highlight the importance of timely and accurate vulnerability management:

– Citrix Bleed: Despite early identification, slow patching and underestimated exploitation allowed significant breaches.
– MOVEit SQL Injection: Exploitation occurred before advisories were released, emphasizing the need to fuse threat intelligence with vulnerability scanning.
– Fortinet SSL VPN Vulnerability: A “zombie CVE” demonstrates the lasting threat of unpatched legacy systems.

Recommendations for Moving Forward:

To effectively manage vulnerabilities, Mike encourages starting with available resources, gradually building a robust intelligence framework. Prioritize exposure assessment, integrate threat actor intelligence, and, crucially, embrace automation to reduce manual workloads and enhance focus on analysis rather than merely gathering data.

Prioritizing the most dangerous 1% of vulnerabilities isn’t just about reducing workloads; it’s about safeguarding critical assets from potential exploitation. Cybersecurity teams must employ a multifaceted approach that encompasses timely intelligence, strategic prioritization, and efficient operational practices. As Mike Summers underscores, the key is to start with what you have and build from there, ensuring that every step taken is towards enhancing the organization’s overall security posture.