The Known Exploited Vulnerabilities (KEV) Catalog, managed by the Cybersecurity and Infrastructure Security Agency (CISA), is a valuable resource for identifying vulnerabilities actively exploited in the wild. While it serves as a critical tool for security teams, a new paper titled ‘KEVology’ by Tod Beardsley aims to enhance understanding and utilization of this catalog.
Understanding the KEV Catalog
Introduced with the Binding Operational Directive (BOD) 22-01 in November 2021, the KEV Catalog provides a prioritized list of over 1,500 vulnerabilities. Despite its utility, the catalog has limitations in terms of range and detail. Its primary goal is to notify Federal Civilian Executive Branch (FCEB) agencies about urgent and fixable vulnerabilities, not to serve as a comprehensive solution for all businesses.
Beardsley, former chief of CISA’s KEV section, highlights how the catalog’s strict inclusion criteria can leave out many vulnerabilities. Each entry must have a Common Vulnerabilities and Exposures (CVE) number, be actively exploited, have an available patch, and be relevant to U.S. federal interests. These criteria inherently narrow the scope of the catalog.
Addressing Catalog Limitations
Beardsley’s paper, ‘KEVology’, provides insights into navigating these limitations. He emphasizes that a vulnerability’s absence from the KEV does not imply safety. Many vulnerabilities in legacy systems remain exploited but unlisted due to the catalog’s criteria. The paper advocates for a broader approach to vulnerability management beyond KEV reliance.
To aid security teams, the paper evaluates various enrichment signals like the Common Vulnerability Scoring System (CVSS), Exploit Prediction Scoring System (EPSS), and MITRE ATT&CK mappings. By combining these diverse metrics, organizations can better assess the urgency and prioritization of vulnerabilities.
Introducing the KEV Collider Tool
Alongside the paper, Beardsley has launched the KEV Collider web application through runZero. This tool allows security teams to interactively filter KEV vulnerabilities based on specific criteria, such as CVSS scores or the presence of exploit modules. This interactive approach helps align KEV entries with organizational security priorities, enhancing decision-making in vulnerability management.
The KEV Collider tool streamlines the process of understanding and prioritizing vulnerabilities, freeing up security resources to address issues outside the KEV Catalog. This approach encourages a more comprehensive defense strategy, focusing on vulnerabilities that may not be immediately apparent but pose significant risks.
As the KEV Catalog continues to evolve, tools like KEVology and the KEV Collider provide essential frameworks for optimizing its use. By understanding the catalog’s limitations and leveraging additional resources, security teams can enhance their defensive strategies and better protect their organizations from cyber threats.
