The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new vulnerability enrichment program that aims to fill the gap that opened earlier this year when the National Institute of Standards and Technology (NIST) suddenly scaled down its involvement with the National Vulnerability Database (NVD).
Under the new "vulnrichment" program (on GitHub), CISA analysts will add Common Vulnerability Scoring System (CVSS) scores and other information. The CISA wrote about the new program on LinkedIn, noting:
"We understand that timely and accurate information about Common Vulnerabilities and Exposures (CVEs) is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability.
"Today, we want to inform organizations of an enrichment effort we are calling "Vulnrichment," which focuses on adding Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs. We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched. We ask all CVE Numbering Authorities (CNAs) to provide complete CVEs when making initial submission to CVE.org."
Here's what your team needs to know about the CISA's vulnerability initiative — and what it means for the usefulness of the NVD for vulnerability management.
[ Special report: The State of Software Supply Chain Security (SSCS) 2024 ]
CISA takes over the reins from NIST
Enrichment information such as CPEs, CWEs, and CVSS scores is critical for vulnerability management because it provides a standardized way to identify, categorize, and assess security vulnerabilities. CWE data, for instance, provides a common taxonomy for describing the root cause for a security vulnerability. The CVSS score describes the severity of a vulnerability, and CPEs identify the systems and platforms that a vulnerability might impact.
Automated tools for application security testing (AST) use CVSS, CWE, and CPE information to identify, categorize, and prioritize vulnerabilities and to assess their potential impact in a particular environment. Patch management systems use CVE identifiers and CPE information to apply patches to appropriate systems. CISA's KEV, meanwhile, is a catalog that aims to raise awareness of vulnerabilities that threat actors are actively exploiting. This allows organizations to prioritize the mitigation of these vulnerabilities to reduce their exposure to potential cyberattacks.
NIST provided this CVE enrichment data via the NVD for more than 15 years. But in early February, the agency said it was scaling down its involvement with the effort, citing a lack of resources and staff. The sudden decision caused an almost immediate pileup of CVEs in the NVD without any of the contextual data required for proper vulnerability management and risk mitigation. In April, for instance, NIST analysts provided enrichment data for just 223 of the 3,704 CVEs published to the NVD.
Sarah Jones, cyberthreat intelligence research analyst at Critical Start, said the CISA's decision to take over from NIST should come as a relief for organizations.
"'Vulnrichment' focuses on enriching CVEs with essential metadata. [It] enhances the prioritization of vulnerability remediation efforts, facilitates a deeper understanding of vulnerability trends, and incentivizes vendors to address broader vulnerability classes."
—Sarah Jones
Vulnerability categorization gets stakeholder-specific
The CISA will adopt a stakeholder-specific vulnerability categorization (SSVC) approach to CVE enrichment. SSVC is a decision-tree model that the CISA uses to prioritize vulnerabilities based on factors such as their exploitation status, technical impact, prevalence, and automatability. The CISA will use the model to determine whether a stakeholder should "track" a vulnerability because it does not pose an immediate threat, "track*" a CVE that might require closer monitoring, "attend" to a vulnerability by, for example, notifying internal stakeholders about it, or "act" to mitigate a vulnerability as soon as possible.
Based on its initial SSVC analysis, the CISA will determine if there's enough information about a CVE to add a CVSS score, CPE string, and CWE identifier. In situations where a CVE Numbering Authority (CNA) — an organization that has been authorized under the CVE program to assign CVE identifiers — already has added CWE, CPE, and other enrichment data, the CISA will not overwrite that data with its own.
Since launching the vulnrichment program, the CISA has already enriched more than 1,300 CVEs and is working on doing the same with all submitted CVEs submitted to CVE.org.
Ken Dunham, cyberthreat director at Qualys, said the new CISA program helps to provide security teams with the timely context and metadata required to prioritize vulnerabilities and make sound risk-based decisions. By working with CNAs, software vendors, and other stakeholders, the CISA is helping foster a more efficient and effective vulnerability management ecosystem, he said.
"It's easy to suffer from alert angina in a world with thousands of vulnerabilities, metadata points, scoring systems, and various forms of risk."
—Ken Dunham
CISA builds on its efforts toward cybersecurity resilience
The new vulnrichment program marks a continued expansion of the CISA's efforts to promote cybersecurity resilience across U.S. government and private-sector entities. Earlier this year, the agency announced a service called Malware Nex-Gen, which allows any U.S. organization to submit suspicious files and potential malware samples to the CISA for analysis. The CISA will use dynamic and static tools to analyze submitted files and determine if the files are malicious or potentially harmful.
The CISA launched Malware Nex-Gen last November for government and military organizations. The service already has over 400 registered .gov and .mil users, has analyzed more than 1,600 file submissions, and has identified some 200 of them as being potentially malicious or suspicious. In April, the CISA opened up Malware Nex-Gen to all organizations, security researchers, and individuals. Anyone U.S. person or entity can now submit a file or malware sample to the CISA for analysis. But only registered users will get the results of the analysis.
A critical time for vulnerability management — and application security
The CISA's expanded efforts around CVE enrichment and malware analysis come at a crucial time. Reports by Mandiant and other security vendors have shown a steady increase in exploit activity targeting software vulnerabilities in recent years.
Some 38% of intrusions that Mandiant analyzed in 2023 involved a CVE exploit. A study by VulnCheck found CVE disclosures growing at an average rate of over 14% per year between 2014 and 2023. Over this period, the number of unique CVEs with known exploits increased nearly 12% per year, while the number of CVEs with known exploitation surged by 19.7% annually. VulnCheck said in its report:
"As we analyze CVE data, a clear pattern emerges: a surge in vulnerability disclosure, publicly available exploits, and known exploitation. This exponential growth underscores the pressing urgency of vulnerability management."
Jeremy Long, a principal engineer at ServiceNow and founder and project lead of the OWASP Dependency Check Program, said at Black Hat last year that if organizations want to properly defend against today's software supply chain attacks, they will have to move beyond tooling and measures that detect and mitigate malicious threats.
He recommended modern tooling that uses binary validation, which can detect threats such as malicious build-time dependencies. This type of protocol can provide a comparison of build versions, showcasing anomalies that traditional testing misses and that further analysis may deem malicious, Long said.
While the NVD is still useful, it's not equal to the challenge of managing the risk from the rise of software supply chain attacks. Rather than focusing on remediation of vulnerabilities to manage modern risk, teams need to shift their focus to active malware — and modern attack techniques such as software tampering.
