CVE backlog update: The NVD struggles as attackers change tactics


In February, the number of vulnerabilities processed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) started to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck.

Three months later, the problem persists. While NIST has a plan to get back on track, the current state of common vulnerabilities and exposures (CVEs) isn’t keeping pace with new vulnerability detections. Here’s a look at what’s behind the backlog, why CVEs may no longer be the Holy Grail of IT defense and how security teams can stay ahead of attacker efforts.

What’s behind the backlog?

Budget cuts are partially responsible for CVE analysis issues. As noted by Security Magazine, NIST funding was cut by 12% this year, making it more difficult for the agency to identify and analyze CVEs.

The sheer number of reported vulnerabilities also poses a problem for analysis efforts; Flashpoint research found that NIST reported 33,137 vulnerabilities in 2023. In part, rising numbers are tied to improved detection capabilities. As companies expand security efforts with cloud-based technologies and AI-enabled tools, they’re better able to pinpoint potential threats. As a result, bigger numbers aren’t always indicative of increased risk, but they do speak to a growing number of potential attack paths.

NIST does have a plan to clear the backlog. According to USASpending.gov, the government has awarded an $860,000 contract to Analygence for cybersecurity analysis and email support. Analysis efforts were slated to start June 3, and NIST hopes to be back on track by September 2024. While the contract is slated to end as of December 2024, the agency has an option to extend services into July 2025.

The changing face of cyber threats

Concerns around the NVD backlog are understandable. The longer it takes NIST to analyze CVEs and suggest effective countermeasures, the greater the risk for enterprises.

As noted by Cybersecurity Dive, however, the cybersecurity landscape is changing. During the virtual Gartner Security and Risk Management summit, principal analyst Mitchell Schneider noted that while the total number of vulnerabilities continues to increase, critical CVEs aren’t outpacing their high, medium and low counterparts.

What’s more, attackers aren’t using CVE severity as the criterion for compromise. “There’s no inherent correlation between the vulnerability and if threat actors are exploiting them in terms of those severity ratings,” says Schneider. Instead, attackers are prioritizing the most exploitable vulnerabilities, which are often those ranked as medium or low severity.

In practice, this creates a forest-for-the-trees scenario: If companies are too focused on critical CVEs, they can miss middle-of-the-road exploits that allow attackers to gain network access and then move laterally into more critical systems.

The result? While the common vulnerability database remains a critical part of effective security, it’s not a silver bullet. Cyber threat tactics are changing, and security teams must be prepared to change in response.

How security teams can stay ahead of attackers

So what does this change look like in action?

Four considerations can help companies build better defenses in a post-CVE world.

1) Prioritize visibility

With attack methods and patterns diversifying, businesses need to prioritize IT visibility. Consider a company using on-premises storage for critical data, public clouds for testing and development, and private clouds for easily scalable application resources.

In the new threat landscape, attacks can come from any source at any time. If undetected, attackers can bide their time gathering data and pinpointing ideal attack pathways. As a result, complete visibility is critical. The more companies know about what’s happening across their environments, the better prepared they are to detect, identify and mitigate attacks.

2) Focus on exploitability

As Gartner makes clear, exploitability is now the top priority for attackers. While more severe vulnerabilities may be more valuable targets in the short-term, exploitable medium- or low-severity weaknesses can set attackers up for ongoing success.

For example, suppose malicious actors can exploit a medium-severity vulnerability at the edge of business networks. In that case, they may be able to create and maintain backdoors that provide permanent access to enterprise systems. From there, they can carry out reconnaissance and bide their time until security teams are focused on other vulnerabilities.

By targeting the most exploitable rather than the most severe vulnerabilities, security teams can reduce the chance of successful attacks.

3) Share the burden

Security is no longer the exclusive burden of IT teams. Operations, finance, marketing, sales and customer service teams all have a role to play in keeping companies safe. While the ultimate responsibility for security still lies with technology professionals, sharing the burden across teams can both improve detection rates and reduce the time between identification and action.

4) Leverage available resources

With CVEs backlogged, it’s important for security teams to find and leverage alternative resources. Potential security sources include:

  • CISA Vulnrichment: CISA has taken on some of NIST’s CVE burden with its “Vulnrichment” program. A list of known vulnerabilities can be found on GitHub, and companies can contact CISA at VULNRICHMENT@CISA.DHS.GOV with any questions.
  • The CVE Program: The CVE Program (formerly the Mitre CVE repository) identifies, defines and catalogs publicly disclosed cybersecurity vulnerabilities. There are currently more than 240,000 CVE records that security teams can download or search.
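As an added example (not code from the article, NIST or CISA) tying together points 2 and 4 above, the Python below ranks a constructed backlog by exploitation evidence rather than CVSS severity, and flags records that are still unenriched. It assumes records in the CVE JSON 5.1 shape that CISA Vulnrichment populates with SSVC decision points under a "CISA-ADP" container; that layout and the placeholder CVE IDs are assumptions, not values from the page.

```python
EXPLOITATION_RANK = {"active": 0, "poc": 1, "none": 2, "unknown": 3}

def make_record(cve_id, score, exploitation=None, automatable=None):
    """Constructed CVE 5.1-style record; exploitation=None models a CVE not yet enriched by CISA-ADP."""
    adp = []
    if exploitation is not None:
        adp.append({"providerMetadata": {"shortName": "CISA-ADP"},
                    "metrics": [{"other": {"type": "ssvc", "content": {"options": [
                        {"Exploitation": exploitation}, {"Automatable": automatable}]}}}]})
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": score}}]}, "adp": adp}}

# Constructed sample backlog with placeholder IDs (not real CVEs).
SAMPLE_RECORDS = [
    make_record("CVE-0000-0001", 9.8, "none", "no"),     # critical, no known exploitation
    make_record("CVE-0000-0002", 5.3, "active", "yes"),  # medium, actively exploited
    make_record("CVE-0000-0003", 7.5, "poc", "no"),      # high, public proof of concept only
    make_record("CVE-0000-0004", 4.3),                   # medium, still awaiting enrichment
]

def ssvc_options(record):
    """SSVC decision points from the CISA-ADP container, or {} when the record is unenriched."""
    for adp in record["containers"].get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != "CISA-ADP":
            continue
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                return {k: v for opt in other.get("content", {}).get("options", []) for k, v in opt.items()}
    return {}

def cvss_score(record):
    """CNA-supplied CVSS v3.1 base score, or 0.0 when none is present."""
    metrics = record["containers"]["cna"].get("metrics", [])
    return next((m["cvssV3_1"]["baseScore"] for m in metrics if "cvssV3_1" in m), 0.0)

def priority_key(record):
    """Exploitation evidence first, automatability second, CVSS only as a tie-breaker."""
    opts = ssvc_options(record)
    exploitation = opts.get("Exploitation", "unknown").lower()
    automatable = 0 if opts.get("Automatable", "no").lower() == "yes" else 1
    return (EXPLOITATION_RANK.get(exploitation, 3), automatable, -cvss_score(record))

def prioritize(records):
    """Patch order driven by exploitability, as the article recommends."""
    return [r["cveMetadata"]["cveId"] for r in sorted(records, key=priority_key)]

def awaiting_enrichment(records):
    """Records with no SSVC data yet: the backlog that still needs manual triage."""
    return [r["cveMetadata"]["cveId"] for r in records if not ssvc_options(r)]
```

Sorting the same sample by cvss_score alone would put the unexploited critical CVE first; prioritize() instead puts the actively exploited medium-severity one at the top.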

What’s next for NIST?

NIST hopes to eliminate the CVE backlog by September 2024, but there’s no guarantee that its efforts will succeed. As noted by The Record, Senators Mark Warner (D-VA) and Thom Tillis (R-NC) have proposed legislation that would restore funding to NIST and increase its focus on new risks, such as AI-enabled threats, but the bill is in its infancy.

In other words, while the agency and federal lawmakers recognize the critical impact of CVE analysis and enrichment, enterprises can’t rely on the NVD to deliver up-to-date vulnerability data.

Instead, businesses are better served changing their approach to align with evolving attacker efforts. By implementing tools that help improve visibility and identify exploitability, companies can prioritize high-risk threats. By sharing the security burden across departments and expanding their use of available security resources, meanwhile, enterprises can more effectively respond to shifting attack priorities.

The post CVE backlog update: The NVD struggles as attackers change tactics appeared first on Security Intelligence.