Romolo Tavani - stock.adobe.com
CVE volumes set to increase 25% this year
The number of reported Common Vulnerabilities and Exposures is likely to grow significantly in 2024, hitting a new high of almost 35,000, according to Coalition, a cyber insurance specialist
The total number of Common Vulnerabilities and Exposures (CVEs) reported in IT hardware and software products and services looks set to continue to grow in 2024, according to figures published by active cyber insurance specialist Coalition, which predicts CVE volume will increase by 25% to 34,888 vulnerabilities – approximately 2,900 every month.
CVEs are the unique identifiers attached to newly disclosed security flaws, including zero-days. They follow the same format – CVE-2024-XXXXX – where the first set of digits represents the year, and the second is a number assigned out of a block.
The CVE programme is overseen out of the US by the Mitre Corporation, with support from the Cybersecurity and Infrastructure Security Agency (CISA). Mitre does not always assign CVE numbers – this is more usually done by a CVE Numbering Authority (CNA), of which there are many, including suppliers such as Cisco, IBM, Microsoft or Oracle, and security firms and researchers.
The system is designed to give security professionals and defenders a quick, easy and reliable way to recognise vulnerabilities, and for the security community, helps coordinate the development of patches and other solutions.
However, the system is not perfect. The number of CVEs is growing exponentially and security teams are stretched thin enough as it is, added to which, the system is not equipped to highlight practical real-world exploitation, so users must often rely on researchers and media coverage of “celebrity CVEs” – such as those behind the MOVEit incident or Citrix Bleed – to make sense of such issues.
“New vulnerabilities are published at a rapid rate and growing. With an influx of new vulnerabilities, often sprouting via disparate flagging systems, the cyber risk ecosystem is hard to track. Most organisations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk,” said Tiago Henriques, head of research at Coalition.
“In today’s cyber security climate, organisations can’t be expected to manage all of the vulnerabilities on their own; they need someone to manage these security concerns and help them prioritise remediation.”
Tiago Henriques, Coalition
Coalition said there were a number of drivers contributing to the surge of vulnerabilities. These include the commercialisation and professionalisation of cyber criminal activity, and the ever-growing use of underground forums where exploit kits, credentials and access to compromised networks are sold.
There has also been an increase in the number of CNAs, which has increased the number of vulnerabilities noted.
Additionally, the growing popularity of bug bounty programmes may also be having an impact, as ethical hackers are incentivised to look for problems that may otherwise go unnoticed.
Coalition noted that the growing number of vulnerabilitiess was also leading to an increased focus on finding new ones among threat actors.
All this is adding up to a headache for security teams, being frequently under-resourced as they are, as one cannot possibly expect them to respond to up to 3,000 issues every month.
Coalition claims the breadth of data it collects from around the web, including a network of honeypots, enables it to make sense of cyber risk and share actionable insights with its customers and the security community.
It has also developed its own exploit scoring system, which it hopes will ease some of the pressure and enable its policyholders to adopt a more risk-based, prioritised approach to their unique vulnerability profile, rather than patching in a blind panic on the second Tuesday of the month.
MDR: An early warning system for defenders
Coalition’s report additionally highlighted how its network of honeypots and other threat-tracking tools has become particularly adept at spotting threat actor exploitation of impactful CVEs before they are disclosed.
The firm said that in the case of CVE-2023-34362, which led to the mass abuse of Progress Software’s MOVEit managed file transfer tool by the Clop/Cl0p ransomware gang from the end of May 2023, its honeypot network identified activity targeting MOVEit over a fortnight before Progress Software issued its first advisory.
It said events such as MOVEit, but also Citrix Bleed, could well have been much less problematic had more organisations had dedicated managed detection and response (MDR) solutions in place.
Coalition’s general manager for security, John Roberts, said he believed MDR could reduce attack response time by half.
“We’re at the point where just setting and forgetting a technology solution is not enough anymore, and experts need to be involved in vulnerability and risk management,” he said.
“With MDR, after technology detects suspicious activity, human experts can intervene in numerous ways, including isolating impacted machines or revoking privileges. Coalition has experience doing exactly this to stop cyber criminals mid-attack.”
Read more about MDR
- Adopting extended detection and response and employing managed detection and response services may be the missing pieces of the SOC modernisation puzzle.
- Explore the differences and similarities between EDR vs XDR vs MDR and the role they play to help improve behavioural analysis for better threat response.