Tackling the Most Exploitable Vulnerabilities: Prioritization in a Sea of Risks (Exploitability in Cloud Series - Part 1)

Tackling the Most Exploitable Vulnerabilities: Prioritization in a Sea of Risks (Exploitability in Cloud Series - Part 1)
October 10, 2024
Author:

In today's rapidly evolving cybersecurity landscape, security teams face an overwhelming challenge: thousands of new vulnerabilities are reported each year—23,000 in 2023 alone. This surge is primarily due to increased software complexity, the widespread adoption of cloud-native technologies, and the exponential growth of open-source dependencies.

Not all vulnerabilities are created equal. While some can inflict severe damage on an organization, others may be benign. The real challenge lies in prioritizing which vulnerabilities to address first, ensuring that the most critical ones are patched before attackers can exploit them. Without effective prioritization, security teams may waste valuable resources patching less significant vulnerabilities while leaving critical gaps open.

Typically, enterprises deploy vulnerability scanners to detect vulnerabilities and prioritize them based on CVE severity. However, several critical factors should be considered to refine this prioritization further.

In this blog, we introduce a new framework proposed by Deepfence to help organizations focus on the most exploitable vulnerabilities. This will be the first in our Exploitability in Cloud Series of posts where we explore how looking at cloud security risk through the lens of exploitability greatly changes our operational approaches and critical security metrics such as MTTD and MTTR. Stay tuned for future posts that look at malware, secrets, and other cloud security risk through the lens of exploitability.

Deepfence's Approach to Prioritizing Vulnerabilities

Deepfence's Most Exploitable Vulnerabilities framework enhances prioritization by combining data from multiple sources:

  • Network-Exploitable Vulnerabilities: Identifying vulnerabilities that can be exploited over the network.
  • Vulnerability Severity and Exploitability: Assessing based on CVSS scores and the Exploit Prediction Scoring System (EPSS).
  • CISA Known Exploitable Vulnerabilities: Incorporating authoritative data on vulnerabilities known to be exploited in the wild.
  • Vulnerabilities in Live VMs and Nodes: Focusing on processes accessible over the network, especially those exposed to the internet.
  • Vulnerabilities in Running Applications: Identifying files and libraries actively loaded by processes (e.g., dynamic libraries, JAR files, Python scripts).

By considering these factors, Deepfence enables organizations to zero in on vulnerabilities that pose the greatest risk.

Below is a step-by-step guide on how to identify the most exploitable vulnerabilities and patch your system using Deepfence.

Step 1: Installing and Setting Up the Deepfence Agent

To begin, install the Deepfence Agent on your Kubernetes cluster. Follow the official Deepfence documentation, or use the following Helm commands:

helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise

helm install deepfence-agent deepfence/deepfence-agent \
 --set imagePullSecret.username="YOUR_USERNAME" \
 --set imagePullSecret.password="YOUR_PASSWORD" \
 --set managementConsoleUrl="YOUR_MGMT_CONSOLE_IP" \
 --set deepfenceKey="YOUR_DEEPFENCE_APIKEY" \
 --set clusterName="prod-cluster" \
 --set global.imageTag="2.4.0" \
 --namespace deepfence \
 --create-namespace

Replace the placeholders (YOUR_USERNAME, YOUR_PASSWORD, etc.) with your actual Deepfence credentials and configuration details.

Once deployed, the Deepfence Agent will begin collecting runtime data, including open files, network activity, and other critical metrics.

Step 2: Identifying Vulnerabilities in Live VMs, Nodes, and Running Applications

The Deepfence Agent continuously monitors processes, the files they access, the libraries they load, and their network activity. This real-time information is aggregated and displayed in the Deepfence ThreatStryker console.

The Challenge with Traditional Methods

Traditional vulnerability management techniques, while essential, often fall short in the dynamic and distributed environments of modern enterprises. These methods typically rely on cloud configuration data, which can lead to inaccuracies and false positives, especially when attempting to identify internet-exposed VMs or nodes. Cloud configuration tools may not have access to the full scope of what is actually exposed or in use, making it difficult to pinpoint where the real risks lie.

Furthermore, most offline vulnerability scanners focus on static analysis, providing a snapshot of the system's state at a single point in time. They lack the ability to dynamically observe how applications and processes behave in real-time. As a result, these tools might flag vulnerabilities in software that is technically present on a system but not actively running or exposed to the network—leading security teams to waste resources addressing theoretical risks instead of critical live threats. This disconnect between what is detected and what is genuinely exploitable creates significant inefficiencies in managing vulnerabilities, especially in fast-paced, cloud-native infrastructures.

Deepfence's Unique Capability

Deepfence introduces a groundbreaking solution to this problem by focusing on the actual runtime behavior of your infrastructure, rather than just relying on static analysis or configuration data. By continuously monitoring processes, network activity, and file access in real time, Deepfence can detect which VMs, nodes, and applications are genuinely exposed to the internet, significantly reducing the risk of false positives. This provides an actionable, up-to-the-minute view of which systems are truly at risk.

Deepfence’s unique approach integrates live vulnerability scanning with real-time data on running applications and services. It tracks which libraries, files, and processes are actively in use, helping security teams prioritize patching efforts based on real-world exposure. For example, it can detect if a vulnerable library is being loaded by a critical service like nginx and whether that service is accessible from the internet. This capability enables teams to focus their resources on mitigating the vulnerabilities that pose the greatest threat, drastically reducing the attack surface and improving overall security posture. By aligning vulnerability management with actual operational risks, Deepfence empowers organizations to be more proactive and efficient in safeguarding their infrastructure.

Viewing Open Files and Processes

For example, if you have nginx running on your system, Deepfence allows you to see the files and libraries it is using:

| Process | File Path               | Access Type | File Type | Loaded Library Version |

|---------|-------------------------|-------------|-----------|------------------------|

| nginx   | `/usr/lib/libssl.so.1.1`    | Read        | Library   | 1.1.1g                 |

| nginx   | `/etc/nginx/nginx.conf`     | Read        | Config    | N/A                    |

| nginx   | `/usr/lib/libcrypto.so.1.1` | Read        | Library   | 1.1.1g                 |

This detailed data enables you to track precisely which libraries are being used by running processes like nginx, helping you connect vulnerabilities to active services.

Step 3: Matching Open Files with Vulnerability Scan Results

Deepfence integrates runtime data with vulnerability scanning results, providing a comprehensive view of your system's security posture.

Vulnerability Scan Example

After performing a vulnerability scan, you might receive a report like this:

| Software           | Version | CVE ID         | Severity |

|--------------------|---------|----------------|----------|

| OpenSSL            | 1.1.1g  | CVE-2021-3450  | High     |

| glibc              | 2.29    | CVE-2021-3326  | Medium   |

| `libcrypto.so.1.1` | 1.1.1g  | CVE-2021-3449  | High     |

If nginx is using vulnerable versions of libssl.so.1.1 and libcrypto.so.1.1, these should be prioritized for patching to mitigate the risk of exploitation.

Step 4: Patching Vulnerabilities

After identifying and prioritizing the most exploitable vulnerabilities, the next step is to patch them. The method for patching may vary depending on your environment and the specific vulnerabilities.

Updating Libraries in Your Images

For containerized applications running on Kubernetes, you may need to update the base images or libraries and redeploy the containers.

For example, to update OpenSSL in a Debian/Ubuntu-based image:

1. Update your Dockerfile to include the latest versions.

2. Rebuild your Docker image:

docker build -t your-image-name:latest .

3. Push the updated image to your container registry:

docker push your-image-name:latest

4. Update your Kubernetes deployment to use the new image:

kubectl set image deployment/your-deployment your-container=your-image-name:latest

Restarting Services

After patching, ensure that services using the vulnerable libraries are restarted so they load the updated versions.

For example, to restart an nginx deployment:

kubectl rollout restart deployment/nginx

Verifying Patches

Deepfence will automatically update its runtime view of open files and processes. After patching, verify that the vulnerable versions are no longer in use by checking the updated data in the ThreatStryker console.

Conclusion

By leveraging Deepfence's unique capability to detect processes and libraries that are part of internet-exposed applications, combined with robust vulnerability scanning, you can focus on addressing the vulnerabilities that pose the greatest risk to your environment.

Implementing a vulnerability management workflow using Deepfence not only strengthens your security posture but also optimizes your patching efforts, safeguarding your critical infrastructure effectively. Join us in our next technical seris blog post on using exploitability as a framework for evaluating cloud security risk and operationalizing your response towards those risk items. We'll show you how our malware and secret workflows work and more!

Happy securing!

About Deepfence

Deepfence offers end-to-end cloud-native workload protection. For more information, visit Deepfence.