TL;DR: Alongside today's announcement from CISA (BOD 22-01) and its new Known Exploited Vulnerabilities (KEV) Catalog, SURGe and the Splunk Threat Research Team (STRT) have coordinated to add CVE tagging to Enterprise Security Content Updates (ESCU). The added tags give network defenders vulnerability context alongside the relevant ESCU detections.
Splunk's SURGe team is always looking for new ways to improve cybersecurity capabilities. We work closely with government and industry partners as well as internal teams such as STRT. How do these team efforts make cyber defenders' lives easier? In response to CISA's announcement on vulnerability risk awareness, we'd like to highlight STRT's work to add Common Vulnerabilities and Exposures (CVE) tags to the relevant ESCU detections.
At Splunk, STRT is a talented team focused on ensuring Splunk Enterprise Security, User Behavior Analytics, and Behavioral Analytics customers have top-tier detections and defenses for the latest threats targeting their users and infrastructure. They spend countless hours researching, writing, and optimizing queries and methodologies to improve the security posture and capabilities of network defenders around the globe. Many of these efforts are released via ESCU updates. If you aren't into browsing code repositories, you can also explore all of this content on the Splunk Security Content site.
With today's announcement from CISA (BOD 22-01), we are excited to highlight some of STRT's work. But first, let's go over the significance of CISA's announcement. CISA's Known Exploited Vulnerabilities Catalog is a great resource for understanding which vulnerabilities are being exploited in adversary campaigns now and which have been exploited historically. One of CISA's primary goals is to help organizations prioritize vulnerability management so they can reduce their attack surface. Initially, CISA is publishing a list of approximately 290 known exploited vulnerabilities.
This obviously isn't a comprehensive list of every vulnerability assigned a CVE ID, and that is not the intent. Rather, CISA's goal is to evaluate vulnerabilities through a well-defined methodology and provide reliable content that organizations can use to minimize their attack surface. How? By giving organizations the evidence they need to prioritize patching, from a trusted and reliable source.
Now, how does all this play into some of our efforts here at Splunk?
STRT has added CVE tags to all relevant detections in ESCU to date, and as the team develops new detections, more will be added. Not every detection maps to a CVE, though. Some detection content is atomic and alerts on attempts to exploit one specific vulnerability; other content is aligned to adversary tactics, techniques, and procedures (TTPs), which may span many vulnerabilities or none at all, and therefore carries no CVE tag.
To help understand the overlap between the data CISA released and ESCU, we created a matrix. The following is a breakdown of Splunk ESCU coverage of named CVEs rated from medium to critical based on their CVSS score, and more importantly, their potential impact to organizations.
| CVE | CVSS Score | Domain | Vulnerability | Splunk Analytic Story |
|---|---|---|---|---|
| | 5 | Endpoint | Microsoft LSA Spoofing | PetitPotam NTLM Relay on Active Directory Certificate Services |
| CVE-2021-40444 | 6.8 | Endpoint | Microsoft Windows and Windows Server (specifically IE) arbitrary code execution | Spear Phishing Attachments / Microsoft MSHTML Remote Code Execution CVE-2021-40444 |
| | 6.8 | Endpoint | Microsoft Unified Messaging Deserialization Vulnerability | |
| CVE-2021-34527 | 9 | Endpoint | PrintNightmare - Microsoft Windows Print Spooler Remote Code Execution | PrintNightmare CVE-2021-34527 / Cobalt Strike / Suspicious Rundll32 Activity |
| | 9 | Endpoint | Microsoft Print Spooler Remote Code Execution | |
| | 9.3 | Network | NetLogon Elevation of Privilege | |
| | 10 | Endpoint | Microsoft Exchange Server Remote Code Execution Vulnerability | |
| | 10 | Network | Microsoft Exchange Server Remote Code Execution Vulnerability | |
| | 10 | Network | F5 BIG-IP Traffic Management User Interface RCE | |
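To make the matrix above concrete, here is an added example (not STRT or Splunk code) that builds the same kind of KEV-to-ESCU overlap from the CISA catalog JSON and ESCU detection metadata. The KEV records, and every detection name except the one the page itself mentions, are constructed samples; the field names follow the real KEV JSON (cveID, vulnerabilityName, dateAdded) and the ESCU YAML tag layout (tags.cve, tags.analytic_story), but nothing is read from disk or the network.

```python
"""Cross-reference a KEV catalog export against ESCU detection metadata.

Added example, not Splunk/STRT code. The KEV records below are constructed
samples that use the field names of the real catalog JSON (cveID,
vendorProject, product, vulnerabilityName, dateAdded); the detection
records mirror the layout of an ESCU detection YAML (name, tags.cve,
tags.analytic_story) and are constructed except for the detection and
story names the page itself mentions.
"""
from collections import defaultdict

# Constructed KEV-style records. The third ID is a placeholder, not a real CVE.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2021-40444", "vendorProject": "Microsoft", "product": "MSHTML",
         "vulnerabilityName": "Microsoft MSHTML Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03"},
        {"cveID": "CVE-0000-0000", "vendorProject": "Example", "product": "Example",
         "vulnerabilityName": "Placeholder entry with no ESCU coverage (constructed)",
         "dateAdded": "2021-11-03"},
    ]
}

# Constructed detection metadata in ESCU YAML layout. Note the lowercase tag on
# the second record and the TTP-based fourth record, which has no cve tag at all.
ESCU_DETECTIONS = [
    {"name": "Print Spooler Adding A Printer Driver",
     "tags": {"cve": ["CVE-2021-34527"],
              "analytic_story": ["PrintNightmare CVE-2021-34527"]}},
    {"name": "Print Spooler Driver Load From Unusual Path (constructed name)",
     "tags": {"cve": ["cve-2021-34527"],
              "analytic_story": ["PrintNightmare CVE-2021-34527"]}},
    {"name": "MSHTML Document Spawns Control Panel Item (constructed name)",
     "tags": {"cve": ["CVE-2021-40444"],
              "analytic_story": ["Spear Phishing Attachments",
                                 "Microsoft MSHTML Remote Code Execution CVE-2021-40444"]}},
    {"name": "Rundll32 With No Command Line Arguments (constructed name)",
     "tags": {"analytic_story": ["Suspicious Rundll32 Activity"]}},
]


def normalize_cve(cve):
    """Canonical form for the join key: upper-case, no surrounding whitespace."""
    return cve.strip().upper()


def index_detections_by_cve(detections):
    """Map each CVE tag to the detections carrying it; untagged detections are skipped."""
    index = defaultdict(list)
    for det in detections:
        for cve in det.get("tags", {}).get("cve", []):
            index[normalize_cve(cve)].append(det)
    return index


def coverage_matrix(kev, detections):
    """One row per KEV entry listing the ESCU detections and stories that cover it."""
    index = index_detections_by_cve(detections)
    rows = []
    for vuln in kev["vulnerabilities"]:
        cve = normalize_cve(vuln["cveID"])
        hits = index.get(cve, [])
        rows.append({
            "cve": cve,
            "vulnerability": vuln["vulnerabilityName"],
            "date_added": vuln["dateAdded"],
            "detections": sorted(d["name"] for d in hits),
            "analytic_stories": sorted({s for d in hits
                                        for s in d["tags"].get("analytic_story", [])}),
        })
    return rows


def coverage_summary(rows):
    """Counts plus the KEV entries with no ESCU detection: the patch-first queue."""
    uncovered = sorted(r["cve"] for r in rows if not r["detections"])
    return {"kev_total": len(rows),
            "covered": len(rows) - len(uncovered),
            "uncovered": uncovered}


if __name__ == "__main__":
    matrix = coverage_matrix(KEV_CATALOG, ESCU_DETECTIONS)
    for row in matrix:
        print(f"{row['cve']:<15} {len(row['detections'])} detection(s)  "
              f"{' / '.join(row['analytic_stories']) or '-'}")
    print(coverage_summary(matrix))
```

On a real deployment the catalog comes from CISA's JSON feed and the detection records from the detection YAML in the security_content repository. The uncovered list is the output that matters most: it is the set of known-exploited vulnerabilities for which you have no detection safety net, so patching them cannot wait for an alert.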
Want to explore all detections in the ESCU library by CVE? No problem, you can easily view them at STRT’s website and browse by CVE tag.
Many organizations ingest vulnerability scan results into Splunk. Splunk Enterprise Security (ES) can help keep tabs on vulnerabilities using several out-of-the-box reports and dashboards, and the Vulnerabilities data model in the Splunk Common Information Model (CIM) provides a normalized view of vulnerabilities regardless of which scanner produced them. Ingesting scan results is most often done for patch management and compliance, but increasingly the same data can provide detection context. Forward-thinking Splunk customers have already tied vulnerability data to their detections through Risk-Based Alerting (RBA).
Take the correlation search "Print Spooler Adding A Printer Driver" as an example. Its annotations include a pair of CVEs, carried as an unmanaged annotation. Annotations were introduced in Enterprise Security 6.4 and map correlation searches to the managed frameworks (MITRE ATT&CK, NIST, CIS 20, and Kill Chain), while also letting organizations attach their own unmanaged annotations, such as CVEs.
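An annotation is only useful if something consumes it. The following added example (not Enterprise Security code, and not SPL) models in plain Python the logic behind the RBA-style enrichment described above: a notable from a correlation search annotated with a CVE is scored higher only when the CIM-normalized vulnerability scan results show that the affected host is actually exposed to that CVE. The search metadata, scan findings, base score and CVSS weighting are all constructed and hypothetical; only the search name and CVE-2021-34527 come from the page.

```python
"""Raise a notable's risk score only when the host is exposed to a CVE the
correlation search is annotated with.

Added example, not Splunk Enterprise Security code. It models in plain Python
the join that Risk-Based Alerting users build in SPL: the correlation search
carries an unmanaged 'cve' annotation, scan results normalized to the CIM
Vulnerabilities data model (dest, cve, severity, cvss) say which hosts are
exposed, and the risk contribution grows with the CVSS score of the matched
CVE. Base score, weighting and all events are constructed for the example.
"""

# Constructed correlation-search metadata. The search name is the one on the
# page; its real annotation carries a pair of CVEs, modelled here by the one
# CVE the page cites.
CORRELATION_SEARCH = {
    "name": "Print Spooler Adding A Printer Driver",
    "base_risk": 60,                              # hypothetical base risk score
    "annotations": {"cve": ["CVE-2021-34527"]},   # unmanaged annotation
}

# Constructed scan results using CIM Vulnerabilities field names.
VULN_SCAN = [
    {"dest": "print01", "cve": "cve-2021-34527", "severity": "critical", "cvss": 9.0},
    {"dest": "print01", "cve": "CVE-2021-40444", "severity": "high", "cvss": 6.8},
    {"dest": "ws042",   "cve": "CVE-2021-40444", "severity": "high", "cvss": 6.8},
]

# Constructed notables: the same search fired on an exposed host, a scanned
# but unexposed host, and a host with no scan data at all.
NOTABLES = [
    {"dest": "print01", "search": "Print Spooler Adding A Printer Driver"},
    {"dest": "ws042",   "search": "Print Spooler Adding A Printer Driver"},
    {"dest": "dc01",    "search": "Print Spooler Adding A Printer Driver"},
]

CVSS_WEIGHT = 4   # hypothetical: risk added per CVSS point of the worst matched CVE
RISK_CAP = 100    # ES risk scores are capped here for this example


def normalize_cve(cve):
    """Canonical join key: upper-case, no surrounding whitespace."""
    return cve.strip().upper()


def exposure_by_host(scan):
    """dest -> {CVE: highest cvss seen}; tolerates duplicate findings and mixed case."""
    exposure = {}
    for finding in scan:
        host = exposure.setdefault(finding["dest"], {})
        cve = normalize_cve(finding["cve"])
        host[cve] = max(host.get(cve, 0.0), float(finding["cvss"]))
    return exposure


def score_notable(notable, search, exposure):
    """Return the notable plus matched CVEs, the resulting risk score and a reason."""
    annotated = {normalize_cve(c) for c in search["annotations"].get("cve", [])}
    host_cves = exposure.get(notable["dest"], {})
    matched = sorted(annotated & set(host_cves))
    risk = search["base_risk"]
    if matched:
        worst = max(host_cves[c] for c in matched)
        risk = min(RISK_CAP, risk + round(worst * CVSS_WEIGHT))
        reason = f"host vulnerable to {', '.join(matched)} (max CVSS {worst})"
    elif notable["dest"] not in exposure:
        # A missing scan is not evidence of safety; keep the base score but say why.
        reason = "no scan data for host; score unchanged, exposure unknown"
    else:
        reason = "host scanned, not vulnerable to annotated CVEs; score unchanged"
    return {**notable, "matched_cves": matched, "risk_score": risk, "reason": reason}


def score_notables(notables, search, scan):
    """Score every notable raised by this correlation search."""
    exposure = exposure_by_host(scan)
    return [score_notable(n, search, exposure) for n in notables
            if n["search"] == search["name"]]


if __name__ == "__main__":
    for result in score_notables(NOTABLES, CORRELATION_SEARCH, VULN_SCAN):
        print(result["dest"], result["risk_score"], result["reason"])
```

In ES the same join is expressed in SPL against the Vulnerabilities data model, keyed on dest and cve. The three distinct reasons in the output are deliberate: an exposed host, a scanned-but-clean host and a never-scanned host should not collapse into the same score, because the absence of a scan result says nothing about whether the host is vulnerable.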
CISA's release of this catalog is a huge help to the many organizations that feel underwater trying to parse the constant barrage of vulnerability information that may or may not be relevant to them, their risk profile, and their attack surface. Splunk's effort to map CVEs to ESCU detections is part of our ongoing commitment to bring timely information to blue teams and to maximize the value we deliver to our customers and the community as a whole. We're excited to make our detections more consumable and to raise awareness of CISA's work.
At Splunk we believe that security is for everyone. It's a driving factor behind Splunk's open source projects like ESCU, Attack Range, attack_data, and the recent release of Melting Cobalt. We are also focused on delivering in-depth and consumable research, such as our recent work on detecting supply chain attacks with JA3/JA3S. SURGe continues to build upon existing relationships and forge new ones across industry, academia, and public sector leaders like CISA. We have several additional projects in the works, so keep an eye out for those as well.
Authors and Contributors: As always, security at Splunk is a family business. Audra Streetman, Drew Church, Rod Soto, James Brodsky, Bill Wright, Jose Hernandez, Dave Herrald, Tamara Chacon, John Stoner and Mick Baccio.