Deployed 59f098c with MkDocs version: 1.5.3

Author: Crashedmind

print_page/index.html

@@ -5683,7 +5683,15 @@ <h2 id="risk-rbp_schemes-risk-based-prioritization-summary-against-requirements"
 </div>
 <div class="admonition success">
 <p class="admonition-title">Takeaways</p>
+<h3 id="risk-takeaway-prioritize-vulnerabilities-by-exploitation-to-reduce-cost-and-risk">Prioritize vulnerabilities by Exploitation to Reduce Cost and <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr><a class="headerlink" href="#risk-takeaway-prioritize-vulnerabilities-by-exploitation-to-reduce-cost-and-risk" title="Permanent link">&para;</a></h3>
+<p>Only about 5% or fewer of all <a href="#risk-understanding_risk-what-vulnerabilities-are-being-exploited">CVEs have been exploited</a>.</p>
+<p>Prioritizing vulnerabilities that are being exploited in the wild, or are more likely to be exploited, reduces the</p>
+<ul>
+<li>cost of vulnerability management</li>
+<li>risk by reducing the time adversaries have access to vulnerable systems they are trying to exploit    </li>
+</ul>
 <h3 id="risk-takeaway-use-a-risk-based-prioritization-scheme-that-supports-exploitation-evidence-and-likelihood-of-exploitation-epss">Use a <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization Scheme that supports Exploitation Evidence and Likelihood Of Exploitation (<abbr title="Exploit Prediction Scoring System">EPSS</abbr>)<a class="headerlink" href="#risk-takeaway-use-a-risk-based-prioritization-scheme-that-supports-exploitation-evidence-and-likelihood-of-exploitation-epss" title="Permanent link">&para;</a></h3>
+<p>“The focus should be given to those known to be <a href="#vendors-qualys">exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available</a>”</p>
 <p><img alt="Exploitation Known evidence or activity" src="../assets/images/threat.png" width="400" /></p>
 <ol>
 <li>For those using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Scores and Ratings, using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E) that <strong>supports Exploitation</strong> evidence is a small step with a relatively small (de)prioritization of CVEs.</li>
@@ -5696,7 +5704,11 @@ <h3 id="risk-takeaway-use-a-risk-based-prioritization-scheme-that-supports-explo
 <h3 id="risk-takeaway-refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data">Refine the <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme based on your environment and your data.<a class="headerlink" href="#risk-takeaway-refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data" title="Permanent link">&para;</a></h3>
 <ol>
 <li>Use CVEs detected in your Incident Response, Bug Bounty, PenTesting findings) to inform your <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr>.</li>
-<li>Start by picking an <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Threshold around 10%, and adjust based on your <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data and your capacity to <abbr title="The neutralization or elimination of a vulnerability or the likelihood of its exploitation.">remediate</abbr> the CVEs above that Threshold (in conjunction with <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity or other <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> factors) per [Remediation Policy for an Enterprise](../epss/EPSS_Thresholds.md#remediation-policy-for-an-enterprise</li>
+<li>For <abbr title="Exploit Prediction Scoring System">EPSS</abbr>:<ol>
+<li>Assess <a href="#risk-epss-applying_epss_to_your_environment-epss-for-your-environment"><abbr title="Exploit Prediction Scoring System">EPSS</abbr> for YOUR Environment</a></li>
+<li>Start by picking an <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Threshold around 10%, and adjust based on your <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data and your capacity to <abbr title="The neutralization or elimination of a vulnerability or the likelihood of its exploitation.">remediate</abbr> the CVEs above that Threshold (in conjunction with <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity or other <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> factors) per <a href="#epss-epss_thresholds-remediation-policy-for-an-enterprise">Remediation Policy for an Enterprise</a></li>
+</ol>
+</li>
 </ol>
 <h3 id="risk-takeaway-be-careful-with-proprietary-risk-based-prioritization-schemes">Be Careful with Proprietary <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization Schemes<a class="headerlink" href="#risk-takeaway-be-careful-with-proprietary-risk-based-prioritization-schemes" title="Permanent link">&para;</a></h3>
 <p>If you <strong>implement</strong> a proprietary <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme, keep the following in mind:</p>

risk/Takeaway/index.html

@@ -1275,6 +1275,15 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
 
+        <li class="md-nav__item">
+  <a href="#prioritize-vulnerabilities-by-exploitation-to-reduce-cost-and-risk" class="md-nav__link">
+    <span class="md-ellipsis">
+      Prioritize vulnerabilities by Exploitation to Reduce Cost and Risk
+    </span>
+  </a>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#use-a-risk-based-prioritization-scheme-that-supports-exploitation-evidence-and-likelihood-of-exploitation-epss" class="md-nav__link">
     <span class="md-ellipsis">
@@ -1441,6 +1450,15 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
 
+        <li class="md-nav__item">
+  <a href="#prioritize-vulnerabilities-by-exploitation-to-reduce-cost-and-risk" class="md-nav__link">
+    <span class="md-ellipsis">
+      Prioritize vulnerabilities by Exploitation to Reduce Cost and Risk
+    </span>
+  </a>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#use-a-risk-based-prioritization-scheme-that-supports-exploitation-evidence-and-likelihood-of-exploitation-epss" class="md-nav__link">
     <span class="md-ellipsis">
@@ -1517,7 +1535,15 @@ <h1 id="takeaway">Takeaway<a class="headerlink" href="#takeaway" title="Permanen
 </div>
 <div class="admonition success">
 <p class="admonition-title">Takeaways</p>
+<h3 id="prioritize-vulnerabilities-by-exploitation-to-reduce-cost-and-risk">Prioritize vulnerabilities by Exploitation to Reduce Cost and <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr><a class="headerlink" href="#prioritize-vulnerabilities-by-exploitation-to-reduce-cost-and-risk" title="Permanent link">&para;</a></h3>
+<p>Only about 5% or fewer of all <a href="../Understanding_Risk/#what-vulnerabilities-are-being-exploited">CVEs have been exploited</a>.</p>
+<p>Prioritizing vulnerabilities that are being exploited in the wild, or are more likely to be exploited, reduces the</p>
+<ul>
+<li>cost of vulnerability management</li>
+<li>risk by reducing the time adversaries have access to vulnerable systems they are trying to exploit    </li>
+</ul>
 <h3 id="use-a-risk-based-prioritization-scheme-that-supports-exploitation-evidence-and-likelihood-of-exploitation-epss">Use a <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization Scheme that supports Exploitation Evidence and Likelihood Of Exploitation (<abbr title="Exploit Prediction Scoring System">EPSS</abbr>)<a class="headerlink" href="#use-a-risk-based-prioritization-scheme-that-supports-exploitation-evidence-and-likelihood-of-exploitation-epss" title="Permanent link">&para;</a></h3>
+<p>“The focus should be given to those known to be <a href="../../vendors/Qualys/">exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available</a>”</p>
 <p><img alt="Exploitation Known evidence or activity" src="../../assets/images/threat.png" width="400" /></p>
 <ol>
 <li>For those using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Scores and Ratings, using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E) that <strong>supports Exploitation</strong> evidence is a small step with a relatively small (de)prioritization of CVEs.</li>
@@ -1530,7 +1556,11 @@ <h3 id="use-a-risk-based-prioritization-scheme-that-supports-exploitation-eviden
 <h3 id="refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data">Refine the <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme based on your environment and your data.<a class="headerlink" href="#refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data" title="Permanent link">&para;</a></h3>
 <ol>
 <li>Use CVEs detected in your Incident Response, Bug Bounty, PenTesting findings) to inform your <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr>.</li>
-<li>Start by picking an <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Threshold around 10%, and adjust based on your <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data and your capacity to <abbr title="The neutralization or elimination of a vulnerability or the likelihood of its exploitation.">remediate</abbr> the CVEs above that Threshold (in conjunction with <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity or other <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> factors) per [Remediation Policy for an Enterprise](../epss/EPSS_Thresholds.md#remediation-policy-for-an-enterprise</li>
+<li>For <abbr title="Exploit Prediction Scoring System">EPSS</abbr>:<ol>
+<li>Assess <a href="../epss/Applying_EPSS_to_your_environment/#epss-for-your-environment"><abbr title="Exploit Prediction Scoring System">EPSS</abbr> for YOUR Environment</a></li>
+<li>Start by picking an <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Threshold around 10%, and adjust based on your <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data and your capacity to <abbr title="The neutralization or elimination of a vulnerability or the likelihood of its exploitation.">remediate</abbr> the CVEs above that Threshold (in conjunction with <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity or other <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> factors) per <a href="../../epss/EPSS_Thresholds/#remediation-policy-for-an-enterprise">Remediation Policy for an Enterprise</a></li>
+</ol>
+</li>
 </ol>
 <h3 id="be-careful-with-proprietary-risk-based-prioritization-schemes">Be Careful with Proprietary <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization Schemes<a class="headerlink" href="#be-careful-with-proprietary-risk-based-prioritization-schemes" title="Permanent link">&para;</a></h3>
 <p>If you <strong>implement</strong> a proprietary <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme, keep the following in mind:</p>