On November 12, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”), National Security Agency (“NSA”) and certain international partners (including the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team, and the United Kingdom’s National Cyber Security Centre) published a joint Cybersecurity Advisory identifying the top routinely exploited vulnerabilities used by malicious threat actors in 2023.
The advisory finds that, compared to 2022, malicious threat actors exploited more zero-day vulnerabilities (vulnerabilities not yet publicly known and for which no fix or patch is available) in 2023, permitting them to conduct operations against higher-priority targets. Threat actors also continue to successfully exploit vulnerabilities within two years of their public disclosure, which heightens the importance of patching and replacing affected systems.
The advisory recommends vendors, designers, developers, and end-user organizations implement mitigating actions against vulnerability exploitation, including:
- Implementing security by design in each stage of the software development lifecycle by following the SP 800-218 Secure Software Development Framework. As patching software vulnerabilities (particularly zero-day) can be a lengthy and costly process, implementing threat modeling and using stronger testing environments may reduce overall product vulnerabilities.
- Requesting information from software providers about their security by design program, including how they are working to remove classes of vulnerabilities and set secure default settings.
- Prioritizing secure default configurations, including removing default passwords and not requiring customers to make additional configuration changes in order to secure the product.
- Increasing incentives for vulnerability disclosure. For example, organizations may institute vulnerability reporting bug bounty programs that would enable users to receive compensation for identifying and reporting vulnerabilities.
- Applying timely patches to systems.
- Implementing a centralized patch management system.
- Using sophisticated security tools, including endpoint detection and response (EDR) tools, which can improve the detection rate of zero-day vulnerability exploitation. The advisory notes that at least three of the 15 vulnerabilities in 2022 were detected when an end user or EDR tool reported unusual device malfunctions or suspicious activity.