NVD Meltdown: Three Ways CISOs Can Fill a Growing Gap in their CVE Awareness

Vulnerability exploitation accounts for 14% of all breaches. With the National Vulnerability Database (NVD) at crisis point, how can CISOs mitigate the risk of vulnerability exposure? Phil Muncaster offers three potential options

Threat actors have plenty of tools in their arsenal. But increasingly, they’re favouring vulnerability exploitation as an initial access vector. Mandiant claims 38% of intrusions in 2023 started with an exploit, up six percentage points from the previous year. That would be worrying news for CISOs at any time, given the inexorable growth of vulnerabilities over recent years. But the situation has arguably reached crisis point after a slowdown in the processing and enrichment of CVEs at the National Vulnerability Database (NVD).

The question for IT and security leaders is what can be done to fill gaps in situational awareness and mitigate cyber risk while the NVD crisis hopefully abates?

Why the NVD matters

According to Verizon, detections of vulnerability exploitation as an initial access vector for data breaches soared by 180% annually last year. It now accounts for 14% of all breaches. This is a concern in a world where mandates like NIS 2, DORA, and new SEC reporting rules increasingly demand systematic awareness and management of cyber risk. It makes resources like the NVD even more critical because organisations can’t manage what they can’t see.

“Many organisations and security tools rely on the NVD to automate aspects of their security processes” Mike Walters

The NVD has been described as the world’s most widely used source of vulnerability information. Since the early 2000s, the US National Institute of Technology (NIST) has been vetting, testing and adding crucial metadata to the CVEs it receives from various approved authorities before listing them in the NVD. It’s a repository of continually updated CVE information that network defenders arguably took for granted over the years as it became an indispensable part of their vulnerability management processes and tooling. As the ‘go-to’ source of enriched CVE data, it is also built into government mandates as a source of truth for vulnerability management.

“Because the NVD follows standardised naming conventions and taxonomies, it facilitates clear communication and understanding across organisations, security tools and professionals, promoting a unified approach to vulnerability management,” Action1 president, Mike Walters, tells Assured Intelligence.

“Many organisations and security tools rely on the NVD to automate aspects of their security processes, including patch management and risk assessment. This database helps prioritise vulnerabilities that need immediate attention based on severity and exploitability. It is very easy to retrieve information about CVEs, vulnerable software versions, and CWEs via the NVD API, even using custom scripts.”

What went wrong at NIST?

On February 12 2024, the NVD began slowing the processing and enrichment of new vulnerabilities. A few days later, on February 15, NIST announced that users may experience “delays in analysis efforts”. However, few predicted how bad the drop-off in activity would be. According to VulnCheck, between February 12 and May 20:

• 93% of new vulnerabilities were not analysed by the NVD
• 51% of Known Exploited Vulnerabilities (KEV) in the namesake CISA catalogue were not analysed
• 82% of CVEs with a proof-of-concept exploit were not analysed

Various theories have circulated regarding the sudden slowdown in CVE processing, including budget problems, the end of a contract with a third-party contractor, and potential changes to the standards used in the enrichment process. It’s also true that the number of CVEs NIST has to process each year has hit record highs in the past seven years, topping 29,000 in 2023.

NIST hinted at this overwhelming workload in a brief April statement.

“There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on various factors, including an increase in software and, therefore, vulnerabilities and a change in interagency support,” NIST explains.

“Tools that rely solely on the NVD for vulnerability data become blind to new threats, as they depend on the NVD to assign the CPE that links vulnerabilities to specific software” Brian Fox 

“Currently, we are prioritising analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analysing vulnerabilities and have reassigned additional NIST staff to this task as well.”

What is not in doubt is the potentially significant risk the slowdown presents to enterprise security.

“Tools that rely solely on the NVD for vulnerability data become blind to new threats, as they depend on the NVD to assign the CPE that links vulnerabilities to specific software. Without this association, even public CVEs become difficult to locate and act upon,” Sonatype CTO, Brian Fox, tells Assured Intelligence.

“This delay impairs an organisation’s ability to assess and prioritise risks accurately, extending the exposure window to potential attacks. Additionally, compliance challenges arise as timely vulnerability data is crucial for meeting regulatory requirements, further exacerbating the risk landscape,” Fox continues.

Three coping mechanisms

NIST says it is “looking into longer-term solutions to this challenge”, including establishing a consortium of industry, government and other stakeholders to research ways to improve the NVD.

“NIST is committed to its continued support and management of the NVD. Currently, we are focused on our immediate plans to address the CVE backlog, but plan to keep the community posted on potential plans for the consortium as they develop,” it explains.

However, it’s unclear exactly how long the current situation will last. So what can CISOs do to fill gaps in CVE awareness and mitigate the risk of vulnerability exploitation? The experts we spoke to suggest three strategies:

1: Alternative sources of intelligence

“There are several alternative sources of CVE information organisations can use, including CISA Vulnrichment, through which the agency adds enrichments to higher-risk CVEs, and VulnCheck’s NVD++, a free community resource that adds CPE information to CVEs, as well as VulnCheck exploit intelligence, a commercial service,” VulnCheck security researcher, Patrick Garrity, tells Assured Intelligence.

Dustin Childs, head of threat awareness at the Zero Day Initiative, adds that “direct engagement” with “reliable and up-to-date sources” should also include the CVE Programme – run by MITRE. Several experts also argue that direct engagement with individual tech vendors would be a good idea.

“Maintain open lines of communication with software and infrastructure vendors to ensure timely notification and patching of known vulnerabilities. Many vendors have their own advisories and patches that can be addressed independently of the NVD cycle,” says Action1’s Walters.

“Automated scripts and tools can help pull relevant data from sources such as social media platforms, security forums, and other public databases.”

2: Reduce the digital attack surface

Best practice cybersecurity also posits that organisations reduce the number of vulnerable devices and software assets running in their environment so that there’s less to patch and less for threat actors to target. This would effectively minimise an attack surface, which over two-fifths of organisations believe is “spiralling out of control.” VulnCheck’s Garrity argues that security teams should “prune end-of-life assets and unused technology.”

3: Proactive risk mitigation

Aside from reducing the attack surface and finding alternative sources of intelligence to the NVD, security teams can take other steps “while waiting for official patches”, argues Sonatype’s Fox. He cites virtual patching, application whitelisting and enhanced threat hunting as key.

Nucleus Security COO, Scott Kuffer, tells Assured Intelligence that traditional vulnerability scanners could also be helpful at this time, even if their signatures are slower than usual.

“This is one of the areas where these types of tools shine, specifically Tenable, Qualys, and Rapid7. They all have plugin libraries where their scan findings are not 1:1 mappings with CVEs, so you can expect they will continue to research and pump out scanning signatures regardless of what happens with NVD,” he explains.

“There will likely be a transition time, but this is where the biggest positive sign comes from. Other scanning tools will have a tougher time transitioning, such as EDR vendors who use the NVD as the basis for their vulnerability identification system.”

Given current cyber skills shortages and surging threat levels, the NIST slowdown couldn’t have happened at a worse time. But IT and security leaders have options available. Now is the time to start figuring out which to choose.