We might have mixed up the priorities of our security work

As security leaders, our daily work is largely defined by the tools we use and the intelligence we receive. We open vulnerability scan reports to see hundreds of new CVEs; we access threat intelligence platforms to read TTP analyses of the latest APT groups. Then, our team’s work revolves around these inputs – responding and remediating.

However, this operational model may contain a fundamental misalignment. We invest significant resources tracking theoretical threats, while potentially overlooking the more direct and commonly used tactics that attackers actually employ.

Below are two observations derived from real-world attack and defense data that may cause us to reassess our daily operational priorities.

1. Regarding Vulnerabilities: We’re Chasing CVEs, While Attackers Are Exploiting KEVs

Our daily vulnerability management primarily revolves around CVEs. A medium to large enterprise can easily face over ten thousand new CVEs annually. Our work involves painstakingly determining remediation priorities within this massive list based on dimensions like CVSS scores and asset criticality.

But let’s examine another dataset: the KEV (Known Exploited Vulnerabilities) catalog maintained by the US CISA. This catalog contains vulnerabilities that have been confirmed to be exploited in real-world attacks. As of now, the total number of vulnerabilities in the KEV catalog stands at around one thousand.

Let’s compare: total CVEs exceed 200,000, while KEVs number only slightly over a thousand.

This stark numerical difference reveals a crucial fact: the vast majority of theoretically existing vulnerabilities never become attackers’ conventional weapons. Attackers tend to use vulnerabilities that are stable in exploitation, reliably effective, and already market-validated.

This leads to a significant resource misalignment in our work. We expend enormous human and material resources, holding countless review meetings to address those 200,000+ CVEs. But for those critical 1,000+ KEVs, have we given them the appropriate, highest priority? Do we have a process that ensures risk validation of our environment within 24 hours of CISA updating the KEV list?

If the first step in our vulnerability management process wasn’t sorting by CVSS, but rather cross-referencing all vulnerabilities with the KEV catalog, our to-do list might immediately shrink from thousands of items to just dozens. Our work focus would instantly become crystal clear.

2. Regarding Threats: We’re Defending Against TTPs, While Attackers Are Purchasing IABs

Our defense systems increasingly focus on detecting advanced TTPs. We deploy EDR, NDR, XDR, hoping to capture attackers’ behavioral characteristics during privilege escalation and lateral movement.

But let’s examine how attackers actually initiate operations in the real world. What are the highest-volume, most active commodities in underground forums? Not 0-days, but Initial Access Brokers (IABs) and stealer logs.

  • IABs: Specialized groups that obtain access to corporate internal networks through various means (such as phishing emails, credential stuffing, exploiting simple vulnerabilities) – like a VPN account or a bastion host account. They then price and sell these ‘access privileges’ as commodities to downstream ransomware groups or other attackers.
  • Stealer logs: Credential information like browser cookies and saved passwords extracted from personal computers through information-stealing malware on a massive scale. Attackers purchase these logs and filter through them for valuable enterprise system credentials.

This means the starting point of many attacks doesn’t involve complex TTPs at all. Attackers aren’t breaking in – they’re walking in using purchased, legitimate employee credentials.

This raises an even more critical question for our defense systems: What is the detection probability of our existing systems, which primarily rely on behavioral anomaly detection, for an attacker using legitimate credentials to log in during normal hours from normal locations? Have we over-invested in defending against sophisticated thieves while underpreparing for the insider with keys?

3. Shifting Work Focus: From Theoretical to Empirical

These two observations point to the direction in which our work focus needs to be adjusted. We need to shift from managing theoretical risks to managing empirical risks.

  1. For vulnerability management, the core work should be quickly validating the exploitability of vulnerabilities in the KEV list within our own environment.
  2. For threat defense, the core work should be assuming that “credentials have been compromised” and continuously validating whether internal permissions controls, network segmentation, and data access policies remain effective in such scenarios.
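The KEV-first triage described in section 1 and in step 1 above, as an added example (not code from the original post or from any vendor): it cross-references constructed scanner findings against a constructed stand-in for CISA’s KEV feed, so the short list comes from KEV membership rather than from the CVSS sort, and flags entries that fall inside the 24-hour validation window. The feed field names follow the real KEV JSON; all CVE IDs, hosts and dates are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed stand-in for CISA's KEV feed (field names follow the real
# known_exploited_vulnerabilities.json; the CVE IDs below are made up).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-10", "dueDate": "2099-01-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "dateAdded": "2099-01-02", "dueDate": "2099-01-23",
     "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed scanner output. Note the 9.8 finding is not in KEV, the 7.5 one is.
SCAN_FINDINGS = [
    {"cve": "CVE-2099-0001", "cvss": 7.5, "asset": "vpn-gw-01"},
    {"cve": "CVE-2099-0002", "cvss": 6.1, "asset": "web-03"},
    {"cve": "CVE-2099-0003", "cvss": 9.8, "asset": "build-07"},
    {"cve": "CVE-2099-0004", "cvss": 5.0, "asset": "web-03"},
]

def load_kev(raw):
    """Index the KEV feed by CVE ID so each finding is a dict lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def triage(findings, kev, now_iso, sla=timedelta(hours=24)):
    """Step one is the KEV cross-reference, not the CVSS sort.
    Returns (kev_hits, backlog). Hits are ordered: known ransomware use first,
    earliest CISA due date next, then CVSS; each hit carries `validate_now`,
    True when CISA added the entry within `sla` of `now_iso` (the 24-hour
    validation window from the text)."""
    now = datetime.fromisoformat(now_iso)
    hits, backlog = [], []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            backlog.append(f)          # still tracked, but not the first priority
            continue
        added = datetime.fromisoformat(entry["dateAdded"])
        hits.append({**f, "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                     "due": entry["dueDate"], "validate_now": now - added <= sla})
    hits.sort(key=lambda h: (not h["ransomware"], h["due"], -h["cvss"]))
    backlog.sort(key=lambda f: -f["cvss"])
    return hits, backlog
```

With the sample data the CVSS 9.8 finding lands in the backlog while the 7.5 finding on the VPN gateway heads the list, which is the inversion the text argues for.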

To accomplish these two core tasks, we need a platform that can accurately replicate these real-world attack scenarios.

The working principle of the ATLAS Security Validation Platform is closely aligned with this empirical principle:

  • Our attack playbook library prioritizes coverage of all KEV vulnerabilities and the latest, validated attack techniques, ensuring that every validation customers perform addresses the most realistic threats.
  • We support numerous assumed breach scenarios, enabling customers to easily validate the blast radius of attackers within their internal networks once initial access is compromised, and identify which control
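The assumed-breach check from step 2 of section 3 and the blast-radius idea above, as an added example that is not code from the original post or from the ATLAS platform: it models a constructed internal environment (segments, per-role permissions, whether a stolen password alone is enough to log in) and computes which sensitive assets a purchased credential reaches, then re-runs the check with MFA added at the entry point to see whether the control closes the gap. All asset names, segments and policies are made up.

```python
from copy import deepcopy

# Constructed model (all names and policies made up): each asset's segment,
# whether it holds sensitive data, and whether a stolen password alone logs in.
ASSETS = {
    "vpn-gw":     {"segment": "dmz",  "sensitive": False, "mfa": False},
    "jump-host":  {"segment": "mgmt", "sensitive": False, "mfa": False},
    "wiki":       {"segment": "corp", "sensitive": False, "mfa": False},
    "file-share": {"segment": "corp", "sensitive": True,  "mfa": False},
    "hr-db":      {"segment": "data", "sensitive": True,  "mfa": False},
    "backup-srv": {"segment": "mgmt", "sensitive": True,  "mfa": False},
}
# Network segmentation: from a foothold in segment X, which segments are reachable.
REACH = {"internet": {"dmz"}, "dmz": {"corp", "mgmt"},
         "corp": {"corp", "data"}, "mgmt": {"mgmt", "corp", "data", "dmz"}}
# Permission controls: which assets each role's credential is valid on.
ROLE_ACCESS = {"employee": {"vpn-gw", "wiki", "file-share"},
               "dba": {"vpn-gw", "hr-db"},
               "admin": {"vpn-gw", "jump-host", "backup-srv"}}

def blast_radius(assets, reach, role_access, role, start="internet"):
    """Assets reachable with only `role`'s password: each login adds a foothold
    in that asset's segment; repeat until the set stops growing (order-independent)."""
    footholds, owned, grew = {start}, set(), True
    while grew:
        grew = False
        for name in role_access[role]:
            a = assets[name]
            if name in owned or a["mfa"]:
                continue
            if any(a["segment"] in reach[s] for s in footholds):
                owned.add(name)
                footholds.add(a["segment"])
                grew = True
    return owned

def exposed_sensitive(assets, reach, role_access, role):
    """The assumed-breach check: sensitive assets a stolen `role` credential reaches."""
    return {n for n in blast_radius(assets, reach, role_access, role)
            if assets[n]["sensitive"]}

def with_mfa(assets, *names):
    """Candidate mitigation: require MFA on the named assets, so a purchased password alone fails there."""
    hardened = deepcopy(assets)
    for n in names:
        hardened[n]["mfa"] = True
    return hardened
```

In the sample policy the DBA credential is contained by segmentation (the data segment is not reachable from the DMZ), while the employee and admin credentials expose sensitive assets until MFA is required on the VPN gateway.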

Our daily work should not be held hostage by the overwhelming volume of CVEs and theoretical TTPs.

Instead, we should focus our efforts on two fundamental tasks: validating the exploitability of KEV vulnerabilities and verifying the effectiveness of internal controls after credential compromise. By solidifying these two foundational efforts, we are likely to achieve far greater security benefits than by purchasing any expensive platform that claims to defend against unknown threats.