September 25, 2025
Jeremiah Grossman
If you’re a fan of the show Silicon Valley, you probably remember the “conjoined triangles of success.”
Ok, this isn’t that, it’s just one triangle. But now that I’ve got your attention…
The mission of vulnerability management has always sounded simple: find the vulnerabilities and patch them before our adversaries find and exploit them.
This was a lot easier when there were fewer vulnerabilities. Many years ago, the number of CVEs was manageable, networks were simpler, and you could actually believe it when someone said, “We patched everything.” Those days are long gone and never to return.
The reality is that almost every company is buried under thousands, often millions, of vulnerability reports to sift through. And while security teams drown in alerts, adversaries only use a handful.
Here’s the uncomfortable truth:
Only about 1% of all known CVE vulnerabilities have ever been exploited in the wild. And as was discussed at the cyber-insurance summit at BlackHat, there is evidence that the subset of vulnerabilities that lead to financial loss is actually much lower. Like 0.1%.
If we were prioritizing vulnerability remediation correctly, adversaries would be forced to burn through a larger share of the known vulnerabilities, say 2%, or better still 5% and up. They aren't. They reuse the same few, year after year, because we leave them open.
Meanwhile, new CVEs are coming in like a firehose, growing at ~40% annually and now topping 300,000 in total. Trying to "patch everything" is a fantasy. It wastes time, money, and goodwill from every business unit you disrupt along the way. We don't have infinite patch capacity. We never will. So we can't afford to spend cycles on vulnerabilities that do not matter and likely never will. "Which vulnerabilities matter?" is the most vital question.
A different approach: follow the evidence
If we stop chasing ghosts and focus on vulnerabilities that have already proved they are dangerous, we can turn the tables. This means looking at three kinds of evidence about a vulnerability: 1) evidence of exploitability, 2) evidence of adversary activity, and 3) evidence of breach and financial loss.
This forms the Triangle of Evidence-Based Prioritization.
1) Evidence of Exploitability
Is there evidence that the vulnerability can be exploited? This is the first, obvious red flag. You might think that if it's called a "vulnerability" then exploitability is implied, but that's not always the case. Some vulnerabilities only lead to denial of service, are exploitable only in rare circumstances, or don't yield reliable system compromise. A working exploit or a reliable proof of concept is evidence; a severity score by itself is not.
2) Evidence of Adversary Activity
Is there evidence that the vulnerability has been exploited in the wild? Threat intel, honeypots, and monitoring can help tell us this. But it’s only part of the picture. Sometimes exploitation goes unseen, or targets aren’t obvious yet, or the targets may not matter in a real sense. Not all targets are equal after all.
3) Evidence of Breach and Financial Loss
This is the clincher: Is there evidence the vulnerability has been confirmed as the root-cause in a breach and led to financial loss? Downtime, ransom, lawsuits, lost revenue. When a CVE graduates to “we can measure the damage in dollars,” that’s when technical risk becomes boardroom risk.
Context is everything
Not every critical CVE is critical for you, even if a given vulnerability possesses all three forms of evidence. Asset value, exposure, business criticality, compensating controls and, yes, the cost to fix all shape the real risk. If remediation costs more than the damage it might prevent, that's a conversation worth having rather than a ticket to close silently.
The triangle in practice
Sometimes there’s no prior exploit chatter.
Maybe the vulnerability was a zero-day, or maybe we just weren’t looking at network traffic in the right way. Whatever the case, once a vulnerability is tied to a breach, it jumps the queue.
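Here is the triangle, the context weighting, and the "jumps the queue" rule from the sections above turned into a small patch-queue scorer. This is an added example, not code from the post; the three evidence flags are the post's own corners, while the context fields (exposure, asset criticality, compensating control, fix cost, expected loss), the weights, and the CVE identifiers and dollar figures in the sample backlog are invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Vuln:
    cve: str
    # The three corners of the triangle
    exploitable: bool           # 1) a working exploit or reliable PoC exists
    exploited_in_wild: bool     # 2) threat intel, honeypots, IR cases
    breach_linked: bool         # 3) confirmed root cause of a breach with dollar loss
    # Context fields (assumed for this example, not from the post)
    internet_exposed: bool
    asset_criticality: int      # 1 = lab box ... 5 = revenue-critical system
    compensating_control: bool  # WAF rule, feature disabled, segmented, etc.
    fix_cost: float             # estimated remediation cost, dollars
    expected_loss: float        # estimated loss if exploited on this asset, dollars


def evidence_tier(v: Vuln) -> int:
    """Highest corner reached: 3 breach, 2 in the wild, 1 exploitable, 0 none.
    A confirmed breach proves the other two, so it wins even if those flags
    were never set by the feed that reported it."""
    if v.breach_linked:
        return 3
    if v.exploited_in_wild:
        return 2
    if v.exploitable:
        return 1
    return 0


def context_score(v: Vuln) -> float:
    """How much this CVE matters on *this* asset. Weights are illustrative."""
    score = float(v.asset_criticality)
    if v.internet_exposed:
        score *= 2.0
    if v.compensating_control:
        score *= 0.25  # mitigated, not eliminated
    return score


def decision(v: Vuln) -> str:
    """Evidence decides whether it enters the queue; cost vs. loss flags a
    discussion instead of silently dropping a dangerous finding."""
    tier = evidence_tier(v)
    if tier == 0:
        return "defer: no evidence of danger"
    if v.fix_cost > v.expected_loss:
        return "discuss: fix cost exceeds expected loss"
    if tier == 3:
        return "patch now: breach-linked"
    return "patch"


def prioritize(vulns: List[Vuln]) -> List[Tuple[str, int, float, str]]:
    """Patch queue: evidence tier first, then asset context."""
    ranked = sorted(vulns, key=lambda v: (evidence_tier(v), context_score(v)), reverse=True)
    return [(v.cve, evidence_tier(v), context_score(v), decision(v)) for v in ranked]


def queue_ids(vulns: List[Vuln]) -> List[str]:
    return [row[0] for row in prioritize(vulns)]


def record_breach(vulns: List[Vuln], cve: str) -> None:
    """New evidence arrives: the CVE is confirmed as root cause of a breach.
    All three corners are set, since a breach proves exploitability and use."""
    for v in vulns:
        if v.cve == cve:
            v.breach_linked = v.exploited_in_wild = v.exploitable = True


# Constructed sample backlog; identifiers and figures are invented.
SAMPLE = [
    Vuln("CVE-0000-0001", True, True, True, False, 3, False, 5_000, 200_000),
    Vuln("CVE-0000-0002", True, True, False, True, 5, False, 8_000, 150_000),
    Vuln("CVE-0000-0003", True, False, False, True, 2, True, 2_000, 10_000),
    Vuln("CVE-0000-0004", False, False, False, True, 5, False, 1_000, 50_000),
    Vuln("CVE-0000-0005", True, True, False, False, 1, False, 50_000, 2_000),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
    # A zero-day with no prior chatter gets tied to a breach: it jumps the queue.
    record_breach(SAMPLE, "CVE-0000-0004")
    print(queue_ids(SAMPLE))
```

Before the breach report, CVE-0000-0004 sits at the bottom despite being an exposed, high-value asset, because nothing in the triangle supports it; CVE-0000-0005 is in-the-wild but lands in the "discuss" bucket because the fix would cost more than the loss it prevents. One call to record_breach moves 0004 to the top of the queue without touching anything else.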
Why this matters
The Triangle of Evidence doesn’t waste time on hypothetical threats. It zeroes in on the small, high-risk set that causes real breaches and real losses. Fixing those before the adversary gets to them could wipe out the root cause of roughly half of today’s breaches.
That’s not just better vulnerability management, that’s actual progress. And it’s how we start making the attacker’s job more expensive than ours.