CEWL User Guide

This guide covers the awesomeness of CEWL.

What is CEWL?

CEWL is the CVE Early Warning List. CEWL is the list of CVEs that threat actors are using in the wild or about to use.

Better Outcomes with CEWL

If you knew a person would break into your building through your ground-floor window tomorrow, you would take this actionable intelligence and determine how to detect or prevent this from happening. Using CEWL is the same concept: if you know what the threat actors are doing, you can determine what to patch, mitigate, detect, and threat hunt, what features to enable in products, and whether you need new security products to address these types of attacks.

CEWL will help you be more effective and produce better outcomes across the organization: doing less work and being a lot more effective. Concentrating on what threat actors are doing significantly reduces the risk of being compromised while reducing the amount of work effort in protecting the organization. Instead of concentrating on 1,000s of possible things a day, it allows you to focus on what is really being used in attacks. It’s like a Jedi-mind laser-focus that quickly allows you to stop your attacker.

Figure 2, Using CEWL for better outcomes across the organization

Effective Value from CEWL

CEWL can be implemented in several ways.

Value in five minutes

You can get value from CEWL in the first five minutes in these ways:

  • Treat new entries added to CEWL as critical CVEs. This makes it easy to determine what to patch and makes a junior analyst a senior analyst when using this list.

  • Trusted Advisor - instead of your department taking the blame for having to patch again, say that CTCI said to patch; that’s our focus. We have big shoulders and are up to taking on this burden.

  • Uplift your internal threat intelligence team with the information in CEWL.

  • For previous CEWL entries, run a Vulnerability Management scan and match these with CVEs in the list. Assign a higher ranking for critical assets that have CVEs in CEWL that are not patched. (CVSSv4 standard will make this integration a walk in the park, as external Threat Intelligence is mandated in the product.)

  • Buy partner licenses and ensure these attacks are not compromising your supply chain/partner network. With CEWL, you can integrate what CVEs your supply chain/partner network has patched using the processed visibility feature.

  • Set up different groups that need to be notified of new CEWL entries, be it by vendor, product, CVSS score, etc.
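The scan-matching step in the list above, as an added example that is not part of the original guide or CTCI's product: it joins a vulnerability-scan export against the CEWL list and ranks unpatched findings so that CEWL matches on critical assets come first. The CVE ids are placeholders, and the CSV columns, asset names and tier scheme are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data: placeholder CVE ids, not real CEWL entries.
CEWL_CVES = {"CVE-0000-0001", "CVE-0000-0002"}

# Constructed scan export; the column layout is an assumption.
SCAN_CSV = """asset,criticality,cve,cvss,patched
pay-db-01,critical,CVE-0000-0001,7.5,no
pay-db-01,critical,CVE-0000-0009,9.8,no
web-03,standard,cve-0000-0002,6.1,no
hr-app-02,critical,CVE-0000-0002,6.1,yes
build-07,standard,CVE-0000-0009,9.8,no
"""


def rank_findings(scan_csv, cewl_cves):
    """Return unpatched findings, CEWL matches on critical assets first."""
    cewl = {c.strip().upper() for c in cewl_cves}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["patched"].strip().lower() == "yes":
            continue  # already remediated, nothing to rank
        cve = row["cve"].strip().upper()  # scanners differ in id casing
        in_cewl = cve in cewl
        critical = row["criticality"].strip().lower() == "critical"
        # Tier 0: CEWL CVE on a critical asset. Tier 1: any other CEWL CVE.
        # Tier 2: not in CEWL, ordered by CVSS alone.
        tier = 0 if (in_cewl and critical) else 1 if in_cewl else 2
        findings.append({"asset": row["asset"], "cve": cve,
                         "cvss": float(row["cvss"]), "tier": tier})
    findings.sort(key=lambda f: (f["tier"], -f["cvss"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in rank_findings(SCAN_CSV, CEWL_CVES):
        print(f["tier"], f["asset"], f["cve"], f["cvss"])
```

In this sample the 7.5-scored finding that is in the list outranks both 9.8-scored findings that are not, which is the reordering the list item asks for.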

Value in 1-4 hours

For some CEWL entries, CTCI releases flash alerts, called FAST (Flash alert for Security Threats). These Flash Alerts usually have some detections, mitigations, and preventions. Implement a control based on this information. For example, for a malicious URL, you could put in a block on a WAF/IPS, create a security alert for the detection of this malicious URL (IDS, Devo, Splunk), determine if your EDR/MDR product would block this attack, or apply a patch to the software to prevent this bad URL from being effective.

Also, to see if you have already been compromised, perform historical searches within your log management solutions for the detections outlined in FAST or within the NVD CVE information / NVD CVE references.

CEWL UI and Features

Value in 1-2 days

For some attacks that don’t have flash alerts, there will need to be more investigation. Sometimes, it’s self-evident what the solution is. You may need to research what your security products provide compared to what the threat actor is exploiting.

Strategic Value

Get ahead of the game.

Some of the ways you can be strategic with CEWL:

  • Be proactive: knowing a CVE is in CEWL, plan downtime instead of being reactive and bringing systems down during inopportune times.

  • Use the CEWL information in an intelligence-driven cycle and gain as much intelligence from CEWL and your environment to make important changes to technologies, processes, structure, and people.

  • Compare SOC tickets on what was prevented/detected/mitigated with the CVE threats within CEWL to determine the effectiveness of the controls and see what to do about the breadth and depth of your security controls. Do you have too much in one area, not enough in another?

  • Some regulatory controls are coming into this space. Use CEWL today so that you can meet these emerging regulatory controls.

  • Uplift your internal threat intel team when it comes to CVE Actionable Intelligence.

  • It’s hard to get and retain excellent security peeps. This information can uplift your team and help improve the outcome of less skilled personnel.

Set yourself up for success with CEWL

To be successful in using CEWL, you need to create a repeatable process. The process should also be designed to have some KPIs, such as how fast the new CEWL entry is actioned and how long it took to process. Longer-term, you could also track how many detections, preventions, mitigations, and threat hunts were put in place due to CEWL.

An example of a simple yet effective process

For every new CEWL entry, create a Jira Ticket.

This Jira ticket starts an automation workflow with the workflow steps notify, assign, in-process, and done. KPIs are key to improving a process. These can be measured through metrics on transitions. Also, further Jira tickets or tasks can be created for detections/mitigations/patching/hunting to track the respective groups' activities. You could then track how long a detection takes to write and put in production from the time the CEWL entry arrives in Jira.

The done workflow triggers a webhook request to provide feedback that the CEWL entry has now been processed. This data can be hidden or grayed out within the UI using the eye icon for processed entries. This makes it easy to track where everything is at and to ensure no double work is performed.
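The KPIs described above, computed from workflow transitions, as an added example that is not part of the original guide and does not use the Jira or CEWL APIs. The ticket keys and timestamps are constructed, and the two KPI definitions (notify to in-process as "actioned", notify to done as "processed") are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed transition log: (ticket, workflow step, ISO timestamp).
# Step names come from the guide; keys and times are made up.
TRANSITIONS = [
    ("CEWL-1", "notify", "2024-01-08T09:00"),
    ("CEWL-1", "assign", "2024-01-08T09:30"),
    ("CEWL-1", "in-process", "2024-01-08T11:00"),
    ("CEWL-1", "done", "2024-01-09T09:00"),
    ("CEWL-2", "notify", "2024-01-10T14:00"),
    ("CEWL-2", "assign", "2024-01-10T15:00"),
    ("CEWL-2", "in-process", "2024-01-10T18:00"),
    ("CEWL-2", "done", "2024-01-12T14:00"),
    ("CEWL-3", "notify", "2024-01-15T08:00"),
    ("CEWL-3", "assign", "2024-01-15T08:20"),
]


def hours(start, end):
    return (end - start).total_seconds() / 3600


def kpis(transitions):
    """Median hours to action and to done, plus tickets still open."""
    first_seen = {}
    for ticket, step, ts in transitions:
        when = datetime.fromisoformat(ts)
        steps = first_seen.setdefault(ticket, {})
        # A re-opened ticket can enter a step twice; keep the earliest.
        if step not in steps or when < steps[step]:
            steps[step] = when
    to_action, to_done, still_open = [], [], []
    for ticket, steps in sorted(first_seen.items()):
        start = steps.get("notify")
        if start is None:
            continue  # no start time recorded, cannot measure
        if "in-process" in steps:
            to_action.append(hours(start, steps["in-process"]))
        if "done" in steps:
            to_done.append(hours(start, steps["done"]))
        else:
            still_open.append(ticket)  # kept out of the done median
    return {
        "median_hours_to_action": median(to_action) if to_action else None,
        "median_hours_to_done": median(to_done) if to_done else None,
        "open": still_open,
    }


if __name__ == "__main__":
    print(kpis(TRANSITIONS))
```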

Other Possibilities

CEWL delivery supports email, Teams, Slack, Jira, and webhooks. This can give you lots of different options. CEWL is also API-driven so that you could create the process of notification in a completely different way.

Also, you can create notification groups, which are one or more notification filters, and which you can think of as a department that needs its own notifications for its own CVEs (such as a network team with Cisco products). Each different network group can get the notification in any of the delivery ways.

Remember, with CEWL comes great power and with that great responsibility, use your supercewl powers for good and not evil. (Also, remember there are some terms and conditions for using this data, like not publishing this information in the public domain and such.)

Core Concepts with CEWL

A Notification group can be thought of as a group/department/logical group that needs to be notified the same way - as a notification delivery. More information on Notification Groups.

A notification group can have one or more notification filters.

A Notification filter is a search expression or a keyword search that returns data in the CEWL list. If a notification group has a notification filter, then if there is more than one entry that matches the response, the entry notifies based on the notification delivery set. More information: https://ctci.atlassian.net/wiki/spaces/CTCIDOC/pages/325517390.

Notification delivery can be one of the following:

  • Email;

  • Slack;

  • Teams;

  • Jira; or

  • Webhook.

More information on Notification Delivery.

CEWL Features

Some of the features on CEWL.

Figure 1, CEWL Features