CEWL is the CVE Early Warning List: the CVEs that threat actors are currently exploiting in the wild or are about to exploit.
Which CVEs are critical?
If it is on the list, it is classed as a critical CVSS score for us. (In CVSS 3.0 this would be expressed as a temporal score for vulnerability management; in CVSS 4.0 it is a threat confidence score.) Naturally, combining this with your environmental score is important to determine your actual risk.
Are all entries within CEWL classed as being used by threat actors?
In use, or proactively about to be used. At the moment we do not differentiate between the two in the list.
What is the difference between honeypot, intel, and research columns?
Honeypot is the first date the CVE was seen on our honeypot; Intel is the first date it was picked up by our automated collection and threat-determination process; Research is the first date on which manual work was performed on it.
Why don’t you keep updating the date it was last seen on a honeypot, and so on?
For the same reason Microsoft doesn’t add changes to their CVEs: we record what we know at that point in time and focus on the new material, what threat actors are doing or about to do.
How should I prioritize?
As an organization, preferably the CVEs that have the highest environmental scores in your environment.
Is an older CVE in the list more important than the most recent?
With the most recent you can get ahead of the game. However, what we find is that threat actors go more for longevity, so they prefer CVEs with lower CVSS scores; hence about 80% of the CVEs in CEWL are non-critical.
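As an added example (not CEWL's own tooling or code), the following Python models the prioritisation described above: a CEWL listing is mapped to the CVSS 3.1 temporal metric Exploit Code Maturity = High (that mapping, the sample records and the CEWL entries are constructed assumptions; the weights and Roundup function are the CVSS 3.1 specification's), temporal scores are recomputed, and the backlog is ordered CEWL entries first, then by the organisation's own environmental score.

```python
"""Prioritise a patch backlog against a CEWL-style early-warning list.
Assumption (not stated on the page): a CEWL listing is treated as CVSS 3.1
Exploit Code Maturity = High (E:H). Weights are the CVSS 3.1 spec values."""
import math
from dataclasses import dataclass

# CVSS 3.1 temporal metric weights ("X" = Not Defined)
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

def roundup(value: float) -> float:
    """CVSS 3.1 Roundup (Appendix A): smallest one-decimal number >= value,
    done on integers so 8.7514 becomes 8.8 and 4.02 becomes 4.1 reliably."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

@dataclass
class Vuln:
    cve: str
    base_score: float           # CVSS 3.1 base score from the advisory
    environmental_score: float  # the organisation's own environmental score
    e: str = "X"                # Exploit Code Maturity before CEWL is consulted
    rl: str = "X"               # Remediation Level
    rc: str = "X"               # Report Confidence

def temporal_score(v: Vuln, cewl: set) -> float:
    """Temporal score; a CEWL listing overrides Exploit Code Maturity to High."""
    e = "H" if v.cve in cewl else v.e
    return roundup(v.base_score * EXPLOIT_CODE_MATURITY[e]
                   * REMEDIATION_LEVEL[v.rl] * REPORT_CONFIDENCE[v.rc])

def prioritise(vulns, cewl: set):
    """CEWL entries first (the 'critical' class), then highest environmental
    score, then temporal score as the tie-breaker."""
    return sorted(vulns, reverse=True, key=lambda v: (
        v.cve in cewl, v.environmental_score, temporal_score(v, cewl)))

# Constructed sample backlog and CEWL entries (placeholder ids, not real CVEs)
CEWL = {"CVE-0000-0002", "CVE-0000-0004"}
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 3.1, e="P", rl="O", rc="C"),  # critical base, barely exposed
    Vuln("CVE-0000-0002", 6.5, 7.2),                         # medium base, on CEWL
    Vuln("CVE-0000-0003", 7.5, 8.1),                         # high base, not on CEWL
    Vuln("CVE-0000-0004", 5.3, 6.0, e="U"),                  # medium base, on CEWL
]
```

Note that the two CEWL entries outrank the 9.8 base-score vulnerability: listing plus exposure in your environment drives the order, not the base severity alone.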
Is the first date the real date?
Not always. To avoid tipping off threat actors, we sometimes shift this date so that it does not exactly match when we actually first saw the activity.
Should I just patch what is in CEWL?
I would love to say yes; however, the world is not that simple. If you have a technology that is less mainstream and there is a vulnerability in it, then patch. What we would love is for you to tell us about this technology so we can add it to our monitoring/collection/threat-determination processes.
What if something isn’t on the list and I think it should be?
Let us know: we can search through our intelligence collection for it and/or add it to our threat-collection processes.
What if there is a technology we don’t cover?
Let us know so we can cover this.
How do you handle Line of Business (LOB) applications?
We can work with you to simulate the application, or take the common vulnerabilities and build an application that simulates them.
What about IoT devices?
We cover a number of libraries that are found in millions of devices. The problem with IoT devices is that they use old technology, and things like buffer overruns are common problems in them today. If there is a specific type of IoT device that is pertinent to your business, let us know and we will add it to our monitoring.
How can we get a list of vendors/products you support?
Since we follow what the threat actors are focusing on, it’s harder to say which vendors and products we focus on. However, if there is a certain technology you rely on, such as a database or Node, let us know and we will make sure it is in our monitoring/collection processes.