11 January 2023

Introducing KEV Bot, Our Known Exploited Vulnerabilities Bot

An introduction to Aquia's KEV notification system

Will Lindsey, Information System Security Officer

We are excited to announce the release of Aquia’s Known Exploited Vulnerabilities (KEV) notification system, KEV Bot! KEV Bot periodically checks the Cybersecurity and Infrastructure Security Agency’s (CISA’s) KEV catalog for new entries. When KEV Bot detects a new entry in the catalog, it sends an announcement of the new entry to an alert channel in Slack. Being aware of new KEV catalog entries is a critical component of many organizations’ vulnerability management process, and we believe KEV Bot can be of service to you. If you are interested in staying up to date on the latest KEV catalog entries, fork and configure KEV Bot to make announcements in your own Slack environment!

What is the KEV catalog?

The KEV catalog is a list of vulnerabilities identified by CISA as having been exploited in the wild. CISA adds a vulnerability to the KEV catalog when it meets all three of the following criteria:

  1. A Common Vulnerabilities and Exposures (CVE) ID has been assigned to the vulnerability.
  2. There is reliable evidence that an actor has exploited or attempted to exploit the vulnerability on a system without permission of the system owner.
  3. Remediation action for the vulnerability exists.

CISA maintains the authoritative source of KEV in the CISA KEV catalog. All U.S. federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within the timeframes outlined in the catalog. CISA recommends that all organizations expedite the remediation of KEV catalog entries. The KEV catalog is publicly available and CISA provides an API endpoint for the KEV catalog.

How does KEV Bot work?

KEV Bot is hosted on Amazon Web Services (AWS), utilizing serverless services to deliver notifications. An Amazon EventBridge rule periodically triggers an AWS Lambda function called kev_lambda. The Lambda function pulls the KEV catalog from CISA’s API endpoint. Next, the function pulls previously saved KEV entries from Amazon DynamoDB for comparison with the current KEV catalog. When new KEV entries are detected, kev_lambda retrieves KEV Bot’s Slack webhook URL from AWS Systems Manager Parameter Store and posts an announcement of the new entries to Slack. The Lambda function then saves the new entries to Amazon DynamoDB for future comparisons. For more details, check out KEV Bot’s GitHub repo.
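The check-diff-announce-persist cycle described above, as an added example that is not KEV Bot’s own code from the repo. It keeps the "previously saved entries" in a plain Python set standing in for the DynamoDB table, and the Slack webhook is passed in as a callable, so the logic runs offline on a constructed sample feed. The feed URL is the public JSON feed CISA publishes for the catalog (the post only says "API endpoint", so treat the constant as an assumption), and the CVE IDs in the sample are placeholders, not real catalog entries.

```python
import json
import urllib.request

# Public JSON feed CISA publishes for the KEV catalog. The post does not name
# the endpoint, so this URL is an assumption of the example.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed in the shape of the real catalog JSON. The CVE IDs
# are placeholders; the fields mirror the catalog's per-entry keys.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "dateReleased": "2023-01-11T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "ExampleProduct Placeholder Vulnerability", "dateAdded": "2023-01-10",
         "shortDescription": "Constructed placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-01-31", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "OtherProduct",
         "vulnerabilityName": "OtherProduct Placeholder Vulnerability", "dateAdded": "2023-01-11",
         "shortDescription": "Constructed placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-02-01", "notes": ""},
    ],
})


def parse_catalog(feed_text):
    """Parse the KEV feed JSON and index its entries by CVE ID.

    A feed without a 'vulnerabilities' list is rejected rather than silently
    treated as "no new entries", and entries lacking a cveID are skipped
    because there is nothing to key the comparison on.
    """
    data = json.loads(feed_text)
    vulns = data.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("KEV feed has no 'vulnerabilities' list; refusing to diff")
    catalog = {}
    for entry in vulns:
        cve_id = entry.get("cveID")
        if cve_id:
            catalog[cve_id] = entry
    return catalog


def find_new_entries(catalog, known_ids):
    """Return entries whose CVE ID has not been seen before, oldest dateAdded first."""
    new = [e for cve_id, e in catalog.items() if cve_id not in known_ids]
    return sorted(new, key=lambda e: (e.get("dateAdded", ""), e["cveID"]))


def format_slack_message(new_entries):
    """Build a Slack incoming-webhook payload ({"text": ...}) announcing the entries."""
    noun = "entry" if len(new_entries) == 1 else "entries"
    lines = [f"*{len(new_entries)} new KEV catalog {noun}*"]
    for e in new_entries:
        lines.append(
            f"• {e['cveID']} | {e.get('vendorProject', '?')} {e.get('product', '?')} | "
            f"added {e.get('dateAdded', '?')}, due {e.get('dueDate', '?')}\n"
            f"  {e.get('vulnerabilityName', '')}\n"
            f"  Required action: {e.get('requiredAction', '')}"
        )
    return {"text": "\n".join(lines)}


def fetch_catalog(url=KEV_FEED_URL, timeout=30):
    """Download the live catalog (network call; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def post_to_slack(webhook_url, payload, timeout=30):
    """POST a webhook payload to Slack and return the HTTP status (network call)."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def run_check(feed_text, known_ids, announce):
    """One bot cycle: parse, diff against the stored IDs, announce, then persist.

    The updated ID set is returned only after announce() succeeds, so a failed
    Slack post leaves the entries unsaved and they are announced on the next run
    instead of being lost.
    """
    new_entries = find_new_entries(parse_catalog(feed_text), known_ids)
    if new_entries:
        announce(format_slack_message(new_entries))
    return set(known_ids) | {e["cveID"] for e in new_entries}


if __name__ == "__main__":
    seen = {"CVE-0000-0001"}           # stand-in for the IDs stored in DynamoDB
    seen = run_check(SAMPLE_FEED, seen, lambda p: print(p["text"]))
    print("stored IDs now:", sorted(seen))
```

In a real deployment `announce` would wrap `post_to_slack` with the webhook URL read from Parameter Store, and the returned ID set would be written back to DynamoDB; the ordering in `run_check` (persist after announcing) is the part worth keeping, since saving first would swallow an entry if the Slack post failed.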

Why KEV Bot?

KEV Bot provides value by quickly getting the message out about which CVEs are being actively exploited and have a remediation available. By using KEV Bot, cybersecurity professionals can monitor their alert channel for new KEV catalog entries directly in Slack. KEV Bot also serves as a working example of how to programmatically interact with the KEV catalog. The main objective is to reduce KEV identification time for organizations.

KEV Bot is one of many examples of Aquia’s commitment to giving back to the cybersecurity community. It was created as a small token to assist the community we serve. We look forward to hearing how this service has added value to your organization as you navigate the ever-changing landscape of vulnerability management.

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.

Categories

AWS Security Vulnerability Management IaC