11 January 2023

Introducing KEV Bot, Our Known Exploited Vulnerabilities Bot

An introduction to Aquia's KEV notification system

Will Lindsey, Information System Security Officer

Meet KEV Bot!

We are excited to announce the release of Aquia’s Known Exploited Vulnerabilities (KEV) notification system, KEV Bot! KEV Bot periodically checks the Cybersecurity and Infrastructure Security Agency’s (CISA’s) KEV catalog for new entries. When KEV Bot detects a new entry to the catalog, it tweets an announcement of the new entry from its Twitter handle, @KEV_bot_1. Being aware of new KEV catalog entries is a critical component of many organizations’ vulnerability management process and we believe KEV Bot can be of service to you. If you are interested in staying up to date on the latest KEV catalog entries, follow KEV Bot on Twitter!

What is the KEV catalog?

The KEV catalog is a list of vulnerabilities identified by CISA as having been exploited in the wild. CISA adds a vulnerability to the KEV catalog when it meets all three of the following criteria:

  1. A Common Vulnerabilities and Exposures (CVE) ID has been assigned to the vulnerability.
  2. There is reliable evidence that an actor has exploited or attempted to exploit the vulnerability on a system without permission of the system owner.
  3. Remediation action for the vulnerability exists.

The CISA KEV catalog is the authoritative source of known exploited vulnerabilities. All U.S. federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within the timeframes outlined in the catalog. CISA recommends that all organizations expedite the remediation of KEV catalog entries. The KEV catalog is publicly available, and CISA provides an API endpoint for it.

How does KEV Bot work?

KEV Bot is hosted on Amazon Web Services (AWS) and uses serverless services to deliver notifications. An Amazon EventBridge rule periodically triggers an AWS Lambda function called kev_lambda. The Lambda function pulls the KEV catalog from CISA’s API endpoint. Next, the function pulls previously saved KEV entries from Amazon DynamoDB for comparison with the current KEV catalog. When new KEV entries are detected, kev_lambda retrieves KEV Bot’s Twitter API keys from AWS Systems Manager Parameter Store and tweets an announcement of the new entries. The Lambda function then saves the new entries to Amazon DynamoDB for future comparisons. For more details, check out KEV Bot’s GitHub repo.
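The compare-and-announce step described above, sketched as an added example that is not KEV Bot's own code. It assumes the field names of CISA's JSON feed (`count`, `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dueDate`); the function names are hypothetical, an in-memory set stands in for the DynamoDB table, and the sample feed and its CVE IDs are constructed placeholders.

```python
import json
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
TWEET_LIMIT = 280

# Constructed sample shaped like CISA's KEV JSON feed; the CVE IDs are placeholders.
SAMPLE_FEED = json.dumps({"count": 3, "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "Widget",
     "vulnerabilityName": "Widget Command Injection", "dueDate": "2099-01-22"},
    {"cveID": "cve-2099-0002", "vendorProject": "ExampleSoft", "product": "Portal",
     "vulnerabilityName": "Portal Authentication Bypass", "dueDate": "2099-01-23"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleSoft", "product": "Portal",
     "vulnerabilityName": "Portal Authentication Bypass", "dueDate": "2099-01-23"},
]})

def parse_catalog(raw):
    """Return {CVE ID: entry}; reject a feed whose count disagrees with its entries."""
    doc = json.loads(raw)
    vulns = doc.get("vulnerabilities")
    if not isinstance(vulns, list) or doc.get("count") != len(vulns):
        # A truncated response must not be diffed as if it were a catalog change.
        raise ValueError("incomplete catalog: 'count' does not match entries")
    catalog = {}
    for v in vulns:
        cve = str(v.get("cveID", "")).strip().upper() if isinstance(v, dict) else ""
        if CVE_RE.fullmatch(cve):  # skip malformed IDs instead of announcing them
            catalog.setdefault(cve, dict(v, cveID=cve))  # first copy wins on duplicates
    return catalog

def announcement(entry):
    """Build the notification text, truncated to fit one tweet."""
    text = (f"New KEV entry: {entry['cveID']} | {entry.get('vendorProject', '?')} "
            f"{entry.get('product', '?')} | {entry.get('vulnerabilityName', '')} "
            f"| Due: {entry.get('dueDate', 'n/a')}")
    return text if len(text) <= TWEET_LIMIT else text[:TWEET_LIMIT - 3] + "..."

def run_once(raw, seen_ids):
    """One scheduled run: returns (announcements, updated seen set)."""
    catalog = parse_catalog(raw)
    fresh = [catalog[c] for c in sorted(catalog) if c not in seen_ids]
    return [announcement(e) for e in fresh], set(seen_ids) | set(catalog)

if __name__ == "__main__":
    tweets, seen = run_once(SAMPLE_FEED, {"CVE-2099-0001"})
    print(tweets, sorted(seen))
```

Persisting the seen set only after the announcements succeed keeps a failed run from silently dropping an entry on the next comparison.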

Why KEV Bot?

KEV Bot provides value by quickly getting the message out to a wide audience about which CVEs are being actively exploited and have remediations available. By using Twitter, cybersecurity professionals can subscribe to KEV Bot and be notified of new KEV catalog entries directly from their phone. KEV Bot also serves as a working example of how to programmatically interact with the KEV catalog. The main objective is to reduce KEV identification time for organizations and to reach more people.

KEV Bot is one of many examples of Aquia’s commitment to giving back to the cybersecurity community. It was created as a small token to assist the community we serve. We look forward to hearing how this service has added value to your organization as you navigate the ever-changing landscape of vulnerability management.

