Align Your VM Priorities With the Biggest Threats
Vulnerabilities and their exploitation are still the primary source of security breaches. IT security leaders need to pay attention to how vulnerabilities are managed and track this metric to reduce the chances of being breached.
Key Challenges
- The exploitation of known, but unaddressed, vulnerabilities is the main cause of most cyber threats. Although "zero days" generally account for only 0.4% of vulnerabilities over the past decade, their threat to most companies is disproportionately high.
- Vulnerability remediation processes are not taking into account the biggest risks. Data from breach reports and Gartner research demonstrate that only a small percentage of vulnerabilities are actually exploited in real-world attacks.
- The goal of always patching every vulnerability everywhere is not only difficult to achieve, it also creates tension between IT security and IT operations.
- Traditional vulnerability severity rating systems, such as FIRST's Common Vulnerability Scoring System (CVSS) score or the classical "critical, high, medium and low" rankings, can give an indication of the criticality and impact of vulnerabilities; however, they don't reflect what is actually being exploited in the wild.
- Attackers can easily and cheaply use existing vulnerabilities to mount successful, profitable attacks that are difficult to detect.
Introduction
At M87, we prioritize patching of vulnerabilities exploited in the wild.
The top challenge with vulnerability management (and, in general, IT security operations) is that organizations are having difficulty determining the difference between "what can we fix" and "what will make the biggest impact, with the limited time and resources at our disposal." The answer to this is to use a risk-based approach. There is now a considerable amount of research that supports this, such as the Verizon Data Breach Investigations Report (DBIR). Most attackers do not use complex methods to achieve their goals.
The traditional method of vulnerability management, which tries to address a large number of vulnerabilities in total, is logical, but it has caused conflicts between IT security and operations teams. This is due to the amount of effort needed to "patch everything," considering the large number of vulnerabilities in most organizations. Furthermore, this method has not been successful in improving security, as breaches keep occurring at a consistent rate.
Einstein famously said, "The definition of insanity is to keep doing the same things, but expect different results." This has never been truer than when it comes to vulnerability management in enterprises. It's time for a change: focus on what will make the biggest improvements, while still recognizing and striving for the ideal.
Vulnerabilities are prime targets for attackers due to their ease of exploitation and prevalence in widely used software. Exploits for such vulnerabilities can quickly spread across public and private forums and are easily accessible via attack creation tools. This makes it unnecessary for attackers to invest in new methods or purchase expensive zero-day vulnerabilities, as one vulnerability is often enough. Our research suggests that a technology stack typically contains 50 to 300 vulnerabilities per year that should be considered critical. These vulnerabilities, the most common targets of various threat actors, are what define the exploitation mainstream. Vulnerability assessment tools detect many more than these high-risk vulnerabilities, and organizations are often faced with tens of thousands of vulnerabilities that need to be managed.
First, let's review the problem a little deeper
The fundamental idea of information security is to protect the privacy, accuracy, and accessibility of your company's IT resources. A breach can be a dramatic example of the effect on all three of these aspects. It can be damaging to individuals, organizations, customers, and business partners. Studies have revealed that too much attention is paid to "exploits" and "malware" instead of the real reasons behind them, which are the weaknesses that are exploited. Although not all breaches are caused by a weakness being abused, most are, and most of them are created by already known weaknesses, not "zero days".
- During the past 10 years, an average of 8,000 vulnerabilities have been identified each year, but the amount of malware and other threats has grown exponentially.
- Organizations must cope with the cumulative effect of these vulnerabilities, which may number in the tens or hundreds of thousands.
- Some of these vulnerabilities may not have a patch available, or require commercial support to obtain the patch. Embedded systems, such as OT equipment, tablets, and phones, may not receive patches from their manufacturer.
- The Common Vulnerability Scoring System (CVSS) can provide an effective ranking of a vulnerability, but does not consider which vulnerabilities are exploited in the wild nor the scale of exploitation. Over the past decade, only about 12.5% of disclosed vulnerabilities have been verified as exploited.
- The most commonly exploited vulnerabilities are those categorized as "medium," such as SQL injection (SQLi) and cross-site scripting (XSS).
- Attack path modeling and an understanding of the kill chain reveal that vulnerabilities can be chained together for more complex exploits. For example, a combination of local and network-based vulnerabilities of various levels of severity was used in an attack that led to the release of iOS v.9.3.5.
It has been traditionally assumed that patching software should be done in order of the severity of the vulnerability, with critical vulnerabilities being patched first, then high, medium and so forth. However, this is not always possible, and it is far from a reality that everyone can follow. To get a better understanding of the problem, we asked a simple, binary question: "How many vulnerabilities go on to be recorded as publicly exploited?"
It is evident that over the last decade, only around 12.5% of the identified vulnerabilities have been actively exploited. Interestingly, the number of exploited vulnerabilities has remained stable despite the increasing number of breaches and threats. This indicates that a small set of vulnerabilities are being leveraged by more threats.
If organizations focus their efforts on patching or establishing compensating controls for the vulnerabilities that are actually being exploited, it is a highly effective way to reduce risk and prevent breaches. This is because a smaller number of vulnerabilities is easier to handle, and organizations can put more effort into addressing them for a greater benefit.
The number of available targets and the difficulty of exploiting a vulnerability both factor into whether a vulnerability will be exploited or not. For example, a vulnerability with a CVSS rank of 5 affecting an internet-facing system in the DMZ that is already being exploited in the wild is a bigger concern than a CVSS rank of 10 vulnerability on an internal system that has segmentation and other controls applied, and has never been exploited in the wild in the past four years.
On the other hand, a vulnerability in Adobe PDF that affects hundreds of millions or even billions of endpoints is more likely to be exploited than a vulnerability in OpenBSD. Attackers prefer reliable and easily exploitable vulnerabilities, so if exploitation is difficult or the target is limited, the vulnerability is less likely to be exploited.
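The ranking argued for above, as an added Python example (not code from this page or from M87's program): verified exploitation and exposure weigh more than raw CVSS, so the DMZ CVSS 5 outranks the internal CVSS 10. The multipliers, identifiers and inventory are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                     # constructed placeholder, not a real CVE id
    cvss: float                  # CVSS base score, 0.0-10.0
    exploited_in_wild: bool      # verified exploitation from threat intel
    internet_facing: bool        # reachable from outside (e.g. DMZ host)
    compensating_controls: bool  # segmentation, IPS virtual patching, etc.


def risk_score(v: Vuln) -> float:
    """Score that puts observed exploitation ahead of severity alone.

    The multipliers are assumptions chosen so that exploitation and
    exposure dominate: an exploited CVSS 5 on a DMZ host must outrank
    an unexploited CVSS 10 behind compensating controls.
    """
    score = v.cvss
    if v.exploited_in_wild:
        score *= 3.0   # part of the "exploitation mainstream"
    if v.internet_facing:
        score *= 1.5   # a much larger attacker population can reach it
    if v.compensating_controls:
        score *= 0.5   # segmentation/IPS lower the chance of success
    return round(score, 2)


def prioritize(vulns):
    """Return the inventory ordered from most to least urgent."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample inventory covering the two cases compared in the text.
SAMPLE = [
    Vuln("VULN-INTERNAL-10", 10.0, False, False, True),
    Vuln("VULN-DMZ-5", 5.0, True, True, False),
    Vuln("VULN-WORKSTATION-7", 7.0, True, False, False),
    Vuln("VULN-INTERNAL-9", 9.0, False, False, False),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vid:20} cvss={v.cvss:4} risk={risk_score(v)}")
```

Swap the constructed multipliers for your own exposure and exploitation data; the point is the ordering, not the exact numbers.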
What to Do About It
The solution is relatively straightforward: prioritize patching or remediation for known vulnerabilities that are already being exploited. This will help prevent attackers from gaining access to your organization. Having mitigating controls in place can also be beneficial.
What If I Can't Patch, or There's No Patch Available
Our VM Program has several advantages over other solutions. Unlike other solutions, our system accounts for zero-day vulnerabilities and allows for mission-critical systems to remain available when patching is required. To help mitigate these issues, our system includes application whitelisting, identity and access monitoring, and privileged user monitoring. Additionally, we use IPS for Virtual Patching, a technology that has been proven for over 20 years to help prevent and detect the exploitation of vulnerabilities.
Statistically speaking, this is a good news story for us. Why?
This means that over the past decade, patching only 50-300 vulnerabilities per year could have prevented exposure to hundreds of millions, if not billions, of malicious samples and other threats. It may seem counterintuitive, but this is actually a positive statistic. Despite the fearmongering from some vendors, the reality is that a small number of vulnerabilities are still responsible for a large number of threats. With the right data and analysis, we can see that this is the case.