Heartbleed Hackers Launched 3.47 Attacks Per Second

So far, the disclosure of the Heartbleed vulnerability in the OpenSSL library has been the biggest event to hit the security industry in 2014. But according to the third edition of the 2014 IBM X-Force Threat Intelligence Quarterly, one of the lessons learned comes in the form of threat mitigation and patch management—much of the Heartbleed damage came directly after its disclosure.

“Much emphasis has been placed on preparing for and mitigating zero-day attacks, but in the case of Heartbleed, a more interesting study occurs after disclosure, when both attackers and enterprises are racing against the clock,” said Leslie Horacek, worldwide threat response manager for the IBM X-Force security research group. “Attackers want to capitalize on the vulnerability as much as possible before there is a widespread patch campaign, while the enterprise is racing to ensure there are protections in place.”

These essentially become one-day attack vectors for the bad guys, wherein they take advantage of the short exposure window between when the patches are announced and when the patches are usually deployed. This was played out in the Heartbleed saga: Just one day after the disclosure, a proof-of-concept tool capable of exploiting the Heartbleed bug began to circulate, exposing unpatched systems to skilled and unskilled attackers alike.

IBM’s Managed Security Services (MSS) division in particular witnessed attackers immediately retooling and exploiting the bug on a global scale. Once the major vendors of intrusion detection and prevention systems released protection signatures, MSS was able to see just how bad the situation had become. On April 15, MSS witnessed the largest spike in activity across its customer base, with more than 300,000 attacks in a single 24-hour period. That is an average of 3.47 attacks per second across hundreds of customers.

Outside of Heartbleed, in the first half of 2014, IBM reported just over 3,900 new security vulnerabilities affecting 926 unique vendors—plenty of surface area for one-day attacks to wreak havoc. That said, a piece of good news in the report is the fact that fewer vulnerabilities seem to be coming to light.

“If this trend continues through the end of the year, the total projected vulnerabilities would fall below 8,000 total vulnerabilities for the first time since 2011,” Horacek noted.

IBM laid out six strategies companies can use to mitigate one-day attacks: Keep up with threat intelligence; have a patching solution that covers an entire infrastructure; implement up-to-date detection systems; maintain a current and accurate asset inventory; and implement mitigating controls, like firewalls, intrusion prevention systems and endpoint protection.
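As an added illustration that is not part of the article or of IBM's report, the script below shows the asset-inventory cross-check the strategies above call for: when an advisory is published, finding the vulnerable, exposed assets should be a lookup against an already-maintained inventory, not a hunt. The inventory hosts, the product name `example-tls` and the affected version range are all constructed for illustration and do not describe any real advisory.

```python
"""
Added example (not from the article or from IBM): cross-reference an asset
inventory against a vulnerability advisory so that, on disclosure day, the
list of exposed assets is one function call away. All hosts, products and
version ranges below are constructed sample data.
"""
import re
from dataclasses import dataclass

VERSION_PART = re.compile(r"^(\d+)([A-Za-z]*)$")


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    product: str
    first_affected: str  # inclusive lower bound of the affected range
    first_fixed: str     # exclusive upper bound: this release carries the fix


def parse_version(version: str) -> tuple:
    """Turn '1.0.1f' into ((1,''),(0,''),(1,'f')) so tuples compare in release order."""
    parts = []
    for piece in version.split("."):
        match = VERSION_PART.match(piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(match.group(1)), match.group(2).lower()))
    return tuple(parts)


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """True when the asset runs the advisory's product inside the affected range."""
    if asset.product != advisory.product:
        return False
    version = parse_version(asset.version)
    return (parse_version(advisory.first_affected)
            <= version
            < parse_version(advisory.first_fixed))


def exposed_assets(inventory: list, advisory: Advisory) -> list:
    """Return affected assets, internet-facing ones first (patch those first)."""
    hits = [asset for asset in inventory if is_affected(asset, advisory)]
    return sorted(hits, key=lambda a: (not a.internet_facing, a.host))


# Constructed sample inventory: a mix of affected, fixed and unrelated systems.
INVENTORY = [
    Asset("web-01", "example-tls", "1.0.1c", internet_facing=True),
    Asset("web-02", "example-tls", "1.0.1g", internet_facing=True),   # already fixed
    Asset("db-01", "example-tls", "1.0.1e", internet_facing=False),
    Asset("vpn-01", "example-tls", "0.9.8y", internet_facing=True),   # below range
    Asset("lb-01", "other-lib", "1.0.1a", internet_facing=True),      # different product
]

# Constructed sample advisory (placeholder range, not a real vendor bulletin).
ADVISORY = Advisory(product="example-tls", first_affected="1.0.1", first_fixed="1.0.1g")

if __name__ == "__main__":
    for asset in exposed_assets(INVENTORY, ADVISORY):
        exposure = "INTERNET-FACING" if asset.internet_facing else "internal"
        print(f"{asset.host}: {asset.product} {asset.version} ({exposure})")
```

The version comparison treats a trailing letter (`1.0.1f`) as sorting after the bare release (`1.0.1`) and before the next numeric component, which matches the lettered patch-release scheme many libraries use; for products with a different scheme, swap `parse_version` for the appropriate comparator rather than comparing strings.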

“When a critical vulnerability is publicized, you don’t have time to try to figure out where your vulnerable, exposed assets are located,” Horacek said. “Attackers are engaged in the same pursuit, and effective defense should not be a race toward discovery. As a defender, this is one area where you should have the upper hand.”

Companies should also create and practice a broad incident response plan. “All activities related to vulnerability disclosures and active attacks must be guided by processes involving all levels of your organization and guided by clear procedures for a variety of situations,” Horacek counseled. “Test the procedures often to make sure you aren’t working out the kinks when an actual emergency arises.”
