In examining what we’ve seen in the first six months of this year, 2020 has the lowest ratio ever recorded for vulnerabilities that have active exploits in the wild.
Will a lower percentage of a higher number mean more or less work for vulnerability management teams? The FortiGuard Labs team has just completed an analysis of the threat landscape for the first half of this year, and there are some valuable insights that security professionals can leverage to make their networks more secure.
Trends in exploitation
A review of the CVE List that identifies published vulnerabilities shows that the numbers of vulnerabilities being added has been rising over the last few years, culminating in the record number of vulnerabilities discovered in 2020. This has sparked ongoing discussion about the prioritization of patching by organizations.
Interestingly, 2020 so far also has the lowest rate of exploitation among vulnerabilities ever recorded in the 20-year history of published CVE lists. The ratio of CVEs published each year for which exploit activity was detected during the first half of 2020 stands at six percent, but more recent CVEs show lower rates of exploitation.
There are a number of explanations for this. First, the pandemic has created a new “low-hanging fruit” opportunity for cyber-criminals, enabling them to leverage low-cost, high return attacks using things like social engineering to exploit people’s concerns about COVID-19.
Second, new exploits can be expensive. Why take time and money to develop a new exploit when existing ones are still effective. This has always been true, as older exploits always top the lists of active threats, but never more so than now when organizations are relying on home workers using largely unsecured and unpatched home networks.
In our latest analysis, exploits targeting vulnerabilities reported in 2018 have claimed the highest prevalence so far this year, at 65%. Perhaps more telling is that more than a quarter of organizations registered attempts to exploit 15-year old CVEs, and while there is always a certain amount of fishing going on, trends like this tend to exist because cyber-criminals are having success and others are jumping on the bandwagon.
The lesson here is: don’t assume old vulnerabilities can’t cause new problems, but also don’t forget to also patch systems against the latest round of CVEs, because we fully expect cyber-criminals to get around to developing exploits for all of these vulnerabilities now that efforts to exploit COVID-19 have begun to subside.
Prediction is essential
There’s been a renewed interest in efforts to model and predict the exploitation of vulnerabilities. This goes back, in part, to the long-standing defender’s dilemma of not having enough time or resources to fix everything that turns up in the latest vulnerability scan. If the most likely avenues of attack can be identified, organizations know how to prioritize their defense resources.
The challenge is that while more comprehensive tracking of CVEs is a good thing, it can also mean that the list of things organizations need to fix only gets longer. As a result, prioritizing vulnerability remediation has become increasingly important.
One reason why the number of published vulnerabilities being added to the CVE list has risen so steeply in the last few years is that MITRE has expanded the list of organizations authorized to assign CVEs to vulnerabilities.
Prediction is part science and part art. It requires the collection of threat intelligence feeds, a deep understanding of how applications and workflows move through your network, and which transactions touch critical resources. This needs to include collecting and tracking IOCs, mapping them to existing resources, and then cross-referencing them against the most critical points in your network – especially those devices or applications that have access (directly or indirectly) to valuable data.
Prioritize vulnerability remediation
It takes time for cyber adversaries to develop exploits at scale and then distribute them using either legitimate or malicious hacking tools. However, there is a window of opportunity that begins to close once a vulnerability is announced and the first round of organizations begin to apply patches, which is why criminals are still attempting to maximize fresh vulnerabilities as much as possible, and why so organizations have to prioritize remediation.
However, that window rarely closes entirely, which means that older vulnerabilities can still be exploited, often for a decade or more, and still need to be addressed.
One part of this strategy is to prioritize vulnerabilities that have actually been exploited in the wild, with an even higher priority for those that are actively being detected. The challenge with this, of course, is that knowing which CVEs have been exploited requires an expansive deployment of sensors to detect that exploitation. Which is why a subscription to threat feeds cross-referenced against constantly updated IOC lists are an essential part of any security toolkit.
Also threat reports and threat updates are helpful for organizations that don’t have access to threat feeds.
Cut off the low-hanging fruit
Whether you’re an IT security team member or a hacker, why work harder than you have to? While malicious actors do develop new exploitation vectors, all of the data shows that existing vulnerabilities remain a favorite – primarily because they require fewer resources.
Criminals operate on the same ROI principles as any business. Adding some new evasion and penetration techniques to existing code is significantly more cost-effective than building a new attack from scratch.
All of this points to the fact that defenders not only have to now contend with addressing greater numbers of vulnerabilities across their networks, since the reporting of CVEs has been widened, but even with more exploits actively being exploited in the wild every year, older exploits are still not aging out.
As a result, the prioritization of vulnerability remediation is not only an important skillset utilized by security professionals, but one that needs to be increasingly accurate. Remediation not only requires visibility across the entire IT landscape, but across dynamically changing global trends that can provide insights into which resources need the most attention.
Building the skills and resources needed to make this happen will significantly reduce exposure and help prevent embarrassing and damaging breaches.