Isolating active vulnerabilities for better cybersecurity
In the world of cybersecurity, it’s critical to know some key things. How many vulnerabilities are possible in your systems, for one. How many vulnerabilities are likely, for another. How to defend against them, for a third, and in particular, how fast you patch your systems when you know there are vulnerabilities are there.
The Threat Research Unit at Qualys, a cybersecurity specialist firm, recently conducted some large-scale research into exactly these questions – what’s out there, how vulnerable organizations are, and especially how fast those organizations are to patch their systems when threats rear their ugly, annoying heads.
We sat down with Travis Smith, Vice President of the Unit, to discuss the “state of the digital nation.”
A very big number.
So, let’s rip off the Band-Aid. How many vulnerabilities are out there?
The short answer is more than 25 million.
Ouch. Is the long answer any less painful?
Sort of. It’s important to remember this is a big, big study. We collected a tremendous amount of anonymous detection data from our global platform. We looked at detection statistics across vulnerability management, web applications, security, policy, compliance, cloud security, posture management, and more. We gathered as much data as we could, just to understand as much as possible what the threat landscape ultimately looks like from our viewpoint, and then provide some analysis on it.
Still kinda focusing on the big, big number.
We broke the number down into five categories, to tell the story of the threat landscape that we have. The way that story shaped up, we looked at vulnerability data first, because that’s what we’re known for. We’ve just surpassed 200,000 vulnerabilities known and published by the NVD (National Vulnerability Database).
Much smaller number. Feels like we should be relieved, and yet… still a big number when it comes to vulnerabilities.
Right? That’s too much to look at under one lens, so we kind of scoped it down to the vulnerabilities that were published last year.
The CISA list.
25,000 vulnerabilities. Published last year. But which ones introduced the most risk to an organization? We defined that under one of a few different categories. So then we narrowed the focus down to things that had been added to the CISA (Cybersecurity & Infrastructure Security Agency) Known Exploited Vulnerability list, those that were attributed to a threat actor, those that we’ve had evidence of being included into a piece of malware, and then specifically ransomware as another subcategory. We added anything for which there was some type of exploit made available on the Exploit DB published to GitHub.
Please tell us that resulted in a significantly less terrifying number…
163 specific vulnerabilities that we wanted to look at, which were published last year. So we looked at the detection system statistics of those, how often they were not only detected, but remediated. And also how quickly they were remediated.
These risky, weaponized vulnerabilities were remediated at a pace of 57.7% throughout the year, so just over half of them were remediated throughout the year, at a pace of roughly 30.4 days.
That’s what the defenders are looking at.
The speed of threat.
While we were there, we looked at intelligence of how quickly threat actors are leveraging those vulnerabilities – so how quickly the vulnerabilities are weaponized.
Tell us what we already know.
Threat actors are moving much faster. They’re weaponizing these vulnerabilities in an average of 19.4 days. That’s almost exactly 11 days difference between how quickly threat actors are moving versus how quickly defenders are remediating those vulnerabilities across the board.
11 days of advantage, to go through and exploit these vulnerabilities before, on average, organizations are able to remediate them. Looking at the scope of all these dangerous vulnerabilities, they’re not all things like Windows and Chrome and some of those that spread across network devices, web apps and so on. And there was a large disparity between how quickly some of these were actually remediated.
Some were remediated in single digit days, while others were published in maybe January of 2022, and in the last year, were still patched at a rate of single digits. 5-10%. That’s a huge disparity. So we broke it down, to look at which ones were doing well, being patched quickly, patched more often, versus the ones that were not.
The power of automation.
That led us down a rabbit hole to focus on the vulnerabilities which could be automated for the remediation, because those were those ones that trended higher. Obviously, that makes sense – if you can automate something, it goes a little bit faster – but we dug down and looked at things like Windows and Chrome, because those are the number one web browser and the number one operating system, and they have very mature patching processes.
Organizations trust those quite a bit. You can either use their internal built-in tooling or you can easily automate it with a patch management tool.
Those vulnerabilities were patched twice as fast and twice as often as everything else.
So – all hail automation?
Clearly, there’s a disparity between the vulnerabilities that can be automated and the ones that can’t. From our side, we were looking at a group of threat actors that are known as initial access brokers (IABs), or affiliates. These are the groups that will break into an organization and either sell that access or leverage the access themselves. And whether they leverage it themselves or whether they sell it, typically, the end game is ransomware.
So what we looked at was, what were the vulnerabilities that they were adding to their toolkit last year, and which were vulnerabilities which were released last year?
Obviously, they’re going to leverage old vulnerabilities if they find them, but what was the new stuff they were adding?
A much smaller number.
The evidence we had was that the top vulnerabilities they were adding were primarily web apps type vulnerabilities looking at externally facing systems exchanges. None of the top vulnerabilities they were leveraging were Windows or Chrome. And if we looked at the patch rate of those, how quickly they were patching, the mean time to remediation for the vulnerabilities associated with these affiliates or IABs were patched in 45.5 days, 15 days slower than the average.
Do we know exactly what the vulnerabilities were?
Yes, there are 17 specific vulnerabilities that we were looking at by the time we got down to the ones that IABs were using most – none of which were in things like Windows and Chrome.
Defenders are definitely making a difference by patching things like Windows and Chrome. The optimist in me is saying, “Hey, defenders are doing the right thing, they’re changing the tactics of the threat actors.”
And if you look at specifically something like Chrome, it was ravaged with 8 or 9 zero days last year. While that’s not the biggest problem, there are other problems that organizations can take a look at.
So shifting the lens from that the narrative, web apps were something that these threat actors were taking a look at. We took a look at a lot of the detection statistics we had from our web applications, and tied all of those to the OWASP Top 10 controls. We found that the biggest category they fell under was a 04 or 05, the misconfiguration bucket. So a third of every web application that we scanned had some sort of MIS configuration within it.
In itself, that’s not going to lead to a breach in the web application. But the risk there is that it exposes these misconfigurations or exposes information.
Worst case scenario, they expose something like PII (Personal Identifiable Information), but more typically, they expose the back-end systems, the databases behind it.
And a lot of these vulnerabilities are a risk to the organization, or give the attacker additional information to further stage their attacks within that environment.
In Part 1 of this article, we’ve come down from 25 million potential vulnerabilities to 17 core specific vulnerabilities that bad actors are likely to be using right now.
In Part 2, we’ll find out what can be done to improve the patch rates for those 17, and make companies objectively less vulnerable.
22 February 2024
22 February 2024
21 February 2024