Vulnerabilities and misconfigurations – narrowing the focus

How a narrower focus can help you prioritize your protection and patching regime.
3 May 2023

There are vulnerabilities, and then there are vulnerabilities. Knowing which are which can be crucial.

In Part 1 of this article, we sat down with Travis Smith, Vice President of the Threat Research Unit at Qualys, a cybersecurity specialist firm, to get a handle on exactly how many active vulnerabilities were out there being used by cybercriminals.

It’s safe to say we had our minds well and truly blown at how continually refocusing the lens of active threat took us from millions of potential vulnerabilities down to 17 that were actively being used and recently launched.

While we had Travis in the chair, it seemed only fair to go deeper into those 17 active threats.

Configuration error.

THQ:

Talk to us about misconfiguration vulnerabilities, because they seem to be a prominent way in for bad actors.

TS:

Knowing that you’ve got misconfigurations in the first place is the biggest thing there. And once you know, you have to ask what the misconfiguration status looks like across the rest of the infrastructure. We wanted to look at what misconfigurations look like in the cloud, and what they look like on-premises, so we pulled the data points on all of those.

From the cloud side, we specifically looked at the Center for Internet Security auditing benchmarks for AWS and GCP. We looked at what the pass-fail rates associated with those cloud providers were. There are 30 individual categories, and if you’re familiar with the CIS benchmarks themselves, 13 of those categories across the board are failing at a rate of more than 50% of the time.

And there were some definitely concerning failures at a high-level grouping. So for example, S3 (Simple Storage Solution) and AWS, the controls associated with S3 were failing more than 50% of the time. And anybody who’s read any news articles knows that, if you see something about an AWS breach, you’re gonna find the word S3 somewhere in that breach report. So if you look at the individual control, as far as S3 buckets exposed to the internet are concerned, that one’s actually passing it up more than 50%. But the other supporting configurations associated with that draw that down to where they’re passing much, much lower.

On the on-premise side, we pulled CIS, pulled all the configurations we have there. There’s much more for the on-premise configurations, because that’s a more mature configuration checking market. And we found that the ones that were failing more often were grouped into one of three categories: password controls; user permissions; and Windows Update Settings.

We’re not too concerned with the Windows Update Settings issues, because organizations can turn those off and then leverage an SCCM patch management type solution. So that left us with passwords and user permissions.

Threat Informed Defense.

But across the board, we looked at everything that was failing more than 50% of the time for both cloud and on-premise, and leveraged a project that was done by the MITRE Center for Threat Informed Defense, in which it mapped CIS controls to the MITRE attack techniques. So we looked at the controls which were failing more than 50% of the time, and what techniques were associated with those. And from the cloud perspective, the techniques which bubbled up to the top three were exploitation, encryption and exfiltration. So, exploitation of remote services, data for encrypted for impact, and data exfiltrated from a cloud storage object.

Put those three together and you have the story of ransomware.

THQ:

Beginning, middle, and end.

TS:

Exactly, right. From the on-premise sides, that was brute force, using credentials, RDP and an abuse control elevation mechanism. You’re already exposed because RDP is a major problem, whether they’re exploiting it or not. Credentials are something that threat actors are after, that’s one of the first things that they’re trying to target, and then obviously elevate their privileges. That’s how most threat actors operate.

But more particularly, if you look at something like initial access brokers, affiliates, things like that, that’s their prime way to get into an organization. So, across the board, these misconfigurations are being tied to ransomware.

At Qualys, we have a specific control from our policy compliance tool, which is our on-premise one, which looks at the configuration there, which is looking at individual controls that are associated with ransomware, which in the case of these specific configurations would reduce the likelihood or impact of ransomware in your environment. The pass-fail rate of those was right at 50%.

That could be concerning, at the first level. If you look at the default Windows installation of Windows 10, it passes at 34% for that same set of controls. So organizations are improving it. They’re going from 34 to 50%. So that’s a good sign. But you know, we have the data in the report looking at the specific controls that organizations are changing from a failure rate by default to passing rate. What are the ones they’re paying attention to?

But also, on the flip side, what are the ones that were passing by default that they are intentionally misconfiguring? And what are the impacts with some of those types of things?

The takeaway.

THQ:

So, Sum up the vulnerabilities situation for us in a couple of sentences. What should companies be taking away from your research?

And also what would your prescription be for all the active vulnerabilities there are?

TS:

The takeaway from all this is that if you’re looking at vulnerabilities and the threat landscape for the first time, it looks like a mountain to climb. 25,000 vulnerabilities released last year, close to 200,000 in the relatively unknown space. How do you tackle that challenge?

But if you can you shape the lens so you’re focusing on only the things that you need to prioritize and follow your threat intelligence back through the Threat Informed Defense line to find out what the threat actors are actually leveraging, the vulnerabilities that they’re actually exploiting, and overlay that with the intelligence you have of your own environment, you should be able to adequately protect the crown jewels in your environment.

Prioritize what is most important to take a look at, because a vulnerability that is a medium severity on a critical asset is going to be more important to patch than a high severity vulnerability on a test machine in a lab.

THQ:

And what actions can we take to improve the situation from here?

TS:

What we’re trying to do with this report is shed light on the risks in the environment. Not only which ones are being leveraged, but which are being leveraging by initial access brokers, affiliates, things like that.

Now we know what that threat landscape looked like in 2022 – and how that can shape what is important to look at in 2023, not only from the vulnerability side, but also from the misconfigurations side, too.