Reduced Time to Exploit Is a Threat – What You Can Do
We need a window of time in which to achieve our cybersecurity goals. The tighter that window, the harder it becomes to do our cybersecurity jobs. Recent reports stating that the time to exploit is still narrowing are, therefore, not good news.
In this article, we’ll outline how the window between vulnerability identification and exploitation has reduced, what that means for cybersecurity, and what you can do about it.
There Is Still a Window…
There are plenty of security flaws (vulnerabilities) in existing software code that nobody knows about – until a researcher or a threat actor discovers the flaw. In fact, it can take a decade before a flaw hiding in plain sight is discovered, as shown by a Sudo vulnerability that was introduced into the code in July 2011 but only discovered and fixed in 2021.
In most cases, a vulnerability is discovered much sooner than that, then subsequently documented and assigned a CVE. Once the vulnerability is documented, it is well and truly out in the open. Yes, users can now protect themselves – but threat actors can exploit the vulnerability in systems that are not protected.
There is, therefore, a time difference between when a vulnerability is discovered and documented and when threat actors first exploit it. That difference can be zero, as in the case of a zero-day exploit.
It’s often a bit longer – from a couple of days to a few weeks or months, depending on how easy the vulnerability is to exploit, what a threat actor can achieve with the vulnerability, and how widespread it is.
… But the Statistics Are Alarming
The Rapid7 2022 Vulnerability Intelligence Report highlights a concerning trend where the time between vulnerability disclosure and exploitation is decreasing. The report shows that 56% of vulnerabilities were exploited within seven days of public disclosure. That’s a clear majority of vulnerabilities that are exploited within a week of disclosure.
It’s concerning, of course, but so is the rate of change: 56% is a significant increase (12%) from 2021, and 2021 was an even larger increase (87%) from 2020. It’s an upward trend if nothing else.
The limited resources for triaging and remedying vulnerabilities mean that security teams are struggling to keep up with the influx of vulnerabilities. And it’s worth asking this question: with most vulnerabilities now exploited within 7 days, how quickly are companies patching?
It varies from survey to survey. For example, a 2022 Edgescan survey suggested that it’s about two months. The Infosec Institute, in turn, suggests it’s anywhere between 60 and 150 days, saying that “security teams take at least 38 days to push out a patch”.
How long it takes to patch probably depends to some degree on the severity of the vulnerability and the level of press it gets – but, either way, there’s clearly a gap between the “means.” The mean time to patch is much longer than the mean time to exploit.
Why Is the Exploit Window Closing?
It’s been a long haul and a slow build-up… but times have changed. Decades ago it could have taken months and months for a vulnerability to be exploited, if ever, and – where an exploit was possible – it usually required inside access.
The internet has brought unprecedented opportunities for businesses, individuals, and governments alike. But, with the evolution of the internet, the threat of cyberattacks has increased dramatically. Hackers are now much quicker to exploit newly discovered vulnerabilities. Why?
- Increased connectivity and information sharing have made it easier for hackers to exploit vulnerabilities quickly.
- Growing numbers of hackers and hacking groups have also worsened the situation. With so many actors looking for vulnerabilities, it’s no surprise that they are being discovered much more quickly.
- There’s also an increased sophistication of hacking tools and techniques – including the ability to automatically scan thousands of systems for vulnerabilities.
- Increased connectivity of devices (e.g. IoT) also contributes to the reduced time to exploit a vulnerability.
Overall, it means more actors acting across a larger attack surface. As a result, it’s become easier for hackers to find vulnerabilities and exploit them quickly.
What this Means in Practice
The net result is that organizations need to act faster and harder to protect their systems. It’s always a competition between priorities and resources… but with the time to exploit reducing, the pressure is just so much greater.
In theory, at least, organizations should have enough time to patch a vulnerability. However, for determined threat actors, vulnerabilities for which there are no fixes, or which have not been fixed by the user, carry huge appeal. Some of the biggest and most well-known cyberattacks relied on the gap between discovery and fix, for example:
- Stuxnet Worm: In 2010, the Stuxnet Worm was discovered, which was designed to target and disrupt Iran’s nuclear program. It used a zero-day vulnerability in Microsoft Windows to infect the system and spread through networks.
- Equifax Data Breach: In 2017, Equifax, one of the largest credit bureaus in the US, suffered a massive data breach that affected over 147 million people. The hackers used a zero-day vulnerability in Apache Struts to gain access to Equifax’s system.
- Pegasus Spyware: In 2021, the Pegasus spyware was found to be used to target journalists, activists, and politicians. The spyware used a zero-day vulnerability in Apple’s iMessage to infect devices and steal sensitive information.
With threat actors now exploiting vulnerabilities faster and faster, we are likely to see more and more successful attacks, unless organizations manage to respond faster.
Responding To A Tightening Window
Throw more resources at it, act faster, and act more efficiently. It’s as simple as that, but as we all know by now, cybersecurity theory is one thing – but execution is a different matter.
The Rapid7 report suggests that security teams need to prioritize vulnerabilities based on their potential impact and likelihood of exploitation, rather than focusing solely on the latest and most hyped vulnerabilities.
They also recommend that organizations invest in technologies that can automate vulnerability scanning and patching to help reduce the workload on security teams. As always, it’s a concerted effort: hitting as many of the right points as you can as thoroughly as you can:
- Continuous monitoring: If you didn’t know about a threat or otherwise couldn’t mitigate it, at least watch out for something bad happening. Establish 24/7 monitoring that continuously scans for threat actor activity so you can detect anomalies or suspicious activity as soon as they occur, enabling you to take proactive steps to mitigate them.
- Prioritize vulnerabilities: Not every vulnerability is the same; that’s why CVE scores exist. If the cybersecurity press says it’s alarming, then it probably is, but also do your own homework so you don’t waste precious time. Don’t get stuck fixing less threatening vulnerabilities.
- Organize it: Companies should have a robust, organized patch management program in place to quickly deploy security updates and patches as soon as they become available. Consistency and persistence can help mitigate vulnerabilities and reduce the mean-time-to-exploit (MTTE) window.
- Use the best tools available: Security automation is key, from security information and event management (SIEM) tools to security orchestration, automation, and response (SOAR) platforms. Likewise for patching – automate where you can, and apply live patching to any and every system that is compatible with live patching.
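To make the “prioritize by impact and likelihood” advice and the mean-time-to-patch versus time-to-exploit comparison concrete, here is an added example (not code from the article or from any vendor tool). It ranks a constructed inventory of unpatched findings by an assumed impact × likelihood score, measures how long each has been exposed since disclosure, and flags those already open longer than the seven-day window in which the Rapid7 data says most exploitation happens; the identifiers, multipliers and dates are all fictional.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Vuln:
    """One tracked finding. Identifiers below are constructed placeholders, not real CVEs."""
    cve: str
    cvss: float            # severity score, 0-10
    exploited: bool        # exploitation observed in the wild
    internet_facing: bool  # reachable without prior internal access
    disclosed: date        # public disclosure date
    patched: Optional[date] = None  # None = still unpatched

def exposure_days(v: Vuln, today: date) -> int:
    """Days between disclosure and patch (or today, if still unpatched)."""
    return ((v.patched or today) - v.disclosed).days

def risk_score(v: Vuln) -> float:
    """Impact x likelihood: CVSS weighted by exploitation evidence and reachability.
    The multipliers are assumptions for this example, not from any standard."""
    likelihood = (3.0 if v.exploited else 1.0) * (2.0 if v.internet_facing else 1.0)
    return v.cvss * likelihood

def patch_queue(vulns: List[Vuln]) -> List[Vuln]:
    """Unpatched findings ordered by risk, highest first."""
    return sorted((v for v in vulns if v.patched is None), key=risk_score, reverse=True)

def past_exploit_window(vulns: List[Vuln], today: date, window_days: int = 7) -> List[Vuln]:
    """Unpatched findings already exposed longer than the typical time-to-exploit window."""
    return [v for v in patch_queue(vulns) if exposure_days(v, today) > window_days]

def mean_time_to_patch(vulns: List[Vuln], today: date) -> float:
    """Average exposure of the findings that have already been patched."""
    done = [exposure_days(v, today) for v in vulns if v.patched is not None]
    return sum(done) / len(done) if done else 0.0

# Constructed sample inventory (fictional values for illustration only).
TODAY = date(2023, 3, 15)
SAMPLE = [
    Vuln("EXAMPLE-1", 9.8, True,  True,  date(2023, 3, 1)),
    Vuln("EXAMPLE-2", 7.5, False, True,  date(2023, 3, 10)),
    Vuln("EXAMPLE-3", 9.0, False, False, date(2023, 1, 15), date(2023, 3, 5)),
    Vuln("EXAMPLE-4", 5.3, True,  False, date(2023, 3, 12)),
    Vuln("EXAMPLE-5", 6.1, False, False, date(2023, 2, 1),  date(2023, 2, 20)),
]

if __name__ == "__main__":
    for v in patch_queue(SAMPLE):
        print(f"{v.cve}: risk={risk_score(v):.1f} exposed={exposure_days(v, TODAY)}d")
    print("past 7-day window:", [v.cve for v in past_exploit_window(SAMPLE, TODAY)])
    print(f"mean time to patch so far: {mean_time_to_patch(SAMPLE, TODAY):.1f} days")
```

Note that the medium-severity but actively exploited EXAMPLE-4 outranks the higher-scored but unexploited EXAMPLE-2, which is the point of weighting likelihood rather than severity alone; the 34-day mean time to patch against a 7-day exploit window is the “gap between the means” described earlier.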
Employee training is and will always be another important tool. Even zero-day exploits sometimes require a “little help” from somebody internal to the organization. Training to educate users about common social engineering scams can be very effective.
Match Thoroughness with Thoroughness
Hackers are taking less time to exploit vulnerabilities because they’re being more thorough in what they’re doing. Organizations need to be just as thorough by remediating vulnerabilities even faster than they used to. Thankfully, the tools are out there.
Automation is a big help, and so are niche tools. For example, TuxCare’s live patching technology ensures more consistent patching because it reduces workforce strain and minimizes the planning and disruption associated with patching. It also enables companies to forget about prioritizing which vulnerabilities to patch, as all released patches are automatically applied in the background without downtime.