If you want to defeat an attacker, you need to think like an attacker, not a defender. It’s an approach that many Armed Forces colleges around the world teach. It is also an approach that is taught to cybersecurity red teams. The problem for most organisations is that they view their cybersecurity as a defensive measure. That means the focus is on building bigger walls, moats and ways to hide from the outside rather than looking for the chinks in their defence.
WhiteSource and CYR3CON have released a joint report entitled “Vulnerability Prioritisation Through The Eyes Of Hackers” (registration required). The report looks at how attackers exploit, and defenders remediate, vulnerabilities.
The underlying position is simple. Defenders are faced with too many vulnerability reports and patches to secure everything effectively. At the same time, attackers are cherry-picking their attacks. Therefore, if you understand which attacks are the most valuable to the attacker, you can prioritise your time in patching and protecting systems.
Rami Sass, CEO and co-founder of WhiteSource, said: “As development teams face an ever-rising number of disclosed vulnerabilities, it becomes impossible to fix everything and it’s imperative that teams focus on addressing the most urgent issues first.
“Our research can help organisations adopt a solid prioritisation method, and ensure they look beyond just the most accessible data to the data that can best help them fix the security vulnerabilities that could cause the greatest impact, and in turn save them valuable time.”
Why vulnerability prioritisation needs to change
The challenge for most organisations is doing a realistic assessment of the known security alerts versus what is likely to be exploited. As the press release says: “As technology constantly advances, software development teams are bombarded with security alerts at an increasing rate. This has made it nearly impossible to remediate every vulnerability, rendering the ability to properly prioritise remediation all the more critical.”
The report goes further and looks at why the issues that attract developers are not the same as those that attract attackers. It lists three key things:
1. Software development teams tend to prioritise based on available data such as vulnerability severity score (CVSS), ease of remediation, and publication date. Hackers don’t target vulnerabilities based on these parameters.
2. Hackers are drawn to specific vulnerability types (CWEs), including
   - CWE-20 (Input Validation),
   - CWE-125 (Out-of-bound Read),
   - CWE-79 (XSS), and
   - CWE-200 (Information Leak/Disclosure).
3. Organisations tend to prioritise “fresh” vulnerabilities, while hackers often discuss vulnerabilities for over 6 months following exploitation, with even older vulnerabilities re-emerging in hacker community discussions as they reappear in new exploits or malware.
The difference a proper assessment can make
The size of the challenge, when it comes to deciding what should be patched, came out in a recent Enterprise Times podcast. When talking with Marco Rottigni, Chief Technical Security Officer for EMEA at Qualys, he said: “I was doing an exercise this morning on a demo environment, and it came out with 401 assets. What was scary was that the total amount of vulnerabilities detected in this space was 104,000. If I relied only on traditional metrics for scoring the risk like the CVSS, of those 104,000, 41,000 were critical, 39,000 high, and the rest was medium and low. How can I concentrate on 41,000s, only the critical ones? I just can’t.
“After I made the choice of choosing active attacks, wormable, weaponised with malware and part of exploit kits, the number is lowered to 18,500 instances. After discovery, the 18,500 vulnerabilities were just 350 unique vulnerabilities. Those were remediated by applying 39 patches.”
While Rottigni describes how he reduced the number of patches, he is still looking at this from a defender’s perspective. Attackers, as shown in the report, are looking for very specific types of vulnerabilities. It is likely that, using that data set, Rottigni could have reduced his patching further.
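As an added illustration, not code from the report or the podcast, the Python below applies the two views discussed above to a constructed scan result: the CVSS-band count a defender starts from, the “active attacks / weaponised” funnel from instances to unique CVEs to patches, and a further narrowing by the CWE classes the report lists. The `Finding` fields, the patch ids and every sample row are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# CWE classes the report says attackers are drawn to (from the article).
ATTACKER_CWES = {"CWE-20", "CWE-125", "CWE-79", "CWE-200"}


@dataclass(frozen=True)
class Finding:
    asset: str            # host the scanner found the instance on
    cve: str              # constructed placeholder ids below, not real CVEs
    cwe: str
    cvss: float
    patch: str            # hypothetical advisory/patch id that fixes the CVE
    active_attacks: bool  # threat intel: exploited in the wild
    weaponised: bool      # threat intel: in malware or an exploit kit


def cvss_buckets(findings):
    """Traditional view: count every instance by CVSS band."""
    bands = Counter()
    for f in findings:
        band = "critical" if f.cvss >= 9.0 else "high" if f.cvss >= 7.0 else "medium/low"
        bands[band] += 1
    return dict(bands)


def threat_funnel(findings):
    """Rottigni-style funnel: exposed instances -> unique CVEs -> patches."""
    exposed = [f for f in findings if f.active_attacks or f.weaponised]
    return {"instances": len(exposed),
            "unique_cves": len({f.cve for f in exposed}),
            "patches": len({f.patch for f in exposed})}


def attacker_weighted(findings):
    """Narrow further to the CWE classes hackers discuss; patches ordered by exposed instances."""
    hits = Counter()
    for f in findings:
        if (f.active_attacks or f.weaponised) and f.cwe in ATTACKER_CWES:
            hits[f.patch] += 1
    return [patch for patch, _ in hits.most_common()]


# Constructed sample: assets share CVEs, as a real scan does.
SAMPLE = [
    Finding("web-01", "CVE-EX-0001", "CWE-79", 9.1, "PATCH-A", True, True),
    Finding("web-02", "CVE-EX-0001", "CWE-79", 9.1, "PATCH-A", True, True),
    Finding("web-01", "CVE-EX-0002", "CWE-20", 9.8, "PATCH-A", False, True),
    Finding("db-01", "CVE-EX-0003", "CWE-287", 9.0, "PATCH-B", False, False),
    Finding("db-01", "CVE-EX-0004", "CWE-200", 5.3, "PATCH-C", True, False),
    Finding("web-02", "CVE-EX-0005", "CWE-416", 7.5, "PATCH-D", False, False),
]
```

On the sample, four instances are CVSS-critical, but the threat-intel funnel leaves two patches, and the CWE weighting orders them; a medium-scored CWE-200 finding survives while an unexploited critical one does not.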
Why targeted threat intelligence is critical
In addition to viewing security through the eyes of an attacker, the report also shows why targeted threat intelligence is critical. The intelligence gathered here looked at what attackers were explicitly interested in. It allows for refinement in the patching and remediation process by removing noise and clutter.
However, it is also important to ensure that this does not create its own myopic view of the attack surface. COVID-19 has seen a lot of older attacks resurface. One of the reasons for that is that users who are Working From Home (WFH) are doing so on unmanaged machines. The patch levels on those machines vary greatly from user to user. That creates gaps in security that can also be exploited.
The recent NTT GTIR report found that old vulnerabilities were increasingly popular with attackers. The top five vulnerabilities it saw in the last year were several years old. These had not been patched and had slipped out of the visibility of IT operations and security teams. This goes to the third point (above) in this report. Attackers are not always interested in new and shiny. To use an analogy, it’s easier to pick an old lock than one with all the latest anti-pick technologies.
Enterprise Times: What does this mean?
There is a lot here that needs to be thought through. Retraining developers and operations teams to think like attackers will not be easy. A more effective solution is to make better use of red teams. These can highlight weaknesses and provide the basis for training. They are best placed to interpret the threat intelligence coming from WhiteSource and CYR3CON and determine what it means for the organisation.
Perhaps the biggest lesson here is that we are often too focused on tools and on reacting to the latest problem. The majority of skilled attackers will take their time to select an attack vector rather than rush to exploit the latest vulnerability. That way, they stay under the radar. It’s time for everyone from developer to IT security to stop reacting and to think: what would I do to attack this system?