Most people don’t consider 15 minutes as a lot of time or as particularly valuable.
For cybersecurity professionals, though, 15 minutes has enormous value. It can literally spell the difference between safety and disaster. The reason? According to one security research firm, threat actors start scanning the web for vulnerable endpoints within 15 minutes of a given CVE being made public.
A CVE is born. What next?
What is a CVE? The Common Vulnerabilities and Exposures (CVE) program assigns unique IDs to publicly disclosed vulnerabilities.
When a vulnerability — defined as potentially exploitable code with possible adverse effects on confidentiality, integrity, or availability — is identified, the process kicks in. First, by checking that the vulnerability is not already on the CVE list. If it’s new, a CVE ID is assigned, shared with affected vendors and ultimately a public vulnerability announcement is prepared.
From the moment this public announcement is released, the 15 minute countdown clock starts ticking. So, what do defenders and threat actors do next?
What defenders do
In an ideal world, when any new CVE is announced, cybersecurity professionals immediately assess the impact and relevance of the CVE to their ecosystem. They check if patches or mitigations are available and promptly apply them to minimize exposure. They conduct vulnerability scanning and pen testing, then inform relevant stakeholders about the potential risks. But the world is not always ideal. In the real world, 66% of security organizations have a vulnerability backlog of over 100,000 vulnerabilities, and are able to patch less than 50% of these. This means that in the first 15 minutes, defenders can’t do all that much. And this is what makes effective preparation so important.
What hackers do
When a new CVE is announced, hackers have the luxury of acting swiftly. They scour the CVE’s details to identify vulnerabilities that can be exploited in target systems, then develop or adapt exploit tools to take advantage of these weaknesses. Then they actively search for systems that have not yet applied patches or mitigations — making them easy targets for intrusion. They can also share information about the CVE within the hacking community, potentially widening the circle of exploitation. And in the end, they attack — with all too well known results.
Ten tips to close the 15 mnute window
To reduce the likelihood of hackers exploiting a new CVE, security stakeholders are taking a more proactive and layered approach to cybersecurity. Here are ten tips to closing the 15-minute window:
Subscribe to security mailing lists and CVE databases to receive immediate notifications when new vulnerabilities are disclosed. This little action can give security leaders a big jump on potential threats.
Patch, patch and PATCH
Implement a continuous, robust and aggressive patch management process with prioritization to unauthenticated RCEs. As soon as patches or updates are released for vulnerable systems, apply them promptly. Leverage automated patch deployment tools to do so.
Scan for vulnerabilities
Scan systems and networks regularly for vulnerabilities, including CVEs. Leverage automated scanning tools to identify weaknesses that may have been missed.
Make sure to segment the network to limit the spread of attacks, so a breach in one area can’t compromise the entire network.
Deploy intrusion detection and prevention systems (IDPS) to detect and block suspicious activities, including attempts to exploit CVEs.
Double check that the first layers of defense, firewalls and access controls, are filtering incoming and outgoing traffic and limiting access to only authorized personnel.
Train all employees in basic cybersecurity, notably how to recognize phishing attempts, suspicious links and emails that could lead to CVE exploits.
Implement secure coding practices and regularly audit and test applications for vulnerabilities.
Monitor the network
Continuously monitor the network for signs of unusual or malicious activity, including monitoring logs and setting up alerts for potential incidents.
Implement zero trust
Zero trust is not just a buzzword. Adopt a zero-trust security model that includes access controls, even within the network.
The bottom line
In cybersecurity, every second counts. Time is not on the side of defenders in the infamous 15-minute window after a new CVE is announced. Yet defenders can win this race against the clock with the right strategies and tools. To close this perilous window, cybersecurity stakeholders need to stay informed, patch relentlessly, scan vigilantly, segment wisely, configure diligently, educate comprehensively, code securely, and more. By remaining vigilant, cyber defenders can tilt the scales in favor of security.