COVID made “flatten the curve” a household phrase in 2020, but did you know the concept also applies to vulnerability exploits? It turns out that what’s past is prologue in exploit trends. By tracking which vulnerabilities are being exploited the most, organizations gain important information that helps them proactively determine their exposure and risk.
But it is also important to track the exploits whose activity has increased the most within a specified timeframe. It only takes one critical exploit to cause significant damage and, once inside the network, the attacker will need to move laterally and will probably deploy additional exploits. That’s why understanding which exploits have the greatest likelihood of arriving on the network’s doorstep helps organizations prioritize patch management and risk assessment. This remains top of mind as cyber adversaries continue to capitalize on vulnerabilities, as we have recently seen with DearCry ransomware, for example.
Examining the most prevalent exploits
FortiGuard Labs researchers have examined roughly 1,500 different exploits tracked in the wild over the past two years, while also participating in and collaborating with organizations like FIRST, including its EPSS (Exploit Prediction Scoring System) Special Interest Group. This has enabled FortiGuard Labs to observe a number of trends that help answer patching priority questions.
Previous research found that while 2020 was expected to be a record-breaker in terms of the number of vulnerabilities identified and published in one year, those vulnerabilities also had the lowest rate of exploitation ever observed in the 20-year history of the CVE (Common Vulnerabilities and Exposures) list. By contrast, vulnerabilities from 2018 showed the highest exploitation prevalence (65%). In addition, more than 25% of firms observed attempts to exploit CVEs from 2005.
FortiGuard Labs researchers found that in the second half of 2020, exploits against the arbitrary file upload bug in elFinder, a CMS plug-in, surged to between 12% and 20% of organizations, depending on the region. That’s significant, since less than 1% of exploits reach that level of prevalence. Another notable global gainer is a privilege escalation vulnerability affecting multiple Windows Server and Desktop versions.
How do you set priorities?
Speed and time-to-attack vary greatly, and those are the uncertainties organizations have to prepare for. Some exploits spread quickly and widely from day one. Others methodically plod across a smaller population of organizations. And then there are exploits which start out at a crawl but shift into high gear later in the lifecycle.
If it’s your job to help protect your organization from the onslaught of cyber threats, you’ve probably asked some variation of the question, “How long until we get attacked?” And perhaps you’ve been frustrated by the lack of helpful answers. That frustration is understandable, because knowing how long you have until exploits targeting the latest vulnerability spread to your assets is critical to prioritizing remediation efforts and/or deploying compensating controls to minimize risk.
The good news/bad news
While this may sound like a rarity in the cybersecurity world, there is some good news to take away: most exploits have a low probability of being used against organizations. FortiGuard Labs has found that very few vulnerabilities see widespread exploitation in the wild. Among all exploits logged by our sensors over the last two years, only 5% were detected by more than 10% of organizations. Three out of four exploits didn’t reach one in 1,000 firms.
So, if you pick an exploit at random, the data suggests there’s roughly a one in 1,000 chance that any given organization will be attacked via it. Only 6% of exploits hit more than 1% of firms within the first month; even after one year, 91% of exploits haven’t crossed that 1% threshold. It’s even less common for exploits to reach 10% of the population in those time frames. In short, most exploits don’t spread very far very fast.
That said, this doesn’t mean you have carte blanche to ignore these vulnerabilities. Some organization has to be that one in 1,000. Cybersecurity teams don’t typically strategize for the middle, or average, scenario. They focus on the extremes. And the above statistics may not hold true for your organization. Your organization could be one that routinely falls among the targeted (or unlucky) few. In that case, the stats begin shifting against you.
The maxim “better safe than sorry” applies here. Unless you have reason to believe you won’t see certain exploits, don’t make assumptions. Focus remediation efforts on vulnerabilities with known exploits, and among those, prioritize the ones propagating most quickly in the wild and that are most relevant to your specific footprint. Pay special attention to threats that could affect your mission-critical, high-risk assets. Data routinely shows that you are at risk from only a small fraction of the multitude of vulnerabilities.
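To make the prevalence and velocity numbers above concrete, here is an added example (not FortiGuard Labs code) that computes, from a set of detection records, the share of organizations that observed each exploit, the number of days each exploit took to cross a prevalence threshold, the fraction of exploits crossing a threshold within a window, and a ranking that applies the prioritization rule just described: only exploits relevant to your footprint, fastest-growing first. Every record is constructed sample data; the organization IDs, signature names, dates and the population size TOTAL_ORGS are assumptions, not figures from the report.

```python
"""Exploit prevalence, spread velocity and footprint-aware ranking.

Added example (not FortiGuard Labs code). Every record below is constructed
sample data: organization IDs, signature names and dates are hypothetical,
and TOTAL_ORGS is an assumed sensor population size.
"""
from collections import defaultdict
from datetime import date, timedelta

TOTAL_ORGS = 120  # assumed number of organizations contributing sensor data

# Constructed detections: (org id, exploit signature, detection date).
# Signature names are placeholders, not real IPS signature IDs.
DETECTIONS = [
    # Hypothetical CMS file-upload exploit: fast, broad spread in July.
    ("org01", "SIG-CMS-UPLOAD", "2020-07-01"), ("org02", "SIG-CMS-UPLOAD", "2020-07-01"),
    ("org03", "SIG-CMS-UPLOAD", "2020-07-03"), ("org04", "SIG-CMS-UPLOAD", "2020-07-05"),
    ("org05", "SIG-CMS-UPLOAD", "2020-07-08"), ("org06", "SIG-CMS-UPLOAD", "2020-07-10"),
    ("org07", "SIG-CMS-UPLOAD", "2020-07-12"), ("org08", "SIG-CMS-UPLOAD", "2020-07-15"),
    ("org09", "SIG-CMS-UPLOAD", "2020-07-18"), ("org10", "SIG-CMS-UPLOAD", "2020-07-20"),
    ("org11", "SIG-CMS-UPLOAD", "2020-07-25"), ("org12", "SIG-CMS-UPLOAD", "2020-08-02"),
    ("org01", "SIG-CMS-UPLOAD", "2020-08-10"),  # repeat hit on org01: must not double count
    # Hypothetical Windows privilege-escalation exploit: slow, methodical spread.
    ("org20", "SIG-WIN-PRIVESC", "2020-03-01"), ("org21", "SIG-WIN-PRIVESC", "2020-05-15"),
    ("org22", "SIG-WIN-PRIVESC", "2020-09-01"), ("org23", "SIG-WIN-PRIVESC", "2020-12-01"),
    # Seen by a single organization all year.
    ("org30", "SIG-LEGACY-RARE", "2020-11-20"),
    # Spreading quickly, but against a product we do not run.
    ("org40", "SIG-NOT-OURS", "2020-07-20"), ("org41", "SIG-NOT-OURS", "2020-07-30"),
    ("org42", "SIG-NOT-OURS", "2020-08-05"), ("org43", "SIG-NOT-OURS", "2020-08-10"),
    ("org44", "SIG-NOT-OURS", "2020-08-12"),
]

# Signatures whose affected products exist in our (hypothetical) environment.
FOOTPRINT = {"SIG-CMS-UPLOAD", "SIG-WIN-PRIVESC", "SIG-LEGACY-RARE"}


def first_seen_by_org(detections):
    """Map signature -> {org: earliest detection date}. Repeat hits from the
    same org collapse to one entry, so prevalence counts organizations, not events."""
    seen = defaultdict(dict)
    for org, sig, day in detections:
        d = date.fromisoformat(day)
        if org not in seen[sig] or d < seen[sig][org]:
            seen[sig][org] = d
    return seen


def prevalence_pct(detections, total_orgs, as_of=None):
    """Percent of organizations that had observed each signature on or before as_of."""
    cutoff = date.fromisoformat(as_of) if as_of else date.max
    return {sig: 100.0 * sum(1 for d in orgs.values() if d <= cutoff) / total_orgs
            for sig, orgs in first_seen_by_org(detections).items()}


def days_to_threshold(detections, sig, threshold_pct, total_orgs):
    """Days from first sighting until at least threshold_pct of organizations had
    seen the signature; None if it never got there. Integer comparison avoids
    floating-point rounding right at the threshold."""
    orgs = first_seen_by_org(detections).get(sig, {})
    if not orgs:
        return None
    start = min(orgs.values())
    count = 0
    for d in sorted(orgs.values()):
        count += 1
        if count * 100 >= threshold_pct * total_orgs:
            return (d - start).days
    return None


def share_crossing(detections, total_orgs, threshold_pct, within_days):
    """Fraction of signatures that reached threshold_pct prevalence within
    within_days of first being seen (the shape of '6% crossed 1% in a month')."""
    sigs = first_seen_by_org(detections)
    hits = sum(1 for sig in sigs
               if (days := days_to_threshold(detections, sig, threshold_pct, total_orgs)) is not None
               and days <= within_days)
    return hits / len(sigs)


def prioritize(detections, total_orgs, footprint, as_of, window_days=30):
    """Rank exploits relevant to our footprint by growth in prevalence over the
    last window_days (percentage points), ties broken by absolute prevalence.
    Returns a list of (signature, growth_pts, prevalence_pct), fastest first."""
    end = date.fromisoformat(as_of)
    start = (end - timedelta(days=window_days)).isoformat()
    now = prevalence_pct(detections, total_orgs, as_of)
    before = prevalence_pct(detections, total_orgs, start)
    ranked = [(sig, now[sig] - before.get(sig, 0.0), now[sig])
              for sig in now if sig in footprint]
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for sig, growth, now in prioritize(DETECTIONS, TOTAL_ORGS, FOOTPRINT, "2020-08-15"):
        print(f"{sig:16} +{growth:.2f} pts in 30d, {now:.2f}% of orgs")
    print("share of exploits reaching 1% of orgs within 30 days:",
          share_crossing(DETECTIONS, TOTAL_ORGS, 1, 30))
```

Two details matter in practice. Prevalence is counted per organization, not per event, so a single noisy sensor cannot inflate an exploit’s apparent reach. And the footprint filter runs before the ranking: in the sample data SIG-NOT-OURS grows faster than anything else in the window, but it never reaches the list because nothing it targets exists in the environment, which is exactly the “relevant to your specific footprint” test.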
Data-based security strategy
The echoes of 2020 continue to reverberate into 2021 in both the physical and digital worlds, and they have valuable lessons to teach us if we’ll listen. That’s why it is necessary to look back at the second half of 2020 and gain strategic intel from what the data reveals. It’s also necessary to remember that just one missed patch can rain down all manner of network destruction. Prioritizing exploits comes down to understanding current threat patterns and addressing exploits that are moving the fastest. This strategy will help you move forward into a better, more secure future.