How to prioritize patching in the exploit storm

<a href='https://www.freepik.com/photos/technology'>Technology photo created by pressfoto - www.freepik.com</a>

COVID made “flatten the curve” a household phrase in 2020, but did you know the concept also applies to vulnerability exploits? It turns out that what’s past is prologue in exploit trends. By tracking which attacks are being exploited the most, organizations discover important information to help proactively determine their vulnerability and risk.

But it is also important to track attacks where activity has increased the most within a specified timeframe. It only takes one critical exploit to cause significant damage and, once inside the network, the attacker will need to move laterally and probably deploy additional exploits. That’s why understanding which exploits have the greatest likelihood of arriving on the network’s doorstep helps organizations prioritize patch management and risk assessment. This remains top of mind as cyber adversaries continue to maximize vulnerabilities, as we have recently seen with DearCry ransomware, for example.

Examining the most prevalent exploits

In looking at 1,500 different exploits tracked in the wild in the past two years, FortiGuard Labs researchers have been actively participating in and collaborating with organizations like FIRST and their EPSS model, which is a Special Interest Group. This has enabled FortiGuard Labs to observe a number of different trends that help address patching priority questions.

Previous research found that while 2020 was expected to be a record-breaker in terms of the number of vulnerabilities identified and published in one year, these vulnerabilities also have the lowest rate of exploitation ever observed in the 20-year history of the CVE (Common Vulnerabilities and Exposures) list. Rather, vulnerabilities from 2018 showed the highest exploitation prevalence (65%). In addition, over 25% of firms have reported attempts to exploit CVEs from 2005.

FortiGuard Labs researchers found that in the second half of 2020, exploits against the ELFinder arbitrary file upload bug, a CMS plug-in, surged to between 12% to 20% of organizations, depending on the region. That’s significant, since less than 1% of exploits reach that level of prevalence. Another notable global gainer is a privilege escalation vulnerability affecting multiple Windows Server and Desktop versions.

How do you set priorities?

Speed and time-to-attack vary greatly, and those are the uncertainties organizations have to prepare for. Some exploits methodically plod across a smaller population of organizations. And then there are exploits which start out at a crawl but shift into high gear later into the lifecycle.

If it’s your job to help protect your organization from the onslaught of cyber threats, you’ve probably asked some variation of the question, “How long until we get attacked?” And perhaps you’ve been frustrated by the lack of helpful answers. That frustration is understandable, because knowing how long you have until exploits targeting the latest vulnerability spread to your assets is critical in order to prioritize remediation efforts and/or deploy compensating controls to minimize risk.

The good news/bad news

While this may sound like a rarity in the cybersecurity world, there is some good news to take away: most exploits have a low probability of being used against organizations. FortiGuard Labs has found that very few vulnerabilities see widespread exploitation in the wild. Among all exploits logged by our sensors over the last two years, only 5% were detected by more than 10% of organizations. Three out of four exploits didn’t reach one in 1,000 firms.

So, if you pick a vulnerability at random, the data demonstrates that there’s about a one in 1,000 chance that any given organization will be attacked via that vulnerability. Only 6% of exploits hit more than 1% of firms within the first month; even after one year, 91% of exploits haven’t crossed that 1% threshold. It’s even less common that exploits reach 10% of the population in those time frames. In fact, most exploits don’t spread very far very fast.

That said, this doesn’t mean you have carte blanche to ignore these vulnerabilities. Some organization has to be that one in 1,000. Cybersecurity teams don’t typically strategize to the middle, or average, scenario in cybersecurity. They focus on the extremes. And the above statistics may not hold true for your organization. Your organization could be one that routinely falls among the targeted (or unlucky) few. And in that case, the stats begin shifting against you.

The maxim “better safe than sorry” applies here. Unless you have reason to believe you won’t see certain exploits, don’t make assumptions. Focus remediation efforts on vulnerabilities with known exploits, and among those, prioritize the ones propagating most quickly in the wild and that are most relevant to your specific footprint. Pay special attention to threats that could affect your mission-critical, high-risk assets. Data routinely shows that you are at risk from only a small fraction of the multitude of vulnerabilities.

Data-based security strategy

The echoes of 2020 continue to reverberate into 2021 in both the physical and digital worlds, and they have valuable lessons to teach us if we’ll listen. That’s why it is necessary to look back at the second half of 2020 and gain strategic intel from what the data reveals. It’s also necessary to remember that just one missed patch can rain down all manner of network destruction. Prioritizing exploits comes down to understanding current threat patterns and addressing exploits that are moving the fastest. This strategy will help you move forward into a better, more secure future.

As chief of security insights and global threat alliances at FortiGuard Labs, Derek Manky formulates security strategy with more than 15 years of cybersecurity experience. His ultimate goal is to make a positive impact towards the global war on cybercrime. Manky provides thought leadership to the industry and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cyber security. He is actively involved with several global threat intelligence initiatives, including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.