There are patches or remediations for all the top vulnerabilities, but they’re still being exploited in the wild. Why is that? Well, if you were the attacker, would you go through all the trouble of developing a new zero-day exploit (just for some street cred), or would you instead leverage an off-the-shelf one?
A joint security advisory issued on July 28th by several cybersecurity agencies from the US (CISA), the UK (NCSC), and Australia (ACSC) reveals the top 30 publicly-known, most-targeted security vulnerabilities of the last two years. This comes only a week after MITRE shared its top 25 list of most-dangerous weaknesses and the NSA published its cybersecurity advisory listing of the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors.
Shockingly, organizations worldwide are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible. Gee… thanks for the heads up!
I know, a feeling of déjà vu, right? Me too. Now don’t get me wrong, vulnerabilities need to be patched, period. But while we all understand it, security utopia has long passed from this world and a Patch ‘em all approach leads to no-purpose patch-a-mole.
Vulnerability-Fatigue is Real
If we look to the other side of the security street, would it help if we told SecOps teams to investigate every single alert triggered by one of their 25-ish security tools? Well, we tried, but it didn’t work. Period. Security Operation Center (SOC) or Critical Incident Response (CIRT) teams have learned throughout the years that it’s a zero-sum game and the best way forward is to better prioritize and accept risk where possible. No team, regardless of size or maturity, can address each and every alert.
On the vulnerability management side, this is not the case. While reality tells us there are, and will continue to be, gaps in time-to-remediate, best practice and common assumption still expect organizations to be patch-perfect. As an industry, we have yet to properly recognize ‘vulnerability fatigue.’ Vulnerability-centric tools are failing to equip organizations to focus on true risk prioritization.
In this post, I’ll dive deeper into the topic of vulnerability fatigue and what guidance should look like in 2021. But first, let’s discuss vulnerabilities and exploitation from the attacker’s point of view. I want us to expand beyond the “Top 10” vulnerabilities to misconfigurations and post-exploitation actions that malicious adversaries have in their arsenal that we rarely pay attention to. Since… they are not on the “top xx vulnerability list.”
Understand the Complete Attack Operation
According to research conducted by PenteraLabs, developing an exploit (setting aside making sure it is safe, as required for the Pentera platform) takes between four and six months, and (hope you are sitting down) *not* every attack starts with a CVE. Most of the time, a campaign won’t abuse even a single CVE. Going back to those “off-the-list” tactics and techniques adversaries use, there are a couple of points I would like to make:
- Know every possible path of the attack lifecycle — We already concluded that the attack lifecycle doesn’t necessarily start with a vulnerability exploitation and even if it did, the questions we should be asking ourselves are: How did the attacker get there? Where will he go next? What is the possible impact? How deep and wide can the attacker expand? And will my security controls be effective? In order to detect the attacker across the attack lifecycle, you need to know the attack lifecycle.
- Static vs. dynamic — A lot of emphasis is given to static vulnerabilities and new zero-day findings. Not to take away from their importance, but the use of dynamic post-exploitation techniques is as important, if not more so. Unenforced security controls, unrestricted NetBIOS or LLMNR protocols, relay attacks, privilege escalation, network misconfigurations, weak or reused passwords, and many more can compromise environments in ways a static vulnerability scan will never show.
- Focus on symptom or problem — Looking at these CVEs in isolation, regardless of their assigned CVSS score, does not expose the overall impact and root weakness causing the problem in the first place. What other low or medium CVEs allowed the attacker access in the first place? Maybe it was a network misconfiguration that allowed access to a remote host? In security, due to limited staffing and an increased attack surface, we tend to treat the symptom and not surgically deal with the problem.
To conclude, it frustrates me when I read notes like “attackers are able to continue exploiting these vulnerabilities because businesses haven’t yet applied patches,” as they ignore the brutal truth that security teams are busy, like really busy, keeping the lights on against an increasing attack surface and a sophisticated attacker. These top exploited vulnerabilities are valuable input, among others, to be taken into a risk-weighted approach to reduce cybersecurity exposure and increase readiness.
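To make the “symptom vs. root problem” point in the bullets above concrete, here is a small added illustration of mine; it is not code from this post and not Pentera’s own prioritization method. It models an environment as a directed graph of hosts in which every lateral-movement edge is enabled by some weakness, either a CVE or a non-CVE misconfiguration such as LLMNR left enabled or a reused local admin password, and then asks which single remediation severs every path from the attacker’s foothold to the crown-jewel host. All host names, weakness ids (`CVE-A`, `llmnr-relay`, …) and CVSS values are constructed placeholders, not real identifiers.

```python
"""Toy attack-path prioritization (added illustration; hypothetical data).

Edges describe how an attacker could move from one host to another and
which weakness enables that step. A weakness is a 'chokepoint' when fixing
it alone cuts every path from the foothold to the crown jewel; those are the
root remediations, regardless of whether they even carry a CVSS score.
"""
from collections import deque

# Constructed sample environment: (src_host, dst_host, weakness_id).
EDGES = [
    ("internet", "vpn-gw", "CVE-A"),            # placeholder perimeter RCE
    ("vpn-gw", "ws-01", "llmnr-relay"),          # LLMNR/NetBIOS poisoning + relay
    ("vpn-gw", "ws-02", "llmnr-relay"),
    ("ws-01", "file-srv", "reused-localadmin"),  # same local admin password reused
    ("ws-02", "file-srv", "reused-localadmin"),
    ("file-srv", "dc-01", "CVE-B"),              # placeholder medium/high CVE
    ("ws-01", "dc-01", "CVE-C"),                 # placeholder medium CVE
]

# Constructed CVSS scores; misconfigurations have none and default to 0.
CVSS = {"CVE-A": 9.8, "CVE-B": 7.5, "CVE-C": 5.3}


def reachable(edges, start, goal, removed=frozenset()):
    """BFS from start to goal, ignoring edges whose weakness is in `removed`."""
    adj = {}
    for src, dst, weak in edges:
        if weak in removed:
            continue  # this step is closed once the weakness is remediated
        adj.setdefault(src, []).append(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def chokepoint_weaknesses(edges, start, goal):
    """Weaknesses whose single remediation severs every start->goal path."""
    weaknesses = {w for _, _, w in edges}
    return sorted(w for w in weaknesses if not reachable(edges, start, goal, {w}))


def by_cvss_only(edges, cvss):
    """The naive ranking: highest CVSS first, ties broken by name."""
    weaknesses = {w for _, _, w in edges}
    return sorted(weaknesses, key=lambda w: (-cvss.get(w, 0.0), w))


def prioritize(edges, start, goal, cvss):
    """Attack-path-aware ranking: chokepoints first, then by CVSS."""
    chokes = set(chokepoint_weaknesses(edges, start, goal))
    weaknesses = {w for _, _, w in edges}
    # False sorts before True, so chokepoints come first.
    return sorted(weaknesses, key=lambda w: (w not in chokes, -cvss.get(w, 0.0), w))


if __name__ == "__main__":
    print("CVSS-only order:     ", by_cvss_only(EDGES, CVSS))
    print("Chokepoints:         ", chokepoint_weaknesses(EDGES, "internet", "dc-01"))
    print("Path-aware priority: ", prioritize(EDGES, "internet", "dc-01", CVSS))
```

In this constructed environment the CVSS-only view ranks the LLMNR misconfiguration last (it has no score at all), yet it is one of only two weaknesses whose remediation cuts every path to the domain controller; the 7.5 CVE on the file server, by contrast, can be bypassed entirely via the workstation. That is the difference between treating the symptom and fixing the root problem.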
Get Started Now
Understand today if you are vulnerable. Not only to these top reported security vulnerabilities, but to all TTPs malicious actors have in their arsenal. Start exposing vulnerable assets, apply real and safe exploitation, and uncover and prioritize every possible attack path. Focus on root vulnerabilities that can truly reduce risk when remediated. Pentera scans for vulnerabilities as a means to solving the problem rather than highlighting the symptom.
Want to learn how Pentera can help you validate your security program? Schedule a demo today.
Pentera high-risk achievement to pinpoint the root vulnerability
Remediation priority assigned by Pentera to several of the safe exploits it leverages to understand the full attack operation (Pulse Connect Secure CVE-2019-11510, FortiOS CVE-2018-13379, BIG-IP CVE-2020-5902, Microsoft CVE-2020-0787, Citrix CVE-2019-19871, etc.)