There are patches or remediations for all the top vulnerabilities, but they’re still being exploited in the wild. Why is that? Well, if you were the attacker, would you go through all the trouble of inventing a new zero-day exploit (just for some street cred), or instead leverage an off-the-shelf one?
A joint security advisory issued on July 28th by several cybersecurity agencies from the US (CISA), the UK (NCSC), and Australia (ACSC) reveals the top 30 publicly-known, most-targeted security vulnerabilities of the last two years. This comes only a week after MITRE shared its top 25 list of most-dangerous weaknesses and the NSA published its cybersecurity advisory listing of the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors.
Shockingly, organizations worldwide are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible. Gee… thanks for the heads up!
I know, a feeling of déjà vu, right? Me too. Now don’t get me wrong, vulnerabilities need to be patched, period. But while we all understand it, security utopia has long passed from this world and a Patch ‘em all approach leads to no-purpose patch-a-mole.
Vulnerability-Fatigue is Real
If we look to the other side of the security street, would it help if we told SecOps teams to investigate every single alert triggered by one of their 25-ish security tools? Well, we tried, but it didn’t work. Period. Security Operation Center (SOC) or Critical Incident Response (CIRT) teams have learned throughout the years that it’s a zero-sum game and the best way forward is to better prioritize and accept risk where possible. No team, regardless of size or maturity, can address each and every alert.
On the vulnerability management side, this is not the case. While reality tells us there are and will continue to be gaps in time-to-remediate, best-practice and assumption continue to expect organizations to be patch-perfect. As an industry, we have yet to properly recognize ‘vulnerability-fatigue.’ Vulnerability-centric tools are failing to equip organizations to focus on true risk-prioritization.
In this post, I’ll dive deeper into the topic of vulnerability fatigue and what guidance should look like in 2021. But first, let’s discuss vulnerabilities and exploitation from the attacker’s point of view. I want us to expand beyond the “Top 10” vulnerabilities to misconfigurations and post-exploitation actions that malicious adversaries have in their arsenal that we rarely pay attention to. Since… they are not on the “top xx vulnerability list.”
Understand the Complete Attack Operation
According to research conducted by PenteraLabs, developing an exploit (setting aside making sure it is safe – in the case of the Pentera platform) takes between 4 and 6 months, and (hope you are sitting down) *not* every attack starts with a CVE. Most of the time, a campaign won’t abuse even a single CVE. Going back to those “off-the-list” tactics and techniques adversaries use, there are a couple of points I would like to make:
- Know every possible path of the attack lifecycle — We already concluded that the attack lifecycle doesn’t necessarily start with a vulnerability exploitation and even if it did, the questions we should be asking ourselves are: How did the attacker get there? Where will he go next? What is the possible impact? How deep and wide can the attacker expand? And will my security controls be effective? In order to detect the attacker across the attack lifecycle, you need to know the attack lifecycle.
- Static vs. dynamic — A lot of emphasis is given to static vulnerabilities and new zero-day findings. Not to take away from their importance, but the use of dynamic post-exploitation techniques is as important, if not more so. Unenforced security controls, NetBIOS or LLMNR left unrestricted, relay attacks, privilege escalation, network misconfigurations, weak or reused passwords and many more can compromise environments in ways a static vulnerability scan never sees.
- Focus on symptom or problem — Looking at these CVEs in isolation, regardless of their assigned CVSS score, does not expose the overall impact and root weakness causing the problem in the first place. What other low or medium CVEs allowed the attacker access in the first place? Maybe it was a network misconfiguration that allowed access to a remote host? In security, due to limited staffing and an increased attack surface, we tend to treat the symptom and not surgically deal with the problem.
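To make the “attack path” and “root weakness” points above concrete, here is an added example (not Pentera’s code, and not taken from the advisory) that models an environment as a graph whose edges are the weaknesses an attacker could use to move between hosts. It enumerates every path from an internet foothold to a crown-jewel asset and ranks remediations by how many paths each one cuts, so a misconfiguration that sits on every path outranks a headline CVE that sits on only a few. The host names and the misconfiguration labels (`llmnr-nbtns-enabled`, `reused-local-admin-password`, and so on) are constructed; the two CVE identifiers are ones the advisory lists.

```python
from collections import defaultdict

# Constructed sample environment (not real data): each edge is
# (source host, target host, weakness label) that lets an attacker move
# from source to target. The two CVE identifiers are ones the advisory
# lists; the host names and the misconfiguration labels are made up.
EDGES = [
    ("internet", "vpn-gw", "CVE-2019-11510 (Pulse Connect Secure)"),
    ("internet", "fw-01", "CVE-2018-13379 (FortiOS)"),
    ("internet", "web-01", "default-credentials-admin-portal"),
    ("vpn-gw", "ws-12", "llmnr-nbtns-enabled"),
    ("fw-01", "ws-12", "llmnr-nbtns-enabled"),
    ("web-01", "ws-12", "llmnr-nbtns-enabled"),
    ("ws-12", "file-srv", "ntlm-relay-smb-signing-off"),
    ("ws-12", "dc-01", "reused-local-admin-password"),
    ("file-srv", "dc-01", "reused-local-admin-password"),
]

START, CROWN_JEWEL = "internet", "dc-01"


def build_graph(edges):
    """Adjacency list: host -> [(next host, weakness used to get there)]."""
    graph = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    return graph


def all_attack_paths(edges, start=START, goal=CROWN_JEWEL):
    """Enumerate every simple path from start to goal.

    Each path is returned as the ordered list of weakness labels it relies on.
    """
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, used):
        if node == goal:
            paths.append(used)
            return
        for nxt, weakness in graph[node]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, used + [weakness])

    walk(start, {start}, [])
    return paths


def paths_after_fixing(edges, fixed, start=START, goal=CROWN_JEWEL):
    """Attack paths that survive once every edge using a fixed weakness is removed."""
    remaining = [e for e in edges if e[2] not in fixed]
    return all_attack_paths(remaining, start, goal)


def rank_remediations(edges, start=START, goal=CROWN_JEWEL):
    """Score each weakness by how many attack paths disappear when it alone is fixed.

    Returns (weakness, paths_cut) pairs, highest impact first; ties sort by name.
    """
    baseline = len(all_attack_paths(edges, start, goal))
    scores = {}
    for weakness in {e[2] for e in edges}:
        scores[weakness] = baseline - len(paths_after_fixing(edges, {weakness}, start, goal))
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


def greedy_fix_set(edges, start=START, goal=CROWN_JEWEL):
    """Remediation plan found greedily: keep fixing the weakness that cuts the
    most remaining paths until no path to the goal is left."""
    fixed = []
    remaining = list(edges)
    while all_attack_paths(remaining, start, goal):
        best, cut = rank_remediations(remaining, start, goal)[0]
        if cut == 0:
            break  # cannot happen while a path exists; guards against an endless loop
        fixed.append(best)
        remaining = [e for e in remaining if e[2] != best]
    return fixed


if __name__ == "__main__":
    print(f"{len(all_attack_paths(EDGES))} attack paths from {START} to {CROWN_JEWEL}")
    for weakness, cut in rank_remediations(EDGES):
        print(f"  fixing {weakness!r} removes {cut} path(s)")
    print("greedy remediation plan:", greedy_fix_set(EDGES))
    print("paths left if only the two CVEs are patched:",
          len(paths_after_fixing(EDGES, {"CVE-2019-11510 (Pulse Connect Secure)",
                                         "CVE-2018-13379 (FortiOS)"})))
```

In this constructed environment, patching both listed CVEs still leaves two paths to the domain controller (through the web portal with default credentials), while fixing the single LLMNR/NBT-NS misconfiguration on the workstation segment removes every path. That is the difference between treating the symptom and removing the root weakness; a real model would also weigh exploit availability and remediation cost, which this toy deliberately leaves out.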
To conclude, it frustrates me when I read notes like “attackers are able to continue exploiting these vulnerabilities because businesses haven’t yet applied patches,” as they ignore the brutal truth that security teams are busy, like really busy, keeping the lights on against an increasing attack surface and a sophisticated attacker. These top exploited vulnerabilities are valuable input, among others, to be taken into a risk-weighted approach to reduce cybersecurity exposure and increase readiness.
Get Started Now
Understand today if you are vulnerable. Not only to these top reported security vulnerabilities, but to all TTPs malicious actors have in their arsenal. Start exposing vulnerable assets, apply real and safe exploitation, and uncover and prioritize every possible attack path. Focus on root vulnerabilities that can truly reduce risk when remediated. Pentera scans for vulnerabilities as a means to solving the problem rather than highlighting the symptom.
Want to learn how Pentera can help you validate your security program? Schedule a demo today.
[Figure: Pentera high-risk achievement to pinpoint the root vulnerability]
[Figure: Remediation Priority defined by Pentera for several of the safe exploits Pentera leverages to understand the full attack operation (Pulse Connect Secure CVE-2019-11510, FortiOS CVE-2018-13379, BIG-IP CVE-2020-5902, Microsoft CVE-2020-0787, Citrix CVE-2019-19871, etc.)]