Lately, a lot of organisations have been distracted by unpreventable zero-days: the unknown software vulnerabilities that security teams have had ‘0 days’ to patch or fix. To be fair, we’ve had some impressive examples recently, including the Log4J, Confluence and Follina vulnerabilities, which have sent some security teams, Chief Information Officers and Chief Information Security Officers into a spin. In my experience, and not to diminish the stress it causes, there’s a much bigger threat.
Over 99% of incident responses we’ve been involved with could have been avoided by simply patching known and preventable vulnerabilities that have been publicly disclosed for months. Even in the case of the most advanced incident responses and compromise assessments ParaFlare has undertaken, APTs are often using known and preventable vulnerabilities to exploit their targets.
This experience is backed up by research. Researchers at the University of Trento in Italy [1] looked at how organisations can best defend themselves against advanced persistent threats (APTs) in a qualitative study. They manually curated a dataset of APT attacks covering 86 APTs and 352 known campaigns from 2008 to 2020.
The research included information about attack vectors, exploited vulnerabilities (e.g. zero-days vs public vulnerabilities), and affected software and versions.
What they found is that most APTs employed publicly known vulnerabilities.
Of the 352 known APT campaigns, 162 employed vulnerabilities to execute their aims. Of those, only 10 used previously unknown, undisclosed vulnerabilities as part of their activities.
Most organisations are still being exploited by the most advanced threat actors through preventable and known vulnerabilities. There are a lot of cyber vendors out there claiming to offer quick detection and rapid discovery of zero-day exposures within an environment. However, most organisations should concentrate on the known and preventable vulnerabilities, and on the current status of software updates being applied to their environment.
So why do we jump at zero-day shadows when there are multiple known vulnerabilities that have not been patched or not sufficiently treated in a way that minimises the risk and exposure to the organisation?
You can’t understand the risk to an organisation until you fully understand the threat and the vulnerabilities within your own environment. Certain threats have greater resources and are able to exploit vulnerabilities in environments that are more complex, or to chain vulnerabilities together, to achieve their outcomes.
There are currently over 7600 vulnerabilities that have been confirmed on the Common Vulnerabilities and Exposures (CVE) website, commonly known as the CVE List. The fact that these vulnerabilities are published and declared makes them known and, therefore, preventable!
Vulnerability management and software update processes are critical to an organisation’s cyber resilience. Mature organisations focus on defence in depth instead of being consumed by zero-day distraction. They focus on vulnerability management processes for the known and preventable security vulnerabilities that APTs exploit far more often than unknown, unpreventable zero-day vulnerabilities.
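One way to put that focus into practice is to rank open findings by how long a vendor fix has existed without being applied, rather than by how recently a headline was written. The script below is an added example written for this post, not ParaFlare's code or the Trento dataset; the findings are constructed and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    ident: str                        # placeholder id, not a real CVE number
    product: str
    disclosed: date                   # date the vulnerability became public
    patch_released: Optional[date]    # None -> vendor has no fix yet (zero-day)
    patched_on: Optional[date]        # None -> still unpatched in our environment
    exploited_in_wild: bool           # known to be used by real campaigns


def exposure_days(f: Finding, today: date) -> int:
    """Days the environment was exposed while the bug was publicly known."""
    return ((f.patched_on or today) - f.disclosed).days


def patch_lag_days(f: Finding, today: date) -> int:
    """Days a vendor fix existed without being applied (0 if no fix exists)."""
    if f.patch_released is None:
        return 0
    return max(0, ((f.patched_on or today) - f.patch_released).days)


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings ordered: exploited first, fixable before unfixable,
    then longest patch lag, then longest public exposure."""
    open_findings = [f for f in findings if f.patched_on is None]
    return sorted(open_findings, key=lambda f: (
        not f.exploited_in_wild,
        f.patch_released is None,
        -patch_lag_days(f, today),
        -exposure_days(f, today)))


def preventable_share(findings: List[Finding]) -> float:
    """Fraction of open findings that already have a vendor fix available."""
    open_findings = [f for f in findings if f.patched_on is None]
    fixable = [f for f in open_findings if f.patch_released is not None]
    return len(fixable) / len(open_findings) if open_findings else 0.0


# Constructed sample inventory (not real data); ids are placeholders.
TODAY = date(2022, 9, 1)
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", "web framework", date(2022, 1, 15), date(2022, 1, 20), None, True),
    Finding("CVE-PLACEHOLDER-B", "wiki server", date(2022, 6, 2), date(2022, 6, 3), None, True),
    Finding("CVE-PLACEHOLDER-C", "office suite", date(2022, 8, 30), None, None, True),
    Finding("CVE-PLACEHOLDER-D", "vpn gateway", date(2021, 11, 1), date(2021, 11, 10), date(2021, 12, 1), False),
    Finding("CVE-PLACEHOLDER-E", "mail server", date(2022, 3, 1), date(2022, 3, 5), None, False),
]
```

Run `prioritise(SAMPLE, TODAY)` and the months-old, fixable, exploited findings come out ahead of the zero-day that has no patch to apply.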
Experienced CIOs understand some security risks are within their control, while others are unpreventable and outside their control.
Don’t jump at zero-day shadows when there are known vulnerabilities that need – in fact demand – your attention.
[1] Giorgio Di Tizio, Michele Armellini, Fabio Massacci. Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats.