Like it or not, we live in an era of manufactured celebrity and large-scale hype creation. While this can make it easy to keep tabs on movie stars’ relationships, it doesn’t help security teams stay on top of what’s really important. To prioritize their efforts, there are five factors security teams should look at in assessing the true risk of vulnerabilities. Read on to find out what these factors are and why they matter.
The Urgency of Vulnerability Remediation
If security is a race, it’s a sprint. This is particularly true when vulnerabilities are discovered. The race begins, with the good guys figuring out where they’re exposed and how to address the gaps, while the bad guys start building their modes of attack. The problem is that bad guys have an unfair advantage, leveraging automation to wage broad-based, indiscriminate attacks.
Security teams are falling behind. The reality is that vulnerabilities are most likely to be exploited within 40 to 60 days of their release, while security teams typically take 100 to 120 days to remediate vulnerabilities—according to Kenna Security’s proprietary research.
This is a race that also calls for precision. In an enterprise, security teams have tens of thousands of vulnerabilities to remediate. There's no way they'll ever address them all, let alone within that 60-day window. Therefore, it's critical that administrators don't waste time remediating vulnerabilities that aren't being exploited. Security staff need to identify the vulnerabilities that pose the biggest risk, and the key is knowing which those are.
The Emergence of Vulnerability Marketing
As security teams struggle to stay current with the threat landscape and determine how to prioritize their efforts, they have to wade through a dizzying amount of news, hype, opinions, and other noise. In recent years, the noise volumes have continued to be amplified. For that you can blame a lot of factors, but one that may not immediately come to mind is Heartbleed.
Back when Heartbleed was announced, a new precedent was set. Here was a vulnerability with its own marketing engine, featuring a logo, a web site, and more. Heartbleed was a critical vulnerability affecting the most popular open source cryptographic protocol, one relied upon by millions of sites. This was a vulnerability worthy of widespread attention, and using marketing to increase awareness was a good thing.
The Problem: Distinguishing Between Hype and Risk
The problem is that, since that time, around ten vulnerabilities have received similar “star” treatment. Some were critical and worthy of attention, others weren’t. It’s almost starting to feel like this kind of promotion is the only way to get folks to pay any attention to vulnerabilities. (The recent ImageTragick campaign was a great illustration of this phenomenon.)
When security teams are relying on media, forums, and other public resources to assess their vulnerabilities, they’re in trouble. The process is simply way too arbitrary. Clever marketing can hype a vulnerability, and get staff chasing a vulnerability that doesn’t pose any real danger. At the same time, the increased noise is very likely to drown out the real risks that should be getting addressed.
Consider just a couple of examples of non-marketed vulnerabilities that are still being exploited:
- CVE-2010-3055. This vulnerability was exploited 121,000 times in one year. It allows attackers to run malicious code in phpMyAdmin, which is used to run millions of sites worldwide. It received a Common Vulnerability Scoring System (CVSS) score of only 7.5 out of 10, so it has remained under the radar of many teams, but it continues to be exploited.
- CVE-2002-0649. First discovered in January 2003, this vulnerability affects Microsoft SQL Server and Microsoft Desktop Engine. One might think that a vulnerability discovered that long ago could safely be forgotten, but one would be wrong. Many thousands of exploits continue to be seen.
Publishing these kinds of exploits won’t get you press or notoriety, so much as a stifled yawn. If you’re waiting for some high profile news stories to appear on these types of threats, you will be waiting a while. A vulnerability shouldn’t have to be new and buzz-worthy to get attention. The quality of logo design or a firm’s social marketing prowess shouldn’t determine which vulnerabilities get addressed and which don’t.
This graph shows the significant delta between successful hits on “Logo’d vulns” versus ones that go mostly unnoticed. It’s the quiet ones that have remote code execution, an exploit, and an active Internet breach.
The Top 4 Factors to Consider
These recent developments point to a bigger problem: Many security teams lack an objective, consistent way to find out about vulnerabilities, and to determine how to prioritize them. Security teams need a way to be alerted to threats and prioritize their efforts based on factors that really matter.
Based on the extensive intelligence Kenna has collected, we have identified common factors that distinguish between vulnerabilities that are critical, and likely to pose real threats to businesses, and those that aren’t. In the following sections, I’ll outline some of the most important factors. These factors are all important; they’re not listed in any kind of priority order. Spoiler alert: The quality of a vulnerability’s logo design, the catchiness of its name, and the number of its Twitter followers are nowhere to be found.
#1. Allows Remote Code Execution
Remote code execution is ultimately what the bad guys are after. Once bad guys have established a way to run their code on a remote system, they inflict all kinds of chaos, whether they want to set up bot networks, steal data, or infiltrate networks. If a vulnerability doesn’t permit remote code execution, it’s one that will typically pose less risk than a vulnerability that does.
#2. Has a module in Metasploit
Metasploit has emerged as the de facto standard for exploit development. Many enterprise security teams and security firms use Metasploit to do penetration testing of an organization’s defenses and identify weaknesses. The problem is that the bad guys can also use Metasploit, and these aren’t just tests—they’re real attacks. When modules appear in Metasploit, you can be assured that a lot of bad guys are, or will soon be, leveraging them in their attacks.
#3. Is network accessible
Whether or not a vulnerability is network accessible can play a major role in the severity of the threat and the likelihood of its being exploited. Today's bad guys are all about automation and scale in waging their attacks. The only way to achieve these ends is through network-accessible vulnerabilities that form the basis of botnets, command-and-control communications, and so on.
#4. Is included in Exploit Database
The Exploit Database is a comprehensive repository of exploits and proof-of-concept attacks. Like Metasploit, Exploit Database is invaluable for good guys and bad guys alike. Until a vulnerability appears in the Exploit Database, it remains less likely to emerge as a significant, broad-based threat for organizations.
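To make the four factors concrete, here is a small Python scorer that ranks vulnerability records by those factors instead of by CVSS or by how well they were marketed. It is an added example written for this page, not Kenna's model or any product code: the equal weights, the use of CVSS only as a tie-breaker, the `actively_dangerous` filter, and the sample records (identifiers, scores and flags are all constructed) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record as a scanner or threat feed might export it.

    The four boolean fields are the four factors from the article; has_logo is the
    'marketing' signal that the scorer deliberately ignores.
    """
    vuln_id: str
    cvss: float                 # CVSS base score, 0-10
    remote_code_exec: bool      # factor 1: allows remote code execution
    metasploit_module: bool     # factor 2: has a Metasploit module
    network_accessible: bool    # factor 3: reachable over the network
    in_exploit_db: bool         # factor 4: listed in Exploit Database
    has_logo: bool = False      # hype signal, not used in scoring


# Assumption: the article says the factors are not in priority order, so each one
# gets the same weight. CVSS contributes at most 1.0, so any single factor always
# outranks any CVSS difference.
FACTOR_WEIGHT = 25.0


def risk_score(v: Vuln) -> float:
    """Evidence-of-exploitability score in [0, 101): 25 per factor plus CVSS/10."""
    factors = (v.remote_code_exec, v.metasploit_module,
               v.network_accessible, v.in_exploit_db)
    evidence = FACTOR_WEIGHT * sum(factors)
    return evidence + v.cvss / 10.0


def prioritize(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Return the records ordered from most to least urgent to remediate."""
    return sorted(vulns, key=risk_score, reverse=True)


def actively_dangerous(v: Vuln) -> bool:
    """Conservative 'fix now' filter: reachable remotely, yields code execution,
    and public exploit code exists in at least one of the two repositories."""
    return (v.network_accessible and v.remote_code_exec
            and (v.metasploit_module or v.in_exploit_db))


# Constructed sample records (hypothetical identifiers, not real CVEs).
SAMPLE = [
    # A heavily promoted vulnerability with a high CVSS but no exploitability evidence.
    Vuln("EXAMPLE-HYPED", cvss=9.8, remote_code_exec=False, metasploit_module=False,
         network_accessible=False, in_exploit_db=False, has_logo=True),
    # A quiet, mid-CVSS vulnerability that hits all four factors.
    Vuln("EXAMPLE-QUIET", cvss=7.5, remote_code_exec=True, metasploit_module=True,
         network_accessible=True, in_exploit_db=True),
    # Local-only code execution with public exploit code.
    Vuln("EXAMPLE-LOCAL", cvss=8.2, remote_code_exec=True, metasploit_module=True,
         network_accessible=False, in_exploit_db=True),
    # Network-reachable denial of service with exploit code but no code execution.
    Vuln("EXAMPLE-DOS", cvss=5.3, remote_code_exec=False, metasploit_module=False,
         network_accessible=True, in_exploit_db=True),
]


def ranked_ids(vulns: Iterable[Vuln]) -> List[str]:
    """Convenience: identifiers in priority order."""
    return [v.vuln_id for v in prioritize(vulns)]


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        flag = "FIX NOW" if actively_dangerous(v) else "queue"
        print(f"{v.vuln_id:14} cvss={v.cvss:4} score={risk_score(v):6.2f} {flag}")
```

Run as a script, the record with the logo and the 9.8 CVSS lands at the bottom of the list, while the 7.5 that has remote code execution, a Metasploit module, network exposure and an Exploit Database entry lands at the top. Swapping in real scanner output only requires populating the four boolean fields from your exploit-intelligence sources.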
How Kenna Can Help
Assessing all these factors represents one of the most critical efforts for security teams. However, it also represents a significant effort that has to be sustained. If security teams are going to address the growing gap being created by automated, broad-based attacks, they must get actionable intelligence and they must respond quickly and at scale. This means streamlining and accelerating efforts wherever possible. Quite simply, security teams need to fight automation with automation.
With Kenna solutions, that’s exactly what security teams can do. With Kenna, security teams don’t have to do all the work of manually collecting and analyzing vulnerabilities that get discovered. Kenna solutions automate and streamline the intelligence gathering process. These solutions make it easy for security administrators to distinguish between what’s really being exploited versus what’s being effectively hyped. With Kenna, security teams can more intelligently manage efforts, including remediation and security investments, so they can apply their efforts to the activities that matter most: those that significantly reduce risk.
Reading security news is a great way to keep tabs on what’s happening, but it’s not a suitable basis for formulating your remediation strategies. Don’t let the cleverness of a vulnerability’s marketing campaign dictate how you prioritize your efforts. Make sure you’re looking at the most critical aspects that figure to predict how much danger a vulnerability really poses. When you do that, you can align your limited time and resources with those efforts that will yield the biggest dividends in reducing risk to your organization.