The Complexities of Vulnerability Management: Is the Damage Already Done?
Vulnerability management is a complex issue which continues to strain the resources of many organizations. Failing to adequately detect and mitigate vulnerabilities can be a major source of risk for organizations of any size, and these lapses have been at the center of many recent high-profile breaches. Vulnerability management software, combined with more aggressive patching programs, has significantly reduced the potential risk for the organizations that have taken these steps.
However, no matter how well defined an organization’s vulnerability management program is, an element of risk remains with traditional vulnerability management programs: by the time a vulnerability has been detected and mitigated on a host, has the damage already been done? A recent study by the Cyentia Institute and Kenna Security, presented at the 2019 RSA Conference in the United States, found that the vast majority of exploits are published around the same time as the Common Vulnerabilities and Exposures (CVE) entry for the vulnerability they exploit. This gives organizations very little time, if any, to detect and mitigate a vulnerability before they become a victim of its exploit.
Even in the most aggressive vulnerability management programs, it takes time for a vendor to develop a signature, for that signature to be pushed to users, and for the next scan to take place. In the best case, this gap may be only a few days. More realistically, it may be a few weeks. Whether it is a few days or a few weeks, attackers are left with more than enough time to wreak havoc with newly found vulnerabilities.
Once an organization has determined that a newly discovered vulnerability is present on their network, how can they achieve some level of comfort that the vulnerability has not already been exploited? By the time a CVE is issued, there is often some intelligence which has been gathered regarding the exploitation of this vulnerability in the wild. Many threat intelligence services will allow users to query intelligence based on association with a particular CVE. Intelligence associated with a CVE may include artifacts such as hash values of files known to exploit this vulnerability, domains which are known to serve this exploit, or IP addresses known to act as C2 servers. By coupling this threat intelligence with netflow data, proxy logs, EDR logs and other sources of historical information, organizations can achieve a relative level of confidence in determining whether they have already been exploited.
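As an added example (not code from the original post or from any product it mentions), the correlation step described above in Python: indicators that an intelligence feed associates with a CVE are matched against historical proxy, netflow and EDR records, and the earliest hit is compared with the date the vulnerability was mitigated internally, which answers the "was the damage already done?" question. The CVE id, indicator values, hosts and log records are all constructed for illustration.

```python
from datetime import datetime

# Constructed, illustrative data only: placeholder CVE id and made-up indicators.
CVE_ID = "CVE-XXXX-NNNNN"                 # placeholder, not a real vulnerability
MITIGATED_ON = datetime(2019, 9, 1)       # constructed: date the host was patched
INTEL = {                                 # indicators a feed might tie to CVE_ID
    "hash":   {"0a1b2c3d4e5f60718293a4b5c6d7e8f9"},   # exploit file hash
    "domain": {"exploit-kit.example"},                # serves the exploit
    "ip":     {"198.51.100.23"},                      # documentation range, plays the C2
}

# Constructed historical records normalised to (timestamp, host, indicator_type, value).
PROXY_LOGS = [
    ("2019-08-28T10:15:00", "host-a", "domain", "exploit-kit.example"),
    ("2019-09-03T08:02:00", "host-b", "domain", "cdn.example"),
]
NETFLOW = [
    ("2019-08-29T02:40:00", "host-a", "ip", "198.51.100.23"),
    ("2019-09-02T12:00:00", "host-c", "ip", "203.0.113.7"),
]
EDR_EVENTS = [
    ("2019-08-29T02:41:00", "host-a", "hash", "0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
    ("2019-09-05T09:30:00", "host-d", "hash", "ffffffffffffffffffffffffffffffff"),
]

def correlate(intel, *sources):
    """Return every record whose indicator is in the intel set, ordered by time."""
    hits = []
    for records in sources:
        for ts, host, kind, value in records:
            if value in intel.get(kind, set()):
                hits.append((datetime.fromisoformat(ts), host, kind, value))
    return sorted(hits)

def assess(intel, mitigated_on, *sources):
    """Which hosts touched CVE-linked indicators, and did any do so before mitigation?"""
    hits = correlate(intel, *sources)
    hosts = sorted({host for _, host, _, _ in hits})
    earliest = hits[0][0] if hits else None
    before_mitigation = earliest is not None and earliest < mitigated_on
    return {"hits": hits, "hosts": hosts, "earliest": earliest,
            "before_mitigation": before_mitigation}

if __name__ == "__main__":
    result = assess(INTEL, MITIGATED_ON, PROXY_LOGS, NETFLOW, EDR_EVENTS)
    for ts, host, kind, value in result["hits"]:
        print(f"{ts:%Y-%m-%d %H:%M}  {host:<8} {kind:<6} {value}")
    print("affected hosts:", result["hosts"],
          "| earliest contact:", result["earliest"],
          "| before mitigation:", result["before_mitigation"])
```

A hit that predates the mitigation date means patching closed the hole but did not answer the question; that host needs an incident investigation rather than a closed vulnerability ticket.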
Of course, all of this takes time, something most security teams are hard pressed to find these days.
I’ll be at the Borderless Cyber Conference in Washington, DC next week discussing how this entire process can be automated using a Security Orchestration, Automation and Response (SOAR) solution like IncMan SOAR from DFLabs. If you are planning on attending Borderless Cyber, stop by my talk “Is the Damage Already Done? Automating Vulnerability Investigation”, in the Holeman Lounge on Tuesday 8th October at 4:45 PM EST. If you are not able to attend, conference videos should be available shortly after the conference. Hope to see you there.