Over the past few years, cybercrime has evolved into a money-making enterprise. Threat actors are always on the lookout for the path of least resistance — using existing attack tools and often re-using the same attack method on as many victims as possible — think WannaCry or NotPetya. The recently published 2018 Vulnerability and Threat Trends Report, compiled by the Skybox Security Research Lab, analyzed some of the most common tools used in attacks for 2017, such as vulnerabilities, exploits and other threats. The results reveal the emergence of a troublesome trend: the assets most difficult to patch are increasingly vulnerable.
Server-side applications now account for most of today’s exploits. The report reveals that 76 percent of all exploits were against server-side applications, a 17-point jump from 2016. Concurrently, client-side exploit kit use has plummeted, in part because of the demise of high-profile exploit-kit players like Angler, Neutrino and Nuclear.
Another growing target is operational technology (OT), which includes monitoring and control devices common in critical infrastructure organizations such as energy producers, utilities and manufacturers, among others. OT saw a 120 percent increase in new vulnerabilities compared to the previous year.
This latter spike is particularly concerning as many organizations have poor or non-existent visibility of their OT network, especially when it comes to vulnerabilities, as active scanning is generally prohibited.
“What many don’t consider is how pervasive OT networks are,” said Marina Kidron, senior analyst and group leader of the Research Lab. “For example, building management systems can be used as a means to get access to a network or cause specific building systems to fail, such as the HVAC system that cools a datacenter or clean room. Our research shows that these systems are way more vulnerable than many realize. It’s a problem.”
This new focus on server-side and OT vulnerabilities makes prioritization and remediation even trickier, since these higher-value assets typically require more than a simple patch, or patching them is difficult. To properly address this rising threat, enterprises must have insight into a variety of related factors, such as:
- How critical is the asset and will an update mean downtime?
- If we don’t update, what is our risk of exploitation?
- What is the network topology and where do potential attack paths exist?
- Do we currently have security controls in place that protect our exposure?
- How active are this asset’s currently-available exploits in the wild?
Only when you have gained complete visibility of a network, paired with the context of these issues, is it possible to determine the optimal priority and schedule for patching.
Additional data in the report shows that the number of vulnerabilities listed in MITRE’s National Vulnerability Database doubled in 2017. The reason for this is multi-faceted: there has been an increase in threats paired with organizational improvements at MITRE and the rise of external research and “bug bounty” programs. While this is a positive improvement, it makes the job of the vulnerability management team ever-more challenging, as analysts continue to be overwhelmed by a deluge of alerts and data.
It also indicates the problem with using CVE scores alone for determining threat and patch priorities — they simply do not provide enough context for an accurate assessment of the overall risk a vulnerability poses. To cut through the noise, analysts should again be considering additional factors, such as the network and security controls in place, the importance of a particular asset to the business, and continuous threat intelligence on which vulnerabilities are being exploited in the wild. With this context, they are better able to determine the true risk a particular vulnerability poses, and where to put it in their list of priorities.
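The following is an added example (not from the report or from Skybox) showing how the context factors listed above, asset criticality, reachability, compensating controls, exploit activity and patch downtime, can reorder a patch queue that CVSS alone would sort differently. The weights, asset names and CVE identifiers are constructed placeholders, not a published scoring formula.

```python
from dataclasses import dataclass

# Weights below are an illustrative assumption, not a published formula.
UNREACHABLE_FACTOR = 0.3      # no network path from an untrusted zone
CONTROL_FACTOR = 0.5          # compensating control (IPS/WAF rule) covers the exposure
EXPLOIT_IN_WILD_FACTOR = 1.5  # exploit is known to be actively used

@dataclass
class Asset:
    name: str
    criticality: float           # 0.0..1.0, importance to the business
    reachable: bool              # does an attack path exist from untrusted zones?
    compensating_controls: bool  # is a security control already protecting it?
    patch_needs_downtime: bool   # will updating mean an outage?

@dataclass
class Finding:
    cve: str                     # constructed placeholder ids, not real CVE numbers
    asset: Asset
    cvss: float                  # 0.0..10.0 base score
    exploit_in_wild: bool

def contextual_risk(f: Finding) -> float:
    """CVSS base score adjusted by the context factors discussed in the article."""
    score = f.cvss / 10.0
    if not f.asset.reachable:
        score *= UNREACHABLE_FACTOR
    if f.asset.compensating_controls:
        score *= CONTROL_FACTOR
    if f.exploit_in_wild:
        score *= EXPLOIT_IN_WILD_FACTOR
    return score * (0.5 + f.asset.criticality)

def remediation_action(f: Finding, urgent_threshold: float = 0.8) -> str:
    """Turn the score into a scheduling decision that respects downtime cost."""
    risk = contextual_risk(f)
    if risk >= urgent_threshold:
        return "patch now (emergency window)" if f.asset.patch_needs_downtime else "patch now"
    if f.asset.compensating_controls:
        return "defer to next maintenance window (control in place)"
    return "schedule in next maintenance window"

def prioritise(findings):
    """Highest contextual risk first, instead of highest CVSS first."""
    return sorted(findings, key=contextual_risk, reverse=True)

# Constructed sample findings: an isolated database, an exposed web portal, an OT controller.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", Asset("hr-db", 0.9, False, True, True), 9.8, False),
    Finding("CVE-PLACEHOLDER-B", Asset("web-portal", 0.8, True, False, False), 7.5, True),
    Finding("CVE-PLACEHOLDER-C", Asset("hvac-plc", 0.7, True, False, True), 6.5, False),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{f.cve:20} cvss={f.cvss:<4} risk={contextual_risk(f):.2f} -> {remediation_action(f)}")
```

Sorted by CVSS alone the queue would be hr-db, web-portal, hvac-plc; with context the actively exploited, internet-reachable portal moves to the top and the isolated, control-protected database drops to a maintenance window.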
What’s clear from the report is that the threat landscape is continuously evolving, with the threats and volume of issues to address growing at an accelerated pace.
If enterprises are to keep up, they will need to evolve too, and that begins with gaining complete visibility of their entire attack surface, including all assets, network topology, security controls, vulnerabilities and threats. That visibility should cover not only physical networks, but also virtual, multi-cloud and even OT environments. Only then do security teams have the necessary context for quickly and accurately analyzing and prioritizing vulnerabilities in a systematic, focused way that truly addresses risk and improves the security posture of the organization.
Gerry Sillars is the Vice President, APAC at Skybox