You might be better off ignoring that new high-profile zero-day for now, a senior Tenable staffer suggested to a high-level gathering of senior security executives, if it gives you the time to fix the parts of your digital infrastructure that attackers will actually try to leverage.
Security professionals talk about risk management all the time – but what does it really mean? In today’s cybersecurity landscape, published vulnerability assessments vie with network-defence teams’ lived experience and the pressures coming down on boards from shareholders. All these factors are driving security priorities – and often will be pushing network defence teams in different directions at the same time.
Consider, too, that all these players are being bombarded daily with open-source reports of ever-more-scary new vulnerabilities, often arriving in the marketplace of ideas complete with catchy names, trending hashtags and sometimes even their own swish logos. The difficult truth is, often it’s the older, ostensibly tired, definitely somewhat tedious, and invariably never particularly sexy or high-profile vulnerabilities that are the ones that cause most of the real damage.
“Behind every breach headline are known flaws,” Tenable’s deputy CTO, Gavin Millard, told a high-level group of digital security specialists during a roundtable discussion the company hosted in London. “And it’s a really painful thing to face when you realise that no matter how complex or sophisticated the attackers are, they’re always leveraging known flaws to break into infrastructure.”
To bolster his argument, Millard cited attacks on meat distributor JBS and Colonial Pipeline, which leveraged, respectively, the firm’s remote desktop protocol (“or, as we call it, ransomware delivery protocol”) and the oil distributor’s industrial control systems infrastructure via a poorly configured VPN. JBS paid an $11m ransom, but, Millard argued, “that’s just a drop in the ocean compared to the actual business cost of such an outage. Shelves were left empty; people were really struggling. The Colonial Pipeline attack caused a run on gasoline where people were queuing for hours and panic-buying petrol.”
News of attacks that succeed because of poorly applied policies or failure to patch long-known vulnerabilities exist in that category of events that are shocking but not surprising. Every digital security professional finds it unconscionable that long-known flaws remain unaddressed, but at the same time they all understand how and why such gaps can appear in large companies’ increasingly complex and ever-growing attack surfaces.
The problem, Millard argued, is one of priorities: which vulnerabilities should a company be devoting finite security resources to fixing, and – in the highly imperfect real world, where prompt remediation of every disclosed issue is impossible – which ones can it, should it, pragmatically allow to stand unaddressed for a little longer? In 2022, he said, more than 20,000 new vulnerabilities were disclosed, more than half of them rated as critical according to CVSS version 3 – “which is not the best measure, but it’s what people have,” he noted.
“In reality,” he said, “the vast majority of those 20,000 are a complete irrelevance when it comes to good cyber hygiene. We’ve built models for predicting which vulnerability is going to be leveraged. We have historic data, so we can go back and see which vulnerabilities were leveraged. Only about two per cent of all disclosed vulnerabilities will ever be leveraged by attackers. People still have this focus on addressing high or critical vulnerabilities, but most of them are never going to be leveraged.”
Corporate compliance protocols which prioritise fixing vulnerabilities with high CVSS scores are playing a part here, Millard argued.
“Badlock’s a really good example,” he said. “It hit the news and everyone was freaking out – but it should have been called Sadlock, because non-one’s going to end up using this vulnerability. At the same time Badlock was announced, so was CVE-2017-0199, which was really bad, and has been leveraged more than any other vulnerability in the last five years.”
“There’s a difference between something being vulnerable versus it being exploitable,” agreed Simon Riggs, a CISO in the retail sector. “We all struggle with that long list of high-priority, so-called critical vulnerabilities. But if you can get a bit more confidence about which bits of your infrastructure, while vulnerable, may not be easily exploitable, that allows you to work with your technology teams to focus efforts on those things that are likely to be exploited, and on getting that stuff right. If anything it just buys you some time.”
As the discussion circled, education emerged as a key concern. Security teams need to learn more about how to better balance a high vulnerability metric with the practical challenges an attacker will have to overcome to successfully exploit it. Boards need to think carefully about how to frame compliance policies. Standards organisations should be encouraged to use greater nuance and operational context when assigning a criticality metric. And developers need to be supported by customer organisations so they can better understand how to build prevention into the software they are writing.
“Taking more of a historic view on the vulnerability is the only way you can truly decide what needs to be remediated,” Millard said. “Just looking at the traits of a vulnerability is foolhardy: you need to truly understand the context of the threat.”
And, he argued, this means a relentless focus on that 2% – the vulnerabilities that hackers are actively exploiting – even if that means the attackers start to look elsewhere.
“If we get to the point that all the 2%s have been addressed, and they’re going after things that haven’t – that would be a perfect win for us,” he said. “If we can make it as hard as possible to attack using the 2%, then we can start to worry about the next few. In reality, the attack surface is massive, and people are terrible at finding and addressing that 2% in a timely manner, so I don’t think we’re ever going to get to that point. But it would be such a massive win for cybersecurity if we did.”