As a security researcher, common vulnerabilities and exposures (CVEs) are a problem for me, but not for the reason you might think.
While IT and security teams dislike CVEs because of the risk they pose and the mountain of remediation work they create, what troubles me is how our modern security practices relate to CVEs. Our mitigation strategies have become too focused on "vulnerability management" and too CVE-centric, when what we really need is a hacker-centric approach to effectively reduce our exposure.
Vulnerability management as a primary strategy simply does not work. According to the National Institute of Standards and Technology, 20,158 new vulnerabilities were discovered in 2021 alone. That was the fifth consecutive year of record numbers for vulnerability discovery, and 2022 looks likely to continue the trend. Security teams can't reasonably patch 20,000 new vulnerabilities a year, and even if they could, they shouldn't.
This may sound counterintuitive, but there are a couple of reasons why it isn't. The first is that recent research shows only about 15% of vulnerabilities are actually exploitable, so patching every vulnerability is not an effective use of time for security teams that have no shortage of tasks. The second and equally important reason is that even if you did consistently patch 100% of the CVEs in your network, this still likely wouldn't be effective at stopping hackers.
Hacker Techniques Are Vast and Varied
Phishing, spear-phishing, various levels of social engineering, leaked credentials, default credentials, unauthenticated access over standard interfaces (FTP, SMB, HTTP, etc.), accessible hotspots with no passwords, network poisoning, password cracking: the list of techniques hackers are using is vast and varied, and many don't even require a high-level CVE, or any CVE at all, to be dangerous to an organization. The recent Uber breach is a great example of how hackers compromised an organization without using the latest CVEs or overly complicated attack methods.
Depending on whether you believe what the hacker claimed on Uber's Slack channel or Uber's recent comments, the hacker was either an 18-year-old who exfiltrated data from an Uber staffer via a clever social-engineering/spear-phishing attack, or the work of the South American hacking group Lapsus$, which executed a spear-phishing attack using the leaked credentials of a third-party contractor obtained from the Dark Web. In either scenario, there was no complicated coding or vulnerability exploitation going on here. Instead, it was a variation on an old-school tactic that's tried and true.
It's Not the Vulnerability but the Vector That Matters
I don't want anyone to get the wrong idea. Patching is important; it is a critical part of a strong security posture and an essential component of every security strategy. The problem is that many tools today prioritize remediation recommendations based solely on Common Vulnerability Scoring System (CVSS) scores, and what gets lost is the organizational context: the understanding of how to separate the meaningful 15% of vulnerabilities from the other 85%.
As an experienced penetration tester in the Israel Defense Forces and vice president of research, leading a team of ex-pen testers and red teamers at Pentera, what I've learned is that it's not the vulnerability but the vector that matters. Just because your attack doesn't start with a major vulnerability doesn't mean it won't end with one. The most dangerous vulnerability for your organization might be a 5.7/10 CVSS score hidden at the bottom of a list of high-scoring false positives.
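To make the "vector, not vulnerability" point concrete, here is an added example (not code from the article or from Pentera) that ranks the same set of findings two ways: by CVSS base score alone, and by how much attacker reach disappears if the finding is fixed. The environment is a constructed toy network: host names, asset values, reachability edges and the VULN-A…VULN-E identifiers are all made up for the illustration and are not real CVEs. The initial foothold is assumed to be a VPN gateway reached with leaked contractor credentials, which needs no CVE at all; from there the attacker is assumed to move to a neighbouring host only by exploiting an exploitable finding on it.

```python
"""Context-aware prioritisation: rank findings by the attack path they open,
not by their CVSS score. Everything below is a constructed example."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str        # placeholder identifier, not a real CVE number
    host: str         # constructed asset name
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploitable: bool  # a working exploit is known for this finding


# Business value of each constructed host, 1 (low) to 5 (crown jewel).
HOST_VALUE = {"vpn-gw": 2, "wiki": 1, "jump": 3, "db-prod": 5,
              "hr-share": 4, "build-srv": 3}

# Directed network reachability: which hosts each host can talk to.
NETWORK = {
    "vpn-gw": {"wiki", "jump"},
    "wiki": set(),
    "jump": {"db-prod", "hr-share", "build-srv"},
    "db-prod": set(),
    "hr-share": set(),
    "build-srv": {"db-prod"},
}

# Assumed initial foothold: leaked contractor VPN credentials, no CVE needed.
FOOTHOLDS = {"vpn-gw"}

# Constructed findings. Note the 5.7 on the jump host: modest score, but it is
# the only exploitable step between the foothold and the crown jewels.
FINDINGS = [
    Finding("VULN-A", "wiki", 9.8, False),       # critical score, dead end, no exploit
    Finding("VULN-B", "build-srv", 9.1, False),
    Finding("VULN-C", "jump", 5.7, True),         # the one that actually matters
    Finding("VULN-D", "hr-share", 8.2, False),
    Finding("VULN-E", "db-prod", 7.5, True),      # only reachable once jump is taken
]


def compromised_hosts(findings, footholds=FOOTHOLDS, network=NETWORK):
    """Breadth-first walk from the footholds; a neighbour is taken only if it
    carries an exploitable finding."""
    exploitable_on = {f.host for f in findings if f.exploitable}
    owned = set(footholds)
    queue = deque(footholds)
    while queue:
        host = queue.popleft()
        for nxt in network.get(host, ()):
            if nxt not in owned and nxt in exploitable_on:
                owned.add(nxt)
                queue.append(nxt)
    return owned


def exposure(findings, footholds=FOOTHOLDS, network=NETWORK, values=HOST_VALUE):
    """Total asset value the attacker can reach with these findings present."""
    return sum(values[h] for h in compromised_hosts(findings, footholds, network))


def patch_benefit(finding, findings=FINDINGS):
    """Exposure removed by fixing exactly this finding."""
    remaining = [f for f in findings if f is not finding]
    return exposure(findings) - exposure(remaining)


def cvss_only_rank(findings=FINDINGS):
    """What a CVSS-sorted report shows: the 5.7 lands at the bottom."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def vector_rank(findings=FINDINGS):
    """Rank by exposure removed, CVSS only as a tie-breaker."""
    return [f.ident for f in
            sorted(findings, key=lambda f: (patch_benefit(f, findings), f.cvss),
                   reverse=True)]


if __name__ == "__main__":
    print("reachable asset value with all findings present:", exposure(FINDINGS))
    print("CVSS-only order :", cvss_only_rank())
    print("vector order    :", vector_rank())
    for f in FINDINGS:
        print(f"{f.ident} cvss={f.cvss:4} fix removes exposure {patch_benefit(f)}")
```

In the constructed environment the CVSS-only order is A, B, D, E, C; the vector-based order puts VULN-C first because fixing it alone cuts reachable asset value from 10 to 2, while the three highest-scoring findings remove nothing. The same shape of analysis works with real attack-graph or pen-test output in place of the toy network; the point is that the ranking input is reachability from a realistic foothold, not the base score.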
Leaked Credentials Are a Bigger Threat
Leaked credentials likely pose a far greater threat to the average organization than the next dozen CVEs to be announced combined, yet many organizations have no protocol in place to discover whether any of their credentials are floating around in the darker parts of the Web. We act as if hackers will spend countless hours developing new CVEs, when they're really just looking for the most efficient way into our networks. Many of today's hackers, and hacking groups, are financially motivated, and like any organization they want the best ROI for their time. Why spend time executing a sophisticated attack when you can simply buy or scrape the credentials?
Right now, our defenses aren't working, and we, as security professionals, need to reexamine where the weak points are. While vulnerability management is certainly a core part of any meaningful security strategy, we need to move away from it as a primary methodology. Instead, we need to take a good look at the techniques hackers are using and base our security strategies on how to stop them. If we want our security to truly be effective at reducing our exposure, our strategies must focus on understanding the real-world techniques and methodologies that hackers are using to exploit us.
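The kind of control the paragraph above says is usually missing, as an added example that is not from the article or from Pentera: screening passwords at set or change time against a breached-password corpus, using a hash-prefix (k-anonymity) lookup so that the full password hash never leaves the organisation. The corpus here is a constructed list of a few passwords assumed to have appeared in leaks or as vendor defaults, standing in for a real breach-data service; the `range_lookup` function is a local stand-in for that service's prefix-range endpoint, not a real API.

```python
"""Screen candidate passwords against a breached-password corpus using a
5-hex-character SHA-1 prefix query. Corpus and service are constructed
stand-ins; nothing here contacts a real breach-data provider."""
import hashlib

# Constructed corpus: passwords assumed to be present in leaks or as
# vendor defaults. A real deployment would use a breach-data feed instead.
_CONSTRUCTED_LEAKED_PASSWORDS = ["password", "Welcome1", "admin", "Summer2022!", "Passw0rd"]

PREFIX_LEN = 5  # characters of the hex digest sent to the lookup service


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the convention used by range-query services."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# What the stand-in service holds: full hashes of the leaked corpus.
LEAKED_HASHES = {sha1_hex(p) for p in _CONSTRUCTED_LEAKED_PASSWORDS}


def range_lookup(prefix: str) -> list[str]:
    """Stand-in for a k-anonymity range endpoint: given only the first
    PREFIX_LEN hex characters, return every suffix in the corpus that shares
    that prefix. The service never learns which suffix the caller wanted."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly %d upper-case hex chars" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in LEAKED_HASHES if h.startswith(prefix))


def password_is_exposed(password: str) -> bool:
    """True if the password's hash appears in the corpus. Only the prefix is
    sent out; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix)


def screen_passwords(candidates: list[str]) -> dict[str, bool]:
    """Batch form suitable for a password-change hook or a periodic audit of
    passwords that are about to be set."""
    return {pw: password_is_exposed(pw) for pw in candidates}


def outbound_query_for(password: str) -> str:
    """The only data that would cross the wire for this password: its prefix.
    Exposed so the privacy property can be checked, not just asserted."""
    return sha1_hex(password)[:PREFIX_LEN]


if __name__ == "__main__":
    # Constructed candidates: two from the corpus, one not.
    for pw, exposed in screen_passwords(["Welcome1", "admin", "tr0ub4dor&3-xq9"]).items():
        print(f"{pw!r:22} sent={outbound_query_for(pw)}  exposed={exposed}")
```

The same check belongs wherever a password is first accepted (directory password filters, SSO onboarding, service-account provisioning), and the default-credential entries in the corpus cover the case the article lists separately: a vendor default is a leaked credential that shipped with the product.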