The Exploding Vulnerability Arms Race


As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Rohit Dhamankar of Fortra’s Alert Logic warns of a growing Cyber Cold War, as countries stockpile vulnerability “weapons of mass destruction.”

At 2022 Black Hat USA, former CISA Director Chris Krebs warned that every country today – not just Russia, China, North Korea, and Iran – sees the Internet as the “Fifth Domain.” Nation-state attacks are on the rise – primarily due to an ever-growing exploitable vulnerability stockpile.

In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020. And the zero-day market is flourishing. Often, it can be more lucrative to sell a vulnerability than participate in a bug bounty program. And software vulnerabilities are not just being exploited by nation-state attackers. The explosion of vulnerabilities has lowered the bar to entry for bad actors, from e-crime to ransomware. To measurably improve their security posture, defenders need to more efficiently – and effectively – manage software vulnerabilities in their environment.

A Perfect Storm

The size of the attack surface continues to expand due to the continued adoption of cloud technologies. Yet security continues to lag far behind. Why? Often, in the rush to go-to-market, organizations have little time or resources to spend on security. In addition to a growing attack surface, the type of software vulnerabilities has changed. In the past, vulnerabilities would predominantly be found in various operating systems and web applications. While these attack vectors haven’t gone away, now vulnerabilities are much more complex, and hackers are increasingly using vulnerability chaining to compromise their targets.

Adding to these elements, the speed to exploit has increased as well. For example, ransomware gangs know organizations don’t patch automatically; in the past, they could go undetected in a targeted environment for up to two weeks. As security solutions started maturing, these gangs realized they needed to exploit software vulnerabilities more quickly, and they can now infect environments in just a few hours.

Reduce your Exposure, Increase Your Security Posture

While the risk due to software vulnerabilities has escalated over recent years, defenders must continue to follow these basic steps to protect their organization:

  • Gain visibility of your complete attack surface: Today, visibility of your environment is key. By being able to view your entire infrastructure, you can better identify your vulnerabilities and their potential risk to your organization. Due to the expansion of the attack surface, visibility has become more complex. You need to know not just your operating systems, but also all the assets you are running in the cloud.
  • Automate, automate, automate: Resources, from staff to tools, are always going to be limited – automation can help reduce your risk. Identify areas of your environment that you can automatically control. For example, can you automatically check if your end-user systems are completely patched? Can you automatically deny unauthorized access to the network? Put together a Zero Trust framework for your environment. Automation can improve your success against an ever-increasing attack vector.
  • Don’t forget the outside-in view: Today, most practitioners use vulnerability management systems to see what’s vulnerable in their environment and prioritize their risk approach. Yet these systems only provide an Inside-Out view — you also need an Outside-In view. Conduct robust penetration testing of your environment and take it seriously, because that’s how hackers and other outsiders investigate your environment. You can then fuse the inside-out view with the outside-in view to make proper decisions to reduce risk.
  • Audit your security controls: What controls have you invested in from a security perspective? Are you maximizing the utility of those controls? Do you have the right skill set for, and monitoring of, these controls to make sure that they are in place and that they’re delivering the maximum benefit for the investment that you have made?
  • Prioritize your workforce: Prepare your entire staff to respond to the next breach. Do you have KPIs in place for your staff for responding to vulnerabilities in your environment? That’s a business metric that you should be measuring.
  • Ask yourself: “How am I measuring, how am I doing month to month? Every day there is a new risk. How does that affect my KPI and how are my resources aligned to help me reduce the risk?” These are just some of the questions that organizations really need to think about and address carefully.

Conclusion

The threat due to software vulnerabilities will continue to grow. To measurably reduce risk, take a holistic look at everything, from your attack surface to your resource and tool optimization. If that is done, organizations have at least a chance of staying ahead of today’s adversaries.

Rohit Dhamankar