According to the 2021 X-Force Threat Intelligence Index, scanning for and exploiting vulnerabilities was the top infection vector of 2020. Up to one in three data breaches stemmed from unpatched software vulnerabilities. Take a look at this list of vulnerabilities or design flaws with no official Microsoft fix. In any case, one in three might be a low-ball estimate given the increase in unpatched vulnerability attacks. How do defenders stop them?

Attacks have become more diverse over time. For example, some Linux vulnerability attackers don’t want your trade secrets. Instead, they hijack computing resources for cryptomining, which can go on for months before detection. Meanwhile, threat actors can also set up web shells to install ransomware. By maintaining the shell, they can sell remote access to your web server.

The Cybersecurity and Infrastructure Security Agency (CISA) beats the drum about software vulnerabilities and exploits. CISA says, “Foreign cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”

In other words, CISA is tired of having to deal with unpatched vulnerability breaches. Some say the lack of patching is due to laziness and neglect. Maybe it’s because security teams don’t have a solid patching plan. So let’s hatch a plan.

Prioritize the Risk

If you were to scan your systems for software vulnerabilities, you might discover hundreds of thousands of open doors. Merged with or acquired a company recently? You just multiplied your risk. For enterprises, the grand total of detected vulnerabilities can number in the millions.

Of course, you can’t patch everything at once. Instead, proper triage is essential. For example, what types of vulnerabilities are nearest to mission-critical systems?

Another factor: you can’t handle this without qualified patchers. Plus, how do you know if a detected vulnerability isn’t a false positive?

Common Software Vulnerabilities and Exposures

Why not target the CISA Top 10 Routinely Exploited Vulnerabilities? While it’s important to be aware of the CVE list, your high-value assets may be exposed to uncommon risk. Also, CISA’s Common Vulnerability Scoring System doesn’t consider weaponized software vulnerabilities, that is, the ones being actively exploited. You need to consider both asset value and weaponization to triage patches.

To minimize false positives, it’s important to use attack correlation, intelligence sources and a risk-based approach. This is not a simple task, and few companies have the right in-house resources. For this reason, some may choose to hire an expert team.
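The triage idea above, combining asset value with weaponization and flagging uncorroborated findings, is small enough to show in code. The following is an added example written for this page, not a tool from the article or from IBM; the CVE identifiers, asset names, scanner names and the `KNOWN_EXPLOITED` feed are all constructed placeholders, and the weighting (CVSS times asset value, doubled when actively exploited) is an assumption chosen for illustration.

```python
"""Risk-based triage of scanner findings: rank by CVSS x asset value,
boost findings whose CVE is on an actively-exploited list, and flag
single-source findings for verification before anyone patches them."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str            # placeholder identifier, not a real CVE
    asset: str
    cvss: float         # CVSS base score, 0-10
    asset_value: int    # 1 (disposable) .. 5 (mission-critical), set by the asset owner
    sources: frozenset  # scanners / intelligence feeds that reported the finding


# Constructed sample inputs. KNOWN_EXPLOITED stands in for a KEV-style feed.
KNOWN_EXPLOITED = frozenset({"CVE-0000-0001", "CVE-0000-0003"})
FINDINGS = [
    Finding("CVE-0000-0001", "web-01",   7.5, 5, frozenset({"scanner-a", "intel-feed"})),
    Finding("CVE-0000-0002", "db-01",    9.5, 5, frozenset({"scanner-a", "scanner-b"})),
    Finding("CVE-0000-0003", "kiosk-07", 6.0, 1, frozenset({"scanner-a"})),
    Finding("CVE-0000-0004", "test-vm",  9.0, 1, frozenset({"scanner-b"})),
]
EXPLOITED_MULTIPLIER = 2.0  # assumed weight for findings under active exploitation


def priority_score(f, exploited=KNOWN_EXPLOITED):
    """CVSS weighted by asset value; doubled when the CVE is being exploited in the wild."""
    score = f.cvss * f.asset_value
    if f.cve in exploited:
        score *= EXPLOITED_MULTIPLIER
    return round(score, 1)


def needs_verification(f):
    """A finding reported by a single source is a false-positive candidate."""
    return len(f.sources) < 2


def triage(findings, exploited=KNOWN_EXPLOITED):
    """Return (cve, asset, score, needs_verification) rows, highest priority first."""
    ranked = sorted(findings, key=lambda f: priority_score(f, exploited), reverse=True)
    return [(f.cve, f.asset, priority_score(f, exploited), needs_verification(f))
            for f in ranked]


def cvss_only_order(findings):
    """The order a CVSS-only view would give, for comparison with triage()."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only_order(FINDINGS))
    for row in triage(FINDINGS):
        print(row)
```

On the constructed data a CVSS-only view would put the 9.0 finding on a throwaway test VM second; the weighted view pushes the actively exploited 7.5 on a mission-critical web server to the top and demotes the test VM to last, which is the point the section makes.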

So Little Time, So Many Software Vulnerabilities

For vulnerability patching, the emergency room triage example serves us well. When the ER is full, doctors must decide which patients are critical. Later in the day, the ER may be nearly empty, so the doctor can address less urgent cases. Vulnerability assessment and remediation are similar. And just like the ER never closes, a company needs to audit, monitor and test their software vulnerability profile often.

Remember, your teams might add applications at any moment. So, maintain an up-to-date network inventory and schedule vulnerability scanning. Automated software vulnerability management programs can be a great help here.

Many companies don’t have the time or qualified resources to identify, prioritize and remediate vulnerabilities. Rather than being lazy or negligent, businesses simply find the process overwhelming. Given the high risk involved, many companies decide to contract expert vulnerability mitigation services.

Software Patch Testing

Once your team has identified a software vulnerability, it’s time to test the patch. Few things are worse than a botched patch that breaks an application. After downloading a patch, test it in a non-production environment.

Remember, with infrastructure becoming more complex, it can be difficult to test a patch in many cases. Some use cloud services as a cost-effective way to create a patch testing environment that mimics your production system.

Software Patch Bundling

Work in bundles when you can. Put another way, test and roll out patches in groups instead of one at a time. Be aware that this tactic carries some risk since an attacker may discover a vulnerability before you apply the patch. For mission-critical assets, bundling may not be the best choice. Still, in some cases, bundling leads to faster patch deployment since you’re rolling out the process according to a plan.

Software Vulnerabilities: Patch Application & Verification

Since it can get confusing, IT teams should keep a vulnerability management database and a deployment schedule to track which patches have been applied where. After you apply patches, check your system logs and exceptions to verify correct patching. Also, put a recovery plan in place beforehand in case the patch causes a disaster.

To verify patch success, you can rescan your assets. This should also include checking related network devices, systems or applications for signs of malfunction.
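The two verification steps described in this section, rescanning assets and checking post-patch logs, can be automated as a comparison of the pre- and post-patch scan results. This is an added example for this page, not code from the article; the scan snapshots, asset names, log lines and CVE identifiers are constructed placeholders, and the log check (looking for lines that start with `ERROR`) is an assumed convention.

```python
"""Verify a patch rollout: diff pre- and post-patch scan results per asset,
check that the findings the rollout targeted are gone, and flag assets
whose post-patch logs show errors."""

# Constructed scan snapshots: asset -> set of finding identifiers (placeholder CVE numbers).
BEFORE = {
    "web-01": {"CVE-0000-0001", "CVE-0000-0002"},
    "web-02": {"CVE-0000-0001"},
    "db-01":  {"CVE-0000-0003"},
}
AFTER = {
    "web-01": set(),
    "web-02": {"CVE-0000-0001"},                   # the patch did not take here
    "db-01":  {"CVE-0000-0003", "CVE-0000-0004"},  # a new finding appeared
}
# Constructed post-patch log excerpts per asset.
POST_PATCH_LOGS = {
    "web-01": ["INFO service started", "INFO health check ok"],
    "web-02": ["ERROR failed to load module libexample.so: version mismatch"],
    "db-01":  ["INFO service started"],
}
# Findings this particular rollout was supposed to fix.
TARGETED = {"CVE-0000-0001", "CVE-0000-0002"}


def compare_scans(before, after):
    """Per asset: findings resolved, still present, and newly introduced."""
    report = {}
    for asset in sorted(set(before) | set(after)):
        b, a = before.get(asset, set()), after.get(asset, set())
        report[asset] = {
            "resolved": sorted(b - a),
            "remaining": sorted(b & a),
            "new": sorted(a - b),
        }
    return report


def verify_rollout(before, after, logs, targeted):
    """Return {asset: [reasons]} for every asset that needs follow-up; empty means success."""
    followups = {}
    for asset, diff in compare_scans(before, after).items():
        reasons = []
        missed = [c for c in diff["remaining"] if c in targeted]
        if missed:
            reasons.append("targeted findings still present: " + ", ".join(missed))
        if diff["new"]:
            reasons.append("new findings after patch: " + ", ".join(diff["new"]))
        errors = [line for line in logs.get(asset, []) if line.startswith("ERROR")]
        if errors:
            reasons.append(f"{len(errors)} error line(s) in post-patch log")
        if reasons:
            followups[asset] = reasons
    return followups


if __name__ == "__main__":
    for asset, reasons in verify_rollout(BEFORE, AFTER, POST_PATCH_LOGS, TARGETED).items():
        print(asset)
        for r in reasons:
            print("  -", r)
```

In the constructed data `web-01` verifies cleanly, `web-02` still shows the targeted finding and an error in its log (the rollback plan from the previous paragraph applies there), and `db-01` was not in scope for this rollout but surfaced a new finding that goes back into triage.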

End of Life Software & Virtual Patches

Still have outdated software or operating systems on your network? If so, threat actors can exploit existing or newly found vulnerabilities in them. Since end-of-life software no longer receives updates, those vulnerabilities cannot be patched at all.

If legacy software sits in front of important assets, some security teams may turn to virtual patches. With virtual patches, the security enforcement layer analyzes transactions and intercepts attacks in transit. This prevents malicious traffic from reaching the web application. While the application’s actual source code stays the same, virtual patches prevent exploitation attempts.

Virtual patches are useful, scalable and much better than emergency patching. Still, virtual patching does not address all ways in which an attacker might exploit a vulnerability. For instance, a custom rule placed on a web application firewall to block access to an at-risk web page might not protect another web page that makes use of the same code.
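The coverage gap described above, a rule tied to one web page while another page reaches the same vulnerable code, is easy to reproduce in a small model of a WAF. The following is an added example for this page, not a real WAF rule or code from the article; the route table, handler names, parameter name and request values are constructed, and the unsafe-input check (a generic directory-traversal pattern) is only an assumed stand-in for whatever condition a real virtual patch would match.

```python
"""Virtual patch scoping: a WAF-style rule tied to one URL leaves a second URL
that reaches the same vulnerable handler exposed; deriving the rule's scope
from the route table closes that gap."""
import re

# Constructed route table: two URLs are served by the same back-end handler.
ROUTES = {
    "/reports/view": "render_report",   # the page the scanner flagged
    "/admin/export": "render_report",   # same code path under a different URL
    "/about":        "static_page",
}
VULNERABLE_HANDLER = "render_report"
VULNERABLE_PARAM = "name"

# Assumed unsafe-input condition shared by both rules: a traversal sequence in the parameter.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def make_rule(paths):
    """Build a request filter that blocks unsafe parameter values on the given paths only."""
    def rule(request):
        if request["path"] not in paths:
            return False
        value = request.get("params", {}).get(VULNERABLE_PARAM, "")
        return bool(TRAVERSAL.search(value))
    return rule


# Rule scoped to the flagged page only: the mistake the article warns about.
page_rule = make_rule({"/reports/view"})

# Rule scoped to every route that reaches the vulnerable handler.
code_path_rule = make_rule({p for p, h in ROUTES.items() if h == VULNERABLE_HANDLER})


def coverage_gap(route_table, handler, rule):
    """Return routes reaching `handler` on which `rule` would let an unsafe value through."""
    probe = {"params": {VULNERABLE_PARAM: "../private/config.ini"}}  # constructed test value
    return sorted(p for p, h in route_table.items()
                  if h == handler and not rule({**probe, "path": p}))


if __name__ == "__main__":
    print("page-scoped rule leaves exposed:", coverage_gap(ROUTES, VULNERABLE_HANDLER, page_rule))
    print("code-path rule leaves exposed: ", coverage_gap(ROUTES, VULNERABLE_HANDLER, code_path_rule))
```

The useful habit this shows is to scope a virtual patch by the code path (every route that reaches the vulnerable handler) rather than by the URL the scanner happened to report, and to run a coverage check like `coverage_gap` against the route table after the rule is deployed.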

IT teams should not rely on virtual patching as a permanent fix. Instead, it can be a bridge to more comprehensive solutions such as legacy software replacement. There’s a reason CISA considers end-of-life software use as exceptionally dangerous behavior. The best thing to do is to begin planning to replace it right away. That way, it will be more likely to have patches for future software vulnerabilities, too.