The IBM X-Force Vulnerability Database (XFDB), which holds over 100,000 publicly disclosed vulnerabilities, is chock-full of insights concerning the cybersecurity threat landscape. Much of the data is publicly available directly on the IBM X-Force Exchange platform and can be accessed by users anytime.
In reviewing the database on an ongoing basis, the IBM Security Threat Research Group found a particularly interesting trend persisting over the last five-plus years. It appears there has been a near-constant decline in publicly available exploits or proof-of-concept (PoC) code for known vulnerabilities, in contrast to past trends where those exploits were made public, shown a full PoC, sold or even shared freely on hacking forums.
Figure 1 (Source: IBM X-Force Vulnerability Database)
A Double-Edged Sword
Not having the exploits publicly available to general internet users can be a good thing. It may result in fewer malicious actors adopting exploits and using them in attacks. But this sword is double-edged: It can also enable threat actors who do find exploits and know how to use them to keep them from others and deploy them in attacks that would inevitably be more surprising and damaging.
The downward trend in free, publicly available exploits has a lot to do with the growing underground economy and organized cybercrime. Due to their high demand and profitability, many exploits do not reach the public sphere and are sold on the black market on their own or as part of exploit kits.
Fewer publicly available exploits may lower risks associated with script kiddies and low-budget attackers. However, it does not decrease the risk of attackers that are willing to pay for exploit code already integrated in an easy-to-use exploit framework. While a decline in publicly available exploits is welcome news, we advise against modifying your organization’s security posture in a way that would place less emphasis on patching or managing risk of exploitable resources on your networks.
Think of it as a neighborhood crime report: A downward trend in neighborhood crime doesn’t necessarily mean it’s safe to leave your doors and windows unlocked. It would still be wise to make every effort possible to secure your home. The same can be said for enterprise networks. Another important point is that the availability of exploit code doesn’t necessarily correlate to the amount of malicious activity coming across the organization’s network, nor does it reduce the susceptibility of compromise.
An attacker only has to exploit one unpatched vulnerability to gain a foothold in a target network, potentially leading to millions of dollars in data breach costs. According to the Ponemon Institute’s “2017 Cost of a Data Breach Study,” the average cost of a breach in the U.S. is $7.35 million. For example, a major U.S. insurance company recently paid $5.5 million for a breach that occurred in 2012, resulting in the compromise of 1.2 million customer accounts, according to Healthcare IT News. Attackers had exploited a vulnerability in a third-party application for which a patch had been released three years prior to the incident.
This type of incident highlights the importance of patching older vulnerabilities, not just newer, high-profile flaws. In fact, IBM X-Force identified several attacks in 2017 that attempted to exploit vulnerabilities noted in a 2016 Dark Reading article. From 2014’s OpenSSL Heartbleed Vulnerability (CVE-2014-0160) to a 2008 remote code execution vulnerability in Microsoft Server Service (CVE-2008-4250) exploited by the infamous Conficker worm, these threats may not be as prevalent as they once were, but they are still present and can result in a breach by even the lesser breed of attackers.
Control Risk Through Patch Management
Patch management is not one of the most exciting parts of treating risk, but it is arguably one of the most important controls. The best way to reduce risks associated with vulnerabilities is to mitigate the flaws themselves. In the case of WannaCry, even if an attacker was able to connect to an open Secure Message Block (SMB) port or deliver an exploit by email, the attack could have failed if the relevant Microsoft patches had been applied on the target systems on time.
Good patch management practices usually establish installation deadlines based on multiple criteria, including the potential impact of a vulnerability, availability of details or exploit code and evidence of exploitation occurring in the wild. For example, a remote code execution vulnerability for which there are no known exploits or reports of exploitation could be considered highly important and assigned a patch installation target of one week. However, if there is an exploit publicly available or reports of exploitation in the wild, installing the available patch may be considered critical and assigned an installation window of 48 hours.
There are several publicly available systems that can be used to rate vulnerabilities. Perhaps the most notable and widely used is the Common Vulnerability Scoring System (CVSS). This well-documented system enables vendors to provide ratings for vulnerabilities and allows for further refinement of a base score by including environmental factors in the final rating.
Keeping detailed inventory of the various operating systems, servers and applications within the environment is also important for effective patch management. An inventory of assets is the very first step toward classifying and prioritizing the systems that may need patching.
Even without a complete inventory, there are some obvious targets that should always be kept up to date due to their high usage rate and high target ranking for attackers. These are operating systems and prevalent applications such as web browsers, office packages, PDF readers, Java and Flash. Security updates rated as critical or high should be installed as soon as possible, since these are arguably the most exploited attack surfaces. Unless otherwise unavoidable, unsupported operating systems or applications should not be in use. If they are, the organization must adapt mitigating controls to protect them until they can be decommissioned.
An endpoint security and management platform can help organizations gain full visibility into their constantly changing endpoint landscape while bridging the gap between threat detection and remediation. A publicly available case study shows how this type of tool helped one company reduce its patch deployment times by 80 percent.
Patch Management Is Not a Catch-All
Applying available patches in a timely fashion will greatly reduce exposure and risk. Unfortunately, this best practice can’t assist with all zero-day vulnerabilities and exploits. Furthermore, patches aren’t always available for vulnerabilities, even years after the disclosure. In fact, let’s take a look at Figure 1 again, this time adding a column showing the number of vulnerabilities disclosed each year with publicly available exploits that don’t currently have patches:
Figure 2 (Source: IBM X-Force Vulnerability Database)
Comparing 2017 to any one of the past five years reveals a worrying decline in exploitable vulnerabilities for which a patch has been issued. Within that period of time, two-thirds of the vulnerabilities with publicly available exploit code do not have patches available. That is why it’s important to build defense in depth into the overall risk mitigation program.
Vulnerability assessment and management is just one aspect — albeit a very important one — of the security immune system. It’s important to determine your organization’s specific needs when identifying appropriate controls and solutions for each case, depending on the types of systems and users the organization relies on.
Sounds overwhelming? It doesn’t have to be. We encourage seeking the guidance of security experts when making these important decisions for your enterprise and maintaining a continuum of security policies, procedures and risk management throughout the life cycle of any project.
Senior Threat and Intelligence Analyst, IBM X-Force
Lyndon Sutherland has been involved in Network Engineering and Security for more than twenty years, fourteen of which have been with IBM. His work with IBM a...