Light Dark
August 25, 2014 By Leslie Horacek 4 min read
X-Force

Today, we released the third edition of the 2014 IBM X-Force Threat Intelligence Quarterly. One of its key features was a look back over the past four months as we analyzed data and trends in the wake of Heartbleed (CVE-2014-0160), one of the most widespread and impactful security vulnerabilities of all time.

From attack trends to vulnerability scoring, this report looks at how relevant this pervasive vulnerability is today and what we can learn about mitigation strategies for similar types of attacks in the future. Additionally, the report looks at overall vulnerability trends for this period and discusses some observations and theories regarding why disclosures may be lower than those made in previous years.

The Heartbleed Disclosure

So far, the disclosure of the Heartbleed vulnerability in the OpenSSL library has been the biggest event to hit the security industry in 2014. So much has been written about this bug, and yet its effects have been so widespread that it brings a number of discussion topics to the surface.

Much emphasis has been placed on preparing for and mitigating zero-day attacks, but in the case of Heartbleed, a more interesting study occurs after disclosure, when both attackers and enterprises are racing against the clock. Attackers want to capitalize on the vulnerability as much as possible before there is a widespread patch campaign, while the enterprise is racing to ensure there are protections in place.

IBM’s Managed Security Services (MSS) witnessed attackers immediately retooling and exploiting the bug on a global scale. Once the major vendors for intrusion detection and prevention systems created protection signatures, MSS was able to see just how bad the situation had become. On April 15, 2014, MSS witnessed the largest spike in activity across the customer base, with more than 300,000 attacks in a single, 24-hour period. That is an average of 3.47 attacks per second for hundreds of customers.

Attackers Waste No Time

One-day attack methods demonstrate how quickly attackers rush to exploit a vulnerability such as Heartbleed. Just one day after the disclosure, a proof-of-concept tool capable of exploiting the Heartbleed bug began to circulate, exposing unpatched systems to skilled and unskilled attackers alike. But more troubling is the fact that also a day after the disclosure, attacks leveraging the vulnerability began to occur.

For one-day attacks, the attacker’s goal is to take advantage of the exposure window between when the patches are announced and when the patches are usually deployed.

6 Strategies to Protect Against These Attacks

The following are six strategies you can use to mitigate these types of attacks:

  1. Keep up with threat intelligence. A timely source of information on the latest threats is critical for keeping organizations informed and allowing them to respond as quickly as possible.
  2. Maintain a current and accurate asset inventory. When a critical vulnerability is publicized, you don’t have time to try to figure out where your vulnerable, exposed assets are located. Attackers are engaged in the same pursuit, and effective defense should not be a race toward discovery. As a defender, this is one area where you should have the upper hand.
  3. Have a patching solution that covers your entire infrastructure. Apply patches as soon as vendors release them, and implement a rapid burn-in procedure, including back-out plans, to make sure patches don’t break operational systems.
  4. Implement mitigating controls. Firewalls, intrusion prevention systems and endpoint protection can all help protect against new threats during the period between the vulnerability disclosure and when you’re able to apply vendor patches.
  5. Instrument your environment with effective detection. Knowing when you’re being attacked is crucial to responding as early as possible, ultimately before attackers steal or corrupt data.
  6. Create and practice a broad incident response plan. All activities related to vulnerability disclosures and active attacks must be guided by processes involving all levels of your organization and guided by clear procedures for a variety of situations. Test the procedures often to make sure you aren’t working out the kinks when an actual emergency arises.

Disclosures on the Decline

In the first half of 2014, we reported just over 3,900 new security vulnerabilities affecting 926 unique vendors. If this trend continues through the end of the year, the total projected vulnerabilities would fall below 8,000 total vulnerabilities for the first time since 2011.

However, does the current CVSS represent actual risks to networks and systems? The report discusses why this decline in total vulnerabilities might be happening and touches on the subject of the current scoring system. Inherent flaws in the current CVSS(v2) standard and a clear lack of guidelines on how to objectively assess certain types of vulnerabilities often fail to reflect the true risk a vulnerability may pose to an organization. This causes an overall loss of confidence in the CVSS score as an accurate and reliable measure of risk. This report explores the most obvious (latest) example with the OpenSSL vulnerability (Heartbleed), which was rated a medium base score of 5.0.

Download the latest research from IBM X-Force

With the number of products and systems affected, the time and attention IT teams spent patching systems and responding to customer inquiries and the potential sensitivity of the exposed data, the true impact of Heartbleed was much greater than the CVSS base score would indicate.

 |  |  |  |  |  |  |  |  |  |  |  | 
Leslie Horacek
Senior Managing Security Consultant, X-Force, IBM

More from X-Force
July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

June 13, 2024

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

June 6, 2024

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature