Cybercriminals have a 7-day window of opportunity to use vulnerabilities against a target Web site before their activity is likely to be detected or stopped with a patch, according to new research that suggests the rapid time to exploit is keeping defenders continually on the back foot.
The Tenable Research analysis – conducted on the 50 most prevalent critical and high-severity vulnerabilities encountered in the last quarter of 2017 – noted that attackers generally had a 7.3 day head start in exploiting new vulnerabilities, before defenders caught up.
Some 24 percent of analysed vulnerabilities were being actively exploited by malware, ransomware or exploit kits, the analysis noted, while 34 percent of analysed vulnerabilities had a patch available on the same day the vulnerability was disclosed.
Chronically poor patching practices – particularly in highly-targeted industries like healthcare –
Continuous vulnerability assessment offers a significant benefit in quickly identifying exposure to new vulnerabilities, and thereby in targeting patching activities. Tools from the likes of Qualys and ShiftLeft quickly produce patches for new vulnerabilities, and Flexera recently added vulnerability-assessment capabilities to its application-packaging tool.
Such tools help improve the detection of vulnerabilities and the company’s response to them, but attackers are still proving effective at remaining hidden on target networks for months after they exploit a vulnerability: FireEye’s recent M-Trends 2018 report, for one, noted that the global median time from compromise to discovery was 57.5 days last year.
To avoid this, companies need to move quickly to evaluate and minimise their exposure when a new vulnerability is detected – knowing that cyber criminals are simultaneously working towards developing an exploit for the new weakness.
Many companies spend so much time on the back foot that they never manage to get more proactive about their vulnerability management – but Tenable research director Oliver Rochford advises companies to find ways to make themselves more resilient to attack.
“We tend to forget that we have an adversary who is dictating the rules of engagement,” Rochford wrote. “While we have no control over when the attacker decides to attack, or how, we do have control over our own environment.”
Controlling your environment
Exerting that control may well require new architectural approaches to security – and Menlo Security’s Menlo Security Isolation Platform (MSIP), built around ephemeral virtual machines, offers one possible option.
MSIP leverages a cloud-based architecture that constructs a new virtual machine (VM) each time a user clicks on a Web site or email link. Each VM is destroyed once the session is finished, so any exploit that does penetrate its Linux-based architecture has only a very short lifespan – stopping intruders in their tracks.
The platform becomes more relevant given the complexity of today’s Web sites, which, Menlo Security CEO Amir Ben Efraim told CSO Australia, should really be thought of as “a family of Web sites” that includes advertising and other third-party tracking sites of varying provenance.
Many of those sites are serving ads and other content from servers that haven’t been patched “for some time,” Ben Efraim explained. “They’re just full of vulnerabilities, and they’re a pretty juicy place for a takeover. Good Web sites go bad all the time – and the Web site may have been serving malware for a few weeks before anyone figures it out.”
One 2015 study found that one-third of the top million Web sites were either vulnerable to hacking, or had already been hacked.
Connecting to these sites represents a significant risk if a company’s endpoints have unaddressed vulnerabilities, Ben Efraim said, which is why many companies have adopted the MSIP technology to handle all Web requests from their endpoints.
“Rather than let end devices connect to the Internet, we create this layer of abstraction via the cloud,” he said. “This ensures that only safe visuals are able to get to you. And the nice thing about this is that it’s definitive: we are willing to make a 100% security guarantee that nobody else in security is willing to make.”