Managed Detection and Response
Winning the Race Against the Threat of Emerging Vulnerabilities
March 28, 2024 | 4 min read
George Aquila
Product Marketing Manager
The threat of zero-day vulnerabilities is increasingly concerning for modern organizations; timely identification and effective patching are key to defending against these threats
Zero-day vulnerabilities are frequently reported on, but remain a major challenge for organizations, especially when it comes to quantifying the real threat posed by an unpatched instance of a vulnerability. In 2023 the number of disclosed zero-days, or emerging vulnerabilities (EVs)1, increased from the previous year, rising from 55 in 2022 to 69 in 2023. While this wasn’t as high as the record in 2021 (with 81 disclosures) the prevalence of zero-day vulnerabilities has been rapidly trending upwards over the last 5 years. To stay ahead of the potentially devastating impact of being breached via an emerging vulnerability, organizations must be aware of how to stay ahead of attackers.
The Zero-Day Race
When a zero-day vulnerability is disclosed, it starts a race between sophisticated threat actors and the security response capabilities of affected organizations. If attackers can identify exploitable instances of the vulnerability in a company’s infrastructure or in the infrastructure of a third party that the company is connected to, it can result in a breach with devastating consequences. The average cost of a data breach in damages rose to $5.4 million in 2023, a number that has also been trending upward in recent years.
To counteract this threat, the presence of emerging vulnerabilities must be immediately identified by affected organizations, and remediated before attackers can exploit them. Timing is key.
Unfortunately, many organizations struggle with simply identifying how and where in their digital infrastructure EVs are leaving them open to attacks. EVs can be exploited within an average of 14 days, so modern organizations must be able to respond even faster to patch and remediate these threats. Patching cadences remain notably low, however, even in enterprise organizations.
In one example, the WS_FTP vulnerability (CVE 2023-42659)
that was disclosed in late September of 2023, researchers at BlueVoyant
observed that over 50% of organizations across the IPv4 space still had
unpatched and vulnerable instances over a month after the disclosure.
When compared to the above cited average of 14 days that it takes for
attackers to exploit these vulnerabilities, many organizations are
clearly still lagging behind.
Staying Ahead of Attackers: Patching and Vulnerability Remediation
As dangerous EVs can be, staying ahead of the threat is far from impossible. The first step in defending your organization from a newly disclosed EV is awareness: a security response team must be able to quickly identify all the assets within a digital infrastructure that host instances of the affected software, hardware or service.
To do this, you must be able to maintain a comprehensive view of your digital ecosystem through a “footprint” or mapping of your externally visible IT infrastructure. Good software and service inventory practices can be the key in identifying which systems are affected by a vulnerability once it is disclosed.
The Common Vulnerability Scoring System (CVSS) serves as a valuable tool in aiding organizations in determining the severity of disclosed vulnerabilities. It can form the backbone of an assessment, providing a way to capture the principal characteristics of a vulnerability and produces a numerical score to reflect its severity. However, one significant drawback is that the evaluation and publishing process can take days or even weeks. By the time CVSS scores are published, a staggering 65% of vulnerabilities are already being exploited.
Nevertheless, CVSS scores are still important prioritization tools for triaging and determining the need for patching a specific vulnerability, especially if patching is a decision that must be weighed against important business disruptions and service downtime.
Some general best practices for mitigating emerging vulnerabilities include:
- Ensure timely and effective patching across your organizations and your third-party ecosystem. Patching safeguards your organization and provides a defense for those engaging with you.
- Leverage continuous monitoring services to identify vulnerable instances of newly disclosed vulnerabilities in your third parties to ensure that third parties are aware of those instances.
- Make sure you are following up with third parties to confirm patching and vulnerability closures.
- Consider that externally facing assets are the most vulnerable first line of attack vectors, so prioritize patching vulnerabilities on those assets.
- Ensure visibility and cataloguing of all digital assets, including even inactive assets such as parked domains
Getting a Head Start
The need to rapidly identify and mitigate zero-day threats will only increase as time goes on. As highlighted in the case of the WS_FTP vulnerability, many organizations are still struggling to stay ahead of attackers, largely due to the inability to promptly identify and remediate them. This is doubly true for vulnerabilities in their third-party ecosystems, where a breach can have equally devastating consequences.
For organizations that face this looming threat, modern third-party cyber risk monitoring solutions like BlueVoyant Supply Chain Defense (SCD) can assist in both rapidly identifying and alerting on the presence of the externally visible emerging vulnerabilities in both client environments and in your third-party suppliers.
As part of its Supply Chain Defense platform, BlueVoyant leverages unique AI and machine-learning technology that predicts the severity or score of a new CVE with consistent accuracy in the minutes after the disclosure. This means that instead of waiting days and potentially being open to exploit, BlueVoyant customers can start remediating vulnerabilities the same day that a new potentially critical CVE is announced. Analysts from BlueVoyant’s Risk Operation Center and Threat Teams work with you and your third parties to ensure that these vulnerabilities are patched and mitigated, cutting off the opportunity for threat actors to compromise your business and critical supply chain.
When timing is key, adopting robust, comprehensive approaches to dealing with emerging vulnerabilities is essential for organizations to protect their digital infrastructure.
Related Reading
Digital Risk Protection
From Zelle to Your Wallet: The Mechanics of Third-Party Phishing
September 12, 2024 | 3 min read
Managed Detection and Response
Forrester Study: BlueVoyant MDR Delivered a 210% Return on Investment for Clients Through Effective Threat Detection and Response, Optimized SecOps Spending, and Reduced Breach Incidence
September 10, 2024 | 5 min read