Attackers are opportunistic. Adversaries seek out security gaps hiding in plain sight, targeting known vulnerabilities in assets organizations haven’t patched yet to reach their critical data. And it’s working. According to recent research, unpatched vulnerabilities and exposed risky services, such as Remote Desktop Protocol (RDP) reachable from the internet, account for 82% of successful attacks.
So, how can you better protect your organization from cybercriminals? The best offense is a good defense – think like a cybercriminal to reduce cyber risk.
Change your focus to cyber exposure
Adversaries know that most security teams are overwhelmed by the number of vulnerabilities in their environment and behind on patching. Many organizations still rely on traditional approaches to vulnerability management: infrequent scheduled scans and prioritization by the CVSS base score, which measures a vulnerability’s intrinsic severity rather than the risk it poses to a particular organization. The recent updates to the CVSS methodology do not change this in practice, because the threat and environmental metrics that would adjust the base score are seldom populated. The bottom line is that security teams remain swamped, always playing a game of catch-up with no end in sight.
According to our 2023 trends report, there were 25,096 new vulnerabilities in 2022, a 25% jump from 2021. And we expect the growth will continue in the years to come, giving adversaries many options.
Adding insult to injury, security teams remain understaffed. The Verizon Data Breach Investigations Report indicates an organization’s median patch time for critical vulnerabilities is 49 days after the vulnerability is discovered. Given that most organizations scan once a month (or quarter) and only 16% of vulnerabilities in 2023 were deemed critical, you can imagine how long it takes to patch vulnerabilities of lesser severity. Cybercriminals have learned to use this to their advantage, often targeting exposures with lower CVSS scores that sit at the back of the patch queue.
It is also worth noting, per CISA, “many vulnerabilities classified as ‘critical’ are highly complex and have never been seen exploited in the wild – in fact, less than 4% of the total number of CVEs have been publicly exploited.”
This is why organizations need to adjust their strategy for vulnerability management and start looking at factors beyond the CVSS rating. For example, a modern continuous vulnerability management solution weighs whether the vulnerability has actually been exploited in the wild (CISA’s Known Exploited Vulnerabilities catalog and FIRST’s EPSS probability are two public signals for this), which can be far more useful to a team than the CVSS rating alone. Rethinking how, and what, you prioritize is the first way to get ahead of cybercriminals.
Look for alternatives to vulnerability remediation
Patching systems and applications is an important remediation step when mitigating vulnerability risks. Still, we also know taking a machine offline, even for routine security maintenance such as patching, results in downtime that impacts operational productivity and can also mean a service interruption for customers (think energy sector). And with every patch, there’s a risk that a new vulnerability may be introduced into the environment.
It’s critical to do due diligence regarding patch management, but it’s also essential to act fast on high-risk vulnerabilities. As CISA notes, “threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% of known exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.” Time is always of the essence.
While you may be unable to increase the frequency of scans or shorten your patch management SLAs, you can look for other ways to mitigate the risks that might leave you open to a breach. For example, continuous scanless evaluations give you visibility into vulnerabilities in your environment as they are published, surfacing risks that would otherwise only be found at the next periodic scan (typically monthly or quarterly). This shrinks the vulnerability “awareness gap” from months to less than a day. It also gives you a head start on finding compensating controls that mitigate “patch lag”, the risk you carry between patch cycles.
As you reflect on your organization’s defenses, take a page from the attackers’ playbook: Don’t work harder – work smarter.
- Prioritize vulnerability remediations based on more than just the CVSS score: include reachability (can an attacker actually get to the vulnerable service?), evidence of exploitation in the wild, and the importance of the affected asset.
- Use attack simulations to proactively test the environment for attack paths, mimicking common methods attackers may use to access your network.
- Test changes before deployment to verify new exposures are not inadvertently introduced.
- If you use multiple scanners, ensure your vulnerability management solution integrates across scanning tools to dedupe and normalize vulnerability data for the most effective vulnerability remediation prioritization.
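As an added illustration of the prioritization the list above describes, and of the “beyond CVSS” point made earlier in this post, here is a small Python scorer. It is not part of this post or of any vendor product. It assumes constructed findings from two hypothetical scanners, placeholder CVE IDs, and hand-typed exploitation, EPSS and asset data standing in for the real CISA KEV, FIRST EPSS and CMDB feeds; the weights are arbitrary assumptions chosen to make the resulting order visible.

```python
"""Risk-based prioritization of deduplicated scanner findings (added example).

All input below is constructed for illustration; the CVE IDs are placeholders,
not real vulnerabilities, and the scoring weights are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str
    host: str
    cve: str
    cvss: float


@dataclass
class Prioritized:
    host: str
    cve: str
    cvss: float
    score: float
    sources: tuple
    reasons: tuple


# Constructed findings from two hypothetical scanners. Note the duplicate
# (different host/CVE casing) and the CVSS rounding difference between tools.
RAW_FINDINGS = [
    Finding("scanner-a", "dmz-rdp-01", "cve-2099-0001", 7.2),
    Finding("scanner-b", "DMZ-RDP-01", "CVE-2099-0001", 7.2),
    Finding("scanner-a", "db-core-02", "CVE-2099-0002", 9.8),
    Finding("scanner-b", "lab-vm-17", "CVE-2099-0003", 9.1),
    Finding("scanner-a", "lab-vm-17", "CVE-2099-0003", 9.0),
]

# Constructed threat context. In practice, pull KEV membership from CISA's
# Known Exploited Vulnerabilities catalog and probabilities from the EPSS feed.
KNOWN_EXPLOITED = {"CVE-2099-0001"}
EPSS = {"CVE-2099-0001": 0.92, "CVE-2099-0002": 0.03, "CVE-2099-0003": 0.01}

# Constructed asset context: reachability from the internet and business value.
ASSETS = {
    "dmz-rdp-01": {"internet_exposed": True, "criticality": 3},
    "db-core-02": {"internet_exposed": False, "criticality": 3},
    "lab-vm-17": {"internet_exposed": False, "criticality": 1},
}


def normalize(findings):
    """Merge findings from several scanners into one record per (host, CVE)."""
    merged = {}
    for f in findings:
        key = (f.host.strip().lower(), f.cve.strip().upper())
        entry = merged.setdefault(key, {"cvss": 0.0, "sources": set()})
        entry["cvss"] = max(entry["cvss"], f.cvss)  # keep the highest reported score
        entry["sources"].add(f.scanner)
    return merged


def score(host, cve, cvss):
    """CVSS adjusted by exploitation evidence, reachability and asset value.

    The additive boosts and the criticality multiplier are assumed weights.
    """
    asset = ASSETS.get(host, {"internet_exposed": False, "criticality": 1})
    reasons = []
    s = cvss
    if cve in KNOWN_EXPLOITED:
        s += 5.0
        reasons.append("in KEV")
    if EPSS.get(cve, 0.0) >= 0.1:
        s += 2.0
        reasons.append(f"EPSS {EPSS[cve]:.2f}")
    if asset["internet_exposed"]:
        s += 3.0
        reasons.append("internet-exposed")
    s *= asset["criticality"]
    reasons.append(f"criticality x{asset['criticality']}")
    return round(s, 1), tuple(reasons)


def prioritize(findings):
    """Return deduplicated findings ordered from most to least urgent."""
    out = []
    for (host, cve), entry in normalize(findings).items():
        s, reasons = score(host, cve, entry["cvss"])
        out.append(Prioritized(host, cve, entry["cvss"], s,
                               tuple(sorted(entry["sources"])), reasons))
    return sorted(out, key=lambda p: p.score, reverse=True)


if __name__ == "__main__":
    for p in prioritize(RAW_FINDINGS):
        print(f"{p.score:6.1f}  {p.host:12} {p.cve}  CVSS {p.cvss}  "
              f"{', '.join(p.reasons)}  [{'+'.join(p.sources)}]")
```

Run as written, the CVSS 7.2 finding on the internet-facing RDP host comes out on top because it is known-exploited, reachable and on a critical asset, while the CVSS 9.8 finding on the isolated database and the 9.1 on the lab VM rank below it. Swap the hand-typed dictionaries for the live KEV, EPSS and asset feeds and the same logic becomes the prioritization rule the list above calls for.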
Skybox Vulnerability Control, as a part of the Continuous Exposure Management platform, takes a different approach than the traditional vulnerability management solutions. We significantly reduce the noise by immediately identifying vulnerabilities as they are published, prioritizing the most critical vulnerabilities, and automatically recommending mitigation and remediation options.