From what we’ve seen in movies and pop culture, the common consensus of a typical hacker is an individual sitting in a dark room in a basement somewhere creating a custom zero-day virus that is so brilliantly coded that it’s impossible to detect and stop. The world’s networks are a genius hacker’s playground allowing them to go in wherever and whenever they please. We begin to fear the zero-day attack as if it’s our biggest threat that will take us all down. You’ve likely read news articles about the latest zero-day exploits spreading across the web. These exploits are great news headlines, but zero-day attacks aren’t the most dangerous enemy to your organization – patches are.
This misconception could be nothing further from the truth
The reality is most hackers base their attack methodology on trajectories already created by a small number of talented attackers that have previously discovered a weakness and found a way to exploit it. This may have been accomplished through extensive research or simply coming across a vulnerable misconfiguration in the code. From there, public tools and exploits will begin to surface and make the life of future potential attackers a lot easier, so pretty much anyone can come after your personal network or organization’s architecture. As it turns out, zero-day malware really only makes up a very small percentage of attacks.
Beware of the zero-day exploit
According to the most recent Microsoft Security Intelligence Report, the overall malware encounters saw a decrease in 2018. Microsoft accredits this decrease to good computer hygiene and high user security education and awareness. The 2018 Symantec Internet Security Threat Report states that the use of zero-day attacks continue to fall out of favour. In fact, only 27 percent of the 140 targeted attack groups that Symantec tracks have been known to use zero-day vulnerabilities at any point in the past.
In most cases, zero-days aren’t really used extensively in attacks against a large number of potential victims because as soon as they are executed with any frequency they are identified and usually reported to the software vendor and anti-virus vendors to be added to the antivirus updates. A high risk zero-day can be worth thousands of dollars and some have brought in large bounties in the range of one hundred thousand dollars. The point being that the “zero-day” won’t be a zero-day for much longer as the known vulnerability has now been discovered and a patch will soon be released.
Why don’t we just patch everything all the time then?
You may think to yourself that it’s great news that zero-day malware is not that frequently released, but it’s actually the opposite. Issues relating to missing security patches is an extremely common finding within many of our tested networks, which almost always leads to successful exploitation.
The two basic types of security paradigms
According to one of our favourite security authors, Bruce Schneier, there are two basic paradigms of security. The first is based on the real world of dangerous technologies. They all belong to a world of rigorous testing, security certifications, and licensed engineers. They must adhere to an expensive safety testing process. Consider how much testing a new drug must go through before it is allowed to go market. Any change to these items must go through the same expensive strict process. We go through this expensive process each time because the costs of getting it wrong are too great. While it’s impossible to eliminate all risks completely, the process is implemented to help mitigate risk by focusing most of the effort on the initial up-front work.
Now consider the alternative security paradigm (the second of Schneier’s aforementioned paradigms) that’s based on the quick moving, easily compatible, highly complex – yet largely benign – world of software. The objective of this model is to try and ensure we can update our systems quickly whenever security vulnerabilities are discovered. Our goal is to try and build systems that are survivable, can recover from an attack easily and quickly, can adapt to changing threats, and possibly mitigate the attacks when possible.
Conflicting Security Paradigms
These two paradigms are colliding dramatically. Bruce Schneier states in his book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World” that there are undiscovered vulnerabilities in every piece of software. They lie dormant for months and years, and new ones are discovered all the time by everyone from companies to governments to independent researchers to cybercriminals.
Why is Patch Management essential?
New patches are released every month to the public, and with them the vulnerability is often also disclosed with it. Isn’t this an excellent opportunity for an attacker to spend their time trying to find potential victims that were not quick enough to apply the new update? If you take into consideration that 16,555 CVE security vulnerabilities were published in 2018 alone you begin to see that having known vulnerabilities can easily become the weakest link in your software security. Everyone knows that patches are time and effort intensive. In fact, according to a recent study, organizations spend on average 18,000 hours and a cost of $1.1 million dollars on patching related activities.
In addition to all this effort, publicly accessible exploits for recent vulnerabilities are being published in the wild even quicker. A study from the Ponemon Institute found that 57% of cyberattack victims stated that applying the patch would have prevented the attack while 37% admitted to knowing about the vulnerability before the attack. Additionally, more than half of all security professionals studied acknowledged their organization is at a disadvantage because of the reliance on manual processes to respond to vulnerabilities related to patching. This makes a strong patch program even more important, as a failure to having one will leave your organization open to attack.
The threat moves from zero-day to patching vulnerabilities
Instead of focusing on the latest zero-day exploits, organizations should focus on implementing patch management best practices:
- Keep an inventory of your systems
- Keep up with vendor announcements
- Test your patches, mitigate where you can’t patch and act quickly to patch your own applications
- Use automation to keep vulnerabilities from becoming vulnerabilities in your applications.
As a penetration testing company, our team of highly skilled security consultants customize every engagement by adjusting our focus to fit the client’s needs. We can be a great resource for any organization that is having challenges in identifying how effective their patch management system is performing.
We understand that no one client’s architecture or application fits into a predefined box and will require an adaptive testing methodology to develop a solution that works best for your organization. Our consultants are proficient at adapting to our clients’ environments and have familiarity with a variety of tools, techniques, and targets. At Packetlabs, our first priority is to locate and mitigate our clients’ security vulnerabilities before they are potentially exploited by an attacker.