Researchers say the average time it takes threat actors to exploit vulnerabilities, whether before or after public disclosure, continues to fall.
Mandiant researchers analyzed 246 vulnerabilities that were disclosed in 2021 and 2022 and tracked as exploited in the wild, and found that the average time-to-exploit (TTE) is decreasing, with exploitation most likely to occur before the end of the first month after a patch is released. This continues a trend seen over the past few years: between 2018 and 2019 the average TTE was 63 days, and in 2020 to early 2021 it fell to 44 days.
“For 2021 and 2022, we saw a continued, notable decrease in TTE to 32 days, about 75% of the previous two years,” said Casey Charrier and Jared Semrau, researchers with Mandiant, in a Thursday analysis. “Given that the proportion of n-days to zero-days was practically identical (38:62 as opposed to 39:61), the time between disclosure and exploitation is consistently trending downward.”
This timeframe has been closely studied by researchers across the security community as a way to measure how quickly attackers are able to exploit flaws once those flaws become known. Understanding the trend helps organizations set realistic patching and remediation strategies. In a report released earlier this year, for example, Rapid7 researchers looked specifically at exploitation after public disclosure and found that half of the flaws they analyzed were exploited within seven days of public disclosure in 2022, a 12 percent increase over 2021.
Behind the Numbers
Several factors affect these figures. Mandiant's TTE covers exploitation both before and after public disclosure, but first-exploitation dates are often not published at all or are given only as vague timeframes, so the underlying data points carry some uncertainty.
One major factor is the split between zero-day and n-day exploitation. Researchers said that zero-day usage has driven the decrease in the TTE average, but continued exploitation of n-day vulnerabilities also shapes the timeframe. For instance, Mandiant researchers noted that between 2020 and early 2021, 41 percent of n-day flaws were exploited within weeks of disclosure, while in 2021 to 2022, 44 percent of n-day bugs were exploited within two months.
“This suggests that n-day exploitation timelines may have grown slightly, but the high proportion of zero-days seen across the last two years, especially in 2021, skewed the total TTE average,” said researchers. “This TTE average also accounts for seven unpatched vulnerabilities, for which we capped TTE timelines at the end of their respective years. If we had not capped the TTE timelines for those seven unpatched vulnerabilities, the average TTE would drop from 32 to 20 days.”
When looking at zero-day timeframes, researchers also took into account how quickly patches followed exploitation. They found that most of the 153 zero-days in 2021 and 2022 were remediated promptly, with 101 of them patched within the first week of first known exploitation; only 23 percent were patched more than a month after first known exploitation.
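To make the methodology behind these figures concrete, here is an added example (not Mandiant's code or data) that computes a TTE average, the effect of capping unpatched vulnerabilities at year end, the count of n-days exploited within a given window, and the count of zero-days patched within a given window, over a small constructed set of records. It assumes TTE is the absolute number of days between patch availability and first known exploitation, so zero-days and n-days both contribute non-negative values, and that an unpatched vulnerability is capped at 31 December of the year it was first exploited; that reading is an interpretation of the article's description, not Mandiant's published definition. The `Vuln` class, the record names and every date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    name: str                   # constructed label, not a real identifier
    patched: Optional[date]     # None: no patch existed by the end of the year
    first_exploited: date       # first known in-the-wild exploitation


def exploit_class(v: Vuln) -> str:
    """'zero-day' if first exploitation precedes any patch, otherwise 'n-day'."""
    if v.patched is None or v.first_exploited < v.patched:
        return "zero-day"
    return "n-day"


def tte_days(v: Vuln, cap_unpatched: bool = True) -> Optional[int]:
    """Assumed TTE: absolute days between patch availability and first exploitation.

    An unpatched vulnerability has no patch date, so with cap_unpatched=True its
    TTE runs from first exploitation to 31 Dec of that year (the capping the
    article describes); with cap_unpatched=False it is excluded (None).
    """
    if v.patched is None:
        if not cap_unpatched:
            return None
        cap = date(v.first_exploited.year, 12, 31)
        return (cap - v.first_exploited).days
    return abs((v.first_exploited - v.patched).days)


def average_tte(vulns: Iterable[Vuln], cap_unpatched: bool = True) -> float:
    """Mean TTE over the records that have a usable value."""
    values = [t for v in vulns if (t := tte_days(v, cap_unpatched)) is not None]
    return sum(values) / len(values)


def nday_exploited_within(vulns: Iterable[Vuln], days: int) -> int:
    """Number of n-days first exploited no more than `days` after the patch."""
    return sum(1 for v in vulns
               if exploit_class(v) == "n-day" and tte_days(v) <= days)


def zero_day_patched_within(vulns: Iterable[Vuln], days: int) -> int:
    """Number of zero-days that received a patch no more than `days` after exploitation."""
    return sum(1 for v in vulns
               if exploit_class(v) == "zero-day" and v.patched is not None
               and tte_days(v) <= days)


# Constructed sample: the dates are invented to exercise each case.
SAMPLE = [
    Vuln("sample-1", date(2022, 3, 1), date(2022, 3, 10)),     # n-day, 9 days after patch
    Vuln("sample-2", date(2022, 5, 2), date(2022, 9, 15)),     # n-day, 136 days after patch
    Vuln("sample-3", date(2022, 6, 8), date(2022, 6, 5)),      # zero-day, patched 3 days later
    Vuln("sample-4", date(2022, 2, 14), date(2021, 12, 20)),   # zero-day, patched 56 days later
    Vuln("sample-5", None, date(2022, 4, 1)),                  # unpatched, capped at 2022-12-31
]


if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name}: {exploit_class(v):8s} TTE={tte_days(v)} days")
    print("average TTE, unpatched capped at year end:", average_tte(SAMPLE))
    print("average TTE, unpatched excluded:          ", average_tte(SAMPLE, cap_unpatched=False))
    print("n-days exploited within 30 days of patch:", nday_exploited_within(SAMPLE, 30))
    print("zero-days patched within 7 days:         ", zero_day_patched_within(SAMPLE, 7))
```

On this sample the cap matters as much as the article says it does for the real data: the single unpatched record contributes 274 days and pulls the average from 51 to just under 96, which is why a capped average should always be reported alongside the uncapped one.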
“This reinforces the need for organizations to utilize multiple strategies when trying to protect against zero-day exploitation, as a well-rounded, defense-in-depth strategy is often needed when remediations do not yet exist,” said researchers. “It is also important to acknowledge that a vulnerability’s first exploitation is not necessarily its last… Mandiant has identified many vulnerabilities that are still not only used long after initial exploitation, but also after patches were made available. This demonstrates the importance of patching vulnerable systems, even when well after the initial patch was released.”
Mandiant researchers said that exploitation is most likely within the first month after an initial patch is released: 29 n-day vulnerabilities were first exploited within a month of disclosure, versus 23 that were first exploited more than six months after it.
Although vulnerabilities become less likely to be exploited as months pass after a patch is issued, attackers still exploit known flaws long after discovery and disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted in August that many of the flaws routinely exploited last year were disclosed in 2021 or earlier, including the Log4j flaw from 2021, the ProxyShell bugs from 2021 and a Fortinet SSL VPN flaw from 2018.
“A key takeaway from this is that while threat actors generally prefer newer vulnerabilities, they will not completely shy away from vulnerabilities due to age and public knowledge; threat actors still value using already known and documented vulnerabilities as opposed to discovering new ones,” said Mandiant researchers. “While it may be tempting to ignore patches that haven’t been implemented within their first year, there are actors ready to target unpatched systems.”