Vulnerability management is often described as a race, where enterprise defenders try to patch vulnerabilities before they can be exploited, and attackers try to exploit the flaws while the systems are still vulnerable. The latest research from Kenna Security and Cyentia Institute found that attackers have a head start over defenders if the exploit code is available for a vulnerability before a patch is released. However, that didn’t mean that defenders didn’t benefit from having the code before a patch.
When exploit code is available “in the wild,” it gives attackers a 47-day head start on their attacks, Kenna and Cyentia said in the sixth volume of the Prioritization to Prediction report. Depending on whether exploit code was released first or a patch was released first, there were periods when attackers had the momentum to carry out their attacks and when defenders had the momentum to remediate their systems and defend against attacks. Over the 15-month study period, attackers had the upper hand for nine months, while defenders had the advantage for six months.
“[The] timing of exploit code release can shift the balance in favor of attackers or defenders,” said Ed Bellis, CTO of Kenna Security.
There were more than 17,000 CVEs published in 2019, but just 473 were actually exploited in the wild, the researchers found. This is consistent with earlier research from Kenna and Cyentia that found that only a small subset of vulnerabilities get exploited in attacks. This volume focused on the 473 publicly exploited vulnerabilities to compare the timeline of exploit development with how vulnerabilities are managed. For the purpose of this research, exploit code includes attack code developed by adversaries, as well as proof-of-concept code that may accompany a disclosure report and tests that allow defenders to determine whether their systems are vulnerable.
The analysis—which drew on data compiled by Kenna Security from its various services and data collected by Fortinet’s security appliances—found that exploit code was already available for more than 50 percent of the vulnerabilities (those eventually exploited in the wild) by the time their CVEs were published. On the other side of the ledger, 80 percent of those CVEs were published on the same day the patches were released. While there is strong evidence that early disclosure of exploit code gives attackers an advantage, that doesn’t mean that defenders don’t benefit from having access to the exploit code before a patch.
One long-held assumption in security is that if a vulnerability is being exploited in the wild, everyone should consider themselves under attack. The perception is that the "probability of exploitation goes from 0 to 1 overnight," the researchers wrote. However, an exploit in the wild did not mean that attacks were “raging hog wild across the internet.”
Exploited in the wild does not mean widely exploited, Cyentia co-founder Jay Jacobs said. Just 6 percent of the vulnerabilities being exploited in the wild were found in attacks against more than 1 out of 100 organizations. Less than 1 percent were in attacks against 1 out of 3 organizations, which would be an example of a "spray and pray" attack, where adversaries launch indiscriminate attacks against a large pool of victims. About three-quarters of the publicly exploited CVEs were found in attacks against 1 in 11,000 organizations.
“Exploited in the wild does not necessarily mean you are exploited,” Bellis said.
How to Disclose?
That 47-day advantage makes it tempting to argue that disclosing vulnerabilities and developing proof-of-concept exploit code before a patch is released is irresponsible. But the data doesn’t quite go that far, Cyentia co-founder Jay Jacobs said. It is possible that releasing a proof-of-concept makes it easier to detect that an attack is in progress, not that it makes it easier to launch an attack. Perhaps the attacks had already been in progress, but there was no way to detect them beforehand. Release of the code made detection possible, because the defenders now had a way to find the attacks.
The disclosure debate will continue, Jacobs said.
Understanding the Lifecycle
The analysis looked at the lifecycle of a vulnerability—when it was discovered, when a CVE was reserved, when the details of the vulnerability were published (as a CVE), when a patch was released, when the flaw could be detected by vulnerability scanners, and when it was exploited—and found that in most cases, there wasn’t a clear pattern. Just 16 percent of the CVEs followed that sequence of events in that order. Sometimes the vulnerability was exploited in the wild before a patch was available. Sometimes the exploit code was available before the CVE was published. Sometimes, especially in the case of coordinated disclosure, all of these steps happen on the same day, or within days of each other.
“There is no standard order of operations,” Bellis said.
As noted earlier, about 60 percent of vulnerabilities have a patch before the CVE is officially published. About 24 percent of the time, exploit code was public before the patch was released. About 10 percent of exploitations (the last step in the lifecycle) occurred before a patch was available.
Over 80 percent of vulnerabilities have a patch within a few days following the publication of the CVE. Within two days of the patch being released, nearly 80 percent of vulnerabilities can be detected by scanners.
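As an added illustration (not code from the report or from this article), the following Python sketches how the lifecycle ordering and the exploit-code head start described above could be computed from per-vulnerability event dates. The timelines and the VULN-* names are constructed placeholders, not real CVEs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lifecycle events in the order the report treats as the "expected" pattern.
EXPECTED_ORDER = ("discovered", "reserved", "published", "patched", "detectable", "exploited")
@dataclass
class Lifecycle:
    name: str
    discovered: date   # flaw discovered
    reserved: date     # CVE id reserved
    published: date    # CVE details published
    patched: date      # vendor patch released
    detectable: date   # vulnerability scanners can detect it
    exploited: date    # first observed exploitation in the wild
    exploit_code: Optional[date] = None  # public PoC/exploit code, if any

    def follows_expected_order(self) -> bool:
        # True when no lifecycle event happened earlier than the one before it.
        dates = [getattr(self, event) for event in EXPECTED_ORDER]
        return all(a <= b for a, b in zip(dates, dates[1:]))

    def head_start_days(self) -> Optional[int]:
        # Days attackers had public exploit code before a patch (negative = patch first).
        if self.exploit_code is None:
            return None
        return (self.patched - self.exploit_code).days

def lifecycle_stats(records):
    # Share of records (in percent) falling into each ordering the report measures.
    n = len(records)
    pct = lambda cond: round(100 * sum(1 for r in records if cond(r)) / n, 1)
    return {
        "expected_order_pct": pct(lambda r: r.follows_expected_order()),
        "patch_by_publish_pct": pct(lambda r: r.patched <= r.published),
        "code_before_patch_pct": pct(lambda r: r.exploit_code is not None and r.exploit_code < r.patched),
        "exploited_before_patch_pct": pct(lambda r: r.exploited < r.patched),
    }

# Constructed sample timelines (placeholder names, not real CVEs).
SAMPLE = [
    Lifecycle("VULN-A", date(2019, 1, 10), date(2019, 1, 12), date(2019, 3, 5), date(2019, 3, 5),
              date(2019, 3, 6), date(2019, 4, 1), exploit_code=date(2019, 3, 20)),
    Lifecycle("VULN-B", date(2019, 5, 1), date(2019, 5, 2), date(2019, 5, 10), date(2019, 6, 20),
              date(2019, 6, 21), date(2019, 6, 1), exploit_code=date(2019, 5, 10)),
    Lifecycle("VULN-C", date(2019, 7, 1), date(2019, 7, 3), date(2019, 8, 15), date(2019, 8, 15),
              date(2019, 8, 16), date(2019, 7, 20)),
    Lifecycle("VULN-D", date(2019, 9, 1), date(2019, 9, 1), date(2019, 9, 10), date(2019, 9, 12),
              date(2019, 9, 13), date(2019, 10, 1), exploit_code=date(2019, 9, 25)),
]
```

Run on a real feed of per-CVE event dates, the same functions give the ordering percentages the report cites and flag the records where attackers had a head start.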
"Companies are, for the most part, issuing patches when researchers point them out," Bellis wrote in the blog post. "[Defenders] know where the vulnerability exists across their assets and have the means (the patch) to begin remediating it."