Patching without Prioritization isn’t Working

 Businesswoman holding tablet pc entering password. Security concept

Detection dates and continued scanning don’t solve the root cause of the problem: how do you determine which CVEs are likely to be targeted and must be patched?

Recent media reports a drastic surge in attacks against Microsoft’s IIS web server totaling 1.7 million attacks in the second quarter of 2018, up an incredible 850% from the 2,000 recorded in the first quarter of this same year. Most of the attacks are attributed to two vulnerabilities that are often used in tandem:

  • an Oracle middleware vulnerability (CVE-2017-10271)
  • an IIS code execution vulnerability (CVE-2017-7269)

There is no correlation between detection date and attack date.

Both CVEs were identified in 2017 but were not weaponized until 2018, highlighting that detection date is not useful when determining that an attack is likely to occur.

Is it surprising that two vulnerabilities from the prior year account for a surge of over a million attacks? Actually not – Fortinet reported that 90% of companies suffered a breach due to a vulnerability over 3 years old (full disclosure: CYR3CON is a Fortinet partner). The date of vulnerability detection gives no clues when attempting to determine if an attack is likely or even probable.

Patching is a numbers game - it’s almost impossible to keep up.

A second factor impacting successful patching is simply the sheer volume of CVEs identified and reported each year. NIST reported over 11,000 vulnerabilities in 2018 before the end of the third quarter was reached. Is it surprising that patch management falls behind? Even for mission-critical web platforms? We previously discussed why this is a challenge after the Equifax breach.

Getting Serious about Patching

With 1,000’s of CVEs constantly being identified and detection date of no relevance, how should companies protect themselves? Prioritizing patching of CVEs likely to be targeted is the best path forward.

CYR3CON Priority automatically identified hacker discussion and ranked both vulnerabilities as “Nearly Certain” to be weaponized by hackers – the system made the assessment on CVE-2017-7269 in May 2017 and in January 2018 for CVE-2017-10271.  First assessments (status of Likely) were made in March and December of 2017 respectively for the two vulnerabilities.

Hacker discussions relating to the vulnerabilities often centered around crypto currency mining.  Hence, it was not surprising to see crypto mining attacks using the IIS vulnerability in April 2018 – nearly a year after the CYR3CON platform assessed the vulnerability as being “Nearly Certain” to be weaponized. But the attacks went beyond crypto-mining – the IIS vulnerability was also used in large-scale supply chain information theft that were discovered in July 2018.

Patch prioritization needs to become part of the cyber security playbook. Arming companies, clients and partners with the information needed to prioritize patching and improve exploitation resistance is the newest weapon in the cyber security arsenal.