Qualys is a sponsor of TechSpective
Cyber attacks target vulnerabilities. That is a simple, common sense reality that shouldn’t need to be pointed out. However, organizations often struggle to patch efficiently and do a poor job of understanding emerging threats. The threat landscape has shifted and accelerated, and organizations need to be more proactive threat hunting to avoid having those vulnerabilities exploited.
Known Vulnerabilities Increasing
At the Qualys Security Conference in Las Vegas last week, Chris Carlson, VP of Product Management for Qualys, presented a session titled, “Threat Hunting with Qualys: Going Beyond Your EDR Solutions.” He began the presentation with an overview of the challenges organizations face just trying to keep up with known vulnerabilities.
Carlson noted that there have been more than 14,000 new vulnerabilities disclosed in 2017, 2018, and 2019. That’s nearly 50,000 vulnerabilities in just three years, and 30% to 40% of those have been ranked as “High” or “Critical” in severity. Combine that with the fact that wormable vulnerabilities are increasing, and that attackers are accelerating the mean time to weaponize newly discovered vulnerabilities and it’s easy to see why organizations struggle.
BlueKeep Becomes the Next WannaCry
To illustrate the point, Carlson walked through the relatively rapid evolution of BlueKeep. Microsoft issued warnings in May about the BlueKeep vulnerability—a threat that Microsoft took so seriously that it issued the first patch in years for the long-unsupported Windows XP. The US government announced in mid-June that it had achieved remote code execution against the BlueKeep vulnerability and issued an alert for organizations to take action to patch the vulnerability. About a month later, a US company was selling a weaponized BlueKeep exploit as part of a commercial exploit kit. At the beginning of November, the BlueKeep attack the US government warned about in June became a reality and vulnerable Windows systems around the world were compromised with cryptominer software.
The good news is that this BlueKeep attack seeks out and targets systems with the Remote Desktop Service—port 3389—exposed to the internet. It’s also a relatively benign payload. A more pervasive exploit is still a possibility, and future attacks against BlueKeep might have more malicious outcomes.
The bad news is that Microsoft announced a newer threat in August dubbed DejaBlue. DejaBlue is similar to BlueKeep—a wormable vulnerability in RDP. The main difference between BlueKeep and DejaBlue is that the DejaBlue affects newer Windows versions—Windows 7 and later. So, organizations that may have been safe from BlueKeep are now potentially at risk from DejaBlue unless they close RDP or patch the vulnerabilities.
Proactive Threat Hunting Can Reduce Your Attack Surface
Carlson talked about how to the limitations of endpoint protection, and how to better protect the company’s “crown jewels.” He shared a number of assumptions and statements related to effective threat hunting:
- Every machine can be compromised – it only takes one
- Every Remote Code Execution (RCE) vulnerability can be exploited
- Attackers use local privilege escalation and credential harvesting to move laterally
- System misconfigurations are often overlooked and easy to exploit
- Network segmentation is rarely used internally due to complexity of managing properly
- All attacks are not equal: Can adversaries reach my critical servers?
The last point is crucial. Part of what makes cybersecurity overwhelming is treating every threat and every asset the same. Effective cybersecurity requires being able to prioritize threats and address assets based on context. An accurate, real-time inventory of assets and an understanding of indicators of compromise for emerging threats are essential for tackling the problem.
You can reduce your attack surface and effectively manage threats if you understand what assets are on your network, the relative value of the systems, which systems are public facing, and how the systems are interconnected in your environment.
In a perfect world, organizations will simply patch all vulnerable systems. The reality is that many companies have expansive, complex network environments and very limited IT resources. The goal should still be to eventually patch all vulnerable systems, but with the right tools and visibility you can at least quickly reduce your exposure to risk by identifying and prioritizing the systems that are at greatest risk.