There is a very simple reason that it’s so difficult to prevent zero-day attacks: By definition, zero-day attacks exploit zero-day vulnerabilities – flaws in software and hardware for which no patch has yet been released. In other words, a zero-day attack is a type of cyberattack that takes advantage of problems that have yet to be fixed.
As we explained in a recent post on the threat of zero-day attacks, zero-day vulnerabilities can include risks that developers and manufacturers have to discover, as well as vulnerabilities that have been discovered but for which developers have not yet produced a corrective patch.
Still, businesses and organizations can take steps to minimize the risk posed by unpatched vulnerabilities. In the case of zero-day vulnerabilities, the most effective line of defense is simply being diligent about general cybersecurity best practices, such as making sure to use unique passwords rather than recycling passwords across platforms. In the case of vulnerabilities for which patches have already been released, the most effective course of action is to install the patches as soon as possible.
Sounds like a straightforward solution, right? There’s just one reason that it’s not: The sheer volume of patches to be applied is far too great for most organizations. Applying these patches takes time and resources, and the rate at which vulnerabilities are discovered and publicized (along with their corresponding patches) is simply beyond the scope of what most organizations can handle as far as cybersecurity.
To stay safe both from zero-day attacks and from other types of cyberattacks, it is important to understand why it can be so difficult to keep up with necessary patches and what solutions are out there to help you identify and prioritize your most urgent cybersecurity vulnerabilities. With that in mind, this post will examine the challenge of using patches and other technologies to minimize the risk of falling victim to either a zero-day attack or a cyberattack that exploits a vulnerability for which a patch has already been released.
The numbers show that the pace at which cybersecurity vulnerabilities are discovered is increasing over time. While each vulnerability is cause for concern, the good news is that patches are typically announced at the same time as the vulnerabilities they address. The problem is that organizations simply do not have the time or resources to install every patch. As a result, companies are at risk of falling victim not only to zero-day attacks, but also to attacks exploiting vulnerabilities for which they have not yet installed the necessary (and available) patches.
How widespread and alarming is this problem? In 2020, yet again, more cybersecurity vulnerabilities were discovered than the year before. Specifically, 18,353 new vulnerabilities were added to the National Vulnerability Database (NVD), including a record number of 4,381 high-severity vulnerabilities over the course of the year – an average of 12 every single day.
These unpatched vulnerabilities are one of the biggest sources of data breaches and other risks for companies and organizations. As of 2018, according to Ponemon, 60% of organizations that had suffered a data breach in the previous two years said the culprit was a known vulnerability for which they had not yet patched.
The real challenge here is the necessary patching. If this process were easier, by now vulnerabilities would have been relegated to a lower gear of security control, just like antivirus and other such measures. However, vulnerability patching is a complex process that is usually managed by teams outside of security organizations, and it is time-consuming. In fact, Ponemon has found that it takes an average of 12 days for teams to coordinate and apply a patch across all devices.
There’s an open secret in the world of cybersecurity: Most of the prioritization of vulnerabilities is driven by CVSS scores. While these scores can evaluate the severity of a given vulnerability, they do not adequately factor in the question of how likely that vulnerability is to be exploited in the first place. Moreover, once a vulnerability is discovered, it typically takes between two and five days for it to be assigned a CVSS score. Not only does this system often result in outdated CVSS scores, but it can delay an organization’s response to a discovered vulnerability – even as attackers get to work trying to exploit that vulnerability.
The combination of stale CVSS scores and the wait for a score to be assigned leaves too many security teams with a limited understanding of their risk environment. Meanwhile, vulnerability overload adds to the challenge security teams face in prioritizing their remediation efforts. Consequently, approaches to cybersecurity tend to be more reactive than proactive and more tactical than strategic. In particular, it can be difficult to align organizational priorities with the threats posed by potential attackers.
To enable cybersecurity teams to prioritize patches as quickly and effectively as necessary, we at Cybersixgill have developed our Dynamic Vulnerability Exploit (DVE) Score, which predicts the probability of a CVE being exploited in the near future. The scoring system is dynamic, reflecting the likelihood that threat actors will take advantage of a given vulnerability in the next 90 days. This information then enables cybersecurity and IT teams to focus on the most pressing vulnerabilities.
The DVE Score actively incorporates attacker capability, intent, and interest in real time. And because this score takes a comprehensive and dynamic approach to evaluating vulnerabilities, companies and organizations can confidently make it a major factor they use when deciding which patches to apply and in what order.
By tapping into the dark web’s value as a source of cyberthreat intel, the Cybersixgill DVE Score takes into account footprints that bad actors often leave behind as they communicate about their plans in underground forums. Because the dark web is where threat actors go to communicate online when they want to stay anonymous, it is often the first place where evidence of a future cyberattack appears. And, with the world’s largest data lake of information from the dark web, Cybersixgill is uniquely capable of finding and utilizing this type of intelligence.
How does all of this help companies and organizations stay safe in light of the reality that zero-day attacks are not the only type of cyberthreat they face? It empowers them with the information they need to make well-informed decisions about which patches to implement first. Although the Cybersixgill DVE Score does not in itself eliminate the vulnerabilities these organizations face, it gives them the threat intelligence they need to set their cybersecurity priorities effectively in light of the latest online discourse.
This way, cybersecurity and IT professionals can rest assured that they have the insights they need to keep up with whichever patches are the most urgent at any given time.
How can the Cybersixgill Dynamic Vulnerability Exploit (DVE) Score help you pinpoint the most urgent patches to protect your company or organization? To see for yourself, request a demo.