Software updates are a critical line of defense to prevent exploitation. Still, enterprises often keep outdated software for several months. When dealing with targeted attacks performed by Advanced Persistent Threats (APTs), this behavior does not seem appropriate. However, we tend to focus on specific APT campaigns and we miss the general picture. In this talk, we provide a broader view of the APT landscape with an analysis of more than 350 campaigns by 86 different APTs collected from open-source resources. Contrary to common belief, APTs are work-averse and prefer to exploit known vulnerabilities. We will share an analysis of different approaches to software updates, from enterprises that update as soon as a new release is out to enterprises that wait for the presence of a CVE. We observed that, given the need to perform regression testing before applying an update, enterprises that update only when a known vulnerability is patched present the same risk of being compromised as enterprises that always update to each new version but perform significantly fewer updates. The key takeaways of this talk are the following: -We provide a broader view of the APTs, their attack vector preferences, and the use of 0-days vs publicly known vulnerabilities. -We show the effectiveness and cost of different software update strategies in preventing APT campaigns.

1. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
Why are you not updating?
The effectiveness of
Software Updates against
Advanced Persistent
Threats Campaigns
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 830929 and No
952647
Giorgio Di Tizio1, Michele Armellini1, Fabio Massacci1,2
1University of Trento
2Vrije Universiteit Amsterdam

2. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
2
Facing APTs

3. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
3
Facing APTs: Where is the Truth?

4. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
4
The Software Update Problem
• Software updates reduce the opportunity for exploitation but can introduce breaking
changes in a software product
• Reservation, disclosure, and exploitation of software vulnerabilities in a software product
can occur at any time before or after the release of an update
• If and when to apply an update is thus a complex problem. Enterprises can decide to:
• Update immediately
• Wait some time to perform regression testing and then update
• Skip the update
• In reality, enterprises struggle to keep up with the updates and wait several months
before deploying one

5. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
5
Investigate the APTs
• We collected information about more than 350
campaigns performed by 86 APTs in more than
10 years
• We enriched data about APTs with information
about CVEs, software versions affected, and
available updates
• We looked at the effectiveness of keeping the
software up-to-date for 5 widely used software
products in the decade under study (Office,
Acrobat Reader, Air, JRE, and Flash Player) from
three major software companies (Microsoft,
Adobe, and Oracle)

6. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
6
The APTs Landscape: Attack Vectors and Targeted Software
• Spear phishing is the favorite attack vector employed with or without a software
vulnerability.
• In more than 50% of the cases having software up to date does not make any difference
• Office, Flash Player, Acrobat Reader, Air, and JRE are the most exploited client-side
products grouped by vendor

7. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
7
The APTs Landscape: Preference on Software Vulnerabilities
• Observed a total of 118 unique software vulnerabilities exploited by APTs
• Only 8 out of 86 APTs did not share any software vulnerability with other groups in their
campaigns
Campaigns exploiting at least a publicly
known vulnerability in NVD
Campaigns exploiting at least a reserved
vulnerability in NVD
Campaigns exploiting at least an unknown
vulnerability
119
10
24
2
1
3
3

8. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
8
Effectiveness and Cost of Software Update Strategies

9. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
9
Effectiveness and Cost of Software Update Strategies
Ideal: update to each newest
version as soon as it is
available from the vendor

10. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
10
Effectiveness and Cost of Software Update Strategies
Industry:
update to each
newest
version but
with a delay of
1 month
before
deployment

11. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
11
Effectiveness and Cost of Software Update Strategies
Reactive: update
to the first new
(not vulnerable)
version when a
CVE is publicly
available in NVD
with a delay of 1
month before
deployment

12. Grant Agreement 952647
Project Title Assurance and certification in secure Multi-
party Open Software and Services
Project Acronym AssureMOSS
Project Start Date 01 October 2020
Number of Deliverable XX
Report title XXX
Related Work Package WPX: XXX
Related Task(s) TX.X: XXX
Lead organization XXX
Submission date: Day Month Year
Last Change Date Day Month Year
Dissemination Level Confidential/Public
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 952647
PRESENTATION
TEMPLATE
12
Software Update Strategies against APTs
• We built a structured, manually verified dataset of 86 APTs and more than 350
campaigns based on an exhaustive search of over 500 technical reports and blogs
• We investigated the effectiveness of software updates against APTs
• Key Takeaways:
• Most APTs are not as sophisticated in their initial access as we think and prefer to exploit
publicly known vulnerabilities
• The effectiveness of an update strategy that is reactive on the publicly known vulnerable
releases has the same risk profile as a strategy that always updates with a delay but costs
significantly less in terms of updates
• More details in our IEEE TSE paper: https://doi.org/10.1109/TSE.2022.3176674
• Check out our APT Dataset using the QR code