The State of Software Security 2022 SOSS - Solution
Verizon 2015 DBIR VM portion
1. 2015 DATA BREACH INVESTIGATIONS REPORT 15
Of all the risk factors in the InfoSec domain, vulnerabilities are probably the most discussed,
tracked, and assessed over the last 20 years. But how well do we really understand them? Their
link to security incidents is clear enough after the fact, but what can we do before the breach to
improve vulnerability management programs? These are the questions on our minds as we enter
this section, and Risk I/O was kind enough to join us in the search for answers.
Risk I/O started aggregating vulnerability exploit data from its threat feed partners in late 2013.
The data set spans 200 million+ successful exploitations across 500+ common vulnerabilities
and exposures (CVEs)[11] from over 20,000 enterprises in more than 150 countries. Risk I/O does
this by correlating SIEM logs, analyzing them for exploit signatures, and pairing those with
vulnerability scans of the same environments to create an aggregated picture of exploited
vulnerabilities over time. We focused on mining the patterns in the successful exploits to see if
we could figure out ways to prioritize remediation and patching efforts for known vulnerabilities.
‘SPLOITIN TO THE OLDIES
In the inaugural DBIR (vintage 2008), we made the following observation: For the overwhelming
majority of attacks exploiting known vulnerabilities, the patch had been available for months prior
to the breach [and 71% >1 year]. This strongly suggests that a patch deployment strategy focusing
on coverage and consistency is far more effective at preventing data breaches than “fire drills”
attempting to patch particular systems as soon as patches are released.
We decided to see if the recent and broader exploit data set still backed up that statement. We
found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the
associated CVE was published. Our next step was to focus in on the CVEs and look at the age of CVEs
exploited in 2014. Figure 10 arranges these CVEs according to their publication date and gives a
count of CVEs for each year. Apparently, hackers really do still party like it’s 1999. The tally of really
old CVEs suggests that any vulnerability management program should include broad coverage of the
“oldies but goodies.” Just because a CVE gets old doesn’t mean it goes out of style with the exploit
crowd. And that means that hanging on to that vintage patch collection makes a lot of sense.
[11] Common Vulnerabilities and Exposures (CVE) is “a dictionary of publicly known information security vulnerabilities and
exposures.”—http://cve.mitre.org
VULNERABILITIES
Do We Need Those Stinking Patches?
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
Figure 10. Count of exploited CVEs in 2014 by CVE publish date (x-axis: year CVE was published, ’99 to ’14;
y-axis: number of published CVEs exploited, 10 to 90).
2. 16 VERIZON ENTERPRISE SOLUTIONS
NOT ALL CVES ARE CREATED EQUAL.
If we look at the frequency of exploitation in Figure 11, we see a much different picture than
what’s shown by the raw vulnerability count of Figure 12. Ten CVEs account for almost 97%
of the exploits observed in 2014. While that’s a pretty amazing statistic, don’t be lulled into
thinking you’ve found an easy way out of the vulnerability remediation rodeo. Prioritization will
definitely help from a risk-cutting perspective, but beyond the top 10 are 7 million other exploited
vulnerabilities that may need to be ridden down. And therein, of course, lies the challenge; once the
“mega-vulns” are roped in (assuming you could identify them ahead of time), how do you approach
addressing the rest of the horde in an orderly, comprehensive, and continuous manner over time?
FROM PUB TO PWN
If Figure 11—along with our statement above from 2008—advocates the turtle method of
vulnerability management (slow and steady wins the race), then Figure 12 prefers the hare’s
approach. And in this version of the parable, it might just be the hare that’s teaching us the lesson.
Half of the CVEs exploited in 2014 fell within two weeks. What’s more, the actual timelines in
this particular data set are likely underestimated due to the inherent lag between initial attack
and detection readiness (generation, deployment, and correlation of exploits/signatures).
These results undeniably create a sense of urgency to address publicly announced critical
vulnerabilities in a timely (and comprehensive) manner. They do, however, beg the question:
What constitutes a “critical vulnerability,” and how do we make that determination?
WHAT’S IN A SCORE, THAT WHICH WE ALL COMPOSE?
The industry standard for rating the criticality of vulnerabilities is CVSS,[12] which incorporates
factors related to exploitability and impact into an overall base score. Figure 13 (next page)
displays the CVSS scores for three different groupings of CVEs: all CVEs analyzed (top), all CVEs
exploited in 2014 (middle), and CVEs exploited within one month of publication (bottom). The idea
is to determine which CVSS factors (if any) pop out and thus might serve as a type of early warning
system for vulnerabilities that need quick remediation due to high likelihood of exploitation.
[12] The Common Vulnerability Scoring System (CVSS) is designed to provide an open and standardized method for rating
IT vulnerabilities.
Figure 11. Cumulative percentage of exploited vulnerabilities by top 10 CVEs (x-axis: top 10 CVEs exploited:
CVE-1999-0517, CVE-2001-0540, CVE-2002-0012, CVE-2002-0013, CVE-2014-3566, CVE-2012-0152, CVE-2001-0680,
CVE-2002-1054, CVE-2002-1931, CVE-2002-1932; y-axis: percent of exploited CVEs, 0% to 100%).
About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.
Figure 12. Cumulative percentage of exploited vulnerabilities by week(s) from CVE publish dates (x-axis: week
exploit occurred after CVE publish date, 0 to 48; y-axis: proportion of CVEs exploited, 0% to 100%).
None of the exploitability factors appear much different across the groups; it seems that just
about all CVEs have a network access vector and require no authentication, so those won’t be
good predictors. The impact factors get interesting; the proportion of CVEs with a “complete”
rating for C-I-A[13] rises rather dramatically as we move from all CVEs to quickly exploited CVEs.
The base score is really just a composite of the other two factors, but it’s still worth noting that
most of those exploited within a month post a score of nine or ten. We performed some statistical
significance tests and found some extremely low p-values, signifying that those differences are
meaningful rather than random variation. Even so, we agree with Risk I/O’s finding that a CVE
being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.[14]
Outside the CVSS score, there is one other attribute of a “critical” vulnerability to bring up, and
this is a purely subjective observation. If a vulnerability gets a cool name in the media, it probably
falls into this “critical vulnerability” label.[15] As an example, in 2014, Heartbleed, POODLE, Schannel,
and Sandworm were all observed being exploited within a month of CVE publication date.
In closing, we want to restate that the lesson here isn’t “Which of these should I patch?” Figure
13 demonstrates the need for all those stinking patches on all your stinking systems. The real
decision is whether a given vulnerability should be patched more quickly than your normal cycle
or if it can just be pushed with the rest. We hope this section provides some support for that
decision, as well as some encouragement for more data sharing and more analysis.
[13] As all good CISSPs know, that’s Confidentiality, Integrity, and Availability.
[14] www.risk.io/resources/fix-what-matters-presentation
[15] As this section was penned, the “Freak” vulnerability in SSL/TLS was disclosed. http://freakattack.com
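As an added example (not code from the DBIR or from Risk I/O), the section’s findings turned into a small Python triage routine: it computes publish-to-exploit weeks as on the x-axis of Figure 12, the cumulative share exploited within a window, and a fast-track decision from the CVSS v2 vector, base score and Metasploit presence. The CveRecord fields, the constructed sample records and the threshold rule are assumptions, not values or rules stated by the report.

```python
# Added example, not part of the DBIR or Risk I/O's analysis: the section's
# findings turned into a triage routine over constructed CVE records.
from dataclasses import dataclass
from datetime import date

@dataclass
class CveRecord:
    cve_id: str
    published: date          # CVE publication date
    first_exploited: date    # first successful exploitation observed (Risk I/O style)
    cvss_v2_vector: str      # CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:C/I:C/A:C"
    base_score: float
    in_metasploit: bool      # a Metasploit module exists for this CVE

def parse_cvss_v2(vector: str) -> dict:
    """Split a CVSS v2 base vector into {metric: value}, e.g. {"AV": "N", ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))

def weeks_to_exploit(rec: CveRecord) -> int:
    """Whole weeks from publication to first observed exploit (x-axis of Figure 12)."""
    return (rec.first_exploited - rec.published).days // 7

def share_exploited_within(records, weeks: int) -> float:
    """Cumulative proportion of records exploited within `weeks` of publication."""
    return sum(1 for r in records if weeks_to_exploit(r) <= weeks) / len(records)

def fast_track(rec: CveRecord) -> bool:
    """Assumed rule (derived from the section, not stated by the report): patch ahead
    of the normal cycle if a Metasploit module exists, or if the base score is 9+
    and any of C/I/A carries a 'complete' impact rating."""
    m = parse_cvss_v2(rec.cvss_v2_vector)
    complete_impact = any(m[k] == "C" for k in ("C", "I", "A"))
    return rec.in_metasploit or (rec.base_score >= 9.0 and complete_impact)

# Constructed sample; IDs, dates and scores are illustrative, not real CVEs.
SAMPLE = [
    CveRecord("CVE-0000-0001", date(2014, 1, 6), date(2014, 1, 13),
              "AV:N/AC:L/Au:N/C:C/I:C/A:C", 10.0, True),
    CveRecord("CVE-0000-0002", date(2014, 3, 3), date(2014, 3, 24),
              "AV:N/AC:M/Au:N/C:P/I:N/A:N", 4.3, False),
    CveRecord("CVE-0000-0003", date(2002, 5, 1), date(2014, 6, 1),   # an "oldie"
              "AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5, True),
    CveRecord("CVE-0000-0004", date(2014, 7, 1), date(2014, 10, 1),
              "AV:L/AC:L/Au:S/C:C/I:C/A:C", 6.8, False),
]

if __name__ == "__main__":
    print(f"exploited within 4 weeks: {share_exploited_within(SAMPLE, 4):.0%}")
    for r in SAMPLE:
        print(r.cve_id, weeks_to_exploit(r), "weeks;",
              "fast-track" if fast_track(r) else "normal cycle")
```

On the sample, half the records are exploited within four weeks, and the two fast-tracked records are the ones with a Metasploit module, regardless of age.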
Figure 13. CVSS attributes across classes of CVEs. Three rows of panels: All CVEs (n=67,567), Just exploited
(n=792), and Critical (exploited within one month of publication; n=24); y-axis: number of CVEs, shown as 50% /
100% of each row. Panels by group: Exploitability (Access Vector: Local / Adjacent / Network; Access Complexity:
Low / Medium / High; Authentication: None / Single / Multiple), Impact (Confidentiality, Integrity, Availability:
Complete / Partial / None), and CVSS base score (1 to 10).
A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.