SlideShare a Scribd company logo

Verizon 2015 DBIR VM portion

Tawnia Beckwith
Tawnia Beckwith
1 of 3
Download to read offline
2015 DATA BREACH INVESTIGATIONS REPORT 15 Of all the risk factors in the InfoSec domain, vulnerabilities are probably the most discussed, tracked, and assessed over the last 20 years. But how well do we really understand them? Their link to security incidents is clear enough after the fact, but what can we do before the breach to improve vulnerability management programs? These are the questions on our minds as we enter this section, and Risk I/O was kind enough to join us in the search for answers. Risk I/O started aggregating vulnerability exploit data from its threat feed partners in late 2013. The data set spans 200 million+ successful exploitations across 500+ common vulnerabilities and exposures (CVEs)11 from over 20,000 enterprises in more than 150 countries. Risk I/O does this by correlating SIEM logs, analyzing them for exploit signatures, and pairing those with vulnerability scans of the same environments to create an aggregated picture of exploited vulnerabilities over time. We focused on mining the patterns in the successful exploits to see if we could figure out ways to prioritize remediation and patching efforts for known vulnerabilities. ‘SPLOITIN TO THE OLDIES In the inaugural DBIR (vintage 2008), we made the following observation: For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach [and 71% >1 year]. This strongly suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than “fire drills” attempting to patch particular systems as soon as patches are released. Wedecidedtoseeiftherecentandbroaderexploitdatasetstillbackedupthatstatement.We foundthat99.9%oftheexploitedvulnerabilitieshadbeencompromisedmorethanayearafterthe associatedCVEwaspublished.OurnextstepwastofocusinontheCVEsandlookattheageofCVEs exploitedin2014.Figure10arrangestheseCVEsaccordingtotheirpublicationdateandgivesa countofCVEsforeachyear.Apparently,hackersreallydostillpartylikeit’s1999.Thetallyofreally oldCVEssuggeststhatanyvulnerabilitymanagementprogramshouldincludebroadcoverageofthe “oldiesbutgoodies.”JustbecauseaCVEgetsolddoesn’tmeanitgoesoutofstylewiththeexploit crowd.Andthatmeansthathangingontothatvintagepatchcollectionmakesalotofsense. 11 Common Vulnerabilities and Exposures (CVE) is “a dictionary of publicly known information security vulnerabilities and exposures.”—http://cve.mitre.org VULNERABILITIES Do We Need Those Stinking Patches? 99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED. 10 30 50 70 90 ’99 ’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12 ’13 ’14 YEAR CVE WAS PUBLISHED NUMBEROFPUBLISHEDCVE’SEXPLOITED Figure 10. Count of exploited CVEs in 2014 by CVE publish date
16 VERIZON ENTERPRISE SOLUTIONS NOT ALL CVES ARE CREATED EQUAL. If we look at the frequency of exploitation in Figure 11, we see a much different picture than what’s shown by the raw vulnerability count of Figure 12. Ten CVEs account for almost 97% of the exploits observed in 2014. While that’s a pretty amazing statistic, don’t be lulled into thinking you’ve found an easy way out of the vulnerability remediation rodeo. Prioritization will definitely help from a risk-cutting perspective, but beyond the top 10 are 7 million other exploited vulnerabilities that may need to be ridden down. And therein, of course, lies the challenge; once the “mega-vulns” are roped in (assuming you could identify them ahead of time), how do you approach addressing the rest of the horde in an orderly, comprehensive, and continuous manner over time? FROM PUB TO PWN If Figure 11—along with our statement above from 2008—advocates the turtle method of vulnerability management (slow and steady wins the race), then Figure 12 prefers the hare’s approach. And in this version of the parable, it might just be the hare that’s teaching us the lesson. Half of the CVEs exploited in 2014 fell within two weeks. What’s more, the actual time lines in this particular data set are likely underestimated due to the inherent lag between initial attack and detection readiness (generation, deployment, and correlation of exploits/signatures). These results undeniably create a sense of urgency to address publicly announced critical vulnerabilities in a timely (and comprehensive) manner. They do, however, beg the question: What constitutes a “critical vulnerability,” and how do we make that determination? WHAT’S IN A SCORE, THAT WHICH WE ALL COMPOSE? The industry standard for rating the criticality of vulnerabilities is CVSS,12 which incorporates factors related to exploitability and impact into an overall base score. Figure 13 (next page) displays the CVSS scores for three different groupings of CVEs: all CVEs analyzed (top), all CVEs exploited in 2014 (middle), and CVEs exploited within one month of publication (bottom). The idea is to determine which CVSS factors (if any) pop out and thus might serve as a type of early warning system for vulnerabilities that need quick remediation due to high likelihood of exploitation. 12 The Common Vulnerability Scoring System (CVSS) is designed to provide an open and standardized method for rating IT vulnerabilities. 0% 20% 40% 60% 80% 100% CVE−1999−0517 CVE−2001−0540 CVE−2002−0012 CVE−2002−0013 CVE−2014−3566 CVE−2012−0152 CVE−2001−0680 CVE−2002−1054 CVE−2002−1931 CVE−2002−1932 TOP 10 CVE'S EXPLOITED PERCENTOFEXPLOITEDCVE'S Figure 11. Cumulative percentage of exploited vulnerabilities by top 10 CVEs About half of the CVEs exploited in 2014 went from publish to pwn in less than a month. 0% 20% 40% 60% 80% 100% 0 4 8 12 16 20 24 28 32 36 40 44 48 WEEK EXPLOIT OCCURED AFTER CVE PUBLISH DATE PROPORTIONOFCVE’SEXPLOITED Figure 12. Cumulative percentage of exploited vulnerabilities by week(s) from CVE publish dates
2015 DATA BREACH INVESTIGATIONS REPORT 17 None of the exploitability factors appear much different across the groups; it seems that just about all CVEs have a network access vector and require no authentication, so those won’t be good predictors. The impact factors get interesting; the proportion of CVEs with a “complete” rating for C-I-A13 rises rather dramatically as we move from all CVEs to quickly exploited CVEs. The base score is really just a composite of the other two factors, but it’s still worth noting that most of those exploited within a month post a score of nine or ten. We performed some statistical significance tests and found some extremely low p-values, signifying that those differences are meaningful rather than random variation. Even so, we agree with RISK I/O’s finding that a CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.14 Outside the CVSS score, there is one other attribute of a “critical” vulnerability to bring up, and this is a purely subjective observation. If a vulnerability gets a cool name in the media, it probably falls into this “critical vulnerability” label.15 As an example, in 2014, Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of CVE publication date. In closing, we want to restate that the lesson here isn’t “Which of these should I patch?” Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest. We hope this section provides some support for that decision, as well as some encouragement for more data sharing and more analysis. 13 As all good CISSPs know, that’s Confidentiality, Integrity, and Availability. 14 www.risk.io/resources/fix-what-matters-presentation 15 As this section was penned, the “Freak” vulnerability in SSL/TLS was disclosed. http://freakattack.com Figure 13. CVSS attributes across classes of CVEs EXPLOITABILITY IMPACT CVSS BASE SCORE 50% 100% 50% 100% 50% 100% ALL CVEs (n= 67,567) Local Adjacent Network Low Medium High None Single Multiple Complete Partial None Complete Partial None Complete Partial None 1 2 3 4 5 6 7 8 9 10 JUST EXPLOITED (n=792) CRITICAL (exploited within one month of publication; n=24) AccessVector AccessComplexity Authentication Confidentiality Integrity Availability NUMBEROFCVE’s A CVE being added to Metaspoit is probably the single most reliable predictor of exploitation in the wild.

Recommended

Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Getting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperGetting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperTawnia Beckwith
 
Acoso escolar
Acoso escolarAcoso escolar
Acoso escolarNubiaOmana
 
Lucia francisco y santiago
Lucia francisco y santiagoLucia francisco y santiago
Lucia francisco y santiagosanfranlu
 
Pasos para abrir mi blogger
Pasos para abrir mi bloggerPasos para abrir mi blogger
Pasos para abrir mi bloggerschavezuniandesr
 
Big Data Processing With Spark
Big Data Processing With SparkBig Data Processing With Spark
Big Data Processing With SparkEdureka!
 
ECHO PowerPoint logos
ECHO PowerPoint logosECHO PowerPoint logos
ECHO PowerPoint logosErica Lengermann
 

Recommended

Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Getting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperGetting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperTawnia Beckwith
 
Acoso escolar
Acoso escolarAcoso escolar
Acoso escolarNubiaOmana
 
Lucia francisco y santiago
Lucia francisco y santiagoLucia francisco y santiago
Lucia francisco y santiagosanfranlu
 
Pasos para abrir mi blogger
Pasos para abrir mi bloggerPasos para abrir mi blogger
Pasos para abrir mi bloggerschavezuniandesr
 
Big Data Processing With Spark
Big Data Processing With SparkBig Data Processing With Spark
Big Data Processing With SparkEdureka!
 
ECHO PowerPoint logos
ECHO PowerPoint logosECHO PowerPoint logos
ECHO PowerPoint logosErica Lengermann
 
Ids 004 cve
Ids 004 cveIds 004 cve
Ids 004 cvejyoti_lakhani
 
Comparing vulnerability and security configuration assessment coverage of lea...
Comparing vulnerability and security configuration assessment coverage of lea...Comparing vulnerability and security configuration assessment coverage of lea...
Comparing vulnerability and security configuration assessment coverage of lea...Principled Technologies
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
Cloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decCloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decgusbarrett
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101FINOS
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackIvanti
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackIvanti
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementAnton Chuvakin
 
2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdfSavinder Puri
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersMarc Vael
 
Integration of Qualys with HCL BigFix Insights for Vulnerability Remediation
Integration of Qualys with HCL BigFix Insights for Vulnerability RemediationIntegration of Qualys with HCL BigFix Insights for Vulnerability Remediation
Integration of Qualys with HCL BigFix Insights for Vulnerability RemediationHCLSoftware
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMatthew Rosenquist
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
modeling and predicting cyber hacking breaches
modeling and predicting cyber hacking breaches modeling and predicting cyber hacking breaches
modeling and predicting cyber hacking breaches Venkat Projects
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Eoin Keary
 
We are excited to announce that our new State of Software Security (SOSS) rep...
We are excited to announce that our new State of Software Security (SOSS) rep...We are excited to announce that our new State of Software Security (SOSS) rep...
We are excited to announce that our new State of Software Security (SOSS) rep...Ampliz
 
The State of Software Security 2022 SOSS - Solution
The State of Software Security 2022 SOSS - SolutionThe State of Software Security 2022 SOSS - Solution
The State of Software Security 2022 SOSS - SolutionNeelKamalSingh8
 

More Related Content

Similar to Verizon 2015 DBIR VM portion

Comparing vulnerability and security configuration assessment coverage of lea...
Comparing vulnerability and security configuration assessment coverage of lea...Comparing vulnerability and security configuration assessment coverage of lea...
Comparing vulnerability and security configuration assessment coverage of lea...Principled Technologies
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
Cloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decCloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decgusbarrett
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101FINOS
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackIvanti
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackIvanti
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementAnton Chuvakin
 
2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdfSavinder Puri
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersMarc Vael
 
Integration of Qualys with HCL BigFix Insights for Vulnerability Remediation
Integration of Qualys with HCL BigFix Insights for Vulnerability RemediationIntegration of Qualys with HCL BigFix Insights for Vulnerability Remediation
Integration of Qualys with HCL BigFix Insights for Vulnerability RemediationHCLSoftware
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMatthew Rosenquist
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
modeling and predicting cyber hacking breaches
modeling and predicting cyber hacking breaches modeling and predicting cyber hacking breaches
modeling and predicting cyber hacking breaches Venkat Projects
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Eoin Keary
 
We are excited to announce that our new State of Software Security (SOSS) rep...
We are excited to announce that our new State of Software Security (SOSS) rep...We are excited to announce that our new State of Software Security (SOSS) rep...
We are excited to announce that our new State of Software Security (SOSS) rep...Ampliz
 
The State of Software Security 2022 SOSS - Solution
The State of Software Security 2022 SOSS - SolutionThe State of Software Security 2022 SOSS - Solution
The State of Software Security 2022 SOSS - SolutionNeelKamalSingh8
 

Similar to Verizon 2015 DBIR VM portion (20)

Ids 004 cve
Ids 004 cveIds 004 cve
Ids 004 cve
 
Comparing vulnerability and security configuration assessment coverage of lea...
Comparing vulnerability and security configuration assessment coverage of lea...Comparing vulnerability and security configuration assessment coverage of lea...
Comparing vulnerability and security configuration assessment coverage of lea...
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
Cloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-decCloud activ8 state of ransomware report_2021-dec
Cloud activ8 state of ransomware report_2021-dec
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced Attack
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced Attack
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability Management
 
2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholders
 
Integration of Qualys with HCL BigFix Insights for Vulnerability Remediation
Integration of Qualys with HCL BigFix Insights for Vulnerability RemediationIntegration of Qualys with HCL BigFix Insights for Vulnerability Remediation
Integration of Qualys with HCL BigFix Insights for Vulnerability Remediation
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats Predictions
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
modeling and predicting cyber hacking breaches
modeling and predicting cyber hacking breaches modeling and predicting cyber hacking breaches
modeling and predicting cyber hacking breaches
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
 
We are excited to announce that our new State of Software Security (SOSS) rep...
We are excited to announce that our new State of Software Security (SOSS) rep...We are excited to announce that our new State of Software Security (SOSS) rep...
We are excited to announce that our new State of Software Security (SOSS) rep...
 
The State of Software Security 2022 SOSS - Solution
The State of Software Security 2022 SOSS - SolutionThe State of Software Security 2022 SOSS - Solution
The State of Software Security 2022 SOSS - Solution
 

Verizon 2015 DBIR VM portion

  • 1. 2015 DATA BREACH INVESTIGATIONS REPORT 15 Of all the risk factors in the InfoSec domain, vulnerabilities are probably the most discussed, tracked, and assessed over the last 20 years. But how well do we really understand them? Their link to security incidents is clear enough after the fact, but what can we do before the breach to improve vulnerability management programs? These are the questions on our minds as we enter this section, and Risk I/O was kind enough to join us in the search for answers. Risk I/O started aggregating vulnerability exploit data from its threat feed partners in late 2013. The data set spans 200 million+ successful exploitations across 500+ common vulnerabilities and exposures (CVEs)11 from over 20,000 enterprises in more than 150 countries. Risk I/O does this by correlating SIEM logs, analyzing them for exploit signatures, and pairing those with vulnerability scans of the same environments to create an aggregated picture of exploited vulnerabilities over time. We focused on mining the patterns in the successful exploits to see if we could figure out ways to prioritize remediation and patching efforts for known vulnerabilities. ‘SPLOITIN TO THE OLDIES In the inaugural DBIR (vintage 2008), we made the following observation: For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach [and 71% >1 year]. This strongly suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than “fire drills” attempting to patch particular systems as soon as patches are released. Wedecidedtoseeiftherecentandbroaderexploitdatasetstillbackedupthatstatement.We foundthat99.9%oftheexploitedvulnerabilitieshadbeencompromisedmorethanayearafterthe associatedCVEwaspublished.OurnextstepwastofocusinontheCVEsandlookattheageofCVEs exploitedin2014.Figure10arrangestheseCVEsaccordingtotheirpublicationdateandgivesa countofCVEsforeachyear.Apparently,hackersreallydostillpartylikeit’s1999.Thetallyofreally oldCVEssuggeststhatanyvulnerabilitymanagementprogramshouldincludebroadcoverageofthe “oldiesbutgoodies.”JustbecauseaCVEgetsolddoesn’tmeanitgoesoutofstylewiththeexploit crowd.Andthatmeansthathangingontothatvintagepatchcollectionmakesalotofsense. 11 Common Vulnerabilities and Exposures (CVE) is “a dictionary of publicly known information security vulnerabilities and exposures.”—http://cve.mitre.org VULNERABILITIES Do We Need Those Stinking Patches? 99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED. 10 30 50 70 90 ’99 ’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12 ’13 ’14 YEAR CVE WAS PUBLISHED NUMBEROFPUBLISHEDCVE’SEXPLOITED Figure 10. Count of exploited CVEs in 2014 by CVE publish date
  • 2. 16 VERIZON ENTERPRISE SOLUTIONS NOT ALL CVES ARE CREATED EQUAL. If we look at the frequency of exploitation in Figure 11, we see a much different picture than what’s shown by the raw vulnerability count of Figure 12. Ten CVEs account for almost 97% of the exploits observed in 2014. While that’s a pretty amazing statistic, don’t be lulled into thinking you’ve found an easy way out of the vulnerability remediation rodeo. Prioritization will definitely help from a risk-cutting perspective, but beyond the top 10 are 7 million other exploited vulnerabilities that may need to be ridden down. And therein, of course, lies the challenge; once the “mega-vulns” are roped in (assuming you could identify them ahead of time), how do you approach addressing the rest of the horde in an orderly, comprehensive, and continuous manner over time? FROM PUB TO PWN If Figure 11—along with our statement above from 2008—advocates the turtle method of vulnerability management (slow and steady wins the race), then Figure 12 prefers the hare’s approach. And in this version of the parable, it might just be the hare that’s teaching us the lesson. Half of the CVEs exploited in 2014 fell within two weeks. What’s more, the actual time lines in this particular data set are likely underestimated due to the inherent lag between initial attack and detection readiness (generation, deployment, and correlation of exploits/signatures). These results undeniably create a sense of urgency to address publicly announced critical vulnerabilities in a timely (and comprehensive) manner. They do, however, beg the question: What constitutes a “critical vulnerability,” and how do we make that determination? WHAT’S IN A SCORE, THAT WHICH WE ALL COMPOSE? The industry standard for rating the criticality of vulnerabilities is CVSS,12 which incorporates factors related to exploitability and impact into an overall base score. Figure 13 (next page) displays the CVSS scores for three different groupings of CVEs: all CVEs analyzed (top), all CVEs exploited in 2014 (middle), and CVEs exploited within one month of publication (bottom). The idea is to determine which CVSS factors (if any) pop out and thus might serve as a type of early warning system for vulnerabilities that need quick remediation due to high likelihood of exploitation. 12 The Common Vulnerability Scoring System (CVSS) is designed to provide an open and standardized method for rating IT vulnerabilities. 0% 20% 40% 60% 80% 100% CVE−1999−0517 CVE−2001−0540 CVE−2002−0012 CVE−2002−0013 CVE−2014−3566 CVE−2012−0152 CVE−2001−0680 CVE−2002−1054 CVE−2002−1931 CVE−2002−1932 TOP 10 CVE'S EXPLOITED PERCENTOFEXPLOITEDCVE'S Figure 11. Cumulative percentage of exploited vulnerabilities by top 10 CVEs About half of the CVEs exploited in 2014 went from publish to pwn in less than a month. 0% 20% 40% 60% 80% 100% 0 4 8 12 16 20 24 28 32 36 40 44 48 WEEK EXPLOIT OCCURED AFTER CVE PUBLISH DATE PROPORTIONOFCVE’SEXPLOITED Figure 12. Cumulative percentage of exploited vulnerabilities by week(s) from CVE publish dates
  • 3. 2015 DATA BREACH INVESTIGATIONS REPORT 17 None of the exploitability factors appear much different across the groups; it seems that just about all CVEs have a network access vector and require no authentication, so those won’t be good predictors. The impact factors get interesting; the proportion of CVEs with a “complete” rating for C-I-A13 rises rather dramatically as we move from all CVEs to quickly exploited CVEs. The base score is really just a composite of the other two factors, but it’s still worth noting that most of those exploited within a month post a score of nine or ten. We performed some statistical significance tests and found some extremely low p-values, signifying that those differences are meaningful rather than random variation. Even so, we agree with RISK I/O’s finding that a CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.14 Outside the CVSS score, there is one other attribute of a “critical” vulnerability to bring up, and this is a purely subjective observation. If a vulnerability gets a cool name in the media, it probably falls into this “critical vulnerability” label.15 As an example, in 2014, Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of CVE publication date. In closing, we want to restate that the lesson here isn’t “Which of these should I patch?” Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest. We hope this section provides some support for that decision, as well as some encouragement for more data sharing and more analysis. 13 As all good CISSPs know, that’s Confidentiality, Integrity, and Availability. 14 www.risk.io/resources/fix-what-matters-presentation 15 As this section was penned, the “Freak” vulnerability in SSL/TLS was disclosed. http://freakattack.com Figure 13. CVSS attributes across classes of CVEs EXPLOITABILITY IMPACT CVSS BASE SCORE 50% 100% 50% 100% 50% 100% ALL CVEs (n= 67,567) Local Adjacent Network Low Medium High None Single Multiple Complete Partial None Complete Partial None Complete Partial None 1 2 3 4 5 6 7 8 9 10 JUST EXPLOITED (n=792) CRITICAL (exploited within one month of publication; n=24) AccessVector AccessComplexity Authentication Confidentiality Integrity Availability NUMBEROFCVE’s A CVE being added to Metaspoit is probably the single most reliable predictor of exploitation in the wild.