The effectiveness of vulnerability disclosure and exploit development

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development.


The analysis of 473 publicly exploited vulnerabilities challenges a long-held assumption of the security space: disclosing an exploit before a patch is available does not, the data shows, create a sense of urgency among companies to fix the problem.

The research was conducted by Kenna Security and the Cyentia Institute. It examines how the common practices among security researchers impact the overall security of corporate IT networks.

The importance of timing

The analysis found that when exploit code is made public prior to the release of a patch, cybercriminals get a critical head start. At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released.

“The debate over responsible disclosure has existed for decades, but this data provides an objective correlation between vulnerability discovery, disclosure, and patch delivery for the first time ever,” said Ed Bellis, CTO of Kenna Security.

“However, the results raise several questions about responsible exposure, demonstrating that the timing of exploit code release can shift the balance in favor of attackers or defenders.”

Whether exploit code or a patch is released first, the research found that there are periods when attackers have the momentum and periods when defenders have it, a reflection of the fact that no matter when a patch is released, some companies simply don’t or can’t install it before attackers make their move.

For approximately nine of the 15 months studied in this analysis, attackers were able to exploit vulnerabilities at a higher rate than defenders were patching, while defenders had the upper hand for six months.

The vulnerability disclosure practice

At the heart of the vulnerability disclosure practice is a mix of competing incentives for software publishers, IT teams, and the independent security researchers that find software vulnerabilities.

When a vulnerability is found, researchers disclose its existence and the relevant code they used to exploit the application. The publisher sets about creating a patch and pushing the patch to its user base. Occasionally, however, software publishers don’t engage, declining to create a patch or notify users of a vulnerability.

In these cases, researchers will publicly disclose the vulnerability to warn the larger community and spur the publisher to take action. Google, for example, tells software publishers that it will release details of the vulnerabilities it discovers within 90 days of notification, except in a few scenarios.

Additional findings

  • When exploit code is publicly released before a patch, attackers get, on average, a 47 day head start
  • Only 6% of those exploits were detected in more than 1 in 100 organizations
  • Exploit code was already available for over 50% of the vulnerabilities in our sample by the time they were published to the CVE List
  • In great news for defenders, over 80% of exploited vulnerabilities have a patch available prior to, or along with, CVE publication
  • About one-third of vulnerabilities have exploit code published before a patch is made available
  • About 7% of vulnerabilities are exploited before a CVE is published, a patch is available, and exploit code is released
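The ratios in the findings above are all questions about the ordering of four dates per vulnerability. The following is an added example, not code from Kenna Security or the Cyentia Institute, that computes those ratios and the attackers' head start from a constructed sample of timelines; the dataclass fields and the sample dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class VulnTimeline:
    """Lifecycle dates for one vulnerability; None means the event was never observed."""
    name: str
    cve_published: date
    patch_available: Optional[date]
    exploit_code_released: Optional[date]
    first_exploited_in_wild: Optional[date]

def head_start_days(v: VulnTimeline) -> Optional[int]:
    """Days between public exploit code and the patch, only when the exploit came first."""
    if v.exploit_code_released is None or v.patch_available is None:
        return None
    gap = (v.patch_available - v.exploit_code_released).days
    return gap if gap > 0 else None

def exploited_before_everything(v: VulnTimeline) -> bool:
    """True when in-the-wild exploitation preceded the CVE, the patch and any exploit code."""
    itw = v.first_exploited_in_wild
    if itw is None:
        return False
    later = [v.cve_published, v.patch_available, v.exploit_code_released]
    return all(d is None or itw < d for d in later)

def summarize(vulns: List[VulnTimeline]) -> dict:
    """Reproduce the report's headline ratios (as percentages) over a list of timelines."""
    n = len(vulns)
    pct = lambda count: round(100.0 * count / n, 1)
    gaps = [g for g in map(head_start_days, vulns) if g is not None]
    return {
        "exploit_code_by_cve_pct": pct(sum(1 for v in vulns if v.exploit_code_released and v.exploit_code_released <= v.cve_published)),
        "patch_by_cve_pct": pct(sum(1 for v in vulns if v.patch_available and v.patch_available <= v.cve_published)),
        "exploit_before_patch_pct": pct(len(gaps)),
        "exploited_before_all_pct": pct(sum(1 for v in vulns if exploited_before_everything(v))),
        "mean_head_start_days": round(sum(gaps) / len(gaps), 1) if gaps else 0.0,
    }

# Constructed sample timelines (assumed values, not drawn from the report's 473-vulnerability dataset)
SAMPLE = [
    VulnTimeline("vuln-A", date(2019, 3, 1), date(2019, 2, 20), date(2019, 3, 10), None),
    VulnTimeline("vuln-B", date(2019, 4, 5), date(2019, 5, 1), date(2019, 3, 1), date(2019, 4, 20)),
    VulnTimeline("vuln-C", date(2019, 6, 10), date(2019, 6, 10), date(2019, 6, 10), None),
    VulnTimeline("vuln-D", date(2019, 8, 1), date(2019, 8, 15), date(2019, 8, 20), date(2019, 7, 15)),
]
```

On the sample, vuln-B is the only case where exploit code predates the patch (a 61-day head start), and vuln-D is the only one exploited in the wild before the CVE, the patch and any public exploit code.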

“For decision-makers and researchers across the cybersecurity community, this research provides a vital, never before seen window into the lifecycle of vulnerabilities and exploitations,” said Jay Jacobs, partner, Cyentia Institute.

“These findings offer prominent paths for future research that could ultimately make the IT infrastructure more secure.”

Despite the strong relationship between the release of exploit code and weaponization, the findings come with caveats. It is possible that releasing exploit code does not facilitate exploitation itself but rather the detection of exploits in the wild, because the released code enabled faster creation of anti-virus signatures.

“This new report reignites the conversation on responsible disclosure. More research will help draw more definitive conclusions, but for now, we can say that where there’s smoke, there’s fire,” said Wade Baker, partner and co-founder of Cyentia Institute. “Release of exploit code before a patch seems to have a negative effect on corporate security.”

Companies continue to expose unsafe network services to the internet

33% of companies within the digital supply chain expose common network services such as data storage, remote access and network administration to the internet, according to RiskRecon. In addition, organizations that expose unsafe services to the internet also exhibit more critical security findings.


The research is based on an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions. The data was analyzed in two strategic ways: the direct proportion of internet-facing hosts running unsafe services, as well as the percentage of companies that expose unsafe services somewhere across their infrastructure.

The research concludes that the impact is further heightened when vendors and business partners run unsafe, exposed services used by their digital supply chain customers.

“Blocking internet access to unsafe network services is one of the most basic security hygiene practices. The fact that one-third of companies in the digital supply chain are failing at one of the most basic cybersecurity practices should serve as a wake-up call to executives and third-party risk management teams,” said Kelly White, CEO, RiskRecon.

“We have a long way to go in hardening the infrastructure that we all depend on to safely operate our businesses and protect consumer data. Risk managers will be well served to leverage objective data to better understand and act on their third-party risk.”

Expose unsafe network services: Key findings

  • 33% of organizations expose one or more unsafe services across hosts under their control. Admins should either eliminate direct internet access to such services or deploy compensating controls where they are genuinely required.
  • Direct internet access to database services should be prohibited or secured. Within the top three unsafe network services, datastores, such as S3 buckets and MySQL databases, are the most commonly exposed.
  • Digital transformation and the shift to remote work need to be considered. Remote access is the second most commonly exposed service; admins should consider restricting these services to authorized and internal users only.
  • Universities are woefully exposed. With a culture that boasts open access to information and collaboration, the education sector has the greatest tendency to expose unsafe network services on non-student systems, with 51.9% of universities running unsafe services.
  • Global regions lack proper security posture. Countries such as Ukraine, Indonesia, Bulgaria, Mexico and Poland show the highest rate of domestically hosted systems running unsafe services.
  • Beware of ElasticSearch and MongoDB. Firms that expose these services to the internet have a 4x to 5x higher rate of severe security findings than those that do not run them on internet-facing hosts.
  • Unsafe services uncover other security issues. Failing to patch software and failing to implement web encryption are two of the most prevalent security findings associated with unsafe services.
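The research measured exposure in two ways: the share of internet-facing hosts running an unsafe service, and the share of organizations exposing one anywhere in their footprint. The following is an added example, not RiskRecon's code or classification, that computes both measures over a constructed inventory of listeners; the port-to-service table and the sample hosts are assumptions chosen to mirror the service categories the findings name.

```python
from collections import defaultdict
from typing import List, Tuple

# Port-to-service classification, constructed for this example from the categories the
# report names (datastores, remote access, network administration); not RiskRecon's list.
UNSAFE_PORTS = {
    3306: ("mysql", "datastore"),
    9200: ("elasticsearch", "datastore"),
    27017: ("mongodb", "datastore"),
    23: ("telnet", "remote_access"),
    3389: ("rdp", "remote_access"),
    161: ("snmp", "network_admin"),
}

# Constructed inventory of internet-facing listeners: (organization, host, open port)
INVENTORY: List[Tuple[str, str, int]] = [
    ("acme", "203.0.113.10", 443),
    ("acme", "203.0.113.11", 3306),
    ("acme", "203.0.113.12", 22),
    ("globex", "198.51.100.5", 443),
    ("globex", "198.51.100.6", 80),
    ("initech", "192.0.2.9", 27017),
    ("initech", "192.0.2.9", 3389),
]

def audit(inventory: List[Tuple[str, str, int]]) -> dict:
    """Share of hosts running an unsafe service, share of organizations exposing one
    anywhere, counts per service category, and the individual findings to remediate."""
    hosts = defaultdict(set)          # (org, host) -> unsafe service names found on it
    per_category = defaultdict(int)
    for org, host, port in inventory:
        found = hosts[(org, host)]    # registers the host even when it is clean
        if port in UNSAFE_PORTS:
            service, category = UNSAFE_PORTS[port]
            found.add(service)
            per_category[category] += 1
    unsafe_hosts = {key for key, found in hosts.items() if found}
    orgs = {org for org, _ in hosts}
    unsafe_orgs = {org for org, _ in unsafe_hosts}
    return {
        "hosts_unsafe_pct": round(100.0 * len(unsafe_hosts) / len(hosts), 1),
        "orgs_unsafe_pct": round(100.0 * len(unsafe_orgs) / len(orgs), 1),
        "per_category": dict(per_category),
        "findings": sorted((org, host, s) for (org, host), found in hosts.items() for s in found),
    }
```

The two rates diverge by design: one exposed host is enough to put an organization in the 33% figure, which is why the organization-level measure is the one that matters for third-party risk.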


“This research should be welcome news to organizations struggling under the pressure to conduct exhaustive and time-consuming security assessments of their external business partners,” said Jay Jacobs, partner, Cyentia Institute.

“Similar to how medical doctors diagnose illnesses through various outward signs exhibited by their patients, third-party risk programs can perform quick, reliable diagnostics to identify underlying cybersecurity ailments.

“Not only is the presence of unsafe network services a problem in itself, but the data we examine in this report also shows that they’re a symptom of broader problems. Easy, reliable risk indicators like this offer a rare quick win for risk assessments.”

Over 60% of the Fortune 1000 had at least one public breach over the last decade

Over 60% of the Fortune 1000 had at least one public breach over the last decade, according to Cyentia Institute research. On an annual basis, it is estimated that one in four Fortune 1000 firms will suffer a cyber loss event. That ratio approaches 50% for the Fortune 250.

[Figure: Annual percentage of Fortune 1000 firms with known breaches]

Moving beyond mega-corporations, the probability of cyber incidents drops substantially. SMBs have breach rates below 2% and are orders of magnitude less likely to suffer 10 or more breaches in a year.

Estimating breach losses

The likelihood of breaches also varies by industry. Government agencies, information services, financial firms, and educational institutions have the highest rates. Construction, agriculture, and mining occupy the lower end of the frequency spectrum.

The traditional method of estimating breach losses—using a flat cost per record—is flat-out harmful. It results in $1.7 trillion of error due to overestimating losses compared to actual recorded values. We demonstrate a better method for more accurate cyber risk assessments.

We can use the number of exposed records to estimate breach losses, but it’s probabilistic rather than deterministic. An exposure of 1,000 records has a 6% chance of exceeding $10M. By comparison, a massive breach of 100M records has a better than 50% chance of racking up at least $10M in losses.

The financial impact

Financial losses following a cyber event typically run about $200K, but 10% of breaches exceed $20M. The cost of extreme events (95th percentile) to the mega corporations in the Fortune 250 approaches $100M (or more).

Typical and extreme losses differ substantially among industries. The information services and retail sectors show abnormally high losses that exceed many other sectors by a factor of 10.

Cyber events show harsh economies of scale. A $100B enterprise that experiences a typical cyber event ($292K) should expect a cost that represents 0.000003% of annual revenues. A mom-and-pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of its earnings ($24K) or more.