The Ongoing Battle: Is Time on the Side of Hackers or Defenders?
After a new CVE (Common Vulnerabilities and Exposures entry) is made public, cybercriminals often begin scanning the internet for exploitable systems within an hour. But what happens when the developers of the vulnerable software do not release patches quickly? That raises the question of how much time organizations running potentially vulnerable software actually have to strengthen their defenses, and how best to use it.
Hackers run active scans of IP address ranges to identify vulnerable services during the initial intelligence-gathering stage (reconnaissance, in terms of the MITRE ATT&CK matrix). According to expert estimates, such scanning can be observed within minutes of a CVE's publication.
But after identifying vulnerable systems, cybercriminals still need time to develop an exploit themselves or wait for it to appear on specialized dark web sites. For high-profile but simple vulnerabilities, hackers can prepare instructions and a set of commands for developing attack vectors within a couple of hours.
Will the exploit be available to a wide range of attackers? Will it be free? In the first days, usually not: preparing an exploit takes several hours, and it may take several days before mass exploitation of the vulnerability begins. At the same time, it can take manufacturers of vulnerable software weeks, months, and in complex cases even years to release patches. According to reports, less than half of all vulnerabilities identified and submitted to vendors are fixed within a reasonable time. On average, it takes 246 days to fix high-severity vulnerabilities.
The Difficulty of a Task Affects the Speed
If an attacker seeks only to breach an endpoint, gain access, or run a crypto miner, a single exploit will do. A cyberattack with significant consequences for the target requires a far larger investment of time, resources, and effort from the perpetrators. It takes a long time for an attacker to overcome the network perimeter, gain initial access, elevate privileges, reach key network segments and target servers, collect additional data, and finally bring about the unacceptable events. Not many criminal groups can do this quickly and effectively. Some of the tasks can be performed only by highly "professional" attackers who offer their services to specialized groups. All of this takes time and lengthens the attack chain. As a result, the attack may take the cybercrooks not 15 minutes but several weeks.
Making Life More Difficult for Hackers
It is crucial to make the work of a cybercriminal as difficult as possible, namely, to make the implementation of a potential attack unprofitable in terms of the resources spent. To do this, you can carry out the following tactical measures:
- First, identify your own unacceptable events.
- Second, identify the key business processes and target systems that these unacceptable events may affect.
- Third, divide the network into segments.
- Fourth, raise the baseline level of security by hardening the settings of target systems.
- Regularly inventory assets. Keep an eye on the network perimeter and critical areas of the network for any new nodes or services, and pay attention to any changes in settings.
- Take care of security monitoring and incident response measures, including disaster recovery. Ransomware operators strongly dislike it when encrypted data is restored from backups.
- Utilize penetration testing and cyber exercises to test your system's defenses and provide advanced training for the information security team.
- Improve the security habits of employees.
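As an added example (not from the original article), the following script implements the inventory check described in the list above: it compares a perimeter scan against an approved baseline and reports new nodes, new services, and changed settings. The inventory data is constructed for illustration; the `Inventory` shape (host to port to observed settings) is an assumption of this example.

```python
# Added example, not from the original article: compare a perimeter inventory
# snapshot (host -> port -> observed settings) against an approved baseline and
# report the three things the text says to watch for: new nodes, new services
# and changed settings. All inventory data below is constructed.
from typing import Dict, List

Inventory = Dict[str, Dict[int, Dict[str, str]]]

# Constructed baseline recorded at the last inventory review.
BASELINE: Inventory = {
    "203.0.113.10": {
        443: {"service": "https", "tls_min": "1.2"},
        22: {"service": "ssh", "auth": "publickey"},
    },
    "203.0.113.11": {443: {"service": "https", "tls_min": "1.2"}},
}

# Constructed current scan: a database port appeared, SSH now accepts
# passwords, and an unknown host with a Jenkins banner joined the perimeter.
CURRENT: Inventory = {
    "203.0.113.10": {
        443: {"service": "https", "tls_min": "1.2"},
        22: {"service": "ssh", "auth": "password"},
        5432: {"service": "postgresql"},
    },
    "203.0.113.11": {443: {"service": "https", "tls_min": "1.2"}},
    "203.0.113.99": {8080: {"service": "http", "banner": "Jenkins"}},
}


def inventory_drift(baseline: Inventory, current: Inventory) -> List[str]:
    """One finding per new/removed host, new/removed service or changed setting."""
    findings: List[str] = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append(f"NEW HOST {host} ports {sorted(current[host])}")
        elif host not in current:
            findings.append(f"HOST GONE {host}")
        else:
            old, new = baseline[host], current[host]
            for port in sorted(set(old) | set(new)):
                if port not in old:
                    findings.append(f"NEW SERVICE {host}:{port} {new[port].get('service')}")
                elif port not in new:
                    findings.append(f"SERVICE GONE {host}:{port}")
                else:  # same service on both sides; compare every observed setting
                    for key in sorted(set(old[port]) | set(new[port])):
                        if old[port].get(key) != new[port].get(key):
                            findings.append(f"SETTING CHANGED {host}:{port} {key} "
                                            f"{old[port].get(key)} -> {new[port].get(key)}")
    return findings
```

Run on a schedule against real scan output, every finding is a candidate for the change-control review the text calls for.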
Ahead of the Curve
Attackers are in a hurry to release exploits, which means that it is important to act proactively:
- Analyze cyber threats and monitor news about new vulnerabilities. Use the expertise of security vendors in prioritizing and managing vulnerabilities.
- When new vulnerabilities relevant to your infrastructure are discovered, work out whether their exploitation can be detected from indirect signs on the network or on endpoints, and encode the results in your threat detection rules.
- Detect network anomalies using specialized solutions like NTA and XDR.
- Monitor incidents with SIEM solutions using appropriate detection rules.
- Respond according to strict procedures within a clearly defined time frame.
Where to Look For Help
When implementing security measures, bear in mind that an attacker will exploit a vulnerability faster than it can be fixed or a vendor update appears. Defense in depth, network segmentation, and system hardening are a minimal but, on their own, insufficient set of measures. Analyzing cyber threats and developing rules for detecting them require specialized competencies that few companies have. It is challenging to protect target systems under such conditions alone.
It is generally believed that as time goes on, the tools and techniques available to hackers tend to become more sophisticated and effective. At the same time, the tools and techniques available to defenders also improve but at a slower rate. Unfortunately, this means that the "arms race" between hackers and defenders is ongoing, and it is difficult to predict which side will have the upper hand at any given time.
However, it is essential to note that the effectiveness of both hackers and defenders also depends on factors such as the resources available to them, the specific technologies and systems they are targeting or protecting, and the level of awareness and training of the people using these tools. Organizations therefore need to stay up to date on the latest cybersecurity threats and best practices in order to protect themselves as effectively as possible.
The use of vulnerability management (VM), network activity analysis (NTA), security event monitoring (SIEM), and advanced response (XDR) systems backed by their developers' expertise can significantly raise the level of threat awareness and actual security. Combining the expertise of security providers with knowledge of your own infrastructure makes it possible to achieve good results against targeted attacks that exploit both zero-day and old vulnerabilities.