Data-backed insights for future-proof cybersecurity strategies

The Qualys Threat Research Unit (TRU) has been hard at work detecting vulnerabilities worldwide, and its latest report is set to shake up the industry.

In this Help Net Security interview, Travis Smith, VP of the Qualys TRU, talks about the 2023 Qualys TruRisk Threat Research Report, which provides security teams with data-backed insights to help them better understand how adversaries exploit vulnerabilities and render attacks.

What are the most dangerous cyber threats to look out for in 2023? How do these threats compare to those of previous years, and what makes them particularly dangerous?

First and foremost (as expected), ransomware remains a top threat to organizations worldwide. But how this trend has and continues to evolve is becoming more sophisticated and specific.

Over the last few years, threat actors have shifted tactics to mature into extortion-ware, whereby they exfiltrate and encrypt data. In addition, ransomware-as-a-service groups are lowering the barrier of entry for less sophisticated threat actors to monetize their nefarious intentions providing step-by-step attack playbooks.

Supply chain attacks, as seen with the recent 3CX Desktop App software compromise, are another threat to pay close attention to in 2023. These are especially dangerous for organizations since they inherently trust legitimate software to run within their organization. It is important for organizations to not only reduce their attack surface by patching and addressing misconfigurations but also by focusing on detection strategies looking for abnormal behaviors.

What tactics have threat actors used to exploit the most critical vulnerabilities, and what can organizations do to protect themselves?

The high-level tactics threat actors continue to leverage remain relatively unchanged year over year. However, what is in a constant state of flux are the vulnerabilities that threat actors look to leverage in their victims’ environments. In 2022 there were more than 25,000 vulnerabilities published in the industry, with only a small portion weaponized or are known to be exploited by threat actors.

It is critical for all organizations to follow a threat informed defensive strategy that allows them to prioritize remediation in their unique environment.

While the 2023 TruRisk Research report conducted an in-depth review of the top 163 vulnerabilities, there were an additional 500 vulnerabilities released prior to 2022 that were weaponized or exploited for the first time in 2022. While threat actors add new and novel vulnerabilities to their Swiss Army Knife of tools, they also target older unpatched vulnerabilities similarly.

Why are misconfigurations among the top reasons for data breaches in web applications?

Anonymized detections in 2022 from the Qualys Web Application Scanner – which globally scanned 370,000 web applications and correlated data against the OWASP Top 10 – revealed more than 25 million vulnerabilities, 33% of which were classified as OWASP Category A05: Misconfiguration. These misconfiguration vulnerabilities cause malicious actors to spread malware in about 24,000 web applications.

Security misconfigurations are a top reason for data breaches because they cover a wider category of areas – dependent on administrators. Misconfigurations largely entail improper controls used to protect web applications. Oftentimes this occurs when security best practices are not followed, such as not changing default permissions or passwords.

Another type of misconfiguration can be applications that share too much information, such as detailed stack traces for errors. By not following security best practices, these web applications are vulnerable to various attacks. For example, sophisticated attackers may use information disclosed in a verbose stack trace to identify web application technologies and mount a more advanced attack to breach a site. Even a simple error, such as not disabling directory listings, can trigger long-term issues if personally identifiable information (PII) is inadvertently exposed through misconfigurations.

All organizations must tighten processes across the various platforms – dev, testing, staging, and production. A misconfigured system can be abused for various reasons, with many configuration issues in 2022 related to ransomware. Utilizing ‘Level 1 of CIS Hardening Benchmarks’ is an effective starting point to address this threat and improve security posture. Individual controls associated with ransomware-specific techniques must be reviewed carefully when found failing in your environment. Additionally, it is vital to understand the shared security model for cloud infrastructure. Leveraging the CIS Hardening Benchmarks or other best practices to protect cloud workloads will reduce the overall risk to your organization.

What is the average time it takes organizations to patch weaponized vulnerabilities, and what is the patching success rate?

On average, weaponized vulnerabilities are patched within 30.6 days (about one month) while only being patched an average of 57.7% of the time. Attackers weaponize these same vulnerabilities in 19.5 days (about 3 weeks) on average. This means attackers have 11.1 days (about one and a half weeks) of exploitation opportunities before organizations begin patching.

Arguably the remediation activity accelerates after weaponization happens. Hence, it is essential to predict which vulnerabilities could be weaponized and patch them as early as possible to avoid an emergency drill.

A defender’s mean time to remediation (MTTR) shows a slight change in how organizations respond to urgent threats. Vulnerabilities known to be leveraged by named threat actors were remediated eight days faster than those without association with known threat actors. While defenders are quick to address these, attackers are quick to weaponize them.

What is the mean time to remediate weaponized vulnerabilities related to Chrome or Windows, and what is the effective patch rate? How do the patching rates for Windows and Chrome compare to other applications?

Most weaponized vulnerabilities discussed in the 2023 TruRisk Research Report were in Chrome or Windows – due to the high prevalence of that browser and operating system. Chrome and Windows comprise one-third of the weaponized vulnerabilities dataset, with 75% leveraged by named threat actors. Knowing these are prime risk vectors, organizations typically patch them first and most thoroughly.

The mean time to remediation for these products globally is 17.4 days (about two and a half weeks) with an effective patch rate of 82.9%. This means that Windows and Chrome are patched twice as fast and twice as often as other applications.

The major differentiator between vulnerabilities found in Windows and Chrome versus the larger set of weaponized vulnerabilities was the maturity of the patching processes. This underscores that the ability to automate the remediation of vulnerabilities makes a huge difference. In fact, all automatable vulnerabilities are patched faster and more often across the board.

What is the mean time to remediation for IAB vulnerabilities, and how does it compare to the remediation time for Windows and Chrome?

A growing trend in the threat actor landscape is a category called Initial Access Brokers (IABs), sometimes called “affiliates.” IABs primarily add new exploits to their toolkits outside of Windows and Chrome. While they still find those exploits appealing when they encounter them, externally facing systems were targeted most in 2022 – likely because these vulnerabilities taargeted throughout the year were patched.

Remediation timelines for CVEs leverage by IABs are much worse than for Windows and Chrome. IAB vulnerabilities have a mean time to remediation of 45.5 days, compared to 17.4 days for Windows and Chrome. The patch rates are also lower, patched at a rate of 68.3% compared to 82.9% for Windows and Chrome.

Did any of the discoveries in the report catch you off guard while you were working on it? How do you see the threat landscape evolving in the near future?

For me, this report largely reaffirmed that adversaries continue to make it their business to understand the vulnerabilities and weaknesses within their victims’ environments. The report underscores that this could shift the balance of power and control in their favor, enabling cybercriminals to exploit vulnerabilities that organizations may not be aware of.

The most eye-catching piece of this research was the state of misconfigurations – specifically related to preventing ransomware. The fact that it was hovering at around a 50% pass rate was a shocking discovery – especially considering the default pass rate of a Windows 10 instance sitting at 34%. The 16% improvement in passing rate from default signals that organizations are addressing the misconfiguration risks in their environment. However, there is still room for improvement that reduces the risk posed by ransomware.

At the end of the day, no one has a crystal ball to be able to predict what the future holds. What we do know is that threat actors will only continue to grow increasingly sophisticated, finding new and unique ways into their victims’ environments. They will continue to add any new vulnerabilities to their Swiss Army Knife of exploits in addition to targeting those that remain unpatched.