Critical CVEs: Why Chasing Squirrels is Driving the Whole Industry Nuts
By Josh Campbell from Cyborg Security
Let’s face it: if you’ve been in the cyber security industry more than about 5 minutes, you’ve probably experienced the chaos that ensues when critical vulnerabilities, like zero days, are announced. The mayhem is always the same: CISOs scrambling to find out if their organization is exposed; patch management teams working to update vulnerable software; and security teams are desperately trying to answer the big question: “have we been compromised?” If you have been in a SOC during these events, it can often seem as if every team is chasing proverbial squirrels madly off in all directions.
And if you’ve been paying attention lately, it probably hasn’t escaped your notice that these events (or “squirrel moments” as I have come to call them) seem to be happening with greater frequency. And that is, in this author’s humble opinion, a pretty serious problem for the whole industry.
Why? Well, there are several reasons.
Critical CVEs are Time Sinks
The first reason is simply this: these squirrel moments are massive time-sinks for security teams. Security practitioners everywhere will tell you that the two most important resources they have are caffeine and time, and it is the latter that is continually in short supply and that makes security a zero-sum game. So, when a critical vulnerability drops, and security teams are forced to divert their time to chase these squirrels, it is always at the expense of other things, things that may age out, things that may be missed, and things that could have just as devastating an effect as that critical CVE.
Critical CVEs are on the Rise
The second reason is that, by every account, these squirrel moments are not going away, and in fact by many measures they are growing at a rather rapid pace. This means that, as we move forward, we can expect what might have been once-a-year events to turn into quarterly, or even monthly, occurrences. This kind of disruption to security teams (and even whole organizations) would likely take a heavy toll on already thinly stretched resources.
Chasing Critical CVEs is Reactive
The third reason is that chasing critical CVEs is wholly reactive. By its very nature, to chase a squirrel, there must be a squirrel to chase. To react to vulnerabilities, you first need to be alerted to the existence of vulnerability and this often comes long after active exploitation is detected. And, once alerted, then the organization must figure out if they are affected. And lastly, they must figure out a solution — especially if a patch is not yet available. This means that by the time an organization has mounted any response, they are entirely in defense mode.
As a example of this last point, let’s examine the recent (and now infamous) log4j vulnerability. This vulnerability was announced in December but it turns out that a working proof-of-concept (PoC) had been publicly available since early 2021. This means organizations needed to assume that the adversaries that truly matter have been using it at least that long (if not longer). Once that is the case, to mix a metaphor, the squirrel is out of the barn.
Additionally, because the vulnerability affected a library used by thousands or millions of software packages, many organizations are still, more than a month later, trying to figure out if they are even vulnerable, let alone impacted. Should an organization find that not only are they vulnerable, but that they have been compromised, a lot of the damage is already done.
Are You Saying Security Teams Shouldn’t Care About Critical CVEs?
No. Major weaknesses within a kingdom’s defenses should always be investigated and patched as soon as possible. What I am saying is that the, often times uncontrolled, chaos surrounding detecting these squirrel moments is time and effort better spent on the already overwhelming job of day-to-day security.
So, What’s the Solution?
I will forewarn you, the reader, that the solution to this problem is far from simple and will not happen overnight or with the addition of “one more” appliance or agent. But it is an achievable goal, I think.
The solution requires organizations to reconsider their security strategy to incorporate true behavioral threat hunting into their program and then to assume that their organization, if not yet, will eventually be breached by an actor probably leveraging some critical CVE, or phishing, or some other as-yet-unknown method. But instead of panicking every time a new vulnerability is publicly announced, they focus their capabilities on ensuring that any adversary that breaches the wall for initial access will undoubtably be quickly discovered. Afterall, while the method of initial access might be novel — exploiting a new vulnerability — the behaviors the actor exhibits after the fact are often programmatically routine. So, an organization that can reliably detect suspicious and malicious behaviors internally will be much less concerned when critical CVEs drop.
How Do We Get There?
The typical question I get from security practitioners when I bring this whole concept up is: “well, how do we get there from here?”
In my opinion, the answer to that is simple. Organizations need to push away the mentality that they can rely on the legacy one-size-fits-all “black box” mentality of security where an appliance or agent will protect you, exclusively. Instead, they need to focus on building a proactive strategy that focuses on robust and confident detection of malicious and suspicious behaviors in their environment so that when a new vulnerability rears its head, the security teams don’t have to get all squirrely.
If you want to see how behavioral threat hunting can help reduce the squirrels your security team has to chase, sign up here and use Promocode ‘SQUIRRELS’ for EXCLUSIVE access to Cyborg Security’s threat hunting content platform, HUNTER.