The Vulnerabilities of the Past Are the Vulnerabilities of the Future

Major software vulnerabilities are a fact of life: Microsoft has patched between 55 and 110 vulnerabilities each month this year, with 7% to 17% of those vulnerabilities being critical.

May had the fewest vulnerabilities, with a total of 55 and only four considered critical. The problem is that the critical vulnerabilities are things we have seen for many years, like remote code execution and privilege escalation.

Microsoft isn't the only big name regularly patching major vulnerabilities: We see monthly security updates coming from Apple, Adobe, Google, Cisco, and others.

Everything old is new again

With major vulnerabilities in so many applications, is there any hope for a secure future? The answer is, of course, yes, but that does not mean there won't be challenges getting there.

The vulnerabilities we see today may not be new to those of us who have been defending against attackers for years or even decades, but adversaries continually change their tactics.

It is not uncommon for them to use legitimate resources for nefarious purposes, and it may not always be possible to plan for this misuse when an application is being built.

It's your privilege

With 80% of security breaches involving privileged accounts, a major vulnerability we will increasingly see exploited is privilege escalation. A common tactic of ransomware operators and other threat actors is to achieve elevated privileges on a system to help legitimize their actions and gain access to sensitive data.

If an info stealer has the same access as the current user, the chances of exfiltrating sensitive data are significantly increased. Meanwhile, admin access nearly guarantees access to juicy data.

In addition to keeping software updated, this is where Zero Trust initiatives and data flow monitoring become critical. At a minimum, Zero Trust means that the principle of least privilege should be applied, and multi-factor authentication should be required wherever it is available.

Essentially, this ensures that anyone who does not need access to a system or file cannot access it, while those who do must prove that they are who they say they are. Monitoring the flow of data can also help catch a breach early on, limiting the amount of data stolen.

Remote control

Remote code execution (RCE) is not going away any time soon. These attacks accounted for around 27% of the attacks in 2020, up from 7% the prior year. If an attacker can find a way to run arbitrary code on your system remotely, they have a lot more control than they would from just getting a user to unwittingly run a piece of malware with predefined functions.

If the attacker can run arbitrary code remotely, they gain the ability to move around the system and possibly the network – enabling them to change their goals and tactics based on what they find.

Behavioral monitoring is one of the best ways to detect RCE on your systems. If an application begins running commands and spinning up processes that are not part of its normal behavior, you can put a stop to an attack early on. The fact that RCE is so common also mandates that you keep security patches up to date to stop many of these attacks before they even start.
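To make the idea concrete, here is an added example (not from the original post) that learns which child processes each application normally starts and flags anything outside that baseline. The event lists, process names and the min_count threshold are constructed for illustration.

```python
from collections import Counter

# Constructed process-creation events (parent image, child image), in the
# shape of Sysmon Event ID 1 / Windows 4688 records reduced to two fields.
BASELINE_EVENTS = [
    ("w3wp.exe", "csc.exe"),
    ("w3wp.exe", "csc.exe"),
    ("w3wp.exe", "conhost.exe"),
    ("w3wp.exe", "conhost.exe"),
    ("sqlservr.exe", "conhost.exe"),
    ("sqlservr.exe", "conhost.exe"),
    ("w3wp.exe", "werfault.exe"),   # seen once: too rare to count as normal
]
LIVE_EVENTS = [
    ("w3wp.exe", "csc.exe"),
    ("w3wp.exe", "cmd.exe"),
    ("sqlservr.exe", "powershell.exe"),
    ("nginx.exe", "conhost.exe"),
    ("w3wp.exe", "werfault.exe"),
]

def build_baseline(events, min_count=2):
    """Map each parent to the children it spawned at least min_count times."""
    counts = Counter((p.lower(), c.lower()) for p, c in events)
    baseline = {}
    for (parent, child), n in counts.items():
        baseline.setdefault(parent, set())
        if n >= min_count:
            baseline[parent].add(child)
    return baseline

def find_anomalies(baseline, events):
    """Return (parent, child, reason) for live events outside the baseline."""
    alerts = []
    for parent, child in events:
        p, c = parent.lower(), child.lower()
        if p not in baseline:
            alerts.append((p, c, "parent never profiled"))
        elif c not in baseline[p]:
            alerts.append((p, c, "child not in parent's baseline"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print(alert)
```

A parent with no profile is reported separately from a known parent starting an unusual child, since the first usually means the baseline window was too short rather than that something is wrong.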

Who needs malware anyway?

Today, a favorite attack method is using legitimate processes and trusted applications to accomplish nefarious goals. These fileless, or living off the land, attacks can be difficult to detect because the malware does not need to be installed.

One of the most common applications to be exploited this way is PowerShell. This makes sense because PowerShell is a powerful application used to script and run system commands.

This is another instance where monitoring the behaviors of applications and processes can be vital in stopping an attack quickly. Does PowerShell really need to disable security features?

In most cases, probably not. Behaviors like this can be monitored, even from trusted applications like PowerShell. Combine this monitoring with advanced machine learning and AI, and you can begin fingerprinting normal behaviors on your network, with automated responses to unusual activity.
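As an added example (not from the original post), the check below inspects PowerShell command lines from process-creation logs for attempts to switch off or exclude Microsoft Defender protections, decoding any -EncodedCommand payload first so the rule sees the real script. The two rules and the sample command lines are constructed for illustration and are not a complete rule set.

```python
import base64
import re

# Illustrative rules only (an assumption of this example, not a complete set).
TAMPER_RULES = {
    "defender-feature-disabled": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    "defender-exclusion-added": re.compile(r"Add-MpPreference\b.*-Exclusion\w+", re.I),
}
# PowerShell accepts abbreviated forms of -EncodedCommand such as -e, -ec, -enc.
ENCODED_ARG = re.compile(r"\s-(?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]{8,})", re.I)

def effective_script(command_line):
    """Return the command line plus the decoded -EncodedCommand payload, if any."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return command_line
    try:
        # -EncodedCommand carries base64 of the UTF-16LE script text.
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line  # undecodable: fall back to the raw text
    return command_line + "\n" + decoded

def tamper_findings(command_line):
    """Names of the rules matched by the raw or decoded command."""
    script = effective_script(command_line)
    return sorted(name for name, rule in TAMPER_RULES.items() if rule.search(script))

def _encode(script):
    """Build a constructed sample in the encoding PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed command lines, as they would appear in process-creation logs.
SAMPLES = [
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "powershell.exe -NoP -enc " + _encode("Add-MpPreference -ExclusionPath C:\\Temp"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(tamper_findings(line), "<-", line[:60])
```

The rules match on the parameter name only, so a command that re-enables a feature also fires; treat a hit as a prompt to look at who ran it and from which parent process.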

Go forth and repeat yourself

While the common types of attacks may not change much, any change to an application or its code has the potential to introduce new vulnerabilities. This doesn't mean we should give up and just let the adversaries win. It means that now is the time to double down on our efforts to thwart their attempts.

Implement a patch management strategy, monitor the network, use behavioral detection, and avoid complacency. The fact that major software providers are regularly patching major vulnerabilities is actually a good thing because the attackers are not giving up, so neither should we.
