Equifax back in the news reminds us why Predictive Patching matters
So a few days back, Equifax made the news again when it was discovered that an additional 2.4 million names and driver's license numbers were exposed. In 2017, the Equifax breach, along with the WannaCry and NotPetya attacks, served as a sober reminder: many enterprises were simply doing a bad job on patching. Why are IT teams behind on something for servers that is almost fully automated on our laptops?
The answer is simple: at the enterprise level patching is hard.
The simple truth is that old vulnerabilities persist because patching can easily become an expensive and time-consuming task. Consider CVE-2017-5638, exploited in the Equifax breach. Patching this vulnerability actually required a major rebuild of Apache Struts and of the applications developed on it. Development and testing take significant time and resources — often weeks of dedicated effort.
So the question becomes: how does one decide what to patch? For instance, when the vulnerability associated with WannaCry was disclosed by NIST, 60 other vulnerabilities with a higher severity rating were released during that same week. Factors such as the severity of a vulnerability and its impact on the specific enterprise are important, and network defenders should consider them, but they fall short in considering the threat — those who are actually performing the attack. In other words: is there someone actively creating or distributing an exploit for the vulnerability in question? An answer to this question would provide insight into whether an attack is already in the planning stages.
Understanding hacker communities on the deep and dark web can enable an understanding of threat behavior — particularly with respect to assessing vulnerabilities for their risk of exploitation. However, this effort raises its own set of challenges. Deep and dark web crawling is difficult in its own right, as these communities are well protected. Even when the data is obtained, there are significant challenges in finding the most relevant information and judging its reliability. Some companies are fortunate enough to have a dedicated data scientist for this task or the ability to engage extensive third-party consultants, but many firms will see this as a near-term drain on resources.
Studies conducted over the past year by our group have shown that we can predict which vulnerabilities are going to be exploited based on dark web communications. Many different factors are taken into consideration. Here are but a few:
- textual analysis of what potential attackers are saying
- availability and price of exploits on underground markets
- established reliability of the source (deepweb or darkweb site)
- information about threat actors involved in the conversation
We also found that studying the interactions between individuals on the dark web, measured with advanced graphical models, is very helpful. Additionally, combining dark web information with technical aspects of the vulnerability itself yields surprisingly good predictive power. Good machine learning goes beyond the quality of the data sources used and must take into account which algorithm is best suited for the task, established by thorough evaluation. We have taken these steps and are currently partnering with a number of MSSPs and cyber security consultants who actively use this information to augment risk assessments and add value to other tools, such as vulnerability scans. We typically find that 10–30 per cent of vulnerabilities in a scan are associated with an elevated risk of exploitation based on our combination of machine learning and deep/dark web information.
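As an added illustration (not CYR3CON's model or code), the toy prioritizer below scores each finding from a scan on severity, enterprise impact and the threat factors listed above, and shows how a lower-severity CVE with active underground chatter moves to the top of the patch queue. The weights, the placeholder CVE ids and the host and post counts are all constructed.

```python
"""Threat-based vulnerability prioritization over a constructed sample scan."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float                # severity score, 0-10
    exposed_hosts: int         # impact proxy: hosts in the scan carrying it
    forum_posts: int           # deep/dark web posts discussing the CVE
    source_reliability: float  # 0-1, established reliability of those sources
    exploit_listed: bool       # exploit offered on an underground market


def threat_signal(f: Finding) -> float:
    """0-1 estimate that someone is preparing an exploit. Chatter saturates at
    10 posts and is discounted by source reliability; a market listing is the
    strongest single signal. Weights are constructed, not a published model."""
    chatter = min(f.forum_posts, 10) / 10 * f.source_reliability
    market = 0.6 if f.exploit_listed else 0.0
    return min(1.0, chatter + market)


def risk_score(f: Finding, total_hosts: int) -> float:
    """Blend severity, enterprise impact and threat into one 0-1 score."""
    severity = f.cvss / 10
    impact = f.exposed_hosts / total_hosts
    return round(0.3 * severity + 0.2 * impact + 0.5 * threat_signal(f), 3)


def rank_by_severity(findings):
    """The CVSS-only ordering most scanners produce by default."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_risk(findings, total_hosts):
    """The threat-aware ordering: what to patch first."""
    return [f.cve for f in sorted(findings, key=lambda f: -risk_score(f, total_hosts))]


def elevated(findings, total_hosts, threshold=0.5):
    """The slice of the scan flagged as elevated risk."""
    return [f.cve for f in findings if risk_score(f, total_hosts) >= threshold]


# Constructed sample scan; the CVE ids are placeholders, not real identifiers.
TOTAL_HOSTS = 200
SCAN = [
    Finding("CVE-0000-0001", 9.8, 40, 0, 0.0, False),   # critical, no chatter
    Finding("CVE-0000-0002", 8.1, 120, 12, 0.9, True),  # lower CVSS, active threat
    Finding("CVE-0000-0003", 7.5, 10, 2, 0.4, False),
    Finding("CVE-0000-0004", 9.1, 5, 1, 0.2, False),
]
```

With these inputs the CVSS-only ordering puts CVE-0000-0001 first, while the threat-aware ordering promotes CVE-0000-0002, the only finding flagged as elevated (one of four, inside the 10–30 per cent band described above).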
The method works well. In nearly every major cyber attack this year, the system flagged the involved vulnerability well in advance of the attacks — including WannaCry, Petya, SambaCry, CopyCat, and Equifax. Knowing which vulnerabilities are high-risk is crucial to improving the allocation of IT resources. The complexity of modern IT infrastructure has pushed cyber security toward a more risk-based approach. Identifying and mitigating, well in advance, the risks that an adversary is likely to exploit is crucial to such a strategy — and threat-based vulnerability prioritization is an important step in that direction.
Think of it as “Predictive Patching” — patching the vulnerabilities that hackers are preparing to exploit, but before they are used in an attack. Predictive patching is real. It can reduce the occurrence of breaches like Equifax.
Paulo Shakarian is CEO of CYR3CON, a cybersecurity company that specializes in identifying cyber threats in their earliest stages, leveraging both human analysts and advanced machine learning capabilities. In 2017, CYR3CON was named a finalist in PwC’s Cybersecurity Day, the Arizona Technology Council’s “Startup of the Year”, and MD5 Starts Austin, in addition to winning a Defense Innovation Challenge award. Most recently, CYR3CON was named a finalist in SixThirtyCYBER’s startup competition.