Major software vulnerabilities are a fact of life. Microsoft alone has patched between 55 and 110 vulnerabilities each month this year, with 7% to 17% of those rated critical.
May had the fewest, with 55 in total and only four rated critical. The problem is that the critical ones fall into classes we have seen for many years, such as remote code execution and privilege escalation.
Microsoft isn’t the only big name regularly patching major vulnerabilities: We see monthly security updates coming from Apple, Adobe, Google, Cisco, and others.
Everything old is new again
With major vulnerabilities in so many applications, is there any hope for a secure future? The answer is, of course, yes, but that does not mean there won’t be challenges getting there.
The vulnerabilities being seen may not be new to those of us who have been defending against attackers for years or even decades, but the adversaries continually change their tactics.
It is not uncommon for them to turn legitimate tools and features to nefarious purposes, and that kind of misuse is hard to plan for when an application is being built.
It’s your privilege
With 80% of security breaches involving privileged accounts, privilege escalation is a vulnerability class we will increasingly see exploited. A common tactic of ransomware operators and other threat actors is to obtain elevated privileges on a system so that their activity blends in with legitimate administration and they can reach sensitive data.
An info stealer running as the current user can already exfiltrate anything that user can read, so the odds of losing sensitive data are significant. Admin access nearly guarantees access to the most valuable data.
In addition to keeping software updated, this is where Zero Trust initiatives and data flow monitoring become critical. At a minimum, Zero Trust means that the principle of least privilege should be applied, and multi-factor authentication should be required wherever it is available.
Essentially, this ensures that anyone who does not need access to a system or file cannot access it, while those who do must prove that they are who they say they are. Monitoring the flow of data can also help catch a breach early on, limiting the amount of data stolen.
Remote code execution (RCE) is not going away any time soon. RCE accounted for around 27% of attacks in 2020, up from 7% the prior year. An attacker who can run arbitrary code on your system remotely has far more control than one who tricks a user into running a piece of malware with a fixed set of functions.
With arbitrary code execution, the attacker can move around the system and possibly the network, changing goals and tactics based on what they find.
Behavioral monitoring is one of the best ways to detect RCE on your systems. If an application begins running commands and spawning processes that are not part of its normal behavior, you can stop an attack early. Because RCE is so common, keeping security patches up to date is also essential; it stops many of these attacks before they even start.
Who needs malware anyway?
Today, a favorite attack method is using legitimate processes and trusted applications to accomplish nefarious goals. These fileless, or living off the land, attacks can be difficult to detect because no malicious binary needs to be written to disk or installed.
One of the most common applications to be abused this way is PowerShell. This makes sense because PowerShell is a powerful tool for scripting and running system commands, and it is present on every modern Windows system.
This is another instance where monitoring the behaviors of applications and processes can be vital in stopping an attack quickly. Does PowerShell really need to disable security features?
In most cases, probably not. Behaviors like this can be monitored, even from trusted applications like PowerShell. Combine this monitoring with advanced machine learning and AI, and you can begin fingerprinting normal behaviors on your network, with automated responses to unusual activity.
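To make the behavioral monitoring described above concrete, both for RCE (an application spawning processes it never normally spawns) and for living-off-the-land abuse of PowerShell (a trusted tool disabling security features or hiding its payload), here is an added example in Python. It is not code from the original article or from any product; the parent/child baseline, the indicator patterns, and the process-creation events are all constructed for illustration, and the baseline would in practice be learned from your own fleet rather than hand-written.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 or Windows 4688), normalised."""
    parent: str    # image name of the parent process, lower-case
    image: str     # image name of the new process, lower-case
    cmdline: str   # full command line of the new process
    user: str      # account the new process runs as


# Assumed baseline for this example: the child processes each monitored
# application is expected to spawn. A real baseline is learned from your own
# fleet over time; this one is hand-written to keep the example self-contained.
EXPECTED_CHILDREN = {
    "w3wp.exe": {"csc.exe", "conhost.exe"},   # IIS worker: compiles ASP.NET pages
    "winword.exe": {"splwow64.exe"},          # Word: printing helper only
    "sqlservr.exe": set(),                    # SQL Server should spawn nothing
}

# Interpreters and LOLBins whose appearance under a server or document process
# is a strong sign that arbitrary code is being run.
SHELLS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line patterns for PowerShell being used to switch off or evade
# security controls, or to hide what it is running.
POWERSHELL_INDICATORS = [
    (re.compile(r"set-mppreference.*-disable", re.I), "Defender protection disabled"),
    (re.compile(r"amsiutils|amsiinitfailed", re.I), "AMSI bypass"),
    (re.compile(r"-(?:enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|iex\b|invoke-expression", re.I), "download-and-execute"),
]


def analyze(event: ProcessEvent) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one event; empty means nothing unusual."""
    findings = []

    # Behavioral check 1: a monitored application spawning a child it never spawns.
    # A web server or Office application launching a shell is the classic RCE tell.
    expected = EXPECTED_CHILDREN.get(event.parent)
    if expected is not None and event.image not in expected:
        severity = "high" if event.image in SHELLS else "medium"
        findings.append((severity, f"{event.parent} spawned unexpected child {event.image}"))

    # Behavioral check 2: PowerShell itself behaving in ways a trusted tool
    # rarely needs to, regardless of which parent launched it.
    if event.image in {"powershell.exe", "pwsh.exe"}:
        for pattern, label in POWERSHELL_INDICATORS:
            if pattern.search(event.cmdline):
                findings.append(("high", f"PowerShell {label}"))

    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[tuple[str, str]]]:
    """Run analyze() over a batch; keys are the indexes of events that produced findings."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    ProcessEvent("w3wp.exe", "csc.exe", "csc.exe /noconfig /t:library ...", "IIS APPPOOL\\site"),
    ProcessEvent("w3wp.exe", "cmd.exe", "cmd.exe /c whoami", "IIS APPPOOL\\site"),
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "CORP\\alice"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
                 "CORP\\bob"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe Get-ChildItem C:\\Users", "CORP\\alice"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        for severity, message in findings:
            print(f"event {index} [{severity}] {message}")
```

Run as-is, the IIS worker compiling a page and a user listing a directory from PowerShell produce nothing, while the IIS worker running `cmd.exe`, Word launching an encoded PowerShell command, and PowerShell turning off Defender's real-time protection each raise a finding. The two checks are deliberately independent: the first catches RCE in any application you have a baseline for, the second catches abuse of PowerShell even when its parent (here `explorer.exe`) is not monitored at all.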
Go forth and repeat yourself
While the common types of attack may not change much, any change to an application or its code has the potential to introduce new vulnerabilities. This doesn't mean we should give up and just let the adversaries win. It means that now is the time to double down on our efforts to thwart their attempts.
Implement a patch management strategy, monitor the network, use behavioral detection, and avoid complacency. The fact that major software providers are regularly patching major vulnerabilities is actually a good thing because the attackers are not giving up, so neither should we.