In a sea of vulnerabilities clamoring for attention, it’s almost impossible to know which IT security issues to address first. Vendor advisories provide a tried-and-true means for keeping on top of known attack vectors. But there’s a more expedient option: Eavesdrop on attackers themselves.
Given their increasingly large attack surfaces, most organizations tie their vulnerability management cycle to vendor announcements. But initial disclosure of security vulnerabilities doesn’t always come from vendors, and waiting for official announcements can put you days, or even weeks, behind attackers, who discuss and share tutorials within hours of a vulnerability becoming known.
“Online chatter typically [begins] within 24 to 48 hours of the initial public disclosure,” says Levi Gundert, vice president of threat intelligence at Recorded Future, citing the firm’s in-depth analysis of discussions on foreign-language forums.
Vendor advisories, blog posts, mailing list messages, Homeland Security CERT alerts -- defenders aren’t the only ones reading these announcements. Knowing what piques attackers’ interest -- and how they plan to exploit holes before vendors can respond -- is a great way to get a jump on the next wave of attacks.
Last year’s Java object serialization flaw provides a perfect example. First disclosed in a conference talk in January 2015, the flaw didn’t attract attention until Nov. 6, when researchers at FoxGlove Security found that the issue impacted multiple core enterprise applications, such as WebSphere and JBoss. It took Oracle another 12 days and Jenkins 19 days to release formal announcements addressing the vulnerabilities in WebLogic Server and Jenkins.
Attacker communities, however, began discussing the FoxGlove Security blog post within hours, and proof-of-concept exploit code appeared six days later, Recorded Future found. A detailed exploit tutorial describing how to execute the attack was available Nov. 13, five days before Oracle released anything. By the first week of December, attackers were already trading the names of vulnerable organizations and the specific URLs that would trigger the flaw on those targets.
“Obviously the time between vulnerability recognition and vendor patch release or workaround is valuable for threat actors, but when detailed exploit guides are available in multiple languages, that time delta can be disastrous for businesses,” Gundert says.
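The pattern behind the Java flaw, and the mitigation a defender can apply on the application side without waiting for a vendor patch, as an added example that is not code from the article, Recorded Future, FoxGlove Security or the affected vendors. The `Greeting` and `Gadget` classes and the `readUnsafe`/`readFiltered` readers are hypothetical names chosen for illustration; `Gadget` only sets a flag and stands in for the real gadget chains the 2015 exploits used, which are not reproduced here. The hardened reader assumes Java 9 or later, where `java.io.ObjectInputFilter` (JEP 290) is available.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    /** The only type this (hypothetical) service legitimately expects on the wire. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /**
     * Hypothetical stand-in for a gadget class. Its readObject() runs as a side
     * effect of deserialization, before the caller's cast is ever evaluated.
     * The real 2015 chains reached Runtime.exec(); this one only sets a flag.
     */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean payloadRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            payloadRan = true; // a real gadget would spawn a process here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** VULNERABLE: instantiates whatever class name the untrusted stream declares. */
    static Greeting readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The cast happens only after the declared class's readObject() has already run.
            return (Greeting) ois.readObject();
        }
    }

    /** HARDENED: an allow-list filter rejects unexpected classes before they are instantiated. */
    static Greeting readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Non-class checks (depth, reference count, stream size): leave to the defaults.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return (c == Greeting.class || c == String.class)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowList); // must be set before readObject()
            return (Greeting) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));   // constructed sample input
        byte[] hostile = serialize(new Gadget());           // constructed sample input

        System.out.println("filtered reader, benign stream: " + readFiltered(benign).text);

        try {
            readUnsafe(hostile);
        } catch (ClassCastException expected) {
            // The cast fails, but only after Gadget.readObject() has executed.
        }
        System.out.println("unsafe reader ran gadget payload: " + Gadget.payloadRan);

        Gadget.payloadRan = false;
        try {
            readFiltered(hostile);
        } catch (InvalidClassException rejected) {
            System.out.println("filtered reader rejected the stream: " + rejected.getMessage());
        }
        System.out.println("filtered reader ran gadget payload: " + Gadget.payloadRan);
    }
}
```

The point of the filter is that it runs before a class is resolved and instantiated, so a gadget's `readObject()` never executes; the unsafe reader's cast is a check that comes too late. A per-stream filter is the narrowest fix; the same allow-list can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is what covers third-party code paths you do not control.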
The OPcache Binary Webshell vulnerability in PHP 7 is another example of attackers jumping ahead of the game. Security firm GoSecure described the new exploit on April 27, and Recorded Future uncovered a tutorial explaining how to use the proof of concept referenced in GoSecure's blog post on April 30. As GoSecure noted, the vulnerability didn't affect every PHP 7 installation: it required a specific, non-default OPcache configuration, with the file cache enabled and its directory writable through an upload the attacker controls. But with the resulting tutorial, attackers could have an easier time finding servers whose configuration made them vulnerable to the file upload flaw.