Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
At the time of writing, there are hundreds of thousands of publicly known vulnerabilities. These range from critical flaws that could cause irreparable damage if exploited to low-severity issues that might seem barely even worth bothering with.
With vulnerability management, the challenge is knowing which is which.
With so many vulnerabilities across operating systems, networks, software, and more, it’s easy to get lost in the noise and lose perspective. After all, most vulnerabilities either won’t affect you or aren’t critical enough to worry about. But a small number can cause irreparable damage, meaning it’s hugely important to identify and remediate these.
This is harder than it might seem on the surface, because a particular vulnerability can have wildly different levels of risk to different organizations, depending on the way their IT environment is architected and the specific IT assets it might target. While some ‘standard’ risk scores (eg CVSS) exist, only you can decide how that relates to your specific organization.
Needless to say, getting this call right is easier said than done.
In this blog, we discuss five key questions you need to ask in order to decide how effective your vulnerability strategy is. But first, it’s helpful to understand how hackers target your environment and exploit the most critical vulnerabilities.
Heimdal enables customers to scan, prioritize, and remediate vulnerabilities for all their IT assets through one centralized dashboard. Find out more.
Disclosure to breach: How hackers gain, sell, and exploit access
Cybersecurity vulnerabilities fall into two main categories:
- Zero-day – These vulnerabilities haven’t been discovered by the software manufacturer and therefore cannot be patched.
- Known vulnerabilities – As the name would suggest, these have been discovered. Patches are generally released shortly after the vulnerabilities are made known.
Both known and unknown vulnerabilities can be exploited by hackers at any time. Sadly, there’s no straightforward way to prevent zero-day vulnerabilities being targeted, since no patches exist.
But luckily, hackers are much more likely to target known vulnerabilities. In fact, hackers regularly exploit issues that have been known for years, because there will always be some organizations that haven’t installed the relevant patch. This is why effective patch management is so important.
When a vulnerability is discovered, the software vendor will announce it to the cybersecurity community via the CVE database and release a patch as soon as possible. They will then encourage software users to install the patch, therefore making sure their IT environment can’t be exploited by the vulnerability.
So far so good. But here’s the challenge: you can’t tell customers about a new vulnerability without also informing the hackers. If all patches were installed immediately, there wouldn’t be an issue. But even the most proactive cybersecurity teams can’t install every patch as soon as it’s released.
This means that the disclosure of a new vulnerability often creates a frantic race where hackers attempt to exploit it before customers can patch it. That process looks something like this:
CVE disclosure
The software vendor discovers and announces the vulnerability, and an entry is made in the CVE database. Customers are informed of the issue and encouraged to install the patch.
Hackers scan for vulnerable systems
Hackers get news of the new vulnerability and start scanning for IT environments that both use the relevant software and haven’t installed the patch. At this early stage, finding a company that fits this profile is comparatively easy.
- Cybercrime chatter – At this point, hackers start discussing how to exploit the vulnerability on online forums, largely on the dark web.
- POC exploit code offered – The real danger begins when an ‘exploit’ is released. This is essentially a toolkit that enables hackers to easily target an organization via that vulnerability. The exploit kit enables them to do so quickly and without significant technical expertise.
- Access gained via exploit – Then, a hacker will use the exploit to either gain access or acquire additional privileges. Often, they’ll use phishing to infiltrate the IT environment and then exploit the vulnerability to gain admin-level privileges – known as ‘escalation of privilege’.
Initial access brokers
At this stage, many hackers will choose to sell the access to other hackers rather than escalating to a full attack. These are known as ‘initial access brokers’ (IABs). Generally, access is sold through auctions on the dark web, often with some information about the company and its security defenses, which may already have been disabled at this point.
Lateral movement
Whether access has been gained manually or via IABs, hackers now have several choices for how to proceed. They can continue to escalate privileges, or move laterally through the IT environment to understand more about its defenses. They may also aim to disable antiviruses and other tools, or remove evidence of their activity to better conceal and carry off their ultimate attack.
Data exfiltration
The hackers may also steal sensitive data, generally of employees or customers. This may include addresses, login details, financial information, passwords, and more. These can then be sold through the dark web or extorted for ransom.
Extortion and loss of reputation
Now, it’s time for the hacker’s ultimate goal. Often, this will include installing ransomware and extorting the company’s encrypted data for as much as they can. At this point, it’s very difficult for the target company to effectively defend against the attack which, if successful, could have crippling financial and reputational damage.
Why vulnerability management is so critical
When a hacker is planning their attack, they’ll often pack up your data one gigabyte at a time, and then sell it through the dark web on combo lists.
Some other attackers might then take those lists and pay for another service called account checkers, who go through the data and filter it to check it’s still valid. Whatever they can discover that’s reusable in an attack, they’ll then test and often put back on sale. So, right now, this is basically a self-sustaining ecosystem.
Andrei Hinodache, Cybersecurity Architect and Technical Product Marketing Manager, Heimdal
By now, this whole process has become an incredibly well-oiled machine. Most hackers will specialize in one specific part of the chain, either scanning for known vulnerabilities, building POC exploits, or gaining initial access. Many hackers don’t even need strong technical skills, since they can buy access through exploits and IABs.
Crucially, any sensitive data or login details that are released on the dark web can be used to aid future attacks.
But the most important thing to remember is this: It’s much easier and cheaper for a hacker to exploit a known vulnerability than it is to research and discover something entirely new. Even if an update is available, there will always be organizations that haven’t installed it.
This is why it’s so important to have an effective vulnerability management system. Your goal should be to identify and install those patches that pose the highest risk to your specific organization – before the hackers can exploit them.
So how do you do this?
Read more: What Is Vulnerability Assessment?
How effective is your vulnerability management strategy?
By now, we’ve established why vulnerability management is so important. But how do you get it right?
In truth, this is easier said than done. In an ideal world, we would simply install all patches as soon as they’re released. But this process can take time and cause downtime for key apps and systems. This is why it’s important to pick your battles.
For critical vulnerabilities, you need to install patches as soon as possible. You may choose to wait for a scheduled maintenance window in case of lower-severity issues or (if the risk is small enough) ignore them entirely. Either way, you need to understand the unique context and setup of your IT environment in order to effectively diagnose how risky a particular vulnerability is to you.
To identify how effective your patching process is, there are five questions it’s helpful to ask:
How do you identify vulnerabilities?
The first step is to understand what vulnerabilities exist in your environment in the first place. To do this, you’ll need to use technology, since there are simply too many vulnerabilities to understand and manage manually.
Vulnerability scanners can be found as stand-alone products, or packaged into larger security platforms, such as EDRs and XDRs. Generally, they will scan your environment to identify any known unpatched vulnerabilities, according to the CVE database.
Read more: What Is Vulnerability Scanning: Definition, Types, Best Practices
Can you prioritize critical vulnerabilities?
The hardest thing about vulnerability management is knowing what to patch and when. The most critical vulnerabilities need to be patched immediately. Less urgent issues can wait for scheduled maintenance, and the lowest-risk patches can often be ignored entirely.
Here’s the issue: No tool or scanner can tell you which is which. The same vulnerability can be critical to one company and fairly inoffensive to another, depending on the company’s specific context. Some products may use frameworks like the CVSS to give some indication of risk. But they can’t tell you how damaging a vulnerability is to your specific infrastructure and business profile.
For that reason, it’s important to have a trained security team with a deep understanding of your IT environment. They can analyze the results of your vulnerability scans and make effective, strategic decisions about what to patch and when.
Read more: How To Break The Metrics Mirage in Vulnerability Management
Are you using automation?
Automation plays a key role in any effective vulnerability strategy, since installing patches can be time-consuming and needs doing regularly. The more manual this whole process is, the less likely it is to happen as regularly and effectively as you need.
Ideally, an organization should be using automation to carry out a range of vulnerability-related tasks, including
- Regular vulnerability scanning
- Risk scoring and prioritization
- Remediating vulnerabilities (where appropriate)
The best patch management tools will offer a wide range of options to help you customize your own policies. This will give you control over which vulnerabilities get automated patching and when. Also, top solutions will alert you for particular events, like the discovery of a new critical vulnerability.
Read more: Free & Downloadable Threat & Vulnerability Management Templates
Are you patching across the whole IT environment?
Vulnerabilities can span a whole range of different IT assets and systems. Most will be for specific software tools, but others may occur at the network or operating system level.
This is an issue because many vulnerability scanners only specialize in a particular asset or operating system. EDR products will generally focus on vulnerabilities at the endpoint level, and network security tools will focus on network-related vulnerabilities. Other tools, like MDMs, might specialize in scanning mobile or IoT devices – since these will have operating systems (and therefore patches) of their own.
The more complicated your IT environment, the more of an issue this becomes. And the more products you’re using, the more difficult it is to spot the most critical vulnerabilities when they’re released.
Whatever combination of tools you’re using, it’s important to make sure your scanners, policies, and automations apply to the whole range of IT assets you may use.
Are you getting real time vulnerability updates?
New vulnerabilities are released daily, so your security processes need to be continuous and iterative. There’s no point installing the most critical patches one day and waiting a year to run another scan.
As I explained above, the most dangerous vulnerabilities are those that allow hackers to infiltrate your environment and escalate privileges. When these are revealed, hackers and IABs will be racing to exploit them. So, you’ll need to patch them as quickly as possible. Ideally, automated policies will alert you as soon as the patches are released.
Otherwise, you need to ensure you’re constantly scanning for new vulnerabilities across your IT environment and assessing the risk. You don’t need to install all patches at once. But you should know which ones have been deprioritized, why, and when the update is scheduled (if at all).
Again, this is where a trained security team can help. When information about new vulnerabilities is made available, they can quickly identify its scope and risk, before deciding the necessary response.
Vulnerability management is a hugely important topic. When somebody is inside your IT environment, they’re largely going to be relying on unpatched vulnerabilities to elevate access.
If I’m assessing a company’s vulnerability posture, I’ll first look to see if they’ve mapped out everything that needs to be patched and whether they have procedures or automated systems to manage the process.
Secondly, patching endpoints and operating systems is realistically a minimum requirement. But I’m also looking to see if companies have looked at vulnerabilities across networks, applications, and third-party apps, which can easily be missed.
The third level is around vulnerability management. Are companies proactively using tools to find vulnerabilities in their systems? And do they have a good way of deciding how critical those vulnerabilities are and in what timeframe they need to be patched?
This is all the essence of a healthy approach to managing vulnerabilities.
– Thomas Engli Baasnes, Cybersecurity Director, Verdane
A holistic approach to managing vulnerabilities
An effective vulnerability management strategy requires the right patch management tools. Without them, you can’t hope to effectively apply patches on the most relevant vulnerabilities.
With Heimdal’s Patch and Asset Management solution you can schedule and automate patch deployment across the full scope of IT assets from one centralized dashboard.
Want to find out more? Check out our full page today.
Vulnerability management FAQs
What is vulnerability management?
Vulnerability management is the process of identifying, prioritizing, and installing patches across endpoints, operating systems, networks, software, and more. The goal is to identify the highest-risk issues and remediate them as quickly as possible.
What are the four stages of vulnerability management?
Effective vulnerability management requires a five-stage process:
- Identify vulnerabilities to patch
- Prioritize the most critical patches
- Deploy automation policies where possible
- Report on patching activities
- Repeat the cycle regularly
What are vulnerability management tools?
There is a whole range of tools that help to identify, prioritize, and patch vulnerabilities. They can work as stand-alone products or be integrated into platforms like EDRs, MDMs, or XDRs.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
