If you’re feeling scared or overwhelmed by a never ending flow of new security vulnerabilities, you are not alone. Critical vulnerabilities seem to be constantly popping up, and vulnerability exploitation has become the leading entry point for cyber attacks – almost 40% of investigated cyber incidents were initiated by an exploitation of a known vulnerability, according to Mandiant.
How did we get here? It seems that leveraging bugs in software for hacking has been around pretty much from the moment computers were widely adopted. Haven’t we, as an industry, made any progress to battle these mundane but constantly appearing bugs?
Actually, in some regards we definitely have progressed since the 90s. Exploiting buffer overflow vulnerabilities with self-executing code is certainly not as simple as it used to be. Moreover, memory corruption bugs (historically the most popular type of software bug) have become very difficult to exploit nowadays, especially on endpoint devices (mobile and desktop PCs), due to significant advancements introduced by Microsoft, Google and Apple.
Exploit mitigation techniques are now baked in by default to the operating systems of all end-user devices, from address space randomization to control flow guards, memory tagging, pointer authentication and many more.
The impact of these mitigation techniques is clear. In a report published a year ago, Google revealed that reports of critical memory-safety vulnerabilities in Android had actually dropped by 40% in recent years, quite the opposite of the overall trend in vulnerability discovery, which had gone up by ~40% over similar years (2020-2023). An additional report from Google (published yesterday) found that none of the Chrome use-after-free vulnerabilities discovered in 2023 were successfully exploited in-the-wild, likely due to a relatively new exploit mitigation (MiraclePtr) that was introduced a year ago.
So given all of these advancements, why is vulnerability exploitation still the leading initial access vector for cyber attacks?
Exploit mitigations for endpoints - are they mitigating enterprise risk?
There is a significant gap between the anti-exploitation advancements introduced in endpoint operating systems and the absence of such advancements in all other types of computer systems.
Microsoft introduced CFI (Control Flow Integrity, a significant exploit mitigation technique) in Windows 10 more than 7 years ago, for example, while most enterprise-grade Linux distributions still don’t support it today!
In network appliances, VPN servers and similar unmanaged devices, even basic address space randomization is still lacking in many widely used products today.
This means that the weakest links of enterprise networks, their production systems (which mostly run on Linux) and their peripheral network apparatus, are completely open to attack.
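Whether a given binary even requests the baseline mitigations discussed above can be read straight from its ELF headers: position independence (which is what lets the loader randomize the base address), a non-executable stack, and RELRO. The checksec-style parser below is an added example written for this post, not Zafran’s or any vendor’s tool. It assumes a little-endian ELF64 image, and the image it inspects is constructed in memory by `build_sample_elf` rather than taken from any real product. Running it over binaries pulled from an appliance firmware image is one way to confirm, rather than assume, which mitigations are present.

```python
"""Check an ELF64 image for baseline exploit mitigations: PIE (ASLR-capable),
NX stack and RELRO. Added example, not code from the post or from Zafran.
Assumes little-endian ELF64; the sample image below is constructed test data."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # ET_DYN: position-independent, base can be randomized
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551       # stack permissions requested from the kernel
PT_GNU_RELRO = 0x6474E552       # region made read-only after relocation
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "<HHIQQQIHHHHHH"     # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr (56 bytes)
DYN_FMT = "<qQ"                 # Elf64_Dyn: d_tag, d_val (16 bytes)


def check_mitigations(data):
    """Return {"pie": bool, "nx": bool, "relro": "none"|"partial"|"full"}."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = \
        struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    by_type = {p[0]: p for p in phdrs}

    # NX: an explicit PT_GNU_STACK without PF_X means a non-executable stack.
    # A missing PT_GNU_STACK falls back to the kernel default, which on several
    # architectures is an executable stack, so it is reported as not NX.
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack[1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial RELRO; BIND_NOW in the dynamic
    # section makes it full (GOT resolved eagerly, then made read-only).
    bind_now = False
    dyn = by_type.get(PT_DYNAMIC)
    if dyn is not None:
        off, size = dyn[2], dyn[5]          # p_offset, p_filesz
        for entry_off in range(off, off + size, 16):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, entry_off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    if PT_GNU_RELRO not in by_type:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"

    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample_elf(pie=True, nx=True, relro="full"):
    """Construct a minimal (non-runnable) ELF64 image with the requested
    header flags. Constructed test data, not a real binary."""
    segs = [(PT_GNU_STACK, 0x6 if nx else 0x7, b"")]       # RW vs RWX stack
    if relro != "none":
        segs.append((PT_GNU_RELRO, 0x4, b""))
        flags1 = DF_1_NOW if relro == "full" else 0
        segs.append((PT_DYNAMIC, 0x6,
                     struct.pack(DYN_FMT, DT_FLAGS_1, flags1)
                     + struct.pack(DYN_FMT, DT_NULL, 0)))
    e_phoff = 64
    data_off = e_phoff + 56 * len(segs)
    phdr_bytes, payload = b"", b""
    for p_type, p_flags, body in segs:
        off = data_off + len(payload)
        phdr_bytes += struct.pack(PHDR_FMT, p_type, p_flags, off, 0, 0,
                                  len(body), len(body), 8)
        payload += body
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, v1
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1,
                                 0, e_phoff, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdr_bytes + payload


if __name__ == "__main__":
    # Usage: python check_elf.py /path/to/binary  (no path: inspect the sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(check_mitigations(image))
```

The check is deliberately conservative: a binary that omits PT_GNU_STACK is reported as lacking NX, because the outcome then depends on the kernel and architecture rather than on anything the binary guarantees. Note that PIE only makes randomization possible; the kernel must still have ASLR enabled, and shared libraries are ET_DYN by construction, so the PIE result is meaningful for executables rather than libraries.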
And in fact, a recent report from Google revealed that enterprise-specific technologies saw a 64% increase in vulnerabilities used in-the-wild last year, many of them impacting security and network appliances.
This was also the case in the ransomware attack that crippled a major hospital in Israel during the COVID pandemic. This attack, too, was initiated by a vulnerability in a peripheral network appliance.
At the time, I was the VP of Research at Armis Security, and had the opportunity to investigate this attack alongside Sanaz Yashar and Snir Havdala, who would later become my co-founders at Zafran. Examining the logs and leveraging threat intelligence, we found that attackers exploited the peripheral network appliance with a vulnerability that was already known to the hospital’s security teams. In fact, it was a publicly known vulnerability that had originally been disclosed as a zero-day vulnerability. Despite the significant time that had passed since the vulnerability was publicly disclosed, the hospital was not able to properly patch or mitigate the vulnerability using its available security controls.
Adding insult to injury, the tools used by the attackers to move laterally within the network, and ultimately encrypt all of the hospital’s computers, were neither sophisticated nor unique. Rather, they were off-the-shelf, open-source tools that could have been easily detected and blocked. Unfortunately, because of improper configuration, the hospital’s defenses failed to prevent or contain the attack.
The simplicity of the attack weighed against the devastating results was heartbreaking. The hospital could not pay the ransom and restoring the systems and medical records cost tens of millions of dollars.
We Need Enterprise Mitigations
It was clear from this incident, as it is across the industry, that the advancements taming exploits on consumer-grade endpoints are not likely to slow down attackers targeting enterprises. Baking exploit mitigations into the existing applications and assets of huge enterprises is not in the cards. Enterprises contain so many legacy applications and so much technological variety that they simply cannot be ripped out and replaced overnight.
Despite this, enterprises do have an underutilized advantage at their disposal. They have invested tremendous effort (and money) in creating multiple layers of defense, ‘defense-in-depth’, where network controls and host-based controls complement one another and offer substantial detection and prevention capabilities. And the truth of the matter is that when these tools are properly configured, most exploits break, and exploitation can be prevented.
The only missing piece is knowing which control, and which feature of it, is effective against which vulnerability, and mobilizing those controls in a timely manner.
This is why we created Zafran, a risk assessment and enterprise mitigation solution. As Snir details in his own blog, at least half of the challenge of defusing the risk of exploitation is knowing which portion of the millions of vulnerabilities that impact an enterprise at any given time is already mitigated by compensating controls. The second half of the challenge is then to automate the response and mobilize the right control, the one that reduces the risk of exploitation as much as possible without creating significant operational risk to the organization.
Zafran’s approach against exploitation is to empower enterprises to excel where they are strong. When life gives you lemons, make lemonade. Or in the case of enterprises: when life gives you compensating controls, use them, and mitigate the risk of exploitation!