So this one goes out to the young DevOps, shift-left automation folk. I don’t think any of this is going to be new if you are an OG sysadmin who ever waited with dread for the next Patch Tuesday.
I’m not sure modern DevSecOps practices really address the duality of exploitation. At this rate we are going to have more than 20,000 CVEs in 2021, and maybe ~150 of those will ever be exploited. Those are the ones that matter the most to everybody, and for a lot of us those are nearly the only ones that matter.
If you patch all your issues within 1 month, great, you are in the top tier! It is still useless, because the ones that will get exploited will have been exploited by then.
If the goal of your patching is to not get hacked, your ability to patch the handful that will get exploited within hours matters more than whether you ever patch the rest.
To be clear, I’m not saying you should not patch the rest. In fact, I believe that if we want to be serious about all those vulnerabilities we should focus on finding ways to update everything automatically instead of on better triage. But that is a story for another day.
Let’s see what you do to get into the top tier. Let me guess:
- You build most of your things in pipelines, so you run one of the CVE scanners there, or you even use something like Dependabot to bump your versions automatically with a PR.
- When you started doing it you realised you already had 800+ CVEs for your service, so you will have to wait until the next trainee joins to clean those up. You set the pipeline to non-blocking so you can continue working, and left the notification level at High risk to have an honest shot at it, since you realised a lot of findings don’t even have a fix. Well that, or your enthusiasm about Dependabot faded after getting 200 PRs in a week.
- Now somebody bites the bullet every other sprint to triage everything that comes up and rolls out the “important” updates. Plus you also update the main components every once in a while for hygiene.
- The assumption is that if something were urgent enough, somebody in the team would inevitably figure that out by randomly reading one of the “You wouldn’t believe which web server made a bazillion servers vulnerable?!” articles.
In my experience as a consultant, if you are doing these you are indeed in the top tier! Unfortunately that will miss the main issues, because you are addressing the noise.
Your first priority for patching is: know about the issues that matter and be able to patch/remediate them within hours. If you are addressing other vulnerabilities, or you are outside of that timeframe, the return becomes negligible.
If you know there are only 50 vulnerabilities out of 20k that matter for you, and you only have hours, it is clear that asking the question “what vulnerabilities do I have?” is not just a bad approach but a waste of time that you don’t have. The question that fits the time budget is “which of the currently exploited vulnerabilities are in my stack?”, and answering it means joining a short, externally maintained list of exploited CVEs against the scanner output you already have.
There are a lot of cool services, both paid and free, that will tell you all about the vulnerabilities you have, provide details that help you triage them, or even try to tell you whether they are exploitable in your context.
Unfortunately, if you are looking for information on what is being exploited, it is not as easy anymore. There are some paid Threat Intelligence feeds that might give you great information on this, but open information is scattered and not easy to search, which is essential if you are working against the clock.
We are here to change this. We created inthewild.io to collect exploitation and exploit information about vulnerabilities, as we believe this is the most important data for your triage.
This is what you need to do:
If you want to know when to panic, hook up our exploitation RSS feed to a Slack channel and immediately triage whatever comes in there! RSS is oldskool?! We have an API, and even exports of our database. Do whatever floats your boat! Ok, you can also just follow us on Twitter.
If you want to work with our data, check out our hourly export or just use the CLI tool in our Docker image that comes with the pre-loaded database.
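The triage step that the feed is meant to drive, shown as an added example that is not part of inthewild.io’s own tooling: parse the exploitation feed, intersect it with the findings your pipeline scanner already produced, and hand the (short) intersection to whoever is on call while the rest stays in the normal backlog. The feed document and the scanner output below are constructed samples; the RSS item shape (a CVE in the item title, a `pubDate`, a `link`) is an assumption for illustration and may differ from the real feed, so adapt `parse_exploited` to whatever the actual export looks like.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed sample of an RSS 2.0 exploitation feed. The item layout is an
# assumption for this example, not a capture of the real inthewild.io feed.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
  <title>exploitation feed (constructed sample)</title>
  <item>
    <title>CVE-2021-11111 exploited in the wild</title>
    <link>https://example.invalid/reports/1</link>
    <pubDate>Tue, 02 Mar 2021 09:00:00 +0000</pubDate>
  </item>
  <item>
    <title>CVE-2021-22222 exploited in the wild</title>
    <link>https://example.invalid/reports/2</link>
    <pubDate>Mon, 01 Mar 2021 18:30:00 +0000</pubDate>
  </item>
  <item>
    <title>Mass exploitation of CVE-2020-33333 and CVE-2021-11111</title>
    <link>https://example.invalid/reports/3</link>
    <pubDate>Sun, 28 Feb 2021 12:00:00 +0000</pubDate>
  </item>
  <item>
    <title>Weekly roundup (no CVE in title)</title>
    <link>https://example.invalid/reports/4</link>
    <pubDate>Sat, 27 Feb 2021 12:00:00 +0000</pubDate>
  </item>
</channel></rss>
"""

# Constructed scanner output for one service: the "800+" findings from the
# pipeline scanner, reduced here to CVE -> affected component.
SAMPLE_SCAN = {
    "CVE-2021-11111": "libfoo 1.2.3",
    "CVE-2020-33333": "barserver 4.0.1",
    "CVE-2020-44444": "bazlib 0.9",    # not exploited: stays in the backlog
    "CVE-2019-55555": "quxtool 2.1",   # not exploited: stays in the backlog
}

EPOCH = datetime.fromtimestamp(0, timezone.utc)


def parse_exploited(feed_xml):
    """Return {cve: (latest_pubdate, link)} for every CVE named in an item title.

    One item may name several CVEs, and one CVE may appear in several items;
    each CVE keeps its most recent report so the triage order is by freshness.
    Items without a pubDate are kept but sorted to the bottom.
    """
    exploited = {}
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        link = item.findtext("link", default="")
        raw_date = item.findtext("pubDate")
        pub = parsedate_to_datetime(raw_date) if raw_date else EPOCH
        for cve in CVE_RE.findall(title):
            cve = cve.upper()
            if cve not in exploited or pub > exploited[cve][0]:
                exploited[cve] = (pub, link)
    return exploited


def triage_now(feed_xml, scan_findings):
    """Intersect the exploitation feed with the scan findings.

    Returns [(cve, component, pubdate, link)] newest report first: the short
    list that has to be patched within hours, not the full scanner backlog.
    """
    exploited = parse_exploited(feed_xml)
    hits = [
        (cve, component, exploited[cve][0], exploited[cve][1])
        for cve, component in scan_findings.items()
        if cve in exploited
    ]
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def backlog(feed_xml, scan_findings):
    """The rest: findings with no known exploitation, handled on the usual cadence."""
    exploited = parse_exploited(feed_xml)
    return sorted(cve for cve in scan_findings if cve not in exploited)


def alert_text(hits):
    """Plain-text summary suitable for posting into a chat channel."""
    if not hits:
        return "No exploited CVEs affect this service."
    lines = ["Exploited in the wild, patch now:"]
    for cve, component, pub, link in hits:
        lines.append(f"- {cve} in {component} (reported {pub:%Y-%m-%d}) {link}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(alert_text(triage_now(SAMPLE_FEED, SAMPLE_SCAN)))
    print("backlog:", backlog(SAMPLE_FEED, SAMPLE_SCAN))
```

Run against the constructed samples this yields two items to patch now (CVE-2021-11111 in libfoo, then CVE-2020-33333 in barserver) and leaves the two unexploited findings in the backlog. Wiring the output into Slack is a matter of posting `alert_text(...)` to an incoming webhook; the point of the example is the join, which turns “which of my 800 findings matter today?” into a list you can act on in hours.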
Call for contribution
For those of you out there who have good TI and have found, or know from an authentic source, that something is getting exploited in the wild, please let us know so we can spread the word.
Why would you do that?
- This information is really about the safety of the Internet. If we can create a quick channel with a high signal-to-noise ratio, everybody wins.
- Because it is easy: you would tweet or write on LinkedIn about it anyway, so just tag our account, refer to your source, and we do the rest. There is also an API if you are not big on social media.
- Our database is and will be open source. We publish exports every hour and our API is free to use. We actually encourage even vendors to use the data; the easier and faster it gets to more people, the better.
- If you specify it, we will credit you as a source.