TL DR: most vulnerabilities that you must patch are in collaboration tools, CMSs, web frameworks, web servers, administrative and developer tools and security appliances. You should also set automatic updates for Windows.
Our goal is to provide you up-to-date and actionable information for your vulnerability triage based on real world exploitation information. However, We can also use this information to make more informed decisions: doing what sounds reasonable is a good start but having data is always better. Exploitation information can be used to drive better Vulnerability / Patch Management practices and help understand what you can concieavbly even cover with them and where is Security Monitoring and Incident Response more adequate. We beleive this informaiton can help you to balance proactive and reactive measures better.
- We have analized over 750 vulnerabilities that are confirmed to have been exploited
- We looked at vulnerabilities that were added to the CVE catalog since 2017 to understand current trends
Limitations and bias
We beleive we have to most comprehensive list of verifiably exploited vulnerabilities. That said it is likely that there is a bias in our data. Please help us providing exploitation data in case you come accross something to make sure we get better. But let's see where we expect bias:
- More advanced vendors such as Apple, Google, Microsoft or security vendors are more likely to proactively collect and disclose exploitation information related to their products. This is also more reasily available for us to collect.
- Threat Intelligence companies likely also focus on "interesting" vulnerabilities when setting up honeypots and doing their research
- Larger companies with better funded Incident Response teams will more likely find and disclose exploitation information. It is reasonable to think this will add some bias towards vulnerabilities that will be exploited to target such companies
According to our anaylsis most of the "bad day" vulnerabilites are in these types of applications:
- Collaboration tooling: ticketing/workflow management systems (like Jira), knowledge managment systems (like Confluence), billing systems or document readers/editors
- Content Management Systems: things like Wordpress, Drupal but also message boards and ecommerce frameworks
- Web/Application servers: think of WebSphere, Apache or even ColdFusion. These would include some of the runner infrastructure (think of things like php-fpm) or plugins.
- Web/Application Frameworks: like Struts, Spring or .Net Framework
- Security tooling: firewalls, VPNs, Device Management and Asset Management tooling were one of the top exploited categories
- Administration and monitoring tools: monitoring tools like Nagios, remote management like TeamViewer and configuration management like Salt, Ansible or DNS, network devices like routers and switches had high numbers of exploited vulnerabilities. It is also reasonable to think that individual vulnerabilities in this category are widely exploited.
- Developer tools: CICD tooling (like Jenkins and Gitlab) and repositories (like Nexus)
- Mail servers: especially Exchange but after going through the data we wouldn't be comfortable running any email server again
- Virtualisation and orchestration: like different VMware tools or Docker
- Operating Systems: these vulnerabilities are mostly privilege escalations with exceptions like file sharing or Domain Controller functionality
Individual products or providers are used as examples to help think about your stack, in most cases there is no reason to beleive the specific ones listed are less safe.
Interesting patterns in the exploitation data
- Large percentage of vulnerabilities that are exploited are in fact 0days, patching will not help you in most cases with them
- Quite a lot of vulnerabilities are in consumer grade devices, hacked to be used in botnets, run crypto miners, etc. While not great, in most companies' security models these would not be considered critical compromises if at all they are present.
- Quite a lot of vulnerabilities are likely exploited by APTs only (e.g. browser exploits), these may not be relevant for most of us
- There are very few exploitation reports that are related to software dependencies. These are nearly exclusively web and application frameworks. Understanding this better might help to focus your vulnerability remediation efforts
What you should do
- Not run your own email servers and try to pick managed solutions from established providers when it comes at least to collaboration tools, security solutions (including VPNs), Content Management Systems or developer tooling
- For administration or developer tooling consider not making the directly accessible on the Internet. Large number of their exploited vulnerabilities are authorization bypasses or can be exploited without authentication
- If you chose not to pick managed services and for tools that most of us run ourselves (like admin/virtualisation tooling, web servers) and web/application frameworks that you have to maintain yourself: set up proactive monitoring of new CVEs, with something like opencve.io that monitors the CVE catalog, and patch them ASAP. It seems like it is best to do this even before NVD would publish information on them. Subscribe to our RSS or follow us on Twitter to make sure you know when to panic.
- Have automatic updates enabled for your operating systems especially for Windows
If you are able to cover these you should be in a good shape.
Next up - in the coming days we plan to publish more research
- Dig into some of the trends mentioned in more detail to give you precise percentages so that you can decide what they mean for you
- Give you statistics on expected time between disclosure and exploitation so you can fine-tune your patching efforts
- Give you more information the reliability of information you might use in triage like CVSS Score
- Provide research on type of weaknesses that are actually exploited to help guide prioritization
- If we manage to clean up our gigantic sheet we will provide the raw data so you can do your own analysis
Interesting research we came accross as we were doing are research
We were examining past research in the area and came accross quite a few interesting reports. Here's a list of them if you want to read up on these topics:
- On 0days: Zero Days, Thousands of Nights
- Vulnerability exploitation frequencies and forecasting: The Heavy Tails of Vulnerability Exploitation
- Exploited vulnerabilities in IOT: An analysis of the use of CVEs by IoT malware and The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle
- Patching and exploitation timelines: Patch Before Exploited: An Approach to Identify Targeted Software Vulnerabilities
- Unit42 publishes really good reports on vulnerability epxloitation trends e.g: Network Attack Trends: February-April 2021