APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days

Research indicates that organizations should make patching existing flaws a priority to mitigate risk of compromise.

Most advanced persistent threat groups (APTs) use known vulnerabilities in their attacks against organizations, suggesting the need to prioritize faster patching rather than chasing zero-day flaws as a more effective security strategy, new research has found.

Security researchers at the University of Trento in Italy did an assessment of how organizations can best defend themselves against APTs in a recent report published online. What they found goes against some common security beliefs many security professionals and organizations have, they said.

The team manually curated a dataset of APT attacks that covers 86 APTs and 350 campaigns that occurred between 2008 to 2020. Researchers studied attack vectors, exploited vulnerabilities–e.g., zero-days vs public vulnerabilities–and affected software and versions.

Infosec Insiders Newsletter

One belief the research debunked is that all APTs are highly sophisticated and prefer attacking zero-day flaws rather than ones that have already been patched. “Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” they wrote in the report.

Indeed, of the 86 APTs that researchers investigated, only eight–Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus and Rancor—exploited vulnerabilities that others didn’t, researchers found.

This demonstrates that not all the APTs are as sophisticated as many think, as the groups “often reuse tools, malware, and vulnerabilities,” they wrote in the report.

Faster Updates Reduce Risk

This finding promotes faster updates to fix known flaws in organizations’ systems rather than taking their time to apply updates that are released for known vulnerabilities, which seems to be the trend right now.

It typically takes more than 200 days for an enterprise to align 90 percent of their machines with the latest software patches due to regression testing, which ensures that updated systems function properly after the update, researchers found.

“Such behavior is rational because not all vulnerabilities are always exploited in the wild,” they wrote. However, to combat APTs, “slow updates do not seem appropriate,” researchers wrote.

In fact, faster updating could significantly lower odds of being compromised if organizations could “update as soon as an update is released,” they wrote.

Indeed, the study found that if an organization waits one month to update, they are 4.9 times more likely to be compromised; waiting three months made them 9.1 times as likely.

Still, immediate patching doesn’t guarantee that organizations won’t be compromised, researchers found. Enterprises that apply timely fixes “could still be compromised from 14 percent to 33 percent of the time,” they wrote.

Update-Strategy Challenges

Overall, researchers acknowledged that APTs present a unique challenge to organizations, as it’s difficult to predict if and when an attack will occur and thus it’s basically out of their control, they said.

“Unfortunately, a company cannot fully decide in advance the configuration they will have when hit (or most frequently not hit) by an attacker as it depends on the attacker’s choice,” researchers wrote.

What a company can control, however, it’s its software-update strategy, with organizations typically employing one of three options: Update immediately when new updates to software are available; wait some time to update to perform regression testing; or skip updates altogether.

Instead of updating for all new versions of software, researchers suggested a streamlined approach to focus on patching known flaws, which seems to have impact on an organization’s risk of APT attack, they said.

Organizations could perform “12 percent of all possible updates, restricting themselves only to versions that fix publicly known vulnerabilities” without significantly changing their odds of being compromised, researchers wrote.


Suggested articles