“Another day, another vulnerability” is a familiar refrain among security teams worldwide. One of the most intriguing findings from our latest Fortinet Global Threat Landscape Report is that attackers are exploiting vulnerabilities faster than ever before. This average time-to-exploitation, 4.76 days, is 43% faster than our FortiGuard Labs team observed in the first half of the year.
Response time has always played a significant role in cybersecurity operations. But as adversaries execute their strategies faster, it’s easy to see why security teams—especially those under-resourced—worry about staying one step ahead. While there’s no single solution for outpacing today’s cybercriminals, there are several steps you should take now to ensure your team is prepared to guard against attackers’ evolving methods.
Use ‘red zone’ insights to prioritize responses to predictable patterns
Prioritizing vulnerabilities for remediation is more critical than ever, given that the rate of discovery and disclosure continues to quicken. As of this writing, there are over 240,000 vulnerabilities on the Common Vulnerabilities and Exposures (CVE) list. We saw a new record in 2023, with approximately 30,000 new vulnerabilities published, representing a 17% increase from 2022.
With so many historical vulnerabilities, defenders must focus on what’s actively under attack in the wild. Several years ago, we introduced the concept of the “red zone,” which helps us collectively better understand how likely (or unlikely) it is that threat actors will exploit a specific vulnerability. Using these red zone insights, your team can focus on the vulnerabilities that present the most significant risk to your organization, prioritizing responses to predictable attacker patterns.
Revisit your patch management strategy
A failure to patch continues to contribute to intrusions. In 86% of the cases investigated by the FortiGuard incident response (IR) and managed detection and response (MDR) teams in which unauthorized access occurred through the exploitation of a vulnerability, the vulnerability was already known at the time and a patch was readily available.
Of course, security leaders are well aware of the importance of regular patching. In our observations, when organizations fail to respond to direct, targeted threat intelligence, it’s typically due to a resourcing issue. However, the data underscores the importance of reassessing your security investments and making necessary adjustments, given how vital regular patching is to protect against breaches.
It’s also a great reminder to all security practitioners to act quickly through a consistent patching and updating program when new vulnerabilities emerge that are likely to be exploited. And don’t discount “old” vulnerabilities, as they’re still popular among adversaries. In the second half of 2023, 98% of organizations reported detecting exploits that have existed for at least five years.
Practically speaking, this reinforces the importance of remaining vigilant about security hygiene overall, as attackers will continue embracing both the old and the new to compromise networks.
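The two sections above argue for one triage rule: work first on what is exploited in the wild and reachable, and treat "a patch exists but is not applied" as the common case rather than the exception. The script below is an added example of that rule, not Fortinet's red-zone methodology or any FortiGuard tool; the tier rules and weights are assumptions, and every CVE identifier and hostname in the sample inventory is a constructed placeholder.

```python
"""Triage open vulnerability findings so that those actively exploited in the
wild, exposed to the internet and already patchable come first.

Added example: the tiering rules and weights are assumptions, not the report's
red-zone methodology, and every CVE identifier and host below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # constructed placeholder, not a real CVE
    host: str                # constructed asset name
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # evidence of active exploitation (assumed intel input)
    internet_facing: bool    # asset exposure from the inventory (assumed input)
    patch_available: bool    # vendor fix already published
    age_days: int            # days since public disclosure


def priority_tier(f: Finding) -> int:
    """Coarse work queue: 1 is handled first. Exploitation evidence beats severity."""
    if f.exploited_in_wild and f.internet_facing:
        return 1
    if f.exploited_in_wild:
        return 2
    if f.cvss >= 9.0 and f.internet_facing:
        return 3
    return 4


def risk_score(f: Finding) -> float:
    """Orders findings inside a tier; higher means sooner."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 5.0   # observed exploitation outweighs raw severity
    if f.internet_facing:
        score += 2.0
    if f.age_days > 5 * 365:
        score += 1.0   # old, still-open bugs keep being exploited; age must not demote them
    return score


def prioritize(findings):
    """Stable ranking: tier, then score descending, then identifier for determinism."""
    return sorted(findings, key=lambda f: (priority_tier(f), -risk_score(f), f.cve))


def patchable_backlog(findings):
    """Open findings for which a fix already exists: the cases the report says dominate intrusions."""
    return [f for f in findings if f.patch_available]


def patchable_share(findings) -> float:
    """Fraction of open findings that could be closed by patching alone."""
    return len(patchable_backlog(findings)) / len(findings) if findings else 0.0


# Constructed sample inventory (placeholder identifiers, not real CVEs).
SAMPLE = [
    Finding("CVE-0000-00001", "vpn-gw-01",    9.8, True,  True,  True,  30),
    Finding("CVE-0000-00002", "file-srv-07",  7.5, True,  False, True,  2100),
    Finding("CVE-0000-00003", "web-01",       9.1, False, True,  True,  10),
    Finding("CVE-0000-00004", "hr-db-02",     6.5, False, False, False, 400),
    Finding("CVE-0000-00005", "mail-edge-01", 8.1, True,  True,  True,  2500),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        note = "" if f.patch_available else " (no patch yet: mitigate)"
        print(f"P{priority_tier(f)} {risk_score(f):5.1f} {f.cve} on {f.host}{note}")
    print(f"{patchable_share(SAMPLE):.0%} of open findings already have a patch")
```

Two design points carry the text's argument: exploitation evidence moves a finding up regardless of its CVSS score, and a finding more than five years old gets a bonus rather than a discount, so the "old" vulnerabilities the report says 98% of organizations still see exploited do not sink to the bottom of the queue.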
Tidy up your overall cyber hygiene
Refreshing your organization’s cyber hygiene can take many forms, from updating your processes to implementing the appropriate security controls. However, based on the incidents our IR and MDR teams addressed in the second half of the year, there are a few specific cyber hygiene considerations that should be on every security team’s radar.
First, ensure your team has accurate, actionable IR plans in place. Without these, teams often act impulsively, resulting in investigations and remediation actions that are left incomplete. Our teams observed many cases where a poorly scoped remediation added more fuel to the attacker’s fire, with adversaries responding by deploying ransomware to cause significant and unnecessary damage.
Additionally, consider the state of your backups and how easy (or difficult) it is for attackers to gain access to them. We observed instances where organizations used backup solutions that authenticated against their main corporate environment. In these situations, threat actors were able to access, manipulate, and encrypt the backup solutions during the intrusions, making them worthless. Backup solutions must be adequately separated from the main environment to be effective.
Finally, ensure your team is monitoring for the suspicious use of valid accounts in your environment. We observed that threat actors operating on the dark web most often advertised access to organizations via VPN, Remote Desktop Protocol, and compromised accounts. Valid accounts continue to offer a fast track through the cyber kill chain and are increasingly accessible to bad actors.
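Monitoring for suspicious use of valid accounts means looking for legitimate credentials behaving in ways their owner would not. The detector below is an added example of three such checks run over VPN and RDP authentication logs; it is not a FortiGuard product feature. The log line format, the IP-to-country table standing in for a GeoIP lookup, the thresholds, and all usernames and addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Flag suspicious use of valid accounts in VPN/RDP authentication logs.

Added example with constructed log lines; the log format, the IP-to-country
table and the thresholds are assumptions, not any product's own schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>vpn|rdp) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed geolocation table standing in for a real GeoIP lookup.
GEO = {"203.0.113.10": "US", "203.0.113.77": "US",
       "198.51.100.9": "RO", "198.51.100.20": "RO"}


def parse(lines):
    """Parse log lines into events sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_impossible_travel(events, window=timedelta(hours=2)):
    """Same account succeeds from two different countries within `window`."""
    alerts, last_success = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        country = GEO.get(e["src"], "??")
        prev = last_success.get(e["user"])
        if prev and prev[1] != country and e["ts"] - prev[0] <= window:
            alerts.append(("impossible_travel", e["user"], prev[1], country))
        last_success[e["user"]] = (e["ts"], country)
    return alerts


def detect_success_after_failures(events, min_failures=5, window=timedelta(minutes=30)):
    """A burst of failures for an account followed by a success: a guess that landed."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["user"]] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append(("success_after_failures", e["user"], len(recent)))
        failures[e["user"]].clear()
    return alerts


def detect_shared_source(events, min_accounts=3):
    """One source address successfully authenticating as many different accounts."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            users_by_src[e["src"]].add(e["user"])
    return [("shared_source", src, sorted(users))
            for src, users in users_by_src.items() if len(users) >= min_accounts]


def run(lines):
    events = parse(lines)
    return (detect_impossible_travel(events)
            + detect_success_after_failures(events)
            + detect_shared_source(events))


# Constructed sample log: one impossible-travel case, one success after five
# failures, one address used by three accounts, one benign cross-country login
# outside the window, and one malformed line.
SAMPLE_LOG = """\
2023-11-02T02:14:07Z vpn user=jdoe src=203.0.113.10 result=success
2023-11-02T03:01:55Z vpn user=jdoe src=198.51.100.9 result=success
2023-11-02T04:10:01Z rdp user=svc_backup src=198.51.100.20 result=failure
2023-11-02T04:10:03Z rdp user=svc_backup src=198.51.100.20 result=failure
2023-11-02T04:10:05Z rdp user=svc_backup src=198.51.100.20 result=failure
2023-11-02T04:10:07Z rdp user=svc_backup src=198.51.100.20 result=failure
2023-11-02T04:10:09Z rdp user=svc_backup src=198.51.100.20 result=failure
2023-11-02T04:10:20Z rdp user=svc_backup src=198.51.100.20 result=success
2023-11-02T05:00:00Z vpn user=asmith src=198.51.100.20 result=success
2023-11-02T05:02:00Z vpn user=bwong src=198.51.100.20 result=success
2023-11-02T09:30:00Z vpn user=asmith src=203.0.113.77 result=success
this line is not in the expected format
"""

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG.splitlines()):
        print(alert)
```

The last `asmith` login also crosses countries but falls outside the two-hour window, so it is deliberately not flagged; tuning that window, and the failure and shared-address thresholds, against your own baseline is where most of the false-positive work lives.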
Public and private organizations must collaborate to disrupt cybercrime
Evolving your organization’s risk management strategy is a crucial step in guarding against attackers who are picking up their pace. Still, even the most skilled security teams can’t disrupt global cybercrime on their own.
Finding choke points on the attackers’ chessboard requires a coordinated effort. That’s what makes collaboration and knowledge sharing so important. And as cybercriminals become more adept, now is the ideal time to work across the public and private sectors to collectively enhance cybersecurity worldwide.