Illusive Blog February 25, 2019

Vulnerability Management: 3 Issues in Prioritizing Patching

By Jason Silberman

Let’s tackle a familiar, yet daunting problem for vulnerability management (VM) teams: The patching “to-do” list in most organizations is so long that having some way to prioritize patching of networked endpoints, servers and other assets is essential for limiting exposure to cyberattacks.

There are three questions that are important in the process of prioritizing vulnerabilities.

1. What have threat actors done in recent attacks?  What have been their targets, and what software exploits have they used? Maintaining up-to-date cyber awareness is important, of course. Closely researching and following recently revealed cyberattacks, attack methods, device vulnerabilities and cybersecurity news in general is a good way, at a high level, to keep your eyes and ears attuned to potential threats. Additionally, if there have been recent attacks on your internal networks, collaborating with forensics and threat hunting teams can provide insights on attacker methods and behavior.

2. How relevant are specific vulnerabilities to my organization?  This question ties to the age-old problem of internal audit and asset awareness. Some vulnerabilities—even ones getting lots of public attention—may not be relevant for you. Vulnerabilities that map to your most critical assets obviously deserve higher prioritization, though given the complexity of today’s application architecture, service dependencies, and virtual infrastructure, critical vulnerabilities can be hidden in the shadows. A granular understanding of the components supporting each critical service is essential.

These first two areas are common practices in most environments. But a third question needs to come to the fore:

3. Which systems sit along the paths that cyberattackers could take to reach critical assets?  This question assumes a basic understanding of how attackers move laterally within a network. Once an attacker has landed, he or she normally must undertake a cumbersome process to move from his or her point of entry to the eventual target. This requires finding credentials and connections that will facilitate passage from one machine to another. Systems that connect directly to critical systems, or are within a few “hops,” could pose greater risk than others if left unpatched.

Another factor for prioritizing vulnerability patching is, therefore, to focus on systems that are in these critical attack pathways. But most organizations don’t begin to have that visibility.

There is usually a significant delta between intended network segmentation and access rights, and what actually exists. Credentials and connections that introduce risk get set up in a variety of ways. We call this actual connectivity the “access footprint.” Throughout the normal work day, users connect and disconnect from various systems and applications, leaving behind cached credentials and potential “live” connections. The access footprint changes constantly. Some risky conditions are fleeting; others can persist for a very long time. But even if these conditions are short-lived, an attacker situated in the right place at the right time (“right” for them, wrong for you!) has plenty to work with.

A new report published by CrowdStrike underscores the importance of proactively hardening the network against lateral movement. It’s a vitally important complement to traditional vulnerability management.

Of course, it wouldn’t be feasible to manually eliminate excess credentials and connections at enterprise scale. Illusive’s Attack Surface Manager finally provides an efficient, automated solution:

  • Illusive discovers and displays the actual paths between ordinary endpoints and all systems classified as critical “crown jewels.”
  • Attack Surface Manager also provides an easy interface for defining where and how domain admin user and other privileged credentials are allowed to persist on systems, and then automatically discovers and enables easy remediation of violations.
  • Illusive provides the ability to examine cyberattack pathways to critical assets and use risk metrics to determine which paths are high-priority ones to eliminate, and which can be eliminated without preventing valid users from reaching necessary resources.

This visibility on attack paths to critical assets is “gold” to vulnerability management teams. Not all of these pathways can be eliminated, of course; the business couldn’t function without a network. But understanding which necessary pathways warrant extra protection should be a top criteria for determining how to prioritize vulnerability patching.

This method of reducing attack pathways, incidentally, can also be used to help to protect assets that can’t be patched. With awareness of the real connection matrix, organizations can reduce pathways to mainframes, unpatchable OT devices, or legacy systems that can’t be patched for fear of causing disruption.

Want to find out how vulnerable your network is to advanced attackers and APTs? For a limited time, Illusive is providing a free cybersecurity Attack Risk Assessment, which provides extensive visibility into how easily attackers could move laterally.