23 Jan The Race Against Time Between Vulnerability and Patch
It is becoming clear that the Equifax breach may be the most significant and damaging network security breach in history. It is estimated that half the population of the United States was affected.
With personal details, including social security numbers and driver’s licenses, being leaked, the shockwaves of this breach will be felt for years to come. It could well result in significant changes to the way we track credit going forward.
It is broadly accepted that this breach was caused by an unpatched exploit in the Apache Struts library on the Equifax web servers. This vulnerability was first disclosed in early March 2017, when a patch for the vulnerability was made generally available.
When security patches are introduced, it begins an arms race between the security community and adversaries that would utilize the exploit. Once a vulnerability is disclosed, attackers know there is a narrow window with which to operate before the community applies this update.
Attackers will move rapidly to identify users that have not updated.
The Gap Between Vulnerability and Patch
In a perfect world, once a security patch has been made available, it will get pushed into production immediately to prevent adversaries from taking advantage of the vulnerability. In the real-world, large organizations do not have the luxury operate this quickly.
Enterprises have change control processes to ensure that new patches, updates, and fixes are thoroughly tested before introducing them into production environments to prevent costly downtime. This ensures the patch will not introduce instability, or even introduce new security vulnerability, as a byproduct of rushing a patch to market.
This conservative approach balances the likelihood of a breach against the probability of instability. As such, they are introduced as quickly as possible but there is always a gap between the patch introduction and the eventual deployment.
Hackers operate within these two events.
Narrowing the Field of High-Value Targets
In the time immediately following the disclosure of a new vulnerability, the number of unpatched systems is high. This decreases over time as users begin to address the problem. While one particular system may be lost in a sea of other potential targets initially, the field starts to clear out rapidly.
As time goes on, the chances of an unpatched system becoming targeted go from likely to probable. For an organization that is already a high-value target, the chances go from probable to inevitable.
Cyber Defense During the Time of Vulnerability
One hallmark of a sound cybersecurity posture is a layered defense. As such, there are still strategies to protect enterprises during this time of vulnerability as the change management process unfolds.
While an adversary can turn a known vulnerability into an exploit in pretty rapid fashion, threat intelligence such as a Snort rule, that detects the use of a vulnerability, can be created even faster. Fortunately, or unfortunately, that’s exactly what happened in this case.
The first Snort rules to detect someone exploiting the Apache Struts vulnerability was introduced the day after it was disclosed. Even in a circumstance where an enterprise is unable to patch the environment, a security team can be monitoring for, or even blocking the use of, an exploit very soon after disclosure.
Equifax has been broadly criticized for the length of time – a reported two months – it took them to implement the patch that would have prevented the breach. There may have been a number of extremely valid reasons for not patching immediately. However, knowing that the vulnerability existed and that it affected their servers, means that this delay should have also precipitated aggressive monitoring for this exploit.
A responsible enterprise should either patch or aggressively monitor a new vulnerability – and preferably they do both. The longer Equifax stayed vulnerable to this exploit, the more inevitable such a breach became.
Security is a Leadership Responsibility
It is clear that the responsibility of mishandling of customer data is no longer limited to just the IT organization. The consequences in the aftermath have been significant and Equifax CEO Richard Smith resigned following the uproar surrounding the breach. This mirrors a similar path as Target CEO Gregg Steinhafel, who also resigned in the wake of that breach in May 2014.
This goes to show it is important for all levels of an organization, to have an established procedure following a significant vulnerability announcement. This includes both how and when to deploy a patch, as well as implementing alternative measures to protect the enterprise and the vast volumes of personal data that may be in their possession.
Note: A version of this post was originally published in “MacFarlane’s Lantern” as part of the CSO Online contributor network under the title, Change management: Equifax highlighted the vulnerability gap between disclosure and patch.
If you enjoyed this post, you might also like:
Threat Trends: Nation State Capabilities for the Casual Adversary