Analysis has surfaced what many would consider a surprising insight: Organizations that always update to the newest versions of all of their software have roughly the same risk of being compromised in cyber-espionage campaigns as those that apply only specific updates after a vulnerability is disclosed.
A quantitative look at data from 350 advanced persistent threat (APT) campaigns between 2008 and 2020 by researchers from University of Trento, Italy, shows that organizations with a purely reactive software update strategy had roughly the same risk exposure to advanced cyberattacks as those that keep up to date on everything. This is despite the fact that the subjects deployed only 12% of the updates that organizations that always updated immediately did.
The data shows that the same holds true for organizations that might apply updates to patch vulnerabilities based on information they have received in advance — for example, by paying for information about zero-days. Even these entities do not have a significant advantage over those that patch only on a reactive basis when it comes to breach risk, the study shows.
Why Reactive Patching Might Be OK for APTs
Though this flies in the fact of conventional wisdom, the study results reflect two realities: 1) APTs tend to be reactionary themselves, and 2) time-to-patch metrics matter.
In analyzing some 350 campaigns dating back to 2008 (including information on vulnerabilities exploited, attack vectors, and affected software products), researchers found that APTs targeted publicly disclosed vulnerabilities more often than they did zero-days, overall. They also tended to frequently share or target the same known vulnerabilities in their campaigns.
In all, the researchers identified 86 different APT groups exploiting a total of 118 unique vulnerabilities in their campaigns between 2008 and 2020. Just eight of these threat groups used exclusive vulnerabilities in their campaigns: Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor.
That means there's an opportunity for IT teams to prioritize those bugs that are known to be APT favorites, in order to eliminate most of the risk of compromise.
Risk Remains Roughly the Same
Organizations that can apply software updates as soon as they're released naturally still face the lowest odds of being compromised, the study showed. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. It's here that the researchers found little difference in risk exposure between those that apply all software updates, those that apply on a reactive basis, and those that update based on information they might have received in advance of others.
After all, the advantage of receiving vulnerability information in advance goes away completely the longer an organization takes to act upon the information.
For example, organizations that applied all software updates within one month of the updates being released were roughly at between five and six times higher risk of being compromised than organizations that updated immediately. That number was lower than (but not significantly so) for those that patched on a reactive basis (roughly between five-and-a-half to seven times higher risk); and those acting upon advance information (approximately between five and seven times higher).
The researchers found that organizations which acted on a reactive basis deployed far fewer updates than those that applied all updates. "Waiting to update when a CVE is published presents eight times fewer updates," the researchers said. "Thus, if an enterprise cannot keep up with the updates and needs to wait before deploying them, it can consider being simply reactive [as an alternative]."
A Critical Issue
The issue of patch prioritization has become increasingly critical for resource- and time-strapped IT departments and security organizations. The growing use of open source components — many with vulnerabilities in them — has only exacerbated the problem. A study that Skybox Research Lab conducted last year showed a total of 20,175 vulnerabilities were disclosed in 2021. Another study by Kenna Security showed that nearly 95% of all enterprise assets contain at least one exploitable vulnerability. The trend has heightened interest in risk-based patch prioritization and pushed the US Cybersecurity and Infrastructure Agency to publish a catalog of exploited vulnerabilities so organizations know on which ones to focus first.
For its part, the University of Trento study specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment.
"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers said.