
Risk

4/15/2021 10:00 AM
Fred Langston
Commentary

Nation-State Attacks Force a New Paradigm: Patching as Incident Response

IT no longer has the luxury of thoroughly testing critical vulnerability patches before rolling them out.

Patching security vulnerabilities has always been the most important security activity an IT team does. For the 25+ years I've spent in security, keeping systems up to date with security patches has been recommendation No. 1 in any set of IT best practices. And during most of this time, we have had the luxury of patching at our own pace.

We've agreed that 30 days to apply patches is the standard of good practice and that the IT team should expedite applying critical severity security patches. But now, after a three-month period when zero-day exploits were identified for SolarWinds, Accellion, Exchange, Chrome, iOS, Android, BIG-IP, and more, and with 11 zero-days identified in just one week, we must accept the reality that the old best practices are just not good enough anymore.


Every time we begin the next wave of incident responses (IRs) after each zero-day exploit is identified in the wild, we send out urgent messaging to help address these critical emerging threats. And the primary thing I've said over and over again is that any security patch for a zero-day or that addresses a critical severity vulnerability must be treated as a Level 1 security incident.

Because the bad actors know that most organizations do not patch faster than 30 days, and a huge number do not patch well at all, it's open season for the nation-states and their criminal advanced persistent threat (APT) groups to literally lay waste to wide swaths of industry and government. Our current approach to address these threats is failing in epic fashion right before our eyes.

Why It's Better to Risk an Outage
Security practitioners have long sympathized with the risks IT faces in emergency security patching. We have even tacitly suggested that, since it is a massive problem to risk bringing down critical systems and affecting operations when deploying a patch, it's OK to move methodically, take the time to test thoroughly, and plan a measured rollout. The bad actors' tactics are forcing us to change, no matter how strong the resistance. Once a zero-day is in the wild, every potential threat actor on the planet will sprint at top speed to use that zero-day exploit as widely as possible.

And if you wait to patch, you will be victimized and likely suffer a massively disruptive IR event that is likely to flatten the systems you were trying so hard to keep operating, with the data on those systems staged for sale on Dark Web auction sites. Ransom demands are hitting tens of millions of dollars — especially if more than one APT group is actively exploiting the same vulnerability.

Even if you pay the ransom, you'll spend $20,000 to $500,000 or more in response and rebuilding costs, not to mention the expense of service disruptions, lost revenue, fines, audits, higher insurance premiums, public relations campaigns to repair your reputation, and more.

In nearly every case, if the victimized organization had treated the zero-day vulnerability patch as an emergency, Level 1 security incident, activated their IR plan, and developed and implemented a real-time method to rapidly test and deploy the security patch, they would have avoided the costs of rebuilding from the ground up. They could also have avoided disruption of business operations, loss of service and revenue, lower customer retention, tarnished company reputation, increased regulatory scrutiny and potential fines, etc.

Incipient Security Events Require a Level 1 Response
It is vastly less expensive, less disruptive, and less impactful to call a cybersecurity incident and activate an IR plan that includes a playbook for responding to an incipient security event whose remediation is emergency testing and patching of systems.
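The triage rule the article argues for (a zero-day or critical-severity fix is an incipient security event that gets a Level 1 response and an emergency, but still staged, test-and-deploy window, while everything else keeps the normal cadence) can be written down as policy-as-code so that every advisory is classified the same way. The following is an added example, not code from the article or from CI Security; the time windows, the canary and ring sizes, and the sample advisories are assumptions constructed for illustration, and the advisory ids are placeholders rather than real CVE numbers.

```python
"""Policy-as-code triage for treating critical patches as incident response.

Added example, not the article's or CI Security's code. The windows (30-day
standard, 7-day expedited, 24-hour emergency), the ring sizes and the sample
advisories below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Tier(Enum):
    LEVEL_1 = "Level 1 incident: activate IR plan, emergency test and patch"
    EXPEDITED = "Expedited: patch within days"
    STANDARD = "Standard: patch within the normal window"


@dataclass(frozen=True)
class Advisory:
    adv_id: str                 # placeholder id, not a real CVE
    cvss: float                 # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool     # True means a zero-day is being used already
    published: datetime         # when the patch/advisory became available
    internet_exposed_hosts: int # affected hosts reachable from the internet
    affected_hosts: int         # total affected hosts in the estate


# Assumed policy constants, in hours.
STANDARD_WINDOW_H = 30 * 24
EXPEDITED_WINDOW_H = 7 * 24
EMERGENCY_WINDOW_H = 24


def classify(adv: Advisory) -> Tier:
    """Exploited in the wild or critical severity -> Level 1 incident."""
    if adv.exploited_in_wild or adv.cvss >= 9.0:
        return Tier.LEVEL_1
    if adv.cvss >= 7.0:
        return Tier.EXPEDITED
    return Tier.STANDARD


def deadline(adv: Advisory) -> datetime:
    """Patch-by time derived from the tier's window and the publish time."""
    window = {
        Tier.LEVEL_1: EMERGENCY_WINDOW_H,
        Tier.EXPEDITED: EXPEDITED_WINDOW_H,
        Tier.STANDARD: STANDARD_WINDOW_H,
    }[classify(adv)]
    return adv.published + timedelta(hours=window)


def rollout_plan(adv: Advisory) -> list[tuple[str, int]]:
    """Return (ring, host count) stages for a compressed but staged rollout.

    Level 1 uses a small canary ring, then the internet-exposed hosts (the
    ones attackers reach first), then the rest; other tiers use a larger
    canary and a single remaining ring.
    """
    n = adv.affected_hosts
    if classify(adv) is Tier.LEVEL_1:
        canary = max(1, n // 20)                       # 5% canary ring
        exposed = min(adv.internet_exposed_hosts, n - canary)
        return [("canary", canary), ("internet-exposed", exposed),
                ("remaining", n - canary - exposed)]
    canary = max(1, n // 10)                           # 10% canary ring
    return [("canary", canary), ("remaining", n - canary)]


def prioritize(advs: list[Advisory]) -> list[Advisory]:
    """Order the patch queue: tier, then actively exploited, then exposure, then deadline."""
    rank = {Tier.LEVEL_1: 0, Tier.EXPEDITED: 1, Tier.STANDARD: 2}
    return sorted(advs, key=lambda a: (rank[classify(a)], not a.exploited_in_wild,
                                       -a.internet_exposed_hosts, deadline(a)))


# Constructed sample advisories (placeholder ids, invented scores and counts).
T0 = datetime(2021, 4, 15, 10, 0)
SAMPLE = [
    Advisory("ADV-0001", 5.3, False, T0, 0, 40),    # medium, not exploited
    Advisory("ADV-0002", 9.8, False, T0, 12, 200),  # critical, not yet exploited
    Advisory("ADV-0003", 7.8, True, T0, 3, 50),     # high, but exploited in the wild
]

if __name__ == "__main__":
    for adv in prioritize(SAMPLE):
        print(adv.adv_id, classify(adv).name, deadline(adv), rollout_plan(adv))
```

Running the block prints the queue with the exploited high-severity advisory first (it is a zero-day, so it is Level 1 despite not being critical by score), the unexploited critical second, and the medium last with its normal 30-day deadline.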

The paradigm shift here is the concept of an incipient security event — one that hasn't happened yet, but it will, if given enough time. And that window before the bad actors try to use the exploit against your assets has already started to close.

IT and security operations must adopt the concept of an incipient security event that requires a Level 1 incident response. The inconvenience of an Exchange outage over a weekend due to a patch is insignificant in cost and impact when compared to a cyberattack on that same Exchange server that takes down every system on your network.

This is the new reality. This is not the security team harping about good cyber hygiene; this is a new paradigm forced by attackers who are more sophisticated, organized, and motivated and have found an attack methodology that pays off like a rigged slot machine.

Critical-severity vulnerabilities must be treated as incidents requiring an emergency response. This means changing foundational concepts in IT management and building something new. But because we cannot control the attackers' methods, and they have found the holes in our IT processes, they will bury us if we fail to respond.

Fred Langston CISSP, CCSK, a co-founder of CI Security, has long been at the forefront of information security. He has over 28 years of professional information security experience working for hundreds of clients to create effective information security strategies and ...