How to Decrease Risk While Patching Less

2021 – The Year of Vulnerabilities

The growth in yearly vulnerability disclosures over the last decade is frightening. The MITRE CVE list shows 4816 new CVEs registered in 2011 versus 20184 in 2021.

That is more than a fourfold increase over the decade, and 2021 alone accounts for roughly 12% of all CVEs registered since 1999!


At the dawn of 2022, the cumulative number of CVEs with a CVSS score of nine or above had already reached 19086.

There are a variety of reasons for this dizzying increase in discovered CVEs: progress in vendors' self-policing, higher payouts from bug bounty programs, the temptation to pull insufficiently vetted open-source code into products to accelerate development, the growing complexity of environments that span on-prem, hybrid, and cloud-native networks, or a combination of all of the above.


Attack Based Vulnerability Management – Decrease Risk While Patching Less

In 2022, we can expect CVE volume to keep growing, and the time from vulnerability disclosure to working exploit to keep shrinking. This has serious ramifications for enterprises that already struggle to keep up. Patching cycles have always been troublesome: disruptive, time-consuming, and arduous, while the periods in between are fraught with elevated risk. We need to approach patching differently.


Cymulate has achieved what others thought impossible: a way to decrease risk while reducing the number of disruptive patching windows.


It required a very different view of offensive security testing: in the past, such testing only cared about whether an existing real-world exploit worked, whereas now it also cares about the underlying vulnerabilities themselves. Combining offensive testing techniques with this focus on vulnerabilities yielded highly effective results.

The approach tests environments, discovers vulnerable assets, and checks whether first-party controls (operating systems, the virtual instances themselves, applications) and third-party security controls can block the threat posed by a new vulnerability without requiring a patch. The underlying idea is that, if the threat is effectively blocked even without patching, patching can be deferred to when it is truly necessary or to larger enterprise maintenance windows. In practice it often was, and Cymulate's customer base reacted extremely positively.


Real-World Example: Invoke-noPac

Let's see how this works in practice, using a new and very dangerous vulnerability that affects enterprises right now, and see how attack-based vulnerability management techniques can prevent future exploitation.

December 2021 was a busy final month of the year for cybersecurity. Beyond most of us tackling the far-reaching Apache Log4j vulnerability and the Log4Shell exploits that followed, another serious pair of vulnerabilities needs immediate discussion and attention. Here at Cymulate, we have been tracking two Microsoft vulnerabilities, CVE-2021-42287 and CVE-2021-42278. Chained together, they enable a sAMAccountName spoofing and privilege escalation attack. Frighteningly, the exploit is uncomplicated enough to be used even by novice attackers, and, starting from nothing more than an ordinary low-privileged domain account, it grants them domain administrator rights in Active Directory.

Multiple exploit PoCs for these vulnerabilities are already available on GitHub and on various hacking blogs, so this might well keep cyber-defenders busy in 2022.

For a description of how these vulnerabilities can be exploited, check my post on the VM blog.


Attack Based Vulnerability Management Put into Practice

While I would argue that these two vulnerabilities, CVE-2021-42287 and CVE-2021-42278 (for which patches were released on Patch Tuesday, November 9th, 2021), are a case where even I might pull the patching trigger, there are things we can do to reduce the burden of emergency patching and hold off until a periodic maintenance window.

At Cymulate, we created a purple team test that exploits these two vulnerabilities. The test includes a cleanup step at the end so that no elevated account is left behind in Active Directory once testing is finished. This let our customers see whether they were actually vulnerable to these exploits and therefore whether the patch had to be applied immediately. More importantly, clients running the purple team test discovered compensating controls they could put in place without patching: behavior-based anti-malware on the domain controllers to detect and block the attack chain, and a change to the default Active Directory configuration that removes unprivileged users' ability to add machines to the domain (by default, the ms-DS-MachineAccountQuota attribute lets any authenticated user create up to ten machine accounts, which is the foothold this attack needs).
That protected them not only against exploits of the unpatched CVE-2021-42287 and CVE-2021-42278 vulnerabilities but also against other vulnerabilities, known and unknown, that rely on the same access to Active Directory.
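The configuration control described above, plus the checks a defender would want to run alongside it, can be expressed as a short PowerShell script. The following is an added example written for this page; it is not Cymulate's purple team test or any vendor's tooling. It assumes the ActiveDirectory RSAT module is installed, that it runs under an account that can read and modify the domain naming context, and, for the last check only, that it runs on a domain controller where Microsoft's November 2021 update (KB5008380) is installed. The `-Enforce` switch is this script's own parameter.

```powershell
# Added example (not Cymulate's test): audit and harden the Active Directory
# defaults that the CVE-2021-42278 / CVE-2021-42287 (noPac) chain relies on.
# Assumes: ActiveDirectory RSAT module; rights to read/modify the domain NC.
# Run with -Enforce to actually set ms-DS-MachineAccountQuota to 0.
[CmdletBinding()]
param(
    [switch]$Enforce
)

Import-Module ActiveDirectory -ErrorAction Stop

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Machine account quota. The default of 10 lets ANY authenticated user create
#    machine accounts, which is the foothold the attack chain starts from.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"
if ($quota -ne 0) {
    Write-Warning "Unprivileged users can still join machines to the domain (quota = $quota)."
    if ($Enforce) {
        Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        Write-Host "Quota set to 0: creating computer objects now requires delegated rights."
    }
}

# 2. Traces of the attack itself. The chain renames an attacker-controlled computer
#    object so that its sAMAccountName no longer ends in '$' and matches a DC's name.
$dcNames   = (Get-ADDomainController -Filter *).Name
$computers = Get-ADComputer -Filter * -Properties sAMAccountName, 'mS-DS-CreatorSID', whenCreated

foreach ($c in $computers) {
    if ($c.sAMAccountName -notmatch '\$$') {
        Write-Warning "Computer object without trailing '`$': $($c.DistinguishedName) (created $($c.whenCreated))"
    }
    $bare = $c.sAMAccountName.TrimEnd('$')
    if ($dcNames -contains $bare -and $c.DistinguishedName -notlike '*,OU=Domain Controllers,*') {
        Write-Warning "Computer object named like a DC outside the DC OU: $($c.DistinguishedName)"
    }
}

# 3. Machine accounts created through the quota. AD stamps mS-DS-CreatorSID only on
#    objects created by a principal without explicit create rights, i.e. via the quota,
#    so every hit here is a machine an ordinary user added and still controls.
foreach ($c in $computers | Where-Object { $_.'mS-DS-CreatorSID' }) {
    $raw = $c.'mS-DS-CreatorSID'
    $sid = if ($raw -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$raw
    }
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }
    Write-Host "Quota-created machine: $($c.Name) by $creator on $($c.whenCreated)"
}

# 4. (Run on a DC.) Enforcement state of the KDC fix shipped in KB5008380.
#    2 = enforcement mode; 1 = deployment (audit) mode; 0 = fix disabled;
#    absent = value never set, or the update is not installed on this host.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$mode = (Get-ItemProperty -Path $kdcKey -Name PacRequestorEnforcement -ErrorAction SilentlyContinue).PacRequestorEnforcement
if ($null -eq $mode) {
    Write-Host "PacRequestorEnforcement not set (unpatched DC, or registry value absent)."
} elseif ($mode -ne 2) {
    Write-Warning "PacRequestorEnforcement = $mode; the KDC is not yet in enforcement mode."
} else {
    Write-Host "PacRequestorEnforcement = 2 (enforced)."
}
```

Run it once without `-Enforce` to see who has been creating machine accounts through the quota before you cut that path off; setting the quota to 0 breaks any provisioning workflow that relies on it, so delegate the "Create Computer objects" right to the specific group that needs it first. For ongoing detection, the rename step of this chain shows up on the domain controller as Windows security Event ID 4742 (computer account changed) with a sAMAccountName change, and the initial foothold as Event ID 4741 (computer account created) by a non-administrative user.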

In other words, they improved their overall resilience far more efficiently than simply patching.


Summary

With 2022 slated to bring even more high-severity vulnerabilities, it is imperative to shore up security. Continuously monitoring and correcting security drift is critical to increasing resilience, and it can be drastically improved and streamlined by applying Attack Based Vulnerability Management (ABVM), currently the most advanced Vulnerability Prioritization Technology (VPT).