Why Do Our Adversaries Prey on Years-Old Vulnerabilities? Because You Let Them

Apr 28, 2021


The cybersecurity threats that marked the end of 2020 only seem to be escalating as we move into 2021. Since the SolarStorm crisis that bled over into the beginning of this year, we have seen not one, but two sets of Microsoft Exchange Server vulnerabilities and, most recently, a list of five CVEs that the U.S. Government assessed to be used by the Russian Foreign Intelligence Service (SVR).

This final item is unique: while SolarStorm was a novel supply chain attack and the Microsoft Exchange Server vulnerabilities were newly discovered, the National Security Agency, Federal Bureau of Investigation, and Cybersecurity and Infrastructure Security Agency highlighted five CVEs between one and three years old, all with known mitigations.

The continued threat from these outdated CVEs should serve as a valuable lesson. As the government’s joint memo notes, the SVR's use of public-facing applications as an attack vector shows that defenders didn’t understand their Internet attack surface. Put another way, the SVR and other malicious actors can keep relying on years-old security vulnerabilities on the Internet because defenders frequently take too long to patch while leaving infrastructure open to scanning.

Whether through poor documentation of network deployments, rapid spin-ups of development and cloud architecture, or malicious insider threats, keeping track of all public-facing applications is a significant challenge in today’s IT security environment. What used to be “knowable” via a spreadsheet and strict governance of managed IP space is now more dynamic than ever due to cloud IPs and agile web development.

The only way to meet this challenge is to see your Internet attack surface as the attackers do — first, by mapping out all of the potentially vulnerable services on the public Internet, then filtering down to those associated with targets of interest, and finally, identifying whether those services are vulnerable to a specific attack.
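The three steps above reduce, at their simplest, to reconciling what an external scan sees against what the internal inventory records and then matching exposed product versions to an advisory's affected ranges. The following is an added illustration, not Xpanse code: the scan records, the inventory, the product names and the CVE labels are all constructed placeholders (addresses are RFC 5737 documentation ranges).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str

# Constructed sample of what an external scan sees: the attacker's view.
# Addresses are RFC 5737 documentation ranges, not real hosts.
EXTERNAL_SCAN = [
    Service("203.0.113.10", 443, "exampleVPN", "8.1"),
    Service("203.0.113.11", 443, "exampleVPN", "9.2"),
    Service("198.51.100.7", 8443, "examplePortal", "3.0"),  # a spin-up nobody recorded
    Service("203.0.113.12", 22, "exampleSSH", "8.4"),
]

# Constructed sample of the internal asset inventory: the administrators' view.
INTERNAL_INVENTORY = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# Placeholder affected-version ranges [min, max) per product. Real values come
# from the vendor advisory; the CVE ids here are hypothetical labels.
AFFECTED = {
    "PLACEHOLDER-CVE-A": {"exampleVPN": ("0", "9.0")},
    "PLACEHOLDER-CVE-B": {"examplePortal": ("0", "3.1")},
}

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def matching_cves(svc):
    """CVE labels whose affected range covers this service's product version."""
    hits = []
    for cve, products in AFFECTED.items():
        rng = products.get(svc.product)
        if rng and version_tuple(rng[0]) <= version_tuple(svc.version) < version_tuple(rng[1]):
            hits.append(cve)
    return sorted(hits)

def triage(scan, inventory):
    """Return (host, product, cves, known) rows for exposed vulnerable services,
    unknown-to-inventory assets first: those are the ones no patch cycle reaches."""
    rows = []
    for svc in scan:
        cves = matching_cves(svc)
        if cves:
            rows.append((svc.host, svc.product, cves, svc.host in inventory))
    return sorted(rows, key=lambda r: (r[3], r[0]))
```

The unrecorded portal host surfaces first precisely because no internal record would ever have scheduled it for patching.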

Cortex® Xpanse™’s technology does just this. Our distributed scanning architecture blends into the background noise of the Internet to scan the entire Internet multiple times per day. Then, our proprietary AI/ML algorithms comb through petabytes of data to identify which Internet-facing assets belong to a given organization and enumerate the services running on them. Based on this information, we provided the world’s largest organizations with comprehensive lists of all assets that might have been impacted by these five vulnerabilities — in a fraction of the time that a traditional data call would have taken.

From those lists, our customers were able to target vulnerability management (VM) scans to further assess exposure, or simply run patch hygiene processes on potentially impacted assets to protect themselves against malicious attacks. Without those lists, organizations would have to rely on their own internal records, which are sometimes maintained across multiple levels of bureaucracy and multiple different databases, to target either VM programs or free or low-cost scanners that, by nature, rely on a probably incomplete list of Internet-facing assets.

Now that Xpanse is a part of Palo Alto Networks, our integrations with other parts of the product portfolio provide more capabilities. Our integration with Cortex XSOAR means automatic:

  • Enrichment and added context for vulnerabilities before handing off control to the analyst, ensuring time is spent not on executing repetitive tasks, but on making critical decisions; and
  • Remediation with workflows that extract reports from your vulnerability scanner, open tickets and remind users to patch their systems/products, making required compliance processes more predictable and measurable.

So, as your company reacts to the recent revelations regarding the continued threat from these outdated CVEs and searches for old vulnerabilities across a dynamic attack surface, ask yourself: would you rather rely on the view of your network as your administrators remember it, or the view of your network as attackers see it?

Download our 5 Common Perimeter Exposures white paper to learn more about what you can do about common network attack vectors.
