In our last article about the National Vulnerability Database (NVD), we discussed a concept known as vulnerability disclosure time latency. Vulnerability disclosure time latency is the time delay between when a vulnerability is disclosed by the vendor and when a vulnerability is published to the NVD. Figure 1 shows an example of events that could occur during latency. In addition to vulnerability disclosure time latency, another significant factor to discuss is weaponization. In this context, weaponization is defined as taking a vulnerability and constructing an exploit for it. In this blog post, we will discuss what key elements are involved, the different weaponization state types, and what lessons organizations can learn from weaponization patterns.
There are three key elements involved in each weaponization trend, as shown in Figure 2. The first element is NVD publication, which indicates that the vulnerability has been recognized and publicly documented. The second element is patching, where the vendor (or the organization responsible for the software) releases a fix (patch) for a known vulnerability. The third element is the release of an exploit. An exploit is designed to take advantage of a vulnerability, giving attackers access to protected information, enabling privilege escalation, and more.
When discussing weaponization trends, the important thing to remember is that the order in which these events happen determines the severity of the weaponization state.
We define weaponization states through the relationships between the three key weaponization elements. Using these elements, we mapped four unique weaponization states, which we discuss in more detail below. We determined the frequency and the severity of these states by researching years' worth of vulnerability, patch, and exploit patterns. It is also important to note that the elements of a weaponization state do not necessarily occur in quick succession: the gap between one event and the next can last days, if not months or years.
The most severe weaponization state (as shown in Figure 3) also happens to be the second most common state we observed. In this state an exploit is released into the wild first, then the NVD publishes the vulnerability, and finally the vendor releases a patch for it. This state is considered the most severe because the exploit is available in the wild before the public even knows the weakness is present, which lets malicious actors take advantage of the weakness before anyone knows an exploit exists.
The most common weaponization state is where the NVD discloses a vulnerability, an exploit is released based on the information provided by the NVD, then the vendor releases a patch (shown in Figure 4). This state is considered somewhat less severe than the prior weaponization state mentioned because the public is aware that the vulnerability is present when an exploit is released; however, organizations are vulnerable until the patch is released.
The next weaponization state, as shown in Figure 5, is where the NVD discloses a vulnerability, the vendor then releases a patch for that vulnerability, and only afterwards is an exploit released for it. This state is considered the least severe of the four because a patch is already available for the weakness before the exploit is released. Of course, an organization may still be at risk if it has not applied the patch, but an organization that maintains regular patching cycles, as optimal security hygiene practices require, would be better protected against this exploit.
Figure 6 shows the least common weaponization state, which is where a patch is released for a vulnerability, an exploit is then released for the vulnerability, and then the NVD discloses the vulnerability to the public. As mentioned in our previous article about the NVD, organizations relying on NVD disclosure may be vulnerable if they wait for notification. If organizations maintain regular patching cycles, they should be protected against these kinds of threats.
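The four states above are determined purely by the order of the three events, so the classification can be automated once a vulnerability's NVD publication, patch, and exploit dates are known. The following is an added example (not RiskSense code, and the VULN-* identifiers and dates are constructed): it sorts the events, maps the ordering onto the four states named in this post, flags orderings the post does not cover, computes how many days an exploit was in the wild before a patch existed, and uses that to rank vulnerabilities for remediation, with exploited-but-unpatched ones first.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# The four weaponization states named in the post, keyed by event order (earliest first).
STATES = {
    ("exploit", "nvd", "patch"): "exploit -> NVD -> patch (most severe, second most common)",
    ("nvd", "exploit", "patch"): "NVD -> exploit -> patch (most common)",
    ("nvd", "patch", "exploit"): "NVD -> patch -> exploit (least severe)",
    ("patch", "exploit", "nvd"): "patch -> exploit -> NVD (least common)",
}

@dataclass
class VulnTimeline:
    vuln_id: str            # constructed placeholder, not a real CVE id
    nvd: Optional[date]     # NVD publication date, None if not yet published
    patch: Optional[date]   # vendor patch release date, None if unpatched
    exploit: Optional[date] # public exploit release date, None if none known

def event_order(t: VulnTimeline) -> Tuple[str, ...]:
    """Names of the events that have already happened, earliest first.
    Assumption: same-day events are broken by name (exploit < nvd < patch)."""
    events = [(d, n) for n, d in (("nvd", t.nvd), ("patch", t.patch), ("exploit", t.exploit)) if d]
    return tuple(n for _, n in sorted(events))

def weaponization_state(t: VulnTimeline) -> str:
    order = event_order(t)
    if len(order) < 3:  # the state is only defined once all three events exist
        return "incomplete: awaiting " + ", ".join(sorted({"nvd", "patch", "exploit"} - set(order)))
    return STATES.get(order, "other ordering (not one of the four states in the post)")

def exposure_window_days(t: VulnTimeline) -> Optional[int]:
    """Days an exploit was public before a patch existed; 0 if the patch came first;
    None if either event has not happened yet."""
    if t.exploit is None or t.patch is None:
        return None
    return max((t.patch - t.exploit).days, 0)

def prioritize(timelines: List[VulnTimeline]) -> List[str]:
    """Remediation order: exploited-but-unpatched first, then longest exposure window."""
    def key(t: VulnTimeline):
        unpatched_exploit = t.exploit is not None and t.patch is None
        return (not unpatched_exploit, -(exposure_window_days(t) or 0))
    return [t.vuln_id for t in sorted(timelines, key=key)]

# Constructed sample timelines, one per state plus one still awaiting a patch.
SAMPLE = [
    VulnTimeline("VULN-A", date(2023, 3, 10), date(2023, 4, 2), date(2023, 2, 20)),
    VulnTimeline("VULN-B", date(2023, 5, 1), date(2023, 5, 20), date(2023, 5, 8)),
    VulnTimeline("VULN-C", date(2023, 6, 1), date(2023, 6, 3), date(2023, 7, 15)),
    VulnTimeline("VULN-D", date(2023, 9, 30), date(2023, 8, 1), date(2023, 8, 15)),
    VulnTimeline("VULN-E", date(2023, 10, 1), None, date(2023, 10, 5)),
]
```

Run `for t in SAMPLE: print(t.vuln_id, weaponization_state(t), exposure_window_days(t))` followed by `prioritize(SAMPLE)` to see the classification and ranking for the sample set.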
Illustrating the various weaponization states highlights how important patching and regular patch cycles are. Keeping your organization's hardware and software up to date with current patches helps avoid a variety of issues. The next article in this series will discuss how understanding trends in company patch cycles and weaponization states can further assist organizations in defending against cyber threats and prioritizing remediation strategies.
RiskSense provides organizations with a compass guiding them to direct their resources in the most effective manner to reduce cyber risk. The RiskSense Platform is designed to assist organizations in identifying, prioritizing, and orchestrating cyber risk remediation. The Platform gives organizations the means to measure and manage mitigations and maneuver within complex environments to decisively respond to cyber risk exposure. To schedule a demonstration of our Platform, visit www.RiskSense.com.