Cybercriminals Shave Exploitation Times to Record Lows: Can Organizations Keep Pace?


The amount of time it takes for a vulnerability to be exploited after discovery, or time-to-exploit (TTE), is on the decline as cybercriminals are always honing their techniques and adapting their attacks for optimal efficiency and success. The recent drop in TTE is especially steep, down to an average of only five days, according to cybersecurity consulting and intelligence firm Mandiant.

This statistic is indicative of an alarming trend. Attackers are improving their tactics too rapidly for cyber defenses to keep up. In the face of exploitation timelines becoming shorter and shorter, it is important to consider whether organizations are equipped to take the urgent action necessary to respond to these threats.

The Acceleration of Exploitation Timelines

Mandiant’s data, pulled from analysis of 138 vulnerability exploits disclosed in 2023, shows a sharp decrease in the average TTE compared to previous years. The average TTE was 63 days in 2018-19, 44 days in 2020-21, and 32 days in 2021-22, making the fall to five days the largest drop in a years-long trend of declining TTE averages. These lower TTEs are a consistent pattern in cyberattacks, not an anomaly. Threat actors are constantly working to perfect their methods and exploit vulnerabilities faster than they can be patched.

Cyber defense efforts face significant challenges in attempting to keep up with progressively faster exploit times. The difficulty of patching vulnerabilities faster than cybercriminals can exploit them means that the bulk of the burden of protection falls on incident response teams. This puts excessive pressure on these teams and can lead to burnout and mistakes, highlighting the need for a proactive approach to vulnerability mitigation and patching.

Why Attackers Are Gaining Speed

One of the main factors in decreasing TTE averages is the rise of zero-day exploits. The ratio of n-day exploits to zero-day exploits analyzed in 2023 was 30:70, whereas in previous years it has been closer to 40:60. Mandiant notes that this is likely a result of an increase in zero-day usage and detection, as opposed to a decrease in n-day usage.
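To make the TTE and n-day/zero-day figures above concrete, here is an added example (not code from the article or from Mandiant) that computes them from a small constructed set of vulnerability records and also answers the article's question of whether an organization "kept pace": whether its fix was deployed no later than the first observed exploitation. It assumes the common convention of counting TTE as days from public disclosure to first in-the-wild exploitation, with zero or negative values marking a zero-day; Mandiant's exact methodology may differ.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class VulnRecord:
    vuln_id: str             # constructed placeholder ids, not real CVE numbers
    disclosed: date          # public disclosure date
    exploited: date          # first observed in-the-wild exploitation
    patched: Optional[date]  # date the org finished deploying a fix; None if not yet

def tte_days(rec: VulnRecord) -> int:
    """Time-to-exploit: days from disclosure to first exploitation.
    Zero or negative means the bug was exploited before (or on) disclosure."""
    return (rec.exploited - rec.disclosed).days

def is_zero_day(rec: VulnRecord) -> bool:
    return tte_days(rec) <= 0

def kept_pace(rec: VulnRecord) -> bool:
    """True when the fix landed no later than the first exploitation."""
    return rec.patched is not None and rec.patched <= rec.exploited

def summarize(records: list[VulnRecord]) -> dict:
    ttes = [tte_days(r) for r in records]
    zero = sum(1 for r in records if is_zero_day(r))
    return {
        "avg_tte_days": mean(ttes),
        "zero_day_pct": round(100 * zero / len(records)),
        "n_day_pct": round(100 * (len(records) - zero) / len(records)),
        "kept_pace": sum(1 for r in records if kept_pace(r)),
        # vulnerabilities where the org was exposed after exploitation began
        "exposed": [r.vuln_id for r in records if not kept_pace(r)],
    }

# Constructed sample data; dates and ids are illustrative only.
SAMPLE = [
    VulnRecord("sample-1", date(2023, 3, 1), date(2023, 2, 20), date(2023, 3, 5)),
    VulnRecord("sample-2", date(2023, 5, 10), date(2023, 5, 10), None),
    VulnRecord("sample-3", date(2023, 6, 1), date(2023, 6, 15), date(2023, 6, 10)),
    VulnRecord("sample-4", date(2023, 8, 1), date(2023, 8, 4), date(2023, 8, 20)),
    VulnRecord("sample-5", date(2023, 9, 1), date(2023, 9, 8), date(2023, 9, 8)),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```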

Attackers are motivated to pursue zero-day exploits for a variety of reasons. Researchers were able to attribute around half of the zero-day exploits analyzed to espionage, and almost one-ninth to financial motivations. Leveraging zero-day vulnerabilities enables attackers to launch stealthier and more successful attacks, increasing payouts and decreasing risk to themselves.

Threat actors are able to exploit vulnerabilities faster due to factors like technology, accessibility, and sophistication in their attacks. These attacks are enabled by improvements in the tools they use to detect vulnerabilities, access to exploit kits, and increasingly powerful threat actor groups. “Instead of ‘lone wolves,’ cybercriminals are now members of cybercrime cartels which have the time, resources, and money to execute these more sophisticated attacks,” according to Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software.

Organizational Vulnerabilities: Challenges in Keeping Pace

Organizations have a hard time keeping up with shortened TTEs because of struggles with patch management. Traditional patching cycles cannot move faster than cybercriminals, especially as many vulnerability exploits are the actions of threat groups with massive resources on their hands for launching quick and effective attacks.

Organizations, on the other hand, are often restrained by staffing and budgetary limitations, making it difficult to respond quickly to vulnerabilities and attacks. These resource constraints are accompanied by an onerous patching process and resistance to new patches from end users. Rushing patches can also lead to incomplete or ineffective fixes, or even create new vulnerabilities or operational difficulties.

With these struggles complicating the picture and making it difficult to outpace attackers, it is vital for organizations to adopt solutions that aid them. In particular, organizations need tools with automated detection and real-time response capabilities to improve their chances against accelerating exploitation timelines.

Key Exploited Vulnerabilities

One of the zero-day exploits recorded in 2023 was CVE-2023-5217, a buffer overflow in libvpx, which affected Chrome, Firefox, iOS, and Android systems. Two other vulnerabilities, CVE-2023-4863 and CVE-2023-41064, are believed to actually be the same bug; it impacted Android systems and Firefox in addition to Chrome and Safari.

These vulnerability exploits point to a trend of cybercriminal interest in taking advantage of issues that allow them to compromise multiple products with one attack. Bugs like these in third-party components are high value and often easier to exploit than attempting to attack large corporations directly by pursuing gaps in their security. Using one vulnerability to affect multiple high-profile products is more efficient than attacking each product separately. Protecting against these vulnerabilities requires proactive action and defense strategies to mitigate third-party risks.

Proactive Steps to Keep Up with Attackers

Keeping pace with attackers looking to exploit vulnerabilities as quickly as possible can be daunting, but organizations can take steps to proactively protect against security risks. One of the most important parts of protecting against potential vulnerabilities and exploits is implementing continuous monitoring solutions to detect anomalous behavior.

It is also crucial for organizations to use threat intelligence to their benefit in their defense strategies. Heeding threat intelligence and using it to inform security decisions is a vital step in predicting, identifying, and prioritizing vulnerabilities based on which ones pose the most risk.

Adopting advanced security measures and solutions can also go a long way toward protecting organizations against increasingly sophisticated threats. Average TTE is on the decline due to the technologies and techniques behind vulnerability exploitations continuing to evolve, and employing advanced tactics is essential for fighting these threats. Solutions like endpoint detection and response (EDR), zero-trust architecture, and real-time attack surface management can empower organizations to mitigate vulnerabilities faster and prevent malicious exploits.

The Path Forward

The research from Mandiant is indicative of a shocking trend, demonstrating a sharper drop in average TTE than in any previous year. This is a significant change, highlighting the critical need for a paradigm shift in how we approach vulnerability management and response. Organizations should embrace a mindset of expecting exploitation and proactively protecting against it, and this demands the adoption of advanced and agile defenses.

It is vital for organizations to assess their current response capabilities to determine how well they are equipped to handle vulnerability exploitation attacks. They should consider investing in enhanced and sophisticated vulnerability management tools and features in order to detect and remediate vulnerabilities before cybercriminals can have the chance to exploit them.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.