[This was originally published on RiskBasedSecurity.com and was included in the 2021 Mid Year Vulnerability QuickView Report.]
It seems like every day we hear about a new hack and read headlines telling us that so-called advanced persistent threats (APTs) are compromising major organizations. These APT and nation-state actors have incredible skill and seemingly an arsenal of zero-day vulnerabilities, and apparently no one is safe. Consider them the sharks of the digital criminal world. They are definitely to be feared and certainly fun to read about, as long as it isn’t your organization that got popped by one.
But like those APTs, shark attacks get all the headlines. In reality, sharks attack very few people worldwide every year and kill even fewer. Instead, it’s the mosquitoes you may need to worry about, as they kill over 400,000 every year. Hell, even hippos, which are considered the deadliest land mammal, kill more every year, averaging around 500.
But are the numbers the real story here? Partially! If you don’t swim in the ocean or live in Africa, the odds of you dying by either are essentially nil. So, the numbers give us some perspective on the perception of attack and on understanding risk. But the analogy breaks down there, as any organization is theoretically at risk from the “shark” since it too is connected to the Internet (the ocean).
Real-world analogies for computer crime are often good on the surface but break down with casual thought. However, that surface can be beneficial sometimes, like the sharks versus mosquitoes comparison. Instead of using those two as an analogy for the people carrying out the attack, let’s use them for types of vulnerabilities instead. Sharks are the zero-day vulnerabilities that you have no chance of defending against. Mosquitoes are the tens of thousands of vulnerabilities disclosed every year. In the news now is the attack on Kaseya devices that is being touted as a supply chain attack.
Supply chain attacks have become a hot topic since the SolarWinds compromise late last year and resurfaced with Kaseya. Are they a threat to your organization? Yes. Are you doomed? Not necessarily. Every company in the world that uses technology relies on both hardware and software from sources outside its control. Pieces of your computer likely come from Malaysia, Indonesia, and Taiwan, while software comes from all over the world. Can you trust it? That’s a misleading question most of the time because the answer is really in the form of a question: “Do I have a choice?” While every organization makes an effort to remain secure, even the biggest, including Google and Microsoft, can fall victim to computer criminals.
With more software using some form of automatic updates, the compromise of the parent company may pose a risk to you. However, the alternative is to disable automatic updates and create a process to verify those patches before they are deployed. We’re not aware of many places that can afford that level of time and expertise to examine every patch before installing it. Even using third-party integrations can be a big concern, as we saw with the Codecov breach. You are hopefully aware of that breach since it earned some news cycles, but are you aware that to this day the vulnerability that led to it still doesn’t have a CVE ID?
The Codecov supply chain attack was originally assigned CVE-2021-1000009 by the DWF project because MITRE was too slow to assign. However, the DWF project folded again and renamed their IDs from CVE to UVI to make it clearer that their assignments are not official CVEs. After that, MITRE still did not assign an ID to this issue, which pushed malicious code into organizations. While this is what we would label a hybrid vulnerability, in that it involves a service and software, it is important to include it in vulnerability intelligence. Fortunately for some, MITRE was only a week late in publishing an anemic CVE ID for the Kaseya incident that involved on-prem equipment at customer networks. Days later we published our first blog summarizing what was known about the Kaseya compromise at the time, in the midst of a lot of confusing and contradictory claims. We went on to question whether the incident was really a supply chain attack, while exploring the history of such incidents, which actually date back to 1974.
APTs, sharks, hippos, mosquitoes, and a slew of other threats are out there, but they aren’t all trying to kill you. Cozy Bear, Numbered Panda, Charming Kitten, and SandCat are also threats, but that doesn’t mean they are targeting your network. RBS’ understanding of this is what makes us the standard bearers for effective Risk-Based Vulnerability Management (RBVM). Devoting too many resources to protecting against the theoretical shark attack, while ignoring the thousands of mosquitoes, is probably not the best strategy. Don’t lose sight of the daily grind and hundreds of vulnerabilities disclosed every week. They are annoying, persistent, and can cause trouble for you just the same. Perhaps that is the real APT.