A study by University of Trento security researchers of APT hacking campaigns conducted between 2008 and 2020 indicates that enterprise IT security admins should worry most about patching their systems against known vulnerabilities, rather than chasing a fix for every zero-day flaw that emerges.
The researchers analyzed the impact of 86 APTs and 350 attack campaigns and debunked the belief that all APTs are highly sophisticated and prefer to target zero-day flaws rather than vulnerabilities for which a patch already exists.
“Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” researchers Giorgio Di Tizio, Michele Armellini, and Fabio Massacci wrote in the report published on the pre-print server arXiv.
Indeed, out of the 86 APTs they examined, only eight – Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor – exploited CVEs that no other group used. This suggests that not all APTs are as sophisticated as many think, since the groups “often reuse tools, malware, and vulnerabilities,” the researchers wrote.
Faster updates minimize the threat
The study showed that organizations that apply software updates as soon as they are published face the lowest odds of being compromised. However, the need to run regression testing before applying an update means that organizations often take far longer to update their software.
It typically takes an organization more than 200 days to bring 90 percent of its machines in line with the latest software patches because of regression testing, which verifies that updated systems still function properly, the researchers found. Such behavior is rational, since not every vulnerability ends up being exploited in the wild. Against APTs, however, slow updates do not appear to be an adequate defense.
The study conducted by University of Trento researchers specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment.
"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile as updating with a delay, but costs significantly less," the researchers added.
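To make the trade-off in that quote concrete, the following is an added toy simulation, written for this article and not the researchers' own model, data or code. It replays a constructed timeline (six releases of one product, one every 30 days, and two public CVEs; none of these are real identifiers) under three strategies: deploy every release immediately, deploy every release after a fixed regression-testing delay, or stay on the installed release and only test and deploy a newer one once a public CVE affects it. Cost is counted as the number of deployments, risk as the number of days spent on a release with a public, unpatched CVE.

```python
from dataclasses import dataclass

# Constructed timeline for illustration only (not data from the Trento study):
# six releases of one product, one every 30 days, and two public CVEs.
@dataclass(frozen=True)
class Release:
    version: int
    day: int

@dataclass(frozen=True)
class Vuln:
    cve: str
    disclosed: int        # day the CVE becomes public
    affected: frozenset   # versions that are vulnerable

RELEASES = [Release(v, d) for v, d in ((1, 0), (2, 30), (3, 60), (4, 90), (5, 120), (6, 150))]
VULNS = [
    Vuln("CVE-A", disclosed=60, affected=frozenset({1, 2})),   # fixed in v3, shipped the same day
    Vuln("CVE-B", disclosed=100, affected=frozenset({3, 4})),  # no fixed release until v5 on day 120
]
HORIZON = 200  # days simulated


def latest_release(day):
    """Highest version number published on or before `day`."""
    return max(r.version for r in RELEASES if r.day <= day)


def simulate(strategy, delay=0):
    """Replay the timeline under one update strategy.

    strategy: "immediate" - deploy every release on its release day (delay ignored)
              "delayed"   - deploy every release `delay` days after it ships (regression testing)
              "reactive"  - stay put until a public CVE affects the installed version, then
                            test and deploy the newest non-vulnerable release after `delay` days
    Returns {"updates": deployments performed,
             "exposed": vulnerability-days spent on a version with a public, unpatched CVE,
             "per_cve": {cve: exposed days}}.
    """
    if strategy == "immediate":
        delay = 0
    installed = 1
    pending = {}  # deploy_day -> version currently in regression testing
    updates = 0
    per_cve = {v.cve: 0 for v in VULNS}

    for day in range(HORIZON):
        # 1. decide whether to start testing a new version today
        if strategy in ("immediate", "delayed"):
            for r in RELEASES:
                if r.day == day and r.version > installed:
                    pending[day + delay] = r.version
        elif strategy == "reactive":
            live = [v for v in VULNS if v.disclosed <= day and installed in v.affected]
            if live and not pending:
                target = latest_release(day)
                # only worth moving if the newest release actually fixes every live CVE;
                # otherwise keep waiting for a fixed release to ship
                if all(target not in v.affected for v in live):
                    pending[day + delay] = target
        else:
            raise ValueError(f"unknown strategy {strategy!r}")

        # 2. deploy whatever finished its testing window today
        version = pending.pop(day, None)
        if version is not None and version > installed:
            installed = version
            updates += 1

        # 3. count today's exposure to public CVEs affecting the installed version
        for v in VULNS:
            if v.disclosed <= day and installed in v.affected:
                per_cve[v.cve] += 1

    return {"updates": updates, "exposed": sum(per_cve.values()), "per_cve": per_cve}


if __name__ == "__main__":
    for name, d in (("immediate", 0), ("delayed", 30), ("reactive", 30)):
        print(f"{name:>9} (delay={d:2d}): {simulate(name, d)}")
```

On this constructed timeline, immediate updating costs five deployments and leaves 20 exposed days (all from CVE-B, for which no fixed release exists for 20 days), delaying every release by 30 days costs the same five deployments but 80 exposed days, and the reactive strategy with the same 30-day testing window reaches the same 80 exposed days with only two deployments. That is the shape of the researchers' finding, not a reproduction of it; a real evaluation would replay the actual release and CVE history of each product.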