
Shifting focus from vulnerabilities to exploitabilities

Jul 15, 2022

Headed into the second half of 2022, the rate of new cybersecurity threats is not slowing but accelerating. Consider that, in June 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA) listed 49 new "known-exploited" vulnerabilities in its online catalog (of those, 36 were added on June 8th alone).

I’m a staunch advocate of CISA’s focus on exploitabilities rather than vulnerabilities. There is an alarming lack of comprehension regarding the difference between being vulnerable and being exploitable. Understanding the difference for your business is critical to making informed decisions about cybersecurity and avoiding misperceptions of risk. Instead of blindly patching every vulnerability that appears on the security team’s radar, focus on those that can actually impact your business: the ones that are exploitable in practice because no control limits the reachability of the affected asset.

The diversity of affected assets is notable. Among other targets:

  • Google Chrome browser (and Chromium-based browsers derived from Google’s public code)
  • Apple macOS, iOS, tvOS, and watchOS products
  • Owl Labs Meeting Owl Pro and Whiteboard Owl
  • SAP, the enterprise resource planning solution
  • Cisco and NETGEAR routers
  • Adobe Acrobat, Reader, and Flash
  • Microsoft Office suite, Windows OS, XML Core Services, and the recently retired Internet Explorer browser
  • Atlassian Confluence server

How should organizations best resolve such a wide range of vulnerabilities? Client software, server workloads, network devices, wearables, and IoT devices are all represented here. As usual, CISA wholeheartedly recommends applying vendor-supplied updates or retiring older assets. While these steps are helpful, they are not a comprehensive strategy.

Security updates aren’t always available for known vulnerabilities, which makes those vulnerabilities particularly concerning threat vectors. Many vulnerabilities are still unknown, so there is no update to apply at all. The inevitable lag between update availability and deployment creates a window of opportunity for malicious actors. There is also a risk in applying patches for zero-day vulnerabilities without the proper lead time for testing and validation: what if an update renders a core business application inoperable?

Other vulnerabilities occur as a natural result of technological growth. Over time, assets multiply, infrastructures become more complex, and network topologies increasingly incorporate cloud services and remote workers. Keeping everything up-to-date in a growing and transitioning environment makes implementing adequate security extremely challenging.

For these reasons, organizations should seek a broader, more strategic approach to their cybersecurity architectures. Additional security steps can increase protection while complementing the CISA-endorsed strategy of rolling out security patches wherever possible and sunsetting outdated tech.

Build a new security strategy to address such vulnerabilities proactively

Of course, just as every cloud has a silver lining, every cybersecurity wish list creates a roadmap for improvement. We might reconsider the daunting list of vulnerabilities described above as a starting point in outlining a superior security architecture — then imagine how to implement such an architecture as a practical matter.

Many of the vulnerabilities listed above pertain to network endpoints owned and operated by individual workers. That’s not surprising given the explosion in remote workers since the outbreak of the COVID-19 pandemic. A new approach to security needs to handle remote workers at scale, regardless of their choice of browsers, operating systems, or hardware.

Similarly, we can consider public cloud services as another significant shift for enterprise networks. Most employees use these services at work for common tasks like emailing, scheduling appointments, and collaborative document production. A modern security architecture must also cover cloud services, regardless of their number, the range of providers in use, or the extent of their functionality.

It is impossible to manage security posture without considering two key factors in any potential vulnerability or security flaw: reachability and risk. The two factors are related. Reachability is the degree to which a detected vulnerability, such as a CVE, can actually be attacked and exploited to gain privileged access and, directly or indirectly, reach critical systems or data. Risk is a business measurement of the potential for a vulnerability to actually damage an enterprise or organization. In general, without reachability, there is less risk.

Many attacks begin with the attacker learning the IP address of the targeted asset, and enterprise assets such as SAP servers have traditionally had to expose that information to be reached. Concealing it requires a comprehensive network buffer that shields assets’ IP addresses from the public Internet, which improves cybersecurity holistically for worker devices and data center assets alike.
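The reachability-and-risk framing above is easier to act on as a triage rule than as a definition. The following is an added example, not code from the original post or from Zscaler: it scores a constructed inventory of findings by severity, exploitation evidence, reachability, and business criticality, and maps each to the mitigation the post argues for (patch what is reachable and exploited first; cut reachability where no patch exists). The weights, the role of "compensating control" as a stand-in for a broker or network buffer hiding the asset's address, and the CVE identifiers are all assumptions and placeholders, not real catalog entries.

```python
"""Triage of findings by exploitability and reachability, not by CVSS alone.

Added example; weights and sample findings are constructed assumptions, and the
CVE identifiers are placeholders, not real entries of any catalog.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                     # placeholder identifier
    asset: str
    cvss: float                  # vendor/NVD base severity, 0.0 to 10.0
    known_exploited: bool        # listed in a known-exploited catalog (CISA KEV style)
    patch_available: bool        # a vendor update exists
    internet_reachable: bool     # service/IP is exposed to the public Internet
    compensating_control: bool   # e.g. only reachable through a broker, no direct path
    business_criticality: int    # 1 (low) to 5 (core business system)


def reachability(f: Finding) -> float:
    """Estimate, 0.0 to 1.0, how readily an attacker can reach the vulnerable surface.

    Illustrative assumptions: a brokered asset with no direct path keeps a small
    residual (misconfiguration, insider), an Internet-exposed one is fully reachable,
    and an internal-only one sits in between (reachable via a compromised endpoint).
    """
    if f.compensating_control:
        return 0.1
    return 1.0 if f.internet_reachable else 0.4


def risk_score(f: Finding) -> float:
    """Business risk = severity x exploitation evidence x reachability x criticality."""
    exploit_weight = 1.0 if f.known_exploited else 0.3   # assumed weights
    return round(f.cvss / 10 * exploit_weight * reachability(f) * f.business_criticality, 2)


def recommended_action(f: Finding) -> str:
    """Patch what is reachable and exploited first; where no patch exists yet,
    reduce reachability instead of waiting."""
    r = reachability(f)
    if f.known_exploited and r >= 0.4 and f.patch_available:
        return "patch now"
    if f.known_exploited and r >= 0.4:
        return "no patch: remove direct reachability (broker, segment, or retire)"
    if f.known_exploited:
        return "monitor; reachability already controlled, patch in next cycle"
    return "schedule in normal patch cycle"


def triage(findings):
    """Return findings ordered by descending risk score."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample inventory (placeholder CVE ids, invented asset names).
SAMPLE = [
    Finding("CVE-0000-0001", "sap-erp-01", 9.8, True, True, True, False, 5),
    Finding("CVE-0000-0002", "laptop-jdoe", 9.8, False, True, False, False, 2),
    Finding("CVE-0000-0003", "confluence-01", 7.5, True, True, True, True, 4),
    Finding("CVE-0000-0004", "branch-router-07", 8.8, True, False, True, False, 3),
]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{risk_score(f):5.2f}  {f.asset:18} {f.cve}  {recommended_action(f)}")
```

Note what the ordering shows: the two findings with identical 9.8 severity end up at opposite ends of the list, because one is exploited in the wild on an exposed core system and the other is neither exploited nor reachable; and the unpatched router ranks second with an action that is a reachability control rather than a patch.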

Reachability and risk have shifted dramatically in recent years as we have moved from a hard-perimeter “fortress” model of security to distributed systems, APIs, cloud computing, and SaaS, leaving far more potential points for attack ingress and data exfiltration egress. To mitigate this new risk landscape, we have moved to fortify each newly exposed internal element and each critical security system.

We have built a new perimeter around identity, with authentication, device posture checks, and zero trust. We have built perimeters around connected devices, around our cloud infrastructure and virtualized environments, and around the configuration of all these systems. At every point where there is potential for risk, we must fortify these new mini-perimeters. Limiting the potential reach of an exploited vulnerability is another effective mitigation technique. No security architecture is perfect, but it should still be possible to contain an exploit even when it is successful.

Toward that end, microtunnels provide considerable protection. Using this approach, workers and their assets can only connect to the apps they require for their job roles – not to entire networks. This approach cuts attackers off from moving laterally through the environment.

Finally, all the modern techniques discussed culminate in the best protection against threat risk: zero trust architecture (ZTA). With ZTA, no entity, machine, or end user is presumed trustworthy. For every network transaction of every type, the requesting participant must authenticate and validate its identity, and it receives access only according to its privileges, which limits potential exposure. That’s why ZTA is, in fact, a must-have for any organization seeking top-tier security.
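The three preceding paragraphs describe one decision path: an identity perimeter, a device-posture check, and then app-level rather than network-level access (the microtunnel). The following is an added example, not code from the original post or from Zscaler, that evaluates such a decision for each request. The roles, application names, posture rules, and sample requests are constructed assumptions, not any product's policy model; the point is that the policy names applications only, so a request for a subnet or host has no entry to match and lateral movement has nothing to route over.

```python
"""Per-request zero-trust access decision: identity, device posture, then app-level
least privilege. Added example; roles, apps and posture rules are constructed
assumptions, not a description of any product's policy engine."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    authenticated: bool   # the identity provider verified this session (MFA/SSO assumed)


@dataclass(frozen=True)
class DevicePosture:
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    os_patched: bool      # no outstanding critical updates


# Role -> applications. Access is granted per application, never per network or
# subnet, which is what removes the lateral-movement path. Names are constructed.
ROLE_APPS = {
    "finance": {"sap-erp", "mail"},
    "engineer": {"confluence", "git", "mail"},
}


def posture_ok(p: DevicePosture) -> bool:
    return p.managed and p.disk_encrypted and p.os_patched


def decide(identity: Identity, posture: DevicePosture, app: str) -> tuple[bool, str]:
    """Evaluate one request. Every request is evaluated afresh; nothing is trusted
    because an earlier request from the same user or device was allowed."""
    if not identity.authenticated:
        return False, "deny: identity not authenticated"
    if not posture_ok(posture):
        return False, "deny: device posture check failed"
    allowed = ROLE_APPS.get(identity.role, set())
    if app not in allowed:
        # Covers both apps outside the role and anything that is not an app at all
        # (a subnet, a host:port), since only named apps exist in the policy.
        return False, f"deny: {app!r} not authorised for role {identity.role!r}"
    return True, f"allow: brokered microtunnel to {app!r} only"


def blast_radius(identity: Identity, posture: DevicePosture) -> set[str]:
    """What a fully compromised session on this device could reach: the role's apps
    if posture passes, otherwise nothing. With network-level VPN access the answer
    would instead be every host on the routed subnets."""
    if not identity.authenticated or not posture_ok(posture):
        return set()
    return set(ROLE_APPS.get(identity.role, set()))


# Constructed sample session and device states.
ENGINEER = Identity("jdoe", "engineer", authenticated=True)
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
UNPATCHED = DevicePosture(managed=True, disk_encrypted=True, os_patched=False)

if __name__ == "__main__":
    for app in ("git", "sap-erp", "10.0.5.0/24"):
        print(app, decide(ENGINEER, HEALTHY, app))
    print("unpatched device:", decide(ENGINEER, UNPATCHED, "git"))
    print("reachable apps:", sorted(blast_radius(ENGINEER, HEALTHY)))
```

In a deployment the `authenticated` and posture fields would be populated from the identity provider and endpoint agent on every request rather than set by hand; the decision logic itself is what makes the microtunnel a containment boundary, since a successful exploit on the engineer's laptop still reaches only that role's applications.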

Simplify your cybersecurity journey with the right partner

Of course, not every organization has the in-house expertise required to implement these ideas at scale, based on the requisite best practices. Many organizations will need a trusted partner with expertise in this area.

Zscaler is just such an expert. We’ve helped hundreds of organizations in every business sector worldwide dramatically reduce the total attack surface using the strategies described.
