When exploit code precedes a patch, attackers gain a massive head start
Cybersecurity researchers who publicize exploit code used in cyberattacks are giving a clear and unequivocal advantage to attackers, new research conducted by Kenna Security and Cyentia Institute has found.
“This data-driven research, built over the course of several years, should remove any doubt,” said Ed Bellis, CTO of Kenna Security. “Practices that have long been central to the cybersecurity ecosystem, that many of us thought were beneficial, are in fact harmful to defenders.”
Exploit code publicly available before a patch
For years, the cybersecurity industry has relied on “white hat” hackers to identify potential vulnerabilities and develop exploit code to prove that security flaws are more than theoretical. About one-third of the time, that code is made publicly available before a software developer can make a patch available.
For decades, software developers and security researchers have debated whether the practice improves overall security because it identifies vulnerabilities and motivates security teams to patch them, or if the practice gives attackers an advantage because it essentially offers a road map for attacks.
The research found that when exploit code disclosure precedes a patch, attackers gain a 98-day advantage over defenders – that is, attackers deploy the exploit against more assets than defenders can mitigate for more than three months.
The release of exploit code also drives a massive volume of exploits. Just 1.3 percent of vulnerabilities have been exploited in the wild AND have publicly available exploit code. But vulnerabilities that fall into that tiny category are exploited, on average, 15 times more frequently than those that don’t, and they are used against six times as many companies.
Other key findings
- It takes organizations 40 times longer to fix vulnerabilities in Linux and SAP software (about 900 days) than it does to fix them in Google and Microsoft products (about 22 days).
- When a published exploit allows remote code execution, it is used 30 times more frequently.
- Public exploit code exists for just 6.5 percent of vulnerabilities, but for the majority of them, there is no evidence of exploitation in the wild.
- For approximately two-thirds of exploitations observed in an enterprise environment, there is no known published exploit code, though many exploitations (such as SQL injection) do not require code.
“What we see is that the availability of exploit code both drives a volume of exploitation and makes it easier for hackers to deploy the types of attacks most likely to cause serious damage to an enterprise,” said Wade Baker, partner at Cyentia Institute.
“When exploit code is integrated into hacking tools – both legitimate and malicious – it becomes faster and cheaper to find and exploit security weaknesses.”
Exploit code disclosure benefits attackers more than defenders
Researchers eliminated several competing hypotheses to support their conclusion. They found little evidence that release of exploit code facilitated earlier detection of active exploits, nor did they find that it motivated faster mitigation.
Typically, security researchers will disclose vulnerabilities and exploits to software developers and give the developer time to offer a patch, a process known as security disclosure. But often, researchers may make details about the vulnerability, including working exploit code, available to the public.
“While there is no shortage of opinion on every side of the disclosure debate,” said Jay Jacobs, partner at Cyentia Institute.
“Very little objective research has been done on both the potential benefits and harm caused by well-intentioned security researchers releasing weaponized exploit code. The data provides clear guidance to the security community: publicly sharing exploit code benefits attackers more than defenders.”