Threatpost
APTS OVERWHELMINGLY SHARE KNOWN VULNERABILITIES RATHER THAN ATTACK 0-DAYS

Author: Elizabeth Montalbano
May 18, 2022 10:01 am
2 minute read

Research indicates that organizations should make patching existing flaws a
priority to mitigate risk of compromise.

Most advanced persistent threat groups (APTs) rely on known vulnerabilities in
their attacks against organizations, which suggests that patching faster, rather
than chasing zero-day flaws, is the more effective security strategy, new
research has found.

Security researchers at the University of Trento in Italy assessed how
organizations can best defend themselves against APTs in a recent report
published online. What they found contradicts several beliefs common among
security professionals and organizations, they said.

The team manually curated a dataset of APT attacks covering 86 APTs and 350
campaigns that occurred between 2008 and 2020. Researchers studied attack
vectors, exploited vulnerabilities (zero-days versus publicly known
vulnerabilities) and the affected software and versions.

One belief the research debunked is that all APTs are highly sophisticated and
prefer attacking zero-day flaws rather than ones that have already been patched.
“Contrary to common belief, most APT campaigns employed publicly known
vulnerabilities,” they wrote in the report.

Indeed, of the 86 APTs that researchers investigated, only eight (Stealth
Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus and Rancor)
exploited vulnerabilities that no other group did, researchers found.

This demonstrates that not all the APTs are as sophisticated as many think, as
the groups “often reuse tools, malware, and vulnerabilities,” they wrote in the
report.


FASTER UPDATES REDUCE RISK

This finding argues for applying fixes for known flaws quickly, rather than the
currently common practice of delaying updates that are already available for
known vulnerabilities.

It typically takes an enterprise more than 200 days to bring 90 percent of its
machines up to the latest software patches, researchers found, largely because
of regression testing, which verifies that updated systems still function
properly after the update.

“Such behavior is rational because not all vulnerabilities are always exploited
in the wild,” they wrote. However, to combat APTs, “slow updates do not seem
appropriate,” researchers wrote.

In fact, faster updating could significantly lower odds of being compromised if
organizations could “update as soon as an update is released,” they wrote.

Indeed, the study found that an organization that waits one month to update is
4.9 times more likely to be compromised than one that updates as soon as a fix
is released; waiting three months makes it 9.1 times more likely.

Still, immediate patching doesn’t guarantee that organizations won’t be
compromised, researchers found. Enterprises that apply timely fixes “could still
be compromised from 14 percent to 33 percent of the time,” they wrote.


UPDATE-STRATEGY CHALLENGES

Overall, the researchers acknowledged that APTs present a unique challenge: an
organization cannot predict if or when it will be attacked, so the timing of an
attack is essentially out of its control.

“Unfortunately, a company cannot fully decide in advance the configuration they
will have when hit (or most frequently not hit) by an attacker as it depends on
the attacker’s choice,” researchers wrote.

What a company can control, however, is its software-update strategy.
Organizations typically follow one of three options: update immediately when a
new version is available; wait some time before updating in order to perform
regression testing; or skip updates altogether.

Rather than installing every new version of a piece of software, the
researchers suggested a narrower approach that focuses on patching known flaws,
which is what appears to drive an organization's risk of APT compromise.

Organizations could perform “12 percent of all possible updates, restricting
themselves only to versions that fix publicly known vulnerabilities” without
significantly changing their odds of being compromised, researchers wrote.
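The three update strategies and the "security fixes only" variant described above can be compared with a small simulation. The following Python is an added example, not code from the University of Trento study or from Threatpost. The product, its release timeline, the identifiers CVE-A, CVE-B and CVE-C, and the campaign dates are constructed sample data, and the model assumes a linear version history in which a vulnerability affects every version released before the one that fixes it.

```python
"""Toy simulation of update strategies against a campaign timeline.

Added example: not code from the University of Trento study or Threatpost.
Model assumptions (simplified): one product with a linear, chronologically
ordered version history; a CVE affects every release before the one that fixes
it; an organization that "updates with delay D" runs a release D days after it
ships; a campaign compromises the organization if the version it is running on
the campaign's start date is still vulnerable to the exploited CVE.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    fixes: frozenset = frozenset()  # CVE ids fixed by this version; empty = feature-only release


@dataclass(frozen=True)
class Campaign:
    started: date
    cve: str  # the vulnerability the campaign exploits


# Constructed sample data (hypothetical product, hypothetical CVE ids).
RELEASES = [
    Release("1.0", date(2020, 1, 1)),
    Release("1.1", date(2020, 2, 1), frozenset({"CVE-A"})),
    Release("1.2", date(2020, 3, 15)),
    Release("1.3", date(2020, 5, 1), frozenset({"CVE-B"})),
    Release("1.4", date(2020, 6, 10)),
    Release("1.5", date(2020, 8, 1), frozenset({"CVE-C"})),
]
CAMPAIGNS = [
    Campaign(date(2020, 2, 20), "CVE-A"),  # public bug, fix shipped 19 days earlier
    Campaign(date(2020, 4, 10), "CVE-A"),  # same public bug reused 69 days after the fix
    Campaign(date(2020, 6, 1), "CVE-B"),   # public bug, fix shipped 31 days earlier
    Campaign(date(2020, 7, 15), "CVE-C"),  # zero-day: no fix exists on this date
]


def installed_version(releases, at: date, delay_days: Optional[int], security_only: bool) -> int:
    """Index of the release an organization is running on date `at`.

    delay_days=None models "skip updates altogether" (stay on the initial release).
    With security_only=True, releases that fix no CVE are never installed.
    """
    if delay_days is None:
        return 0
    idx = 0
    for i, rel in enumerate(releases[1:], start=1):
        if security_only and not rel.fixes:
            continue
        if rel.released + timedelta(days=delay_days) <= at:
            idx = i
    return idx


def is_vulnerable(releases, idx: int, cve: str) -> bool:
    """True if release `idx` predates the fix for `cve`, or no fix has shipped at all."""
    fix_idx = next((i for i, rel in enumerate(releases) if cve in rel.fixes), None)
    return fix_idx is None or idx < fix_idx


def simulate(releases, campaigns, delay_days: Optional[int], security_only: bool = False):
    """Return (number of campaigns that compromise the org, number of updates it installs)."""
    compromised = sum(
        is_vulnerable(releases, installed_version(releases, c.started, delay_days, security_only), c.cve)
        for c in campaigns
    )
    if delay_days is None:
        applied = 0
    else:
        applied = sum(1 for rel in releases[1:] if rel.fixes or not security_only)
    return compromised, applied


if __name__ == "__main__":
    strategies = [
        ("immediate, all releases", 0, False),
        ("immediate, security fixes only", 0, True),
        ("30-day regression test", 30, False),
        ("90-day regression test", 90, False),
        ("never update", None, False),
    ]
    for name, delay, sec_only in strategies:
        hits, applied = simulate(RELEASES, CAMPAIGNS, delay, sec_only)
        print(f"{name:32s} compromised {hits}/{len(CAMPAIGNS)} campaigns, updates installed {applied}")
```

On this constructed timeline, updating immediately loses only to the zero-day campaign, and installing just the three security releases instead of all five gives the same outcome, which is the shape of the paper's "12 percent of all possible updates" observation. A 30-day testing window lets the first CVE-A campaign land before the fix is applied, and a 90-day window loses every campaign, the same direction as the 4.9x and 9.1x figures above. The residual zero-day compromise under every strategy is why immediate patching still leaves a non-zero compromise rate.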
