SixMap Insights from Kevin Mandia's RSAC Keynote

Although RSA Conference 2024 is now in the rear-view mirror, there is still plenty of great content available for security professionals to leverage, including free content from the conference on YouTube. One of my favorite presentations at RSA Conference was Kevin Mandia’s “The State of Cybersecurity-Year in Review”. Kevin covered five main points:

  1. Few risks or repercussions to attackers.
  2. Accelerated innovation on offense.
  3. Ransomware is evolving from data theft to extortion to harassment.
  4. Boards are more engaged in cybersecurity.
  5. Public-private cooperation continues to advance security practices.

This video is a must-watch from the conference, with point #2 being of particular interest from my point of view, especially given our mission at SixMap.

Accelerated innovation on offense

One of Kevin’s points related to accelerated innovation on offense is the big spike in disclosed Zero Days. He pointed out that until 2018, only 10 to 15 Zero Days were discovered yearly compared to 97 in 2023. Another interesting observation is that more Zero Days are being discovered across more vendors. In 2018, Zero Days were found for the Big Three (Microsoft, Google, and Apple) and four other vendors compared to 28 vendors in 2023. 

Although there are many theories around why there are so many more Zero Days now, Kevin argues that the main reason is that whether attacks are motivated by cyber espionage or crime, cyber intrusions are paying off since attackers are getting what they want. 

Another interesting point related to accelerated innovation on offense is that in 2023, the top initial entry point for security incidents investigated by Mandiant was via an exploit, and exploits have been at the top since 2020. This reverses a prior trend from 1998 to 2019, when the number one entry point was spearphishing. The bottom line, however, is that defenders must protect their organizations against both human-centric and network-centric attacks.

Kevin closed this section by advising the audience that organizations must do “attack surface management, patch management, and have great rules post those things” since breach should always be assumed. 

At SixMap, we agree with Kevin’s recommendation and argue that organizations need to take it further by also considering the following:

Attack surface management cannot cut any corners

One of SixMap’s Fortune 500 enterprise customers has an address space of 2.5 million IP addresses. If you conservatively assume that only 25% of the ports on each IP address are open, that still leaves 32.77 billion ports to scan. The numbers get even bigger for organizations that run hybrid IPv4 and IPv6 networks.

Simply ignoring open ports in the dynamic range because those ranges are difficult to scan is not a solution: organizations can have exposed services with known vulnerabilities running on exactly those ports. While scanning for one of our customers, SixMap found an exposed LimeWire server listening on a port in the ephemeral/dynamic range, a range that other solutions do not typically scan.

An exposed LimeWire service is risky because LimeWire is a well-known peer-to-peer (P2P) file-sharing application that attackers can abuse to distribute malware, share data without authorization, and access sensitive information. LimeWire is outdated and no longer supported, so any vulnerabilities in the software remain unpatched, creating an easy entry point for cybercriminals.

Patch management must be prioritized with imminent threats in mind

To borrow a phrase Chris Krebs used in his RSA Conference 2024 keynote “World on Fire: Playing Defense in a Digitized World and Winning” (another must-see), which he in turn borrowed from William Gibson’s science fiction novel “Neuromancer,” enterprises are dealing with the challenge of unthinkable complexity.

This unthinkable complexity takes many forms, with the average large enterprise deploying more than 1,000 applications across a diverse infrastructure stack, making it hard for organizations to figure out which vulnerabilities to address first. The problem is further compounded by the sheer volume of CVEs. In 2023, 28,902 CVEs were disclosed, an increase of over 15% compared to the previous year.

The only way to address this challenge is to leverage a system like SixMap, which prioritizes which vulnerabilities to patch first based on which ones pose an imminent threat to the enterprise.

First, SixMap considers a CVE’s EPSS score, focusing on those with high exploitation probabilities. The Exploit Prediction Scoring System (EPSS) is a data-driven predictive vulnerability management framework that assesses vulnerabilities based on their potential for exploitation in the near future. The EPSS score ranges between 0 and 1 (a 0% to 100% chance of exploitation). The higher the score, the greater the probability that the vulnerability will be exploited in the next 30 days.

Second, vulnerabilities known to be exploited for ransomware attacks are prioritized due to their potential for significant damage. Third, if a vulnerability is being actively exploited by a known threat actor, it is immediately prioritized for remediation to prevent further exploitation.
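The three considerations above can be turned into a simple triage routine. The following is an added illustration written for this post, not SixMap’s own code; the EPSS cutoff of 0.5, the tier ordering (active exploitation first, then ransomware linkage, then a high EPSS score) and the sample findings with placeholder CVE ids are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed cutoff: the post names no specific EPSS threshold.
EPSS_HIGH = 0.5


@dataclass(frozen=True)
class Finding:
    cve: str                   # identifier (constructed placeholders below)
    epss: float                # EPSS: probability of exploitation in the next 30 days, 0..1
    ransomware_linked: bool    # known to be used in ransomware attacks
    active_exploitation: bool  # currently exploited by a known threat actor


def tier(f: Finding) -> Tuple[int, str]:
    """Map one finding to a remediation tier (1 = fix first) plus the reason.

    Ordering assumed here: active exploitation outranks ransomware linkage,
    which outranks a bare high EPSS score; everything else falls to tier 4.
    """
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS must lie in [0, 1], got {f.epss}")
    if f.active_exploitation:
        return 1, "actively exploited by a known threat actor"
    if f.ransomware_linked:
        return 2, "known to be used in ransomware attacks"
    if f.epss >= EPSS_HIGH:
        return 3, f"EPSS {f.epss:.2f} at or above {EPSS_HIGH}"
    return 4, f"EPSS {f.epss:.2f} below {EPSS_HIGH}"


def triage(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Order findings by tier, then by EPSS descending within a tier."""
    ranked = sorted(findings, key=lambda f: (tier(f)[0], -f.epss))
    return [(f.cve, *tier(f)) for f in ranked]


# Constructed sample data; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", 0.92, False, False),
    Finding("CVE-PLACEHOLDER-B", 0.04, True, False),
    Finding("CVE-PLACEHOLDER-C", 0.31, False, True),
    Finding("CVE-PLACEHOLDER-D", 0.12, False, False),
    Finding("CVE-PLACEHOLDER-E", 0.67, False, False),
]

if __name__ == "__main__":
    for cve, t, why in triage(SAMPLE):
        print(f"tier {t}  {cve:20s} {why}")
```

Note that a low EPSS score does not demote a finding that is already linked to ransomware or active exploitation; those signals override the probabilistic score.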

Security teams need to be open to automated cyber defense

Although Kevin Mandia did not cover this in his keynote, our perspective is that security teams need to be open to automated cyber defense, especially as the time window between a vulnerability being disclosed and an exploit becoming available continues to shrink.

Over recent years, the average time to exploit (TTE) has decreased significantly, from 63 days in 2018-2019 to just 32 days in 2021-2022. This trend highlights the urgency of automated solutions to quickly identify and remediate vulnerabilities, as nearly half of known vulnerabilities are now exploited within just weeks of disclosure. 

Automated cyber defense is essential to keep pace with these rapidly evolving threats, especially when dealing with vulnerabilities that involve remote code execution. For more insights, check out our blog on leveraging the platform to address the recent ConnectWise vulnerability.

Interested in learning more about how SixMap can help? Don’t hesitate to reach out!