I'm fascinated by the concept of measuring attacker-defender advantage in software, devices, and even entire IT environments. What do I mean by "attacker-defender advantage?" Lemme sum up and then share a chart.

Let's say you could measure the speed at which defenders remediate various types of security vulnerabilities across all relevant assets. Then say you could detect and measure the speed at which attackers find/exploit those vulnerable assets across the target population of organizations using them. Finally, plot those curves (across time and assets) to see the delta between them and derive a measure of relative advantage for attackers and defenders. That relative value is what I mean by attacker-defender advantage.

Since a picture is worth a thousand words, here's a visual example of the concept. The blue line represents defenders, measuring the speed of remediation. Red measures how attacker exploitation activity spreads across the target population. When the blue line is on top, defenders have a relative advantage (remediating faster than attackers are attempting to exploit new targets). When red's on top, the opposite is true. The delta between the lines corresponds to the relative degree of advantage (also expressed by the number in the upper left).

This chart comes from prior Cyentia Institute research in which we were able to combine datasets from two different partners (with their permission). Unfortunately, those datasets/partners are no longer available to further explore this concept - but maybe this post will inspire new partnerships and opportunities!

Any surprises in the attacker-defender advantage results depicted in the chart? Has anyone measured this or something similar?

#cybersecurity #vulnerabilities #cyberattacks #infosec #exploitation

@wade
I'd need to understand better what the percentages and lines really represent before I could be surprised or not.

Does the "remediation activity" represent the percentage of assets patched throughout organizations that report some kind of patch telemetry? Does it include delay between a zero-day getting exploited in the wild and the vendor getting a patch out? What does the "exploitation activity" line actually represent, exactly? What does the dotted vertical line mean?

@dragonfrog Yes - remediation activity is % of all detected vulnerable assets patched (or otherwise addressed).

The delay between the start of exploit activity and patch availability roughly corresponds to the red line lifting off before that vertical dashed line that indicates CVE pub date.

@wade Oh so the reference line isn't publication of the patch, it's the CVE.

I'm still mystified at the big jumps in remediation percentage right around 2 months after the CVE comes out. Huge with Apache, Apple, and F5, pronounced with all the Linux distros. Do they regularly publish CVEs 2 months in advance of publishing patches for some reason?

@dragonfrog I thought the jumpiness might be a result of relatively low sample size but this chart shows a large number of Debian systems in this data. So it's not that. I don't recall measuring time between CVE pub and patch specific to Linux distros...wonder if there's a regular lag. Windows CVEs generally aren't released before there's a patch.

@dragonfrog Actually, I take that back - smaller sample size is still my hypothesis for the jumpiness. That last chart showed prevalence of all assets associated with each vendor and total exploitation activity (number of detections, I think).

But there could still be a smaller sample size of Debian, F5, etc. vulns that have exploit activity in the timeframe we studied.

Worth another look at some point...you got me thinking...

@wade but the jumpiness isn't in exploit activity, it's in patch coverage.

What I wonder is if the sample size skew isn't from the number of vulns and exploits in the platform, but in the number of organisations that use Kenna to monitor platforms of the types that show the 2 month jump - if a sizable fraction of the F5 boxes Kenna monitors are at one org whose patch process means they patch their production F5 boxes 2 months after a CVE comes out...

@wade or at least - they patch and run Kenna scans on such a schedule that the first scan that detects the patch is in place is the 2 month one.

@dragonfrog These could all be contributors. One clarification:

- even though the jumpiness is for remediation rather than exploitation, the sample of vulns for which we're measuring remediation data is only those with exploitation. So the line would be different for all vulns for *nix. We were trying for an "apples to apples" here so the lines are relative for the same vulns.
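As an added, self-contained illustration of the measure described in the opening post (not Cyentia's or Kenna's code or data): two constructed event lists for one hypothetical CVE, with remediation clustered at day 60 to mimic the two-month jump discussed in the replies, turned into the two cumulative curves, their per-day delta, and the single headline number. The asset and organisation counts, the day values and the choice of mean delta as the headline figure are all assumptions made for the example.

```python
"""Added illustration of the attacker-defender advantage measure from the
opening post; this is not the Cyentia/Kenna analysis or its data.  The two
populations are hypothetical and constructed inline: the day (relative to
CVE publication, day 0) each vulnerable asset was remediated, and the day
each target organisation first showed exploitation of the same CVE.  Each
curve is the cumulative share of its own population, so both fit one axis;
the delta is defender minus attacker (positive = defenders ahead) and the
headline number is the mean delta over the observation window."""
from bisect import bisect_right

# Constructed sample for one hypothetical CVE (not real telemetry).
# Remediation clusters at day 60, mimicking the ~2-month jump in the thread.
REMEDIATION_DAYS = [10, 20, 30, 40, 50, 60, 60, 60, 60, 90]        # 10 assets
# Negative days: exploitation observed before the CVE was published.
EXPLOIT_FIRST_SEEN_DAYS = [-5, -2, 1, 3, 7, 14, 21, 30, 100, 150]  # 10 orgs


def cumulative_share(sorted_days, day):
    """Fraction of the population whose event occurred on or before `day`."""
    return bisect_right(sorted_days, day) / len(sorted_days)


def advantage_curve(remediation_days, exploit_days, window):
    """(day, defender_share - attacker_share) for every day in `window`."""
    dfn, atk = sorted(remediation_days), sorted(exploit_days)
    return [(d, cumulative_share(dfn, d) - cumulative_share(atk, d)) for d in window]


def mean_advantage(curve):
    """The single 'upper-left' number: mean delta; > 0 favours defenders."""
    return sum(delta for _, delta in curve) / len(curve)


def first_defender_lead(curve):
    """First day the blue line is on top (delta > 0), or None if never."""
    return next((d for d, delta in curve if delta > 0), None)


if __name__ == "__main__":
    curve = advantage_curve(REMEDIATION_DAYS, EXPLOIT_FIRST_SEEN_DAYS, range(-10, 121))
    print(f"mean advantage over window: {mean_advantage(curve):+.3f}")
    print(f"defenders first ahead on day: {first_defender_lead(curve)}")
    for d, delta in curve[::30]:
        print(f"day {d:4d}: delta {delta:+.2f}")
```

With this sample the red line is on top from before publication until the day-60 remediation jump, which is where the sign of the delta flips.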