About 5.5% of identified vulnerabilities are used to carry out attacks

A team of researchers from Virginia Tech, Cyentia and RAND has published the results of a risk analysis of various vulnerability remediation strategies. After studying 76 thousand vulnerabilities disclosed from 2009 to 2018, they found that only 4183 of them (5.5%) were used in real attacks. This figure is five times higher than previously published forecasts, which estimated the share of exploited vulnerabilities at about 1.4%.

At the same time, no correlation was found between the publication of exploit prototypes in the public domain and attempts to exploit a vulnerability. Of all the exploitation cases known to the researchers, in only half had an exploit prototype been published in open sources beforehand. The absence of a public exploit prototype does not stop attackers from writing their own when they need one.

Among the other findings: the vulnerabilities that attract exploitation are mainly those rated as high severity under the CVSS classification. Almost half of the attacks used vulnerabilities with a CVSS score of at least 9.

The total number of exploit prototypes published during the period under review was estimated at 9726. The exploit data used in the study was obtained from Exploit DB, Metasploit, D2 Security's Elliot Kit, Canvas Exploitation Framework, Contagio, Reversing Labs, and Secureworks CTU collections. Information about vulnerabilities was taken from the NIST NVD (National Vulnerability Database). Exploitation data was compiled from FortiGuard Labs, SANS Internet Storm Center, Secureworks CTU, Alienvault's OSSIM, and ReversingLabs.

The study was conducted to find the optimal balance between applying updates for every identified vulnerability and fixing only the most dangerous problems. The first approach gives high protection efficiency but demands large infrastructure maintenance resources, most of which go to fixing minor problems. The second approach carries a high risk of missing a vulnerability that ends up being used in an attack. The study showed that when deciding whether to install an update for a vulnerability, one should not rely on the absence of a published exploit prototype, and that the chance of exploitation depends directly on the severity level of the vulnerability.
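The trade-off described above can be made concrete by scoring remediation strategies against a vulnerability inventory. The following is an added example, not code from the study or from opennet.ru; the inventory is constructed, the identifiers are placeholders rather than real CVEs, and the two metrics (coverage: the share of exploited vulnerabilities a strategy patches; efficiency: the share of patched vulnerabilities that were actually exploited) are this example's own framing of the "protection vs. effort" balance the article discusses.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Vuln:
    """One vulnerability in a constructed inventory (placeholder ids, not real CVEs)."""
    vid: str             # placeholder identifier
    cvss: float          # CVSS base score
    public_exploit: bool # an exploit prototype was published in open sources
    exploited: bool      # ground truth: exploitation observed in the wild


# Constructed sample inventory. Deliberately mirrors the article's finding:
# of the 6 exploited entries, only 3 had a public exploit beforehand.
SAMPLE: List[Vuln] = [
    Vuln("VULN-0001", 9.8, True,  True),
    Vuln("VULN-0002", 9.1, False, True),
    Vuln("VULN-0003", 9.3, True,  False),
    Vuln("VULN-0004", 7.5, False, True),
    Vuln("VULN-0005", 7.2, True,  False),
    Vuln("VULN-0006", 6.5, True,  False),
    Vuln("VULN-0007", 5.3, False, False),
    Vuln("VULN-0008", 4.3, True,  False),
    Vuln("VULN-0009", 9.0, False, True),
    Vuln("VULN-0010", 8.8, True,  True),
    Vuln("VULN-0011", 3.1, False, False),
    Vuln("VULN-0012", 5.0, False, False),
    Vuln("VULN-0013", 7.8, True,  True),
]

# A remediation strategy is a predicate: patch this vulnerability or not.
Strategy = Callable[[Vuln], bool]

STRATEGIES: Dict[str, Strategy] = {
    "patch everything":    lambda v: True,
    "cvss >= 9":           lambda v: v.cvss >= 9.0,
    "cvss >= 7":           lambda v: v.cvss >= 7.0,
    "public exploit only": lambda v: v.public_exploit,
}


def evaluate(vulns: Iterable[Vuln], should_patch: Strategy) -> Dict[str, float]:
    """Score one strategy: how much work it costs and how well it covers real attacks."""
    vulns = list(vulns)
    patched = [v for v in vulns if should_patch(v)]
    exploited = [v for v in vulns if v.exploited]
    patched_exploited = [v for v in patched if v.exploited]
    # coverage: fraction of actually-exploited vulnerabilities the strategy fixes
    coverage = len(patched_exploited) / len(exploited) if exploited else 1.0
    # efficiency: fraction of patching effort spent on vulnerabilities that mattered
    efficiency = len(patched_exploited) / len(patched) if patched else 0.0
    return {"patched": len(patched), "coverage": coverage, "efficiency": efficiency}


def compare(vulns: Iterable[Vuln]) -> Dict[str, Dict[str, float]]:
    """Evaluate every strategy on the same inventory."""
    vulns = list(vulns)
    return {name: evaluate(vulns, strat) for name, strat in STRATEGIES.items()}


if __name__ == "__main__":
    print(f"{'strategy':<22}{'patched':>8}{'coverage':>10}{'efficiency':>12}")
    for name, r in compare(SAMPLE).items():
        print(f"{name:<22}{r['patched']:>8}{r['coverage']:>10.2f}{r['efficiency']:>12.2f}")
```

On this inventory, "patch everything" reaches full coverage at the cost of patching all 13 entries, while "public exploit only" patches 7 entries yet covers just half of the exploited ones, which is the article's point: exploit availability is a poor filter. A CVSS threshold gets the same coverage as patching everything with less effort here, but that holds only for this constructed data; on a real inventory the threshold should be chosen by measuring coverage against observed exploitation, not assumed.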

Source: opennet.ru