
How Frequently Do Hackers Exploit Zero-Day Vulnerabilities? Here’s the Math


More than half of widespread threats in 2021 (vulnerabilities that are exploited by many attackers across many different organizations and industries) began with a zero-day exploit, Rapid7 said in a new report.

In detailing 50 vulnerabilities from 2021, the security provider found that 43 had been exploited in the wild. These vulnerabilities were unearthed and weaponized by hackers before they could be patched, in a trend line that saw a much higher proportion of zero-day attacks threatening many organizations from the outset, rather than being reserved for the more targeted operations in which zero-days were previously leveraged.

Rapid7 called 2021 a “truly harrowing year for risk management teams.” There’s no hyperbole there: Not only did widespread threats increase by more than 130 percent compared with 2020, but half of the vulnerabilities in the report came under attack within a week. Indeed, the average time to exploitation is down to 12 days, a dramatic diminution from the 42 days of the prior year.

Fully one-third of the vulnerabilities analyzed in the report were exploited to carry out ransomware attacks.

As with most studies, the news is not all bad: The security community can better detect and analyze zero-day attacks; there are better commercial security solutions and open source rules; and there’s more public/private collaboration to prevent and recover from ransomware attacks.

Organizations that hope to at least stay in shouting distance of hackers must have “battle-tested” emergency patching and incident response procedures in place, Rapid7 said. Here are five steps organizations can take to get there:

  1. Asset inventory is the foundation of any security program. Responding quickly and decisively to high-urgency threats requires knowing which technologies you use across your stack, how they are configured, and who has access to them.
  2. Limit and monitor your internet-facing attack surface area. Pay particular attention to security gateway products, such as VPNs and firewalls.
  3. Establish emergency zero-day patching procedures and incident response playbooks that go hand-in-hand with regular patching cycles.
  4. Conduct incident response investigations that look for indicators of compromise and post-exploitation activity during widespread threat events in addition to activating emergency patching protocols.
  5. Employ in-depth security measures to protect your development pipelines from supply chain attacks. These pipelines, and the developers who work in them, are frequent targets.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.