Data Is a Dish Best Served Fresh: “In the Wild” Versus Active Exploitation

The term “In the Wild” is broadly used to refer to any activity that has been observed outside of a controlled environment. It is an important signal in security because criminals do not typically repeat their efforts over and over in exactly the same way; if they did, it would be much easier to build effective security software. In reality, there is always going to be something new and unpredictable.

Many vulnerability prioritization solutions label their information “In the Wild,” but unfortunately most of these attributes (along with CVSS base scores, vendor bulletins, and the like) are regurgitated from other sources and are already stale before a security team ever receives them.

Just because something was once observed “In the Wild” doesn’t mean that it’s happening right at this moment. A hard-to-exploit race condition that requires a lot of time and effort might be “In the Wild,” but that doesn’t require the same urgency to fix as something an actor is actively exploiting today.

However, if attackers are currently exploiting bugs in software that you know you run, then you have a big problem, one urgent enough to justify a temporary loss of business continuity in order to fix it.

A Question of Urgency

Combating internet-wide opportunistic exploitation is a complex problem, with new vulnerabilities being weaponized at an alarming rate. Beyond the sheer increase in volume, attackers, whether APT groups, criminal crews, or botnets, are exploiting zero-day vulnerabilities more often and at massive scale. The window between disclosure of a new vulnerability and the start of active exploitation has shrunk drastically, leaving defenders little time to react and respond. On the internet, the gap between one person observing something and everyone else seeing it is often measured in minutes. When a new vulnerability is discovered and announced, cyber criminals race to be the first to find vulnerable servers. Increasingly, attackers begin exploiting a flaw before the software vendor is even aware that there is an issue.

For example, the Progress MOVEit Transfer SQL injection vulnerability (CVE-2023-34362) was publicly disclosed by Progress Software on May 31, 2023, but it had already been exploited in the wild for several weeks before disclosure. GreyNoise saw early activity on its tag for this vulnerability within hours of disclosure, and that activity continued for the remainder of 2023.

The level of automation that AI brings makes it easier than ever to find vulnerabilities in software. The consequences of not keeping pace with the newest trends have never been bigger, and they continue to grow. Without a cohesive vulnerability prioritization strategy in place, it is only a matter of time before your network is compromised.

Software Vendors Crying Wolf

In a world where cybersecurity teams are constantly barraged with critical alerts from multiple software vendors, it can be very difficult to determine what constitutes an actual emergency. Vulnerability management vendors need to understand the time limitations their customers are facing and be more judicious about what they label as a critical vulnerability. They also need to find a way to incorporate knowledge about attacker behavior into their risk calculations, rather than assuming that risk is something static and immutable. Knowledge about current activity is often difficult to come by, but risk changes all the time, and our understanding needs to change, as well.

One way to investigate what is happening “In the Wild” is to observe it by proxy: watch who across the internet is scanning for a piece of software, enumerating it, checking for its presence, or actually exploiting it. That tells you whether anyone has the capability to exploit the vulnerability and is actually attempting to do so.

Generally speaking, a lot of work goes into weaponizing a software vulnerability; it is deeply challenging and requires advanced technical skill. We sometimes forget that attackers are motivated by profit, just as businesses are. If attackers think a vulnerability is a dead end, they will not invest their time in it. So investigating what attackers are up to by proxy is a good way to gauge how much you need to care about a specific vulnerability.

In the second quarter of 2023, GreyNoise researchers observed a substantial change in some routine internet scanning patterns. Inventory scans, in which both benign and malicious actors regularly check for a given technology or a specific vulnerability, dropped significantly in frequency and scale, and the vast majority of these scans now come from benign sources. This, together with the speed at which organizations are compromised after a new vulnerability is announced, strongly suggests that more capable attacker groups maintain their own form of “attack surface monitoring” and use it to avoid tripping existing defenses.

These targeted attacks threaten to circumvent existing defense capabilities and expose organizations to a new wave of disruptive breaches. In order to adequately protect their networks, defenders must evolve in response.

Ultimately, there is no such thing as a set-and-forget single source of truth for cybersecurity data. However, there are some great resources out there to help you prioritize and cut through the noise:

  • The Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) Catalog is an authoritative source of vulnerabilities that have been exploited in the wild as a resource for vulnerability management prioritization.
  • The Exploit Prediction Scoring System (EPSS) is a data-driven predictive vulnerability management framework that helps security teams anticipate and mitigate threats.
  • The Common Vulnerability Scoring System (CVSS) measures the inherent severity of vulnerabilities based on their characteristics and potential impacts.
  • Infosec search platforms are valuable for security researchers and analysts, as they can help find exposed devices, track threats, prepare for spear phishing simulations and more.

Utilizing these resources and gaining a better understanding of how to dynamically assess risk factors will enable you to take a more holistic approach to vulnerability management.
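To make the idea of dynamic risk concrete, here is an added illustration (not GreyNoise code, and not any vendor's actual scoring formula) of a prioritizer that combines the static inputs above (CVSS, EPSS, CISA KEV membership) with a time-decayed "last observed activity" signal, so that something being exploited today outranks something that was once "In the Wild" a year ago. The weights, the seven-day half-life, the placeholder identifiers and every record in SAMPLE are constructed assumptions for the demonstration; nothing here is real vulnerability data.

```python
# Added illustration (not GreyNoise code): rank vulnerabilities so that exploitation
# observed *recently* outranks a stale "In the Wild" label. Standard library only;
# every record below is constructed sample data, and the weights and half-life are
# assumptions to be tuned, not an established formula.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class VulnRecord:
    vuln_id: str                       # placeholder identifier, deliberately not a real CVE
    cvss_base: float                   # 0-10, static severity (CVSS base score)
    epss: float                        # 0-1, predicted 30-day exploitation probability (EPSS)
    in_kev: bool                       # listed in CISA KEV: exploited at *some* point in time
    last_observed: Optional[datetime]  # newest exploitation/scanning observation, if any
    in_estate: bool                    # do we actually run the affected software?


def freshness(last_observed: Optional[datetime], now: datetime,
              half_life_days: float = 7.0) -> float:
    """Exponential decay of an 'in the wild' observation.

    1.0 for activity seen right now, 0.5 after one half-life, effectively 0 after a year.
    The 7-day half-life is an assumption; tune it to your own response cadence.
    """
    if last_observed is None:
        return 0.0
    age_days = max(0.0, (now - last_observed).total_seconds() / 86400.0)
    return 0.5 ** (age_days / half_life_days)


def priority(v: VulnRecord, now: datetime) -> float:
    """Weighted score; the weights are assumptions chosen so recent activity dominates.

    The freshness term alone is worth 0.5, so a currently exploited bug with a
    mediocre CVSS outranks a critical-CVSS bug that nobody is predicted or observed
    to be attacking (which can score at most 0.3 + a small EPSS contribution).
    """
    if not v.in_estate:
        return 0.0                                    # not our problem, however loud the bulletin
    score = 0.3 * (v.cvss_base / 10.0)                # inherent severity
    score += 0.3 * v.epss                             # predicted likelihood of exploitation
    if v.in_kev:
        score += 0.2                                  # has been exploited at some point
    score += 0.5 * freshness(v.last_observed, now)    # is it happening *now*?
    return round(score, 3)


def rank(records: List[VulnRecord], now: datetime) -> List[str]:
    """Return identifiers ordered from most to least urgent."""
    return [v.vuln_id for v in sorted(records, key=lambda r: priority(r, now), reverse=True)]


# Constructed sample data with placeholder IDs. NOW is pinned so the results are stable.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    # critical and mass-exploited two hours ago: fix today, accept downtime if needed
    VulnRecord("vuln-active-now", 9.8, 0.95, True, NOW - timedelta(hours=2), True),
    # hard-to-exploit race condition once seen "in the wild" a year ago: real, not today's emergency
    VulnRecord("vuln-stale-itw", 8.1, 0.10, True, NOW - timedelta(days=400), True),
    # critical CVSS, but nobody is predicted or observed to be attacking it
    VulnRecord("vuln-cvss-only", 9.8, 0.02, False, None, True),
    # actively exploited right now, but we do not run the affected product
    VulnRecord("vuln-not-ours", 9.0, 0.90, True, NOW - timedelta(hours=1), False),
]

if __name__ == "__main__":
    for vid in rank(SAMPLE, NOW):
        rec = next(r for r in SAMPLE if r.vuln_id == vid)
        print(f"{vid:16s} priority={priority(rec, NOW):.3f}")
```

The design point is the decay: a KEV entry or an "In the Wild" flag never goes away, but the freshness term does, so the stale race condition settles to its static score while the actively exploited bug stays at the top for as long as activity keeps being observed. Feeding real observations in means replacing the constructed `last_observed` values with timestamps from whatever proxy signal you trust.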

About the Author

Corey Bodzin is a security expert and a proven leader with over 25 years of experience building outstanding teams and products. As Chief Product Officer at GreyNoise Intelligence, he spearheads product strategy and development, from vision to execution. Prior to GreyNoise, Bodzin served as Chief Product Officer for Eclypsium, a company that provides supply chain security for enterprise infrastructure. Previously, he served as Vice President of Product Operations and Product Management at Tenable Network Security, and held senior product and technology positions at innovative security companies such as Automox, deepwatch, ExtraHop, RSA (the security division of EMC), nCircle and Qualys. He began his career managing IT for large financial services and telecommunications firms such as Charles Schwab, Wells Fargo and Lucent Technologies.

Corey can be reached online at https://www.linkedin.com/in/coreybodzin/ and at https://www.greynoise.io/