Qualys has released its 2023 TruRisk Research Report. The report traverses the global number of vulnerabilities detected by Qualys in 2022 — upwards of 2.3 billion. The findings of the report match the opportunistic behavior of threat actors who continue to be agile in modifying techniques to achieve successful exploits.
As digital transformation across businesses and governments is increasingly leveraged to accelerate productivity, new software tools to underpin these initiatives and programs are being developed quicker than ever. As technology continues to advance at a rapid pace, the number of software vulnerabilities surges, introducing significant levels of risk to organisations’ environments.
Qualys’ passion and vision for helping companies reduce their cyber risk has led the Qualys Threat Research Unit (TRU) to take a deep dive into the 13+ trillion events tracked by the renowned Qualys Cloud Platform. TRU mined anonymised detection statistics to uncover insights into the vulnerabilities found on devices, the security of web applications, misconfiguration of on-premises devices, and cloud security posture. Analysis of this extensive knowledgebase paired with TRU’s unique visibility into threat actor activity – pre and post exploitation — yielded to five “Risk Facts.”
Risk Fact #1: Speed is the key to out-maneuvering adversaries
On average, weaponised vulnerabilities are patched within 30.6 days while only being patched an average of 57.7% of the time. These same vulnerabilities are weaponised by attackers in 19.5 days on average. This means that attackers have 11.1 days of exploitation opportunities before organisations are able to patch.
Risk Fact #2: Automation is the difference between success and failure
According to the study, patches that could be automatically deployed were implemented 45% more frequently and 36% faster than manually deployed patches. Vulnerabilities where an automated patch could be applied have a mean time to remediation of 25.5 days while manually patched vulnerabilities took 39.8 days to be resolved. The patch rate for the automated set was 72.5% compared to 49.8% for the manual set.
Risk Fact #3: Initial Access Brokers (IABs) attack what organisations ignore
A growing trend in the threat actor landscape is a category called Initial Access Brokers (IABs) — sometimes called “affiliates.” This report shows that while organisations are quicker at patching Windows and Chrome, threat actors — especially IABs — are forced to leverage vulnerabilities outside the “big two.” IAB vulnerabilities have a mean time to remediation of 45.5 days, compared to 17.4 days for Windows and Chrome. The patch rates are also lower, patched at 68.3% compared to 82.9% for Windows and Chrome.
Risk Fact #4: Misconfigurations still prevalent in web applications
This study included anonymised detections in 2022 from the Qualys Web Application Scanner, which globally scanned 370,000 web applications and correlated data against the OWASP Top 10. The scans revealed more than 25 million vulnerabilities with 33% of them falling under the OWASP Category A05: Misconfiguration. These misconfigurations provided malicious actors with a gateway to spread malware in about 24,000 web applications.
Risk Fact #5: Infrastructure misconfigurations open the door to ransomware
TRU examined all controls failing more than 50% of their scans and the associated MITRE ATT&CK techniques linked to those specific controls. The top three techniques associated with failing controls for cloud misconfigurations were T1210: Exploitation of Remote Services, 1485: Data Destruction, and 1530: Data from Cloud Storage Object. This indicates misconfigurations in the cloud are exposing organisations to exploitation, encryption, and exfiltration. These three techniques describe exactly how ransomware operates today. These misconfigurations failed half of their scans with a pass rate of 49.4%. Failing misconfigurations are associated with enabling threat actors to move laterally within an organisation.
“Adversaries make it their business to understand the vulnerabilities and weaknesses within their victims’ environments, which can shift the balance of power in their favor,” said Travis Smith, vice president of Threat Research Unit (TRU) at Qualys. “This report arms CISOs and security teams with unprecedented, data-backed insights for a holistic approach to understanding attack paths and threat actor behaviors to minimise risk.”