
Highlighting What should be Patched First at the Endpoint

By Douglas Jose Pereira dos Santos, Lead Advanced Threat Intelligence, Fortinet’s FortiGuard Labs

FortiGuard Labs has released its Global Threat Landscape Report for the first half of 2022. This valuable report offers insights on the world’s cyberthreats for the first six months of the year by examining the compiled data gathered from Fortinet’s global array of sensors.

After analysis of billions of threat events around the world, FortiGuard Labs found some familiar exploits, names, and attacks again holding prominent positions in the threat landscape.

Some of What We Learned

The growth of ransomware variants nearly doubled in the first half of 2022. We tallied 10,666 ransomware variants, compared to just 5,400 in the previous six months. The first half of 2022 also brought a surge of malware designed to delete data, known as “wipers.” Though the use of wipers exploded with the start of the Russia-Ukraine War, this malware wasn’t confined to Eastern Europe. It was used in attacks worldwide, proving again that cybercriminals respect no borders.

Another trend that Fortinet discovered in our deep data dives is that operational technology (OT) products are increasingly being targeted and carry higher risk because OT networks are converging with IT networks. This shift from air-gapped OT environments to interconnected ones has many benefits but also introduces more risk.

Never Seen Before Data

While this Global Threat Landscape Report is filled with information, charts, and graphs, one area of interest to security leaders is Figure 3 titled “Comparing CVEs by IPS activity and endpoint detections.” (See below.) CVE stands for “Common Vulnerabilities and Exposures” and it is a list of publicly disclosed computer security flaws.

The data presented on this graph could be extraordinarily helpful to IT security teams. It gives cyber defenders a great deal to work with and helps them identify where to focus their efforts when thinking about the endpoint. Prioritizing patching is always challenging. This data map provides the contextual information CISOs and their IT security teams need to decide how best to prioritize the cleaning and protecting of their digital environments.

Figure 3 – Comparing CVEs by IPS activity and endpoint detections

Insights Into Prioritization

By combining and comparing the endpoint detection data and IPS activity, we have provided organizations with a highlighted road map of the vulnerabilities that are likely in the sights of cybercriminals. These vulnerabilities could well be attacked next and should be patched before other, less likely, vulnerabilities are.

Conversely, if you have a vulnerability that doesn’t even have an exploit—so it’s not being actively exploited—patching that vulnerability could be lower on your priority list. This chart shines a bright guiding light on your organization’s patch schedule.

This chart shows what is actually being exploited against open vulnerabilities on the endpoint. It’s not a crystal ball that can predict where cybercriminals will target next, but the chart provides visibility, like having Team Cybercrime’s “batting lineup of what we might see in the upcoming months.”
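The prioritization logic described above (rank vulnerabilities that both IPS sensors and endpoint agents are seeing ahead of those seen by only one layer, and push vulnerabilities with no known exploit to the back of the queue) can be turned into a small scoring routine. The following is an added example written for this article, not code from the report or from Fortinet; the CVE identifiers are placeholders, the hit counts are constructed, and the "in inventory" flag (only rank what is actually deployed) is an assumption added here, not something the chart itself provides.

```python
"""Rank observed CVEs for patch priority from IPS activity and endpoint detections.

Added example. All identifiers and counts below are constructed placeholders,
not data from the Global Threat Landscape Report.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CveObservation:
    cve_id: str               # placeholder identifier, not a real CVE number
    ips_hits: int             # IPS signature triggers seen at the network edge
    endpoint_detections: int  # detections reported by endpoint agents
    exploit_available: bool   # whether a working exploit is publicly known
    in_inventory: bool        # assumption: the affected product is deployed here


# Most urgent first.
TIER_ORDER = ["patch-first", "patch-next", "schedule", "backlog", "not-applicable"]


def tier(obs: CveObservation) -> str:
    """Bucket a CVE by how much observed exploitation backs it up."""
    if not obs.in_inventory:
        return "not-applicable"   # nothing to patch if the product is not deployed
    if obs.ips_hits and obs.endpoint_detections:
        return "patch-first"      # attacks seen at the edge and reaching hosts
    if obs.ips_hits or obs.endpoint_detections:
        return "patch-next"       # exploited, but only one sensor layer sees it
    if obs.exploit_available:
        return "schedule"         # weaponised, but no activity observed here
    return "backlog"              # no exploit, no activity: lowest urgency


def score(obs: CveObservation) -> float:
    """Within a tier, order by log-scaled activity so one noisy signature does
    not swamp everything else. Endpoint detections weigh double because they
    show the attack got past the network layer."""
    return math.log1p(obs.ips_hits) + 2.0 * math.log1p(obs.endpoint_detections)


def rank(observations):
    """Return CVE ids from most to least urgent."""
    ordered = sorted(observations, key=lambda o: (TIER_ORDER.index(tier(o)), -score(o)))
    return [o.cve_id for o in ordered]


# Constructed sample data (placeholder ids, made-up counts).
SAMPLE = [
    CveObservation("CVE-EXAMPLE-A", ips_hits=12000, endpoint_detections=0,
                   exploit_available=True, in_inventory=True),
    CveObservation("CVE-EXAMPLE-B", ips_hits=300, endpoint_detections=45,
                   exploit_available=True, in_inventory=True),
    CveObservation("CVE-EXAMPLE-C", ips_hits=0, endpoint_detections=0,
                   exploit_available=False, in_inventory=True),
    CveObservation("CVE-EXAMPLE-D", ips_hits=5000, endpoint_detections=900,
                   exploit_available=True, in_inventory=True),
    CveObservation("CVE-EXAMPLE-E", ips_hits=0, endpoint_detections=0,
                   exploit_available=True, in_inventory=True),
    CveObservation("CVE-EXAMPLE-F", ips_hits=8000, endpoint_detections=700,
                   exploit_available=True, in_inventory=False),
]

if __name__ == "__main__":
    for obs in sorted(SAMPLE, key=lambda o: (TIER_ORDER.index(tier(o)), -score(o))):
        print(f"{obs.cve_id:16} {tier(obs):15} score={score(obs):6.2f}")
```

Note how CVE-EXAMPLE-A, despite the largest raw IPS count, ranks below CVE-EXAMPLE-B: B is being seen by both sensor layers, which is exactly the cross-referencing the chart in Figure 3 is meant to surface. The weights and tier boundaries are deliberately simple so a team can replace them with its own risk model; the point is that observed exploitation, not raw vulnerability count, drives the order.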

What to Do Next?

Armed with a deeper understanding of the goals and tactics used by adversaries through actionable threat intelligence, cyber defenders can better align their defenses to proactively adapt and react to quickly changing attack techniques. A few key areas to drill in on given the data above:

Advanced endpoint technology can help mitigate and effectively remediate infected devices at an early stage of an attack.
Services such as a digital risk protection service (DRPS) can be used to do external surface threat assessments, find and remediate security issues, and help gain contextual insights on current and imminent threats.
To minimize the impact of wiper attacks, network detection and response (NDR) with self-learning artificial intelligence (AI) is helpful to better detect intrusions.
Cybersecurity awareness and training are also important as the threat landscape changes, to keep employees and security teams up to date.
Perhaps the most important step to take still comes down to patching. It is still important to prioritize based on the risks an organization faces. In addition, virtual patching should be considered an integral component of every organization’s patch management strategy.

The Endpoint Is Not What It Used to Be

Attacking endpoints is top of mind for cybercriminals because they found in the last three years—with the pandemic and work-from-home and work-from-anywhere—that this is a great way to infiltrate corporate networks. Even though people are coming back into office buildings and workplaces, endpoint security needs to remain top of mind. The perimeter really isn’t what it used to be, and that makes it really challenging to secure.

It’s “the last frontier” to be defended. Therefore, any data that can clarify exactly what security teams need to do is helpful. As we say in the report, “While we can never truly predict what [or where] criminals will hit next…this gives us a good indicator of where criminals are starting to sniff around…Endpoint technology can help mitigate and effectively remediate infected units at an early stage of an attack. Endpoint vulnerabilities can be used for early access to the organization infrastructure with the goal to move to a more profitable location laterally. This is the reason that coordination of endpoint, network, and cloud threat intelligence is so effective in preventing and responding to attacks across multiple stages…”

In short, what’s important is not so much the total number of vulnerabilities, but rather prioritizing: knowing which ones are in your risk scenario and which will impact your organization the most, and letting that guide which ones you patch first.

Sponsored by Fortinet
