Measuring Momentum in the Attacker-Defender Dynamic
Vulnerability management could accurately be described as a cat-and-mouse game. It’s a high-stakes contest between attackers looking to exploit discovered vulnerabilities, and the defenders tasked with keeping organizations from being targeted.
And while this culminates in a never-ending back and forth, it’s the specific vulnerability battles we are most interested in to better understand the nuanced interplay between attacker and defender. We want to know: Who has the upper hand and when? And what can we do with this information to better arm the defenders and keep them at an advantage?
The sixth volume of the Prioritization to Prediction series answers these questions by investigating the lifecycle of vulnerabilities. Teaming up once more with our research partners at Cyentia Institute, we tracked 473 vulnerabilities that were known to be exploited in the wild. We observed each one across millions of assets from initial discovery, through publication and exploitation, and finally ending with remediation. This research reveals insight into when and where attackers and defenders seize (and sometimes trade) momentum during the lifetime of a vulnerability. It also looks at the effectiveness of coordinated vulnerability disclosure and exploit development, and what we (the defenders) can continue to do with this information to improve our remediation and cybersecurity efforts.
The four variables to measuring momentum
While this increasingly complex problem carries on, researching the timelines of a vulnerability will help us to start determining who (attacker or defender) has the momentum and when. We call this “momentum” instead of advantage because advantage is too broad a concept for what we’re focused on here. We want to know who is moving first and who is acting with velocity. And we want to know how all this relates to other groups. Listen to the discussion between Wade Baker and Ed Bellis.
During our more than 12 months of research coverage, we measured momentum using four variables:
- Find rate: how quickly an organization uncovers a vulnerability that exists in their environment
- Rate of remediation: how quickly an organization remediates a vulnerability after it’s discovered
- Exploitation timeline: the time it takes for exploitation to spread across all sources that observe it
- Prevalence: the number of organizations that observed exploitations over a period of time
For a visual of this idea, the graph shows the overall timeline from the moment a vulnerability scanner first detects a vulnerability, measured relative to when a patch for that vulnerability becomes available. You’ll see that within a month, more than 80% of vulnerabilities are detected.
Who has the momentum and when?
With this information, we can define a typical timeline of events. Our research indicates there are three key hand-offs of momentum during the lifespan of a vulnerability.
Before the patch is available, attackers have the momentum. Defenders are clearly handicapped until that patch is available. And the longer they wait for a patch, the more momentum attackers will gain.
One to two weeks after the patch becomes available, defenders gain the momentum. That momentum lasts roughly six to seven months, meaning that for that time, defenders are actually remediating systems at a faster rate than attackers are attempting to exploit them.
After six to seven months, the attackers once again overtake the defenders and gain back the momentum. The “plateau of remediation” seen in different survival curves—depicting how some organizations still haven’t addressed this vuln—is what gives control back to the attackers.
Across the board, there’s a long tail of exploitation (plus a long tail of non-remediation). Previous Prioritization to Prediction report findings have indicated that an organization never quite gets to 100% remediation, which creates an almost steady state of exploitation.
Ultimately, defender momentum is not positive for a majority of a vulnerability lifespan. The best counter to this reality is to implement risk-based prioritization.
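To make the momentum idea concrete, here is an added example (not code from the report or from Kenna Security or Cyentia Institute) that takes two of the four variables above, the rate of remediation and the exploitation timeline, and computes who holds momentum day by day. All dates are constructed: one first-observation day per exploitation source and one remediation day per asset (or None for assets that are never fixed, which produces the plateau of remediation). The 30-day trailing window and the tie-breaking rule are my assumptions; the report does not specify how it measured rates.

```python
from bisect import bisect_right
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the report). Days are relative to the
# patch release on day 0; negative values are pre-patch.
# One entry per exploitation source: the day that source first observed
# exploitation of the vulnerability.
EXPLOIT_OBSERVATION_DAYS: List[int] = [-45, -20, 0, 5, 30, 60, 135, 200, 240, 300]
# One entry per vulnerable asset: the day it was remediated, or None if it
# never was (the "plateau of remediation").
REMEDIATION_DAYS: List[Optional[int]] = [
    9, 10, 11, 12, 13, 14, 16, 18, 20, 22, 24, 27, 30, 33, 36, 40,
    45, 50, 56, 63, 70, 80, 95, 110, None, None,
]


def window_rate(sorted_days: List[int], total: int, t: int, window: int) -> float:
    """Fraction of a population of size `total` that acted in (t-window, t].

    `sorted_days` must be sorted ascending; `total` may be larger than
    len(sorted_days) when some members never act (unremediated assets).
    """
    hi = bisect_right(sorted_days, t)
    lo = bisect_right(sorted_days, t - window)
    return (hi - lo) / total


def survival_fraction(remediation_days: List[Optional[int]], t: int) -> float:
    """Share of assets still unremediated at day t (one point on the survival curve)."""
    fixed = sum(1 for d in remediation_days if d is not None and d <= t)
    return 1 - fixed / len(remediation_days)


def momentum_timeline(exploit_days: List[int],
                      remediation_days: List[Optional[int]],
                      window: int = 30,
                      end_day: int = 365) -> Dict[int, str]:
    """Label each day from the first event to `end_day` with who holds momentum.

    Assumed rule: defenders hold momentum on day t only when their remediation
    rate over the trailing window strictly exceeds the exploitation-spread
    rate. Ties, including days on which nothing happens at all, go to the
    attacker, who keeps the steady state of exploitation once remediation
    plateaus.
    """
    exploits = sorted(exploit_days)
    fixed = sorted(d for d in remediation_days if d is not None)
    start = min(exploits + fixed)
    labels: Dict[int, str] = {}
    for t in range(start, end_day + 1):
        attacker = window_rate(exploits, len(exploits), t, window)
        defender = window_rate(fixed, len(remediation_days), t, window)
        labels[t] = "defender" if defender > attacker else "attacker"
    return labels


def handoffs(labels: Dict[int, str]) -> List[Tuple[int, str]]:
    """Days on which momentum changes hands, as (day, new holder)."""
    out: List[Tuple[int, str]] = []
    prev = None
    for t in sorted(labels):
        if prev is not None and labels[t] != prev:
            out.append((t, labels[t]))
        prev = labels[t]
    return out


if __name__ == "__main__":
    timeline = momentum_timeline(EXPLOIT_OBSERVATION_DAYS, REMEDIATION_DAYS)
    for day, holder in handoffs(timeline):
        print(f"day {day:+d}: momentum passes to the {holder}")
    print(f"unremediated at day 365: {survival_fraction(REMEDIATION_DAYS, 365):.1%}")
```

With the constructed data the attacker holds momentum before the patch, defenders take it on day 14 (the first day the trailing remediation rate outpaces exploitation spread), and the attacker takes it back on day 135 once remediation has plateaued with two assets still unfixed. Feeding your own scanner and exploit-intelligence timestamps into the two lists reproduces the same hand-off analysis for a real vulnerability.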
What defenders can do with this information
For the major players in the lifespan of a vulnerability, this research stresses the importance of increased speed, coordination, and familiarity with the key milestones of the vulnerability lifecycle. In our report, we detail some helpful measures the good guys can take. For instance, to further minimize exposure:
- Researchers could explore allowing even more time between patch and exploit release.
- Vendors can continue supporting coordinated disclosure of vulnerabilities and treat researchers as partners in this effort. (And whatever vendors can do to help move defenders along the remediation curve, they should do it. See Prioritization to Prediction, Vol. 5 for good and bad examples of this.)
- Finally, defenders can keep working to shrink the find-fix gap, to lessen attacker momentum as much as possible. Understanding the lifecycle of a vulnerability will be paramount for defenders to identify and seize the moments where they can ride and potentially increase their momentum.
At the end of the day, what will help defenders today is incorporating extensive real-time exploit and vulnerability intelligence into their risk-based vulnerability management program.
For more facts, figures and findings on the vulnerability lifecycle and how it impacts the success and longevity of both attackers and defenders, check out Prioritization to Prediction, Volume 6: The Attacker-Defender Divide. And keep an eye out for additional blogs, including some authored by our colleagues at Cyentia Institute, that will dive into other aspects of the report.