ON-DEMAND TRAINING:  
Build your risk-based vulnerability program
Contact Us
Talk to an Expert
Request a demo

Measuring Momentum in the Attacker-Defender Dynamic

Feb 2, 2021
Ed Bellis
Chief Technology Officer, Co-founder

Share with Your Network

Vulnerability management could accurately be described as a cat-and-mouse game. It’s a high-stakes contest between attackers looking to exploit discovered vulnerabilities, and the defenders tasked with keeping organizations from being targeted. 

And while this culminates in a never-ending back and forth, it’s the specific vulnerability battles we are most interested in to better understand the nuanced interplay between attacker and defender. We want to know: Who has the upper hand and when? And what can we do with this information to better arm the defenders and keep them at an advantage? 

The sixth volume of the Prioritization to Prediction series answers these questions by investigating the lifecycle of vulnerabilities. Teaming up once more with our research partners at Cyentia Institute, we tracked 473 vulnerabilities that were known to be exploited in the wild. We observed each one across millions of assets from initial discovery, through publication and exploitation, and finally ending with remediation. This research reveals insight into when and where attackers and defenders seize (and sometimes trade) momentum during the lifetime of a vulnerability. It also looks at the effectiveness of coordinated vulnerability disclosure and exploit development, and what we (the defenders) can continue to do with this information to improve our remediation and cybersecurity efforts. 

The four variables to measuring momentum

While this increasingly complex problem carries on, researching the timelines of a vulnerability will help us to start determining who (attacker or defender) has the momentum and when. We call this “momentum” instead of advantage because advantage is too broad of a concept for what we’re focused on here. We want to know who is moving first and who is acting with velocity. And we want to know how all this relates to other groups. Listen to the discussion between Wade Baker and Ed Bellis.

During our more than 12 months of research coverage, we measured momentum using four variables: 

  1. Find rate: how quickly an organization uncovers a vulnerability that exists in their environment
  2. Rate of remediation: how quickly an organization remediates a vulnerability after it’s discovered
  3. Exploitation timeline: the time it takes for an exploitation to spread across all sources that observed them
  4. Prevalence: the number of organizations that observed exploitations over a period of time

For a visual of this idea, the graph represents the overall timeline from the moment a vulnerability scanner first detects a vulnerability from when a patch for that vulnerability becomes available. You’ll see that within a month, more than 80% of vulnerabilities are detected.

The graph represents the overall timeline from the moment a vulnerability scanner first detects a vulnerability from when a patch for that vulnerability becomes available. You’ll see that within a month, more than 80% of vulnerabilities are detected.

Who has the momentum and when?

With this information, we can define a typical timeline of events. Our research indicates there are three key hand-offs of momentum during the lifespan of a vulnerability. 

Before the patch is available, attackers have the momentum. Defenders are clearly handicapped until that patch is available. And the longer they wait for a patch, the more momentum attackers will gain.

One to two weeks after the patch becomes available, defenders gain the momentum. That momentum lasts roughly six to seven months, meaning that for that time, defenders are actually remediating systems at a faster rate than attackers are attempting to exploit them.

After six to seven months, the attackers once again overtake the defenders and gain back the momentum. The “plateau of remediation” seen in different survival curves—depicting how some organizations still haven’t addressed this vuln—is what gives control back to the attackers.

Across the board, there’s a long tail of exploitation (plus a long tail of no remediating). Previous Prioritization to Prediction report findings have indicated that an organization never quite gets to 100% remediation, which creates an almost steady state of exploitation. 

Ultimately, defender momentum is not positive for a majority of a vulnerability lifespan. The best counter to this reality is to implement risk-based prioritization

What defenders can do with this information 

For the major players in the lifespan of a vulnerability, this research stresses the importance of increased speed, coordination, and familiarity with the key milestones of the vulnerability lifecycle. In our report, we detail some helpful measures the good guys can take. For instance, to further minimize exposure: 

  • Researchers could explore allowing even more time researchers between patch and exploit release.
  • Vendors can continue supporting coordinated disclosure of vulnerabilities and as partners in between patreat this effort. (And whatever vendors can do to help move defenders along the remediation curve, they should do it. See Prioritization to Prediction, Vol. 5 for good and bad examples of this.) 
  • Finally, defenders can keep working to shrink the find-fix gap, to lessen attacker momentum as much as possible. Understanding the lifecycle of a vulnerability will be paramount for defenders to identify and seize the moments where they can ride and potentially increase their momentum.  

At the end of the day, what will help defenders today is incorporating extensive real-time exploit and vulnerability intelligence into their risk-based vulnerability management program.

For more facts, figures and findings on the vulnerability lifecycle and how it impacts the success and longevity of both attackers and defenders, check out Prioritization to Prediction, Volume 6: The Attacker-Defender Divide. And keep an eye out for additional blogs, including some authored by our colleagues at Cyentia Institute, that will dive into other aspects of the report. 

Share with Your Network

The Attacker-Defender Divide

Download this latest research explores the lifecycle of 473 vulnerabilities with evidence of exploitation in the wild and what really happens after a vulnerability is discovered

Download >

Read the Latest Content

Vulnerability Management

11 Tips for Choosing a Vulnerability Management Solution

“These tips go to 11.” – Nigel Tufnel It can be daunting to choose between vulnerability management (VM) solutions when all vendors describe their offerings in very similar ways. So making the best choice for you means identifying what your organization needs, and ensuring the solutions you’re evaluating meet those needs. It’s safe to say…

READ MORE
Industry

A Wave of Change for Vulnerability Risk Management

If you’re looking for evidence that the future of vulnerability management will be risk-based, look no further than The Forrester Wave™: Vulnerability Risk Management, Q4 2019. Forrester’s new report, which the analyst firm released today, names Kenna Security as a Strong Performer.   In the report, we earned the evaluation’s top possible scores in Risk-Based…

READ MORE
Podcast

Analyzing Vulnerability Remediation Strategies with Cyentia Institute

The first in a multi-part dive into the Prioritization to Prediction (P2P) research series by Kenna Security and The Cyentia Institute – guests Ed Bellis and Wade Baker discuss P2P Volume 1 which quantifies the performance of vulnerability prioritization and remediation strategies for the very first time. If you have any feedback or want to be…

READ MORE
FacebookLinkedInTwitterYouTube

© 2021 Kenna Security. All Rights Reserved. Privacy Policy.