Software updates reduce the opportunity for exploitation. However, since updates can also introduce breaking changes, enterprises face the problem of balancing the need to secure software through updates against the need to support operations. We propose a methodology to quantitatively investigate the effectiveness of software update strategies against attacks by Advanced Persistent Threats (APTs). We consider strategies ranging from the case where vendor releases are the only limiting factor to cases in which enterprises delay updates by 1 to 7 months, based on SANS data. Our manually curated dataset of APT attacks covers 86 APTs and 350 campaigns from 2008 to 2020. It includes information about attack vectors, exploited vulnerabilities (e.g. 0-days vs. publicly known vulnerabilities), and affected software and versions. Contrary to common belief, most APT campaigns employed publicly known vulnerabilities. If an enterprise could theoretically update as soon as an update is released, it would face lower odds of being compromised than one waiting one month (4.9x) or three months (9.1x). However, if attacked, it could still be compromised 14% to 33% of the time. As in practice enterprises must perform regression testing before applying an update, our major finding is that one could perform only 12% of all possible updates, restricting oneself to versions that fix publicly known vulnerabilities, without a significant change in the odds of being compromised compared to a company that updates to every version.
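The comparison of update strategies described above, as an added example that is not the paper's code or dataset: constructed release and campaign records for one hypothetical product line, a policy model where an update is installed `delay_days` after it ships (a month is approximated as 30 days, and "security-only" installs just the versions that fix a public vulnerability), and a campaign counts as a compromise when the fixing version is not yet installed on the day the campaign is observed. It goes slightly beyond the abstract by also returning how many updates each policy applies, which is the cost side of the trade-off.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Release:
    version: str
    released: date
    fixes_public_vuln: bool  # version ships a fix for a publicly known vulnerability

@dataclass(frozen=True)
class Campaign:
    observed: date   # date the APT campaign was first observed using the exploit
    fixed_in: str    # first version that closes the exploited flaw

# Constructed sample data (hypothetical product, not from the paper's dataset).
# Releases must be listed in shipping order.
RELEASES = [
    Release("1.0", date(2019, 1, 1), False),
    Release("1.1", date(2019, 2, 1), True),
    Release("1.2", date(2019, 3, 1), False),
    Release("1.3", date(2019, 4, 1), True),
    Release("1.4", date(2019, 5, 1), False),
    Release("1.5", date(2019, 6, 1), True),
]
CAMPAIGNS = [
    Campaign(date(2019, 2, 15), "1.1"),  # public vuln, fix shipped two weeks earlier
    Campaign(date(2019, 3, 20), "1.1"),  # same old public vuln reused later
    Campaign(date(2019, 5, 10), "1.3"),
    Campaign(date(2019, 4, 15), "1.5"),  # 0-day at observation time: fix ships in June
    Campaign(date(2019, 7, 1), "1.5"),
]

def installed_on(releases, on, delay, security_only):
    """Index of the newest release adopted by date `on` under the policy (-1 = none)."""
    idx = -1
    for i, r in enumerate(releases):
        if security_only and not r.fixes_public_vuln:
            continue  # policy skips feature-only versions
        if r.released + delay <= on:
            idx = i
    return idx

def evaluate(releases, campaigns, delay_days, security_only=False):
    """Return (fraction of campaigns that compromise the enterprise, updates applied)."""
    order = {r.version: i for i, r in enumerate(releases)}
    delay = timedelta(days=delay_days)
    hits = sum(
        installed_on(releases, c.observed, delay, security_only) < order[c.fixed_in]
        for c in campaigns
    )
    applied = sum(1 for r in releases if not security_only or r.fixes_public_vuln)
    return hits / len(campaigns), applied
```

On the constructed data the security-only policy reaches the same compromise rate as immediate full updating with half the updates, while a one-month delay doubles the rate and a three-month delay leaves every campaign successful; the 0-day campaign is the one no update policy can prevent.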