Patching forms the foundational defenses of every app user. Whether knowingly or not, you are defended from cybercriminals by a joint workforce of hardworking bug finders and fixers.
However, patching is slow. Methodically pinpointing access points is time-consuming; even more glacial can be the individuals and companies that procrastinate on installing updates. Attackers are increasingly reliant on this gap. As the costs and severity of attacks rise, app users must now defend themselves. In the arms race between cyberattackers and patchers, the Web Application Firewall (WAF) may be one solution to the waiting game.
Disclosure is a Double-Edged Sword
Once a major application vulnerability is discovered, its finders are granted the upper hand; like any conflict, the first mover gains a substantial advantage. If it’s a legitimate researcher, they can reach out to the offending app’s developers, and the information need not be publicly released until a patch is produced and shipped.
However, it’s rarely that simple. Patching takes time, draws critical resources away from current development projects, and precedes a huge burst of negative PR for the developer. All of these factors can influence less-than-scrupulous developers to simply ignore a new vulnerability. While many researchers will initially reach out in complete privacy, full disclosure can be a necessary nuclear option. Under full disclosure, a newly discovered vulnerability is exposed to the public. The attack path – and even the exploit code itself – is dropped into public knowledge. This approach places intense pressure upon developers who fail to take the security of their clients seriously.
Responsible disclosure attempts to find some middle ground between these two polar opposite approaches. With responsible disclosure, the initial report is made privately, and the full details are then published once a patch has been made available. Whether public or private, developers may still choose to inform customers of major vulnerabilities via bulletin boards and social media outlets. Complex vulnerabilities often demand a running chain of communication throughout the patching process. The line between tipping off attackers to a weakness and motivating end-users to update ASAP is exceedingly thin.
Circling these frantic communication and repair processes are threat actors, wishing to utilize this information for their own financial and political gain.
The Patching Gap
The moments between a vulnerability’s publication and the rollout of patched versions on client devices are frenzied periods of criminal activity. A recent incident response report found that attackers are often scanning for vulnerabilities within 15 minutes of a bug’s announcement. Some attackers are so quick on the draw that their scans can be almost instantaneous with the vulnerability’s publication.
The speed at which criminals learn about these new flaws places incredible pressure on affected systems – after all, an unpatched app is a sitting duck. Scanning for evidence of these bugs demands very low skill, and these criminal intel-gatherers will often sell their findings to more capable cybercriminals.
The efforts of these weakness-seeking scouts, and the ensuing attacks, have already defined attack trends in 2022. Instead of relying purely on niche zero-day attacks, attackers prioritize older, broadly applicable attack paths. That’s why the report found that the ProxyShell exploit chain – discovered in 2021 – still accounts for 55% of breaches in Q1 of 2022.
ProxyShell is a nasty combination of three different vulnerabilities within Microsoft Exchange Server. By chaining each step, attackers can completely bypass the rules that grant or deny access to sensitive information. From there, they can elevate privileges and essentially authenticate themselves – opening the door for remote code execution. The fact that this major backdoor was found in a widely deployed Microsoft product meant that its attack surface was one of the largest threats faced in 2021.
ProxyShell was discussed in depth at the 2021 Black Hat USA conference; this led to its widespread usage within criminal circles. Though patches were eventually released after two months of hard work, ProxyShell’s patch gap continues to be a major threat. Some systems, such as End of Life (EoL) servers, simply cannot be patched. The same report found that nearly 32% of exposed organizations are running EoL versions of Apache Web Server, vulnerable to the equally massive Log4j attack.
Keeping Your Gaps Patched: Three Options
Virtual patching is the temporary fix that can protect your organization – even in the event of a severe vulnerability. The three most promising forms of virtual patching are the WAF, Web Application and API Protection (WAAP), and Runtime Application Self Protection (RASP). Each of these defends a specific layer of an affected app.
The WAF deploys in front of a web app, essentially shielding the web app from the broader internet. Clients must pass through this WAF before reaching the server itself. By installing a number of rules through which the firewall operates, you can define the actions of a safe user, and prevent malicious code from exfiltrating unauthorized data.
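To make the rule-driven WAF model concrete, here is a small virtual-patch rule engine written as an added example (not the article's own code or any vendor's product): an allow-list of HTTP methods plus a deny-list of rules that block a hypothetical vulnerable endpoint until the vendor fix is installed. The endpoint path, rule IDs and requests are all constructed for illustration; the decoding step shows why a WAF has to normalise the request before matching, or percent-encoded variants of the same path slip past the rule.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

@dataclass
class Rule:
    rule_id: str        # constructed identifier, not a real CRS/ModSecurity rule
    description: str
    methods: tuple      # methods the rule applies to; empty tuple means any method
    path_pattern: str   # regex matched against the normalised path

# Allow-list: anything outside these methods is dropped before the deny rules run.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Deny-list: hypothetical virtual patch shielding an unpatched endpoint.
VIRTUAL_PATCH_RULES = [
    Rule("VP-1001", "Block /legacy/export until the vendor patch is deployed",
         ("GET", "POST"), r"^/legacy/export(\?|$)"),
]

def normalise_path(path: str) -> str:
    """Percent-decode and lower-case so '/LEGACY/%65xport' and '/legacy/export' match alike."""
    return unquote(path).lower()

def evaluate(req: Request) -> tuple:
    """Return ('allow', None) or ('block', rule_id) for one request."""
    if req.method not in ALLOWED_METHODS:
        return "block", "ALLOWLIST-METHOD"
    path = normalise_path(req.path)
    for rule in VIRTUAL_PATCH_RULES:
        if rule.methods and req.method not in rule.methods:
            continue
        if re.search(rule.path_pattern, path):
            return "block", rule.rule_id
    return "allow", None

if __name__ == "__main__":
    # Constructed sample traffic: ordinary requests pass, the shielded path is blocked.
    for r in (Request("GET", "/index.html"), Request("GET", "/legacy/export?id=7"),
              Request("GET", "/LEGACY/%65xport"), Request("TRACE", "/")):
        print(r.method, r.path, "->", evaluate(r))
```

Once the real patch is applied, the VP-1001 rule is removed; the method allow-list stays, since it is a baseline control rather than a stop-gap.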
Because WAFs rely on a black- and white-list approach, many have found that the real-life protection they offer lags a little behind the sheer speed and complexity of modern exploits. This is where the WAAP offers an evolved form of virtual patching. While agile and DevOps practices create web apps and APIs that are in a continuous state of flux, a WAAP focuses purely on the public side of a web app. Instead of following a fixed set of rules, a next-gen WAAP can prevent even zero-day attacks by contextually analyzing each request.
Finally, as the WAF and WAAP defend the outer perimeters of a vulnerable application, the RASP wraps around it, continuously monitoring its behaviors and internal state. The highly-focused monitoring of RASP offers real-time vulnerability and exploit identification. Not only does this lend you a focused window into the inner workings of a vulnerable app, but it also facilitates the automated shutdown of attack attempts.
Waiting on an official patch no longer demands gaping holes in your security: with an appropriate suite of tools, even serious attacks – and the ensuing mess of litigation, lawsuits and destroyed customer trust – can be safely avoided.