
TIPS #29: The Patching Paradox

Shane Shook

July 17, 2025

  • Blog Post
  • TIPS

Editor’s note: This TIPS post is part one of a special two-blog miniseries on tech debt, patching, compensating controls, and risk management.

Issue: Tech debt undermines enterprise patch management and security posture.

Patch management, the process of updating software and systems to address specific security vulnerabilities, is a foundational cybersecurity posture requirement. Most enterprise security programs focus on patching systems and software that fall into the middle ground: that is, those with full vendor support and automated patches that make patch management efficient and operationally feasible.

Outside of the middle ground, patch management becomes more difficult and is frequently undermined by technical debt (tech debt), the accumulated cost of neglected system maintenance, outdated software, unmanaged vulnerabilities, and non-modernized infrastructure.

Tech debt accumulates at two extremes: long-term and short-term debt. Unlike the well-supported and automated middle ground, patching or managing vulnerabilities at either extreme requires significant manual effort and long delays, creating a patching gap that threat actors consistently exploit:

Long-term tech debt comes from legacy platforms used in operational infrastructure, where the vendor is out of business or no longer supports the technology. This is common in Operational Technology (OT) and Internet of Things (IoT) environments. Long-term tech debt tends to overlap with forever-day vulnerabilities, which cannot be patched because of defunct vendors, operational priorities, or infeasible hardware or firmware replacement requirements. These vulnerabilities must be managed through compensating controls that mitigate the risk.

Short-term tech debt comes from rapidly evolving cloud, edge, and AI technologies which, given compressed upgrade timelines, often remain unpatched through development and deployment lifecycles. It tends to co-occur with single-day vulnerabilities for which a patch is publicly available: vendors often release a fix within hours or days of public disclosure, but organizations may not apply it for weeks or months because of operational considerations and limitations. When companies do patch single-days, manual oversight is required to validate that the patch actually took effect. As with long-term tech debt, compensating controls are critical here as well.

Impact: Unpatched or unmanaged vulnerabilities leave gaps in security posture which threat actors exploit to compromise systems, deploy ransomware, and more.

Despite the hype around zero-day vulnerabilities, for which no patch exists, threat actors tend to focus their persistent activity on single-days and forever-days. They know that organizations with short- and long-term tech debt leave vulnerabilities unpatched and unmanaged for weeks or months because of concerns about business disruption, resource constraints, and vulnerability prioritization. This leaves a window of opportunity for attackers.

The middle ground and automated patching face challenges too, namely the validation gap. Most companies track and evaluate patch management based on whether the patch was delivered, not whether it was properly applied and validated: a package can be pushed successfully while the vulnerable service keeps running the old code until it is restarted, or the install can fail without the patch tool noticing. Few organizations have processes in place to validate the configuration of deployed patches. In practice, this means that many automated patches are not operationalized as intended.

Threat actors exploit all of these gaps in myriad ways, from living off the land in compromised systems to stealing data and deploying ransomware. Two highly publicized incidents, WannaCry and MOVEit, illustrate the potential impacts on companies and their customers:

WannaCry ransomware (2017)

The global WannaCry ransomware attack exploited an SMBv1 vulnerability that was a forever-day for organizations running unsupported Windows versions such as Windows XP and Windows Server 2003, showing the potential consequences of long-term technical debt.

In May 2017, WannaCry spread rapidly through networks by leveraging EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation that the hacker group The Shadow Brokers had leaked the previous month. Microsoft had already fixed the flaw in March 2017 (MS17-010) for supported versions of Windows, so on Windows 7 and other supported systems it was a single-day that many organizations had not yet applied; for unsupported versions such as Windows XP and Windows Server 2003 it was a forever-day until Microsoft issued an emergency out-of-band patch once the outbreak began. WannaCry encrypted victims' files, deleted volume shadow copies to prevent recovery, and demanded ransom payments in Bitcoin. The incident caused significant disruption for major organizations worldwide, including government agencies and the UK's National Health Service (NHS).

MOVEit breach (2023)

The MOVEit data breach illustrates how quickly threat actors can capitalize on a single-day vulnerability when short-term tech debt means the patch has to be applied manually.

On May 27, 2023, the Clop ransomware gang began exploiting a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362), a managed file transfer product, to steal sensitive customer data. On May 31, vendor Progress Software disclosed the flaw and released a patch that required manual intervention to apply, at which point it became a single-day vulnerability. Clop moved with remarkable speed in the following days and weeks to exploit the lag between the patch's release and its application, breaching numerous organizations that had not yet applied the update. That gap created the window for a massive data breach that affected organizations including U.S. government services contractor Maximus and the French government unemployment agency Pôle emploi, ultimately impacting over 60 million people.

“Threat actors are pragmatic and often exploit the tech debt your company has accumulated, along with associated single- and forever-day vulnerabilities, not ‘noisy’ zero-days. Companies must close patch management and validation gaps while implementing proper compensating controls.”

Leo Casusol, Managing Director, Forgepoint Capital

Action: Prioritize visibility over tech debt and vulnerabilities, close the patching validation gap, and implement compensating controls.

1. Gain visibility over tech debt and vulnerabilities

It’s critical to achieve full visibility across short-term and long-term tech debt as well as the automated middle ground.

The first step is a comprehensive discovery and mapping exercise to identify all systems burdened by tech debt, with particular attention to long-term and short-term debt, since those systems are the most likely targets of threat actors leveraging single-days and forever-days. Categorize every asset and vulnerability, focusing on higher-risk assets prone to single-days and forever-days; these are the ones most likely to fall outside your program’s current ‘middle ground’ of automated patching.

Cloud

Uptycs offers vulnerability management capabilities to help you continuously discover, manage, and prioritize new vulnerabilities across complex, hybrid cloud environments where short-term tech debt and single-days often thrive.

Network

Lumu’s Discover solution gives you a continuous 360° view of your network and external attack surface to identify compromises exploiting single-day and forever-day vulnerabilities and patch exposed or misconfigured infrastructure.

Workloads

RAD Security’s CTEM (Continuous Threat Exposure Management) capabilities help you identify exposures, address vulnerabilities, validate findings, and reduce risk across workloads which are key sources of short-term tech debt.

2. Close the patch validation gap

When a patch is available, whether applied by automation or by hand, it is essential to validate that it was actually implemented, not just delivered. Test the patched configuration to confirm the vulnerability is no longer exploitable.

Bishop Fox’s offensive security and pen testing services help you identify and remediate vulnerabilities and implement secure patch configurations across your entire attack surface, including cloud, IoT, network, and application assets.
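To make the delivered-versus-applied distinction concrete, here is an added triage script (example code written for this page, not from the original post or from any vendor named here). It runs over a constructed inventory in which each record carries the version the patch tool reports it pushed and the version the host itself reports when probed, and sorts assets into the categories used above: validated, validation gap, single-day (with an exposure window measured against an assumed 14-day SLA) and forever-day. All asset names, products, version strings, dates and the SLA are constructed for illustration.

```python
"""Patch-gap triage over a constructed asset inventory (added example, not the post's own tooling)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """One inventory record. Every value used below is constructed for illustration."""
    name: str
    product: str
    fixed_version: Optional[str]      # first version containing the fix; None = vendor never shipped one
    delivered_version: str            # what the patch tool reports it pushed to the host
    running_version: str              # what the host itself reports (binary or service probe)
    patch_available: Optional[date]   # date the fix was published; None if no fix exists
    disclosed: date                   # public disclosure date of the vulnerability


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (simplifying assumption): '15.0.3' -> (15, 0, 3)."""
    return tuple(int(p) for p in v.split("."))


def classify(asset: Asset, today: date, sla_days: int = 14) -> dict:
    """Map one asset to a category and the action it implies.

    The key check is running_version, not delivered_version: a patch the tool
    reports as delivered counts for nothing until the host is actually running it.
    """
    if asset.fixed_version is None:
        # Forever-day: no fix will ever arrive, so exposure runs from disclosure.
        return {"asset": asset.name, "category": "forever_day",
                "exposure_days": (today - asset.disclosed).days,
                "action": "no fix exists: apply and verify compensating controls"}
    fixed = parse_version(asset.fixed_version)
    if parse_version(asset.running_version) >= fixed:
        return {"asset": asset.name, "category": "validated",
                "exposure_days": 0, "action": "none"}
    since = asset.patch_available or asset.disclosed
    exposure = (today - since).days
    if parse_version(asset.delivered_version) >= fixed:
        # Patch tool says delivered, host says otherwise: the validation gap.
        return {"asset": asset.name, "category": "validation_gap",
                "exposure_days": exposure,
                "action": "restart or reinstall, then re-probe; do not report as patched"}
    action = "schedule patch"
    if exposure > sla_days:
        action += "; overdue, add compensating control until applied"
    return {"asset": asset.name, "category": "single_day",
            "exposure_days": exposure, "action": action}


def triage(inventory, today: date, sla_days: int = 14) -> dict:
    """Classify every asset and summarise counts per category."""
    results = [classify(a, today, sla_days) for a in inventory]
    counts: dict = {}
    for r in results:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return {"results": results, "counts": counts}


# Constructed inventory: one asset per category. Dates and versions are made up.
TODAY = date(2023, 6, 15)
FIX_DATE = date(2023, 5, 31)
INVENTORY = [
    # Patched and verified on the host: validated.
    Asset("mft-prod-01", "mft-server", "15.0.3", "15.0.3", "15.0.3", FIX_DATE, FIX_DATE),
    # Package pushed, service never restarted, still running old code: validation gap.
    Asset("mft-prod-02", "mft-server", "15.0.3", "15.0.3", "15.0.1", FIX_DATE, FIX_DATE),
    # Fix published 15 days ago, nothing pushed yet: single-day, past the 14-day SLA.
    Asset("mft-dev-01", "mft-server", "15.0.3", "15.0.1", "15.0.1", FIX_DATE, FIX_DATE),
    # Defunct-vendor OT controller with no fix ever published: forever-day.
    Asset("plc-hmi-07", "legacy-hmi", None, "3.2", "3.2", None, date(2021, 3, 1)),
]

if __name__ == "__main__":
    report = triage(INVENTORY, TODAY)
    for r in report["results"]:
        print(f'{r["asset"]:12} {r["category"]:15} {r["exposure_days"]:4}d  {r["action"]}')
    print(report["counts"])
```

The counts line is what most programs report today; the per-asset rows are what closes the validation gap, because "mft-prod-02" would be counted as patched by any tool that stops at delivery.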

3. Implement Compensating Controls

For many systems carrying legacy or short-term tech debt, patches are either unavailable or infeasible to apply because of resource constraints. In these cases, organizations must rely on compensating controls: alternative security measures designed to manage the risk from the underlying tech debt and vulnerabilities.

Which compensating controls are required? What makes an effective compensating control versus a compliance checkbox that doesn’t protect the organization?

In part two of this series, we will address these and other key risk management questions to show you how to move from baseline compliance to active validation. Stay tuned for our next TIPS blog!