N-day exploitation: Rapid7 Labs validated its findings about a more febrile threat environment by producing both n-day and zero-day exploits using AI-assisted research, substantially reducing development time.

In practice, n-day bugs, or the development of exploits against patched software, are a bigger problem than headline-grabbing zero-day vulnerabilities, adds Leeann Nicolo, incident response lead at Coalition, a technology firm that specializes in cyber insurance and cybersecurity tools.

“Our incident response team hasn’t seen a lot of zero-day vulnerabilities exploited lately. Instead, threat actors are hitting known issues that already have patches,” Nicolo says.

Other industry experts confirmed that Rapid7’s findings reflect what they too are seeing on the ground.

“The patch window has effectively collapsed,” says Chris Wysopal, co-founder and chief security evangelist at application security firm Veracode. “That is not a gradual trend; it’s a structural break.”

One driver for the increased pace of exploitation is that every patch now acts like a roadmap for attackers, Wysopal says.

“Once a fix ships, attackers can differentiate the patch, isolate the vulnerable code path, and use automation and AI to generate working exploit paths far faster than enterprises can test and deploy the fix,” says Wysopal. “In other words, disclosure increasingly starts the race, and defenders are already behind when the starting gun fires.”

In addition, AppSec debt widens the exposure window even when a patch exists.

“Enterprises are still carrying too much legacy code, too many internet-facing dependencies, and too many fragile change processes to remediate at machine speed,” Wysopal says. “If the organization needs days or weeks to inventory exposure, assess blast radius, test, get approvals, and deploy, then it is operating on a calendar while attackers are operating on a clock.”

Another big issue is the industrialization of vulnerability exploitation. AI compresses exploit development and lowers the skill barrier, while the cybercrime market removes friction by creating a well-oiled production line that incorporates researchers, brokers, access sellers, botnet operators, and ransomware affiliates.

“[This] assembly-line model means more vulnerabilities move from disclosure to usable attack paths almost immediately,” according to Wysopal.

Secure-by-design imperative: The real response to these challenges ought to be reducing the amount of exploitable software reaching production in the first place rather than encouraging CISOs to “patch faster.” Secure-by-design engineering, aggressive pre-release testing by top-tier bug hunters, architectural mitigations that shrink whole bug classes, and the ability to rebuild or isolate exposed systems quickly are all necessary but perhaps insufficient.

The old assumption that defenders get a grace period after disclosure is no longer credible, according to Wysopal.

“We are watching the collapse of the traditional patch window in real-time,” Wysopal emphasizes. “Secure by design is the only sustainable response, because once disclosure happens, the attacker’s clock is already ticking.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4156005/patch-windows-collapse-as-time-to-exploit-accelerates.html