Researchers find APT campaigns share known vulnerabilities

A study of several years of Advanced Persistent Threat (APT) campaigns suggests enterprise IT security admins should worry most about patching their systems for known vulnerabilities, rather than chasing a fix for every zero-day that emerges.

Researchers from the University of Trento in Italy worked on assessing what software strategy might best defend against APT – in particular, whether every patch should be applied as soon as it becomes available.

The good news for enterprise IT management is that a focus on known vulnerabilities is nearly as safe as trying to get every zero-day patched as soon as possible.

Publishing their work on the pre-print server arXiv, academics Giorgio Di Tizio, Michele Armellini, and Fabio Massacci note that “in practice, enterprises must do regression testing before applying an update” – and that means immediate patches are rarely possible.

The researchers quantified the impact of 86 APTs and 350 attack campaigns from 2008 to 2020, and found the majority of campaigns try to exploit known vulnerabilities.

Of the 86 APTs they examined, only eight – known respectively as Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus and Rancor – exploited CVEs not used by anybody else. 

Other actors tend to share vulnerabilities: 17 APT groups shared four or more vulnerabilities, the researchers found, and overall 35 percent of APTs shared at least one CVE.

That focus on known vulnerabilities means “one could perform 12 percent of all possible updates restricting oneself only to versions fixing publicly known vulnerabilities without significant changes to the odds of being compromised, compared to a company that updates for all versions”, the paper stated.

They found that enterprises following an immediate patch strategy “could still be compromised from 14 percent to 33 percent of the time”.