Home Cloud Computing The parable of the long-tail vulnerability

The parable of the long-tail vulnerability

The parable of the long-tail vulnerability


Trendy-day vulnerability administration tends to comply with an easy process. From a excessive degree, this may be summed up within the following steps:

  1. Determine the vulnerabilities in your atmosphere
  2. Prioritize which vulnerabilities to handle
  3. Remediate the vulnerabilities

When high-profile vulnerabilities are disclosed, they are typically prioritized as a consequence of considerations that your group can be hammered with exploit makes an attempt. The final impression is that this malicious exercise is highest shortly after disclosure, then decreases as workarounds and patches are utilized. The thought is that we ultimately attain a important mass, the place sufficient techniques are patched that the exploit is not price trying.

On this state of affairs, if we have been to graph malicious exercise and time, we find yourself with what’s sometimes called a long-tail distribution. A lot of the exercise happens early on, then drops off over time to type a protracted tail. This appears one thing like the next:


An extended tail distribution of exploit makes an attempt sounds affordable in concept. The window of usefulness for an exploit is widest proper after disclosure, then closes over time till dangerous actors transfer on to different, more moderen vulnerabilities.

However is that this how exploitation makes an attempt actually play out? Do attackers abandon exploits after a sure stage, shifting on to newer and extra fruitful vulnerabilities? And if not, how do attackers strategy vulnerability exploitation?

Our strategy

To reply these questions, we’ll have a look at Snort knowledge from Cisco Safe Firewall. Many Snort guidelines defend in opposition to the exploitation of vulnerabilities, making this knowledge set to look at as we try to reply these questions.

We’ll group Snort guidelines by the CVEs talked about within the rule documentation, after which have a look at CVEs that see frequent exploit makes an attempt. Since CVEs are disclosed on completely different dates, and we’re alerts over time, the precise timeframe will fluctuate. In some circumstances, the disclosure date is sooner than the vary our knowledge set covers. Whereas we gained’t have the ability to look at the preliminary disclosure interval for these, we’ll have a look at just a few of those as nicely for indicators of a protracted tail.

Lastly, a rely of rule triggers will be deceptive—just a few organizations can see many alerts for one rule in a short while body, making the numbers look bigger than they’re throughout all orgs. As an alternative, we’ll have a look at the proportion of organizations that noticed an alert. We’ll then break this out on a month-to-month foundation.

Log4J: The 800-pound gorilla

The Log4J vulnerability has dominated our vulnerability metrics because it was disclosed in December 2021. Nonetheless, trying on the share of exploit makes an attempt every month since, there was neither a spike in use proper after disclosure, nor a protracted tail afterwards.


That first month, 27 p.c of organizations noticed alerts for Log4J. Since then, alerts have neither dropped off nor skyrocketed from one month to the subsequent. The p.c of organizations seeing alerts vary from 25-34 p.c by way of June 2023, averaging out at 28 p.c per 30 days.

Maybe Log4J is an exception to the rule. It’s a particularly frequent software program part and a very talked-about goal. A greater strategy is perhaps to take a look at a lesser-known vulnerability to see how the curve appears.

Spring4Shell: The Log4J that wasn’t

Spring4Shell was disclosed on the finish of March 2022. This was a vulnerability within the Spring Java framework that managed to resurrect an older vulnerability in JDK9, which had initially been found and patched in 2010. On the time of Spring4Shell’s disclosure there was hypothesis that this might be the subsequent Log4J, therefore the similarity in naming. Such predictions did not materialize.

We did see a good quantity of Spring4Shell exercise instantly after the disclosure, the place 23 p.c of organizations noticed alerts. After this honeymoon interval, the proportion did decline. However as an alternative of exhibiting the curve of a protracted tail, the chances have remained between 14-19 p.c a month.

Eager readers will discover the exercise within the graph above that happens previous to disclosure. These alerts are for guidelines masking the preliminary, more-than-a-decade-old Java vulnerability, CVE-2010-1622. That is attention-grabbing in two methods:

  1. The truth that these guidelines have been nonetheless triggering month-to-month on a 13-year-old vulnerability previous to Spring4Shell’s disclosure gives the primary indicators of a possible lengthy tail.
  2. It seems that Spring4Shell was so much like the earlier vulnerability that the older Snort guidelines alerted on it.

Sadly, the timeframe of our alert knowledge isn’t lengthy sufficient to say what the preliminary disclosure section for CVE-2010-1622 seemed like. So since we don’t have sufficient info right here to attract a conclusion, what about different older vulnerabilities that we all know have been in heavy rotation?

ShellShock: A basic

It’s exhausting to consider, however the ShellShock vulnerability not too long ago turned 9. By software program improvement requirements this qualifies it for senior citizen standing, making it an ideal candidate to look at. Whereas we don’t have the preliminary disclosure section, exercise stays excessive to today.

Our knowledge set begins roughly seven years after disclosure, however the share of organizations seeing alerts ranges from 12-23 p.c. On common throughout this timeframe, about one in 5 organizations see ShellShock alerts in a month.

A sample emerges

Whereas we’ve showcased 3-4 examples right here, a sample does emerge when different vulnerabilities, each previous and new. For instance, right here is CVE-2022-26134, a vulnerability found in Atlassian Confluence in June 2022.

Right here is ProxyShell, which was initially found in August 2021, adopted by two extra associated vulnerabilities in September 2022.

And right here is one other older, generally focused vulnerability in PHPUnit, initially disclosed in June 2017.

Is the lengthy tail wagging the canine?

What emerges from vulnerability alerts over time is that, whereas there’s typically an preliminary spike in utilization, they don’t seem to say no to a negligible degree. As an alternative, vulnerabilities stick round for years after their preliminary disclosure.

So why do previous vulnerabilities stay in use? One purpose is that many of those exploitation makes an attempt are automated assaults. Dangerous actors routinely leverage scripts and purposes that permit them to shortly run exploit code in opposition to a big swaths of IP addresses within the hopes of discovering susceptible machines.

That is additional evidenced by trying on the focus of alerts by group. In lots of circumstances we see sudden spikes within the whole variety of alerts seen every month. If we break these months down by group, we usually see that alerts at one or two organizations are accountable for the spikes.

For instance, check out the entire variety of Snort alerts for an arbitrary vulnerability. On this instance, December was in step with the months that preceded it. Then in January, the entire variety of alerts started to develop, peaking in February, earlier than declining again to common ranges.

The reason for the sudden spike, highlighted in gentle blue, is one group that was hammered by alerts for this vulnerability. The group noticed little-to-no alerts in December earlier than a wave hit that lasted from January by way of March. It then fully disappeared by April.

It is a frequent phenomenon seen in general counts (and why we don’t draw tendencies from this knowledge alone). This might be the results of automated scans by dangerous actors. These attackers might have discovered one such susceptible system at this group, then proceeded to hammer it with exploit makes an attempt within the months that adopted.

So is the lengthy tail a fantasy in terms of vulnerabilities? It definitely seems so—at the least in terms of the varieties of assaults that concentrate on the perimeter of a company. The general public dealing with purposes that reside right here current a big assault floor. Public proof-of-concept exploits are sometimes available and are comparatively simple to fold into attacker’s present automated exploitation frameworks. There’s little threat for an attacker concerned in automated exploit makes an attempt, leaving little incentive to take away exploits as soon as they’ve been added to an assault toolkit.

What’s left to discover is whether or not long-tail vulnerabilities exist in different assault surfaces. The very fact is that there are completely different lessons of vulnerabilities that may be leveraged in several methods. We’ll discover extra of those sides sooner or later.

It solely takes one

Discovering that one susceptible, public-facing system at a company is a needle-in-a-haystack operation for attackers, requiring common scanning to search out it. However all it takes is one new system with out the newest patches utilized to provide the attackers a chance to achieve a foothold.

The silver lining right here is {that a} firewall with an intrusion prevention system, like Cisco Safe Firewall, is designed particularly to forestall profitable assaults.  Past IPS prevention of those assaults, the not too long ago launched Cisco Safe Firewall 4200 equipment and seven.4 OS carry enterprise-class efficiency and a number of latest options together with SD-WAN, ZTNA, and the flexibility to detect apps and threats in encrypted site visitors with out decryption.

Additionally, in the event you’re on the lookout for an answer to help you with vulnerability administration, Cisco Vulnerability Administration has you coated. Cisco Vulnerability Administration equips you with the contextual perception and menace intelligence wanted to intercept the subsequent exploit and reply with precision.

We’d love to listen to what you suppose. Ask a Query, Remark Under, and Keep Linked with Cisco Safe on social!

Cisco Safe Social Channels





Please enter your comment!
Please enter your name here