The Weaponization-Remediation Crisis: Closing the Gap to Secure U.S. Critical Infrastructure and Systems

Speed is essential for outmaneuvering cyber adversaries. Therefore, quick responses become critical as cyber threats against the federal government and critical infrastructure in the United States evolve rapidly in quantity and sophistication. This trend suggests that a crucial vulnerability window is emerging due to the rapid weaponization of these threats and the comparatively slow pace of remediation. This dangerous period provides cybercriminals with ample opportunities to exploit assets. 

Adding to this complexity, the Cybersecurity and Infrastructure Security Agency (CISA) has flagged several pressing concerns that will contribute to the weaponization-remediation gap problem: ransomware, Internet of Things (IoT) insecurity, supply chain vulnerabilities, AI-powered cyber threats and challenges in identity and access management. This multifaceted threat environment underscores the need for comprehensive cyber risk management strategies, tools and techniques to address the weaponization-remediation gap.

According to the 2023 Qualys TruRisk Report, the number of disclosed vulnerabilities has doubled over the past five years. Still, the speed at which these vulnerabilities are weaponized and the ongoing cyber talent shortage have left teams struggling to wade through a seemingly unscalable mountain of vulnerabilities. On average, defenders patch vulnerabilities within 30.6 days and only do so 57.7% of the time. On the other hand, attackers tend to weaponize these same vulnerabilities in an average of 19.5 days. This time lag poses a significant disadvantage for federal cybersecurity teams struggling to keep pace with the accelerated threat landscape.

This vast weaponization-remediation gap speaks to the urgency of the federal government’s transition from traditional security methods to advanced risk management and remediation strategies. This shift is critical for quickly and effectively protecting federal assets, citizen data, and the systems that maintain critical infrastructure in the United States. By adopting more sophisticated approaches, the government can better safeguard against evolving cyber threats and ensure the resilience of vital national systems. 

As web-based technologies are targeted, critical infrastructure must become a primary focus for defenders. As mentioned, the 2023 Qualys TruRisk report uncovered an 11-day average gap between the weaponization and remediation of vulnerabilities. A recent study at Georgia Tech revealed that web-based technologies have emerged as desirable targets for these attackers. This fact spells alarming news for U.S. critical infrastructure as programmable logic controllers (PLCs), accessed via web browsers, can easily grant attackers full access to the systems that control motors, water pumps, telephone communication systems, and much more. This targeting of web-based software also poses a dangerous threat to federal agency networks, many of which still rely on vulnerable legacy IT systems and have not implemented various government cyber recommendations, according to a recent Government Accountability Office report.  

In April, FBI Director Christopher Wray also shed light on the significant threat posed by the Chinese government to U.S. critical infrastructure. Wray highlighted the People’s Republic of China’s (PRC) aggressive tactics targeting essential sectors such as energy grids and water treatment facilities. To counteract this, Wray emphasized the importance of partnerships with the private sector and academia for intelligence sharing, joint operations, and improved cybersecurity measures like advanced risk management strategies. 

If foreign or domestic cybercriminals manage to exploit web-based control systems, they could easily take control of the industrial facilities that provide essential resources to American citizens and shut down our vital lines of communication. Additionally, ransomware-as-a-service (RaaS) kits, which are growing in both intensity and frequency of use, accelerate the spread of cyberattacks. This rapid proliferation underscores the importance of timely patching. Every additional day that federal cybersecurity teams can gain for patching helps tremendously in preventing systems from becoming ground zero for a more significant cyberattack.    

Closing the Weaponization-Remediation Gap With Risk-based Automation

Despite these alarming trends, the staggering gap between vulnerability weaponization and remediation is a problem for which there are actionable solutions. However, there is a pressing need within the federal government to transition away from reliance on traditional tactics and manual effort, and toward more sophisticated methods such as risk-based prioritization and automation, to improve remediation efforts. In short, while agencies do not have much control over how fast malicious actors weaponize the vulnerabilities in their systems, they do have significant control over the practices they implement that contribute to their patch rate and mean time to remediate (MTTR).

When extremely high volumes of vulnerabilities emerge, and nearly all are deemed “critical,” risk-based prioritization is vital. It’s unrealistic and often impossible to address all of them promptly, so starting with the vulnerabilities that pose the most significant risk is essential. After patching the high-risk vulnerabilities, you can proceed to the lower tiers and initiate their remediation. This way, prioritizing vulnerabilities buys federal cybersecurity teams precious time to close the weaponization-remediation gap and prevent larger-scale attacks on federal assets, citizen data, and U.S. critical infrastructure.

When identifying priorities and initiating the patching process, integrating automation is crucial for enhancing patch rates and MTTR. Automation allows agencies to streamline the tedious tasks behind patch deployment. It frees security teams to focus on more pressing issues, drastically improving the agency’s overall response time to cyber threats. Automation also helps to significantly reduce human error and misconfigurations, which can create additional inroads for foreign and domestic cybercriminals.  
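The two ideas in this section, ranking by risk rather than by raw severity and then measuring patch rate and MTTR, are easy to show in code. The following Python script is an added example, not code from this article or from Qualys; the scoring weights, the P1/P2/P3 tiers, the SLA targets, the `CVE-EXAMPLE-*` identifiers and every vulnerability record are constructed for illustration. It ranks a small backlog by a context-aware risk score (so a weaponized CVSS 7.5 on an exposed control system outranks an unexploited, internal CVSS 9.1), then computes the patch rate, MTTR, the average number of days an exploit existed before the fix landed, and which open items have blown past their tier's SLA.

```python
"""Risk-based vulnerability prioritization and remediation metrics.

Added example, not code from the article or from Qualys. All weights,
tiers, SLA targets and vulnerability records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Vuln:
    cve: str                      # constructed placeholder ids, not real CVEs
    cvss: float                   # base severity score
    internet_facing: bool         # reachable without an existing foothold
    asset_criticality: int        # 1 (lab box) .. 5 (control system); constructed scale
    disclosed: date
    weaponized_on: Optional[date] = None   # date working exploit code was observed
    remediated: Optional[date] = None


# Constructed remediation targets in days per priority tier.
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30}


def risk_score(v: Vuln) -> float:
    """Combine severity with exploitability and business context."""
    score = v.cvss
    if v.weaponized_on is not None:
        score *= 2.0              # exploit exists: attackers need not build one
    if v.internet_facing:
        score *= 1.5              # reachable from outside the network
    score *= 0.5 + 0.25 * v.asset_criticality   # multiplier from 0.75 to 1.75
    return round(score, 2)


def tier(v: Vuln) -> str:
    """Bucket a vulnerability by its risk score, not its CVSS label."""
    s = risk_score(v)
    return "P1" if s >= 30 else "P2" if s >= 10 else "P3"


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Remediation queue: highest risk first."""
    return sorted(vulns, key=risk_score, reverse=True)


def patch_rate(vulns: List[Vuln], as_of: date) -> float:
    """Share of vulnerabilities disclosed by as_of that have been remediated."""
    due = [v for v in vulns if v.disclosed <= as_of]
    if not due:
        return 0.0
    return round(sum(1 for v in due if v.remediated is not None) / len(due), 3)


def mttr_days(vulns: List[Vuln]) -> float:
    """Mean time to remediate, in days from disclosure to fix."""
    closed = [(v.remediated - v.disclosed).days for v in vulns if v.remediated]
    return round(sum(closed) / len(closed), 1) if closed else 0.0


def weaponization_gap_days(vulns: List[Vuln]) -> float:
    """Average days a working exploit existed before the fix landed."""
    gaps = [(v.remediated - v.weaponized_on).days
            for v in vulns if v.remediated and v.weaponized_on]
    return round(sum(gaps) / len(gaps), 1) if gaps else 0.0


def open_past_sla(vulns: List[Vuln], as_of: date) -> List[str]:
    """Unremediated items older than their tier's SLA target."""
    return [v.cve for v in vulns
            if v.remediated is None
            and (as_of - v.disclosed).days > SLA_DAYS[tier(v)]]


# Constructed backlog: ids, dates and attributes are illustrative only.
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", 9.8, True, 5, date(2024, 1, 1),
         weaponized_on=date(2024, 1, 4), remediated=date(2024, 1, 10)),
    Vuln("CVE-EXAMPLE-0002", 9.1, False, 2, date(2024, 1, 5)),
    Vuln("CVE-EXAMPLE-0003", 7.5, True, 4, date(2024, 1, 3),
         weaponized_on=date(2024, 1, 6), remediated=date(2024, 1, 20)),
    Vuln("CVE-EXAMPLE-0004", 5.3, True, 1, date(2024, 1, 2)),
]

if __name__ == "__main__":
    today = date(2024, 2, 5)
    for v in prioritize(SAMPLE):
        print(f"{tier(v)} {v.cve} risk={risk_score(v):6.2f} cvss={v.cvss}")
    print("patch rate:", patch_rate(SAMPLE, today))
    print("MTTR days:", mttr_days(SAMPLE))
    print("avg weaponization gap days:", weaponization_gap_days(SAMPLE))
    print("open past SLA:", open_past_sla(SAMPLE, today))
```

Run as-is to see the queue; the point to notice is that `CVE-EXAMPLE-0002`, "critical" by CVSS, lands in P3 because no exploit exists and it sits on a low-value internal host, while the weaponized, exposed items rise to P1. The same four metric functions are what an automated pipeline would report after each patch cycle to show whether the gap is actually closing.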

Prioritizing Risks to Safeguard the Future of Critical Infrastructure and National Security

Closing the gap between weaponization and remediation is critical to enhancing federal defense capabilities, protecting critical infrastructure, and strengthening national security. Malicious actors can breach federal and critical infrastructure networks with alarming speed — networks that are pivotal to the nation’s functionality and the safety of its citizens.  

Undetected and unpatched vulnerabilities increasingly tilt the advantage in favor of these malicious actors. Therefore, it is vital for federal agencies to continuously refine their cybersecurity strategies to match the evolving threat landscape. Adopting sophisticated risk management and remediation techniques, such as risk-based prioritization and automated patching, represents the essential initial step in this evolution.


Saeed Abbasi is Product Manager, Vulnerability Research, with the Qualys Threat Research Unit. He is a seasoned cybersecurity expert with a rich network security, threat intelligence, and vulnerability management background. Having over a decade of experience in the cybersecurity industry, he has significantly contributed to advancing security practices and technologies. Saeed has played pivotal roles in developing advanced security solutions and researching emerging cyber threats. Currently, he focuses on enhancing vulnerability management solutions and promoting best practices in cybersecurity, collaborating with global teams to identify and mitigate security risks worldwide.

An active contributor to the cybersecurity community, Saeed has authored numerous publications and commentaries on network security protocols, threat mitigation strategies, and the evolving landscape of cybersecurity threats. His insights have been featured in various industry journals, magazines and online platforms, establishing him as a respected thought leader. He holds a master’s in computer science and continues participating in conferences, webinars, and panel discussions to share his knowledge and advocate for more robust cybersecurity measures globally.

Photo Credit: Maksym
