When your product becomes a feature

Having spent a few years using, maintaining, and building security products of every conceivable shape and size, it’s become apparent how uniquely risky it is to invest in building cloud[1] security products.

There are good reasons to build a cloud security product:

• Every aspect of cloud adoption is growing at a meaningful clip and shows no signs of slowing. “Cloud customers” as an addressable market is huge.
• Cloud products are numerous, can change at any time, and are thus easy to adopt but hard to master.
• Cloud security concerns are very real, and cloud customers are willing to spend money on cloud security products to reduce risk.

But there are very real risks from a vendor (particularly startup) standpoint:

• Because cloud security concerns are very real and cloud customers are having to spend additional money on point cloud security products to reduce risk, they are rightfully pressuring cloud vendors to improve the overall security posture of their products.
• A cloud security product cannot, in general, take any preventive or corrective action that the cloud product itself does not support.
• The cloud product vendor can, by definition, see everything that both the end customer and the cloud security product are doing (either directly or via inference).

The net of the above is that, when any cloud security problem becomes enough of a business risk to the cloud product vendor, the cloud product vendor can simply make that problem go away.

The same is true for entire classes of attacks, which a standalone product or team can focus on and solve by playing whack-a-mole, but that the vendor can oftentimes address by making the class of attack go away. Good examples of this include things like secure defaults for cloud-based storage (make the “oops I put it on the Internet” problem go away) and default multi factor authentication (make the “I got phished” problem go away).

Vulnerability half-life and the cloud

The half-life of security vulnerabilities affecting cloud-based products is nowhere near what we’re accustomed to based on decades of complex, multipurpose, customer-managed software. When building for the latter, there will always be enough attack surface and enough configuration and/or version drift to justify relatively expensive security solutions. This means that vendors building security products can expect to be paid back on their investment, and for a meaningful amount of time.

Cloud security problems only live as long as the cloud product vendor wants them to live. And as a result of (healthy) customer expectations—e.g., better security defaults—we can expect both software and configuration vulnerabilities in cloud products to be addressed with increasing efficiency and effectiveness.

Upstreaming of controls

The most effective security controls become features of the platforms they were designed to protect. Years ago, host-based firewall and application control were significant product niches. Over time, they became flagship features of larger third-party security product suites. Today, we can’t imagine an end-user operating system that doesn’t include both of these controls.

Cloud security products are no different. But unlike consumer or end user devices, where solutions may exist but are optional and/or won’t be adopted overnight, solutions to cloud security problems are oftentimes not optional and are literally “adopted” overnight.

The net of this is that many cloud security products run the very real risk of becoming obsolete, sometimes overnight and with little warning. Early entrants into the cloud posture management space felt this, as Amazon and Microsoft moved aggressively into a mix of stronger default posture, log and alert aggregation, and more.

It’s not all doom and gloom

The beauty of cloud products, including cloud security products, is that it’s far easier to build, maintain, and support than on-premise software. So, the cost to prototype, deploy, and support cloud security products may be lower than other types of security products (particularly endpoint- or device-based products, which can be notoriously high friction).

I also said that many cloud security products run the very real risk of becoming obsolete. There are plenty of cloud security needs that are much more durable than wrappers around eventually-native technical controls. In most cases, these will be cloud-optimized products that address evergreen problems, many of them operational. A few examples include:

• Log aggregation and analytics
• Threat detection, investigation, and response
• Incident management

Still, security startups must be thoughtful about the level of investment they’re willing to make and how much of a moat they can establish, understanding that cloud security problems in particular are almost always addressable upstream, and will eventually be addressed upstream.

[1] Cloud is defined for the purpose of this article as the combination of infrastructure- (IaaS), platform- (PaaS), and software-as-a-service (SaaS).

Top initial access techniques from 2019-2022, mapped to ATT&CK

Based on initial access data from dozens of cybersecurity industry reports over the past four years, here’s a visualization of the top five initial access techniques, and how they’ve trended over the years:

More on some of the source data and the top initial access techniques from 2022 can be here.

The data

Rankings by year, used to generate the visualization above.

Not all attack surface is created equal: Why protecting security controls is critical

Any exposed attack surface can be used by an adversary to gain or maintain access to your environment. Security controls are a uniquely high-risk part of your attack surface, because compromising a security control often provides an adversary with privileged and/or uniquely positioned access to the environment. And evidence shows that adversaries are capitalizing on exposed, vulnerable attack surface.

Compromising a security control gives the adversary the ability to perform one or more of the following:

• Manage devices
• Manage identities, including access control and management
• Alter external network access control policies, including: granting remote access to networks, allowing lateral movement between networks, or allowing network egress
• Modify, suppress, or remote logs, alerts, and other evidence of their activities
• Monitor investigative or response activities
• Access sensitive data (particularly problematic if the compromised control issues key material, or performs TLS interception a.k.a. man-in-the-middle)

By contrast, a compromised end user device or endpoint, e.g., a workstation or server, may provide some of the same abilities, but often in a much more limited capacity.

CISA Known Exploited Vulnerabilities (KEV) affecting security controls

Since its inception, I’ve been bullish on the value of the CISA Known Exploited Vulnerabilities (KEV) catalog, along with their periodic analysis of the top exploited vulnerabilities based on the same. The KEV catalog contains a concrete set of trailing indicators that tell you which vulnerabilities should be prioritized for patching or other forms of remediation.

For organizations with a mature, operational vulnerability management program, KEV is a valuable input. For the majority of organizations that do not have a vulnerability management program, it’s an excellent place to start. And if we’re being realistic, it’s a good alternative to doing nothing or addressing vulnerabilities ad hoc.

Enriching the Known Exploited Vulnerabilities data set

CISA makes the KEV data set available via CSV or JSON. I’ve been using the CSV version, which I’ve enriched in a number of ways, including identifying different types of products affected by these vulnerabilities:

• Security - Products designed explicitly to secure devices, networks, or otherwise. This includes endpoint and network protection.
• Edge infrastructure - Products used to connect networks, including protecting the network edge by use of access control lists or mechanisms. This includes most routers, firewalls, email gateways, and other devices that accept inbound traffic from the Internet for inspection or routing.
• Identity and Access Management - Products that provide identity, authentication, authorization, and other access management functions.

The set of products that fall into any of the above categories are treated collectively as security controls.

I also found it helpful to integrate the top exploited vulnerability lists into the same data set, which makes it possible to see some of the breakdowns below, as well as trends.

Known and top exploited vulnerabilities in security controls

Your security controls are a critical cross-section of your attack surface. While we’re busy using our security controls to monitor devices, identities, and other assets under our protection, adversaries are busy exploiting these controls, gaining tremendous leverage over (often many) victims.

As of October 2023, approximately 17% of KEV entries affect a security control.

More concerning than a known exploit in any security control is the appearance of security controls in CISA’s list of top exploited vulnerabilities. 33% of the top 12 exploited vulnerabilities in 2022 affected security controls. If we look at all 42 of the top exploited vulnerabilities in 2022, ~29% (still roughly 1/3) of the expanded set affected security controls.

The sad story of CVE-2018-13379 and CVE-2022-40684 (Fortinet FortiOS)

The top exploited vulnerability in 2022 was CVE-2018-13379, a path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. As the CVE ID suggests, this was assigned in 2018 but not published until June of 2019. Finding instantces to target was as easy as a Google search for intext:"Please Login" inurl:"/remote/login".

In 2019, a pair of exploits for CVE-2018-13379 appeared in Exploit-DB. One of these exploits was a Metasploit module, making exploitation of these systems push-button easy.

Four years after the CVE was assigned and three years after release of an exploit, CVE-2018-13379 was the most exploited vulnerability of the year, known to be leveraged by a variety of successful ransomware groups.

NOTE: This appears to have been used in conjunction with CVE-2022-40684, and it’s unclear why the former topped the last and the latter received an honorable mention.

What will happen in 2023?

It’s impossible to say what 2023’s top exploited vulnerabilities will be. But ongoing and widespread exploitation of products from Fortinet and Cisco, coupled with their place atop the KEV leaderboard as it relates to security controls, are likely to have a significant impact on top exploited vulnerabilities.

Takeaways

This is cursory analysis, but the quality of the underlying data set coupled with what we know about adversary behavior—in particular, that adversaries will always seek out high impact vulnerabilities for exploitation—tells us a lot about the importance of:

• Keeping security controls up-to-date, first and foremost. It’s best to take away the attack surface quickly and proactively.
• Being doubly sure that known exploited vulnerabilities across your attack surface are patched.
• Continuing to put pressure on software vendors to invest in product security, both proactively but also from an incident response and support standpoint.
• Acknowledging that our security controls are high value, high risk, often highly exposed, and treating them as such when it comes to monitoring and threat detection

Your security controls are (a huge) part of your attack surface

Security software is just software, subject to all of the same problems as any other type of software. And like so much of the software we find in the enterprise, security software has some predictable characteristics:

• Not well understood - Compare how well you understand the platform and behavior of your favorite enterprise security suite to something like Windows, or even lesser-understood platforms like macOS and Linux.
• Lacking observability - And even if observability is possible, see previous statement.
• Poorly managed - So many security products are installed and largely forgotten, save for configuration updates. Out of date versions abound.
• Poorly designed and implemented - Again, security software is just software. And many companies building security products aren’t security companies—they’re software companies, and they invest in product security to the same degree that other software companies do (“just enough”). A special shout out to “enterprise suites”, bloated, complex, frankenstein-esque systems comprising dozens or hundreds of open source and proprietary components that even their creator cannot possibly understand, let alone secure.

Then there’s the kicker:

• Highly privileged, and packed with powerful features - Re-read the list above, and then think about this.

With great power . . .

The phrase “highly privileged, and packed with powerful features” is to some degree a necessary evil, though improved threat modeling and design would go a long way towards reducing the risk to customers.

Endpoint security product features like live response (really, sanctioned rootkits) are like Swiss Army knives for defenders and adversaries alike. Implementing product defaults that alert system owners of its use, strong multi-factor authentication for session initialization, and robust observability are the least that we should expect from a product subsystem that can silently gut an enterprise.

Identity is arguably the one security domain and set of controls that every organization should triple-down on, master, and monitor closely. If you’re managing identity security exceptionally well, you’ve eliminated more attack surface than we appreciate. And for this reason, identity and access management products are prime targets for adversaries and red teams alike. The same is obviously true of more traditional directory services, like Active Directory.

And this is to say nothing of completely bonkers products like TLS intercept devices. These are a terrible, horrible, no good idea for a variety of reasons. The simplest reason is that anything of extraordinary value will eventually end up in the wrong hands. And in the wrong hands, security products that undermine foundational security and privacy controls (e.g., encryption) will absolutely gut your enterprise.

. . . comes great opportunity

For adversaries, security products will always be enticing and high value targets. A zero day in a security product might not have the same reach as one targeting Windows or macOS, but adversaries can and do get significant mileage out of exploitation or abuse of security tooling.

So, not only are these security products part of your attack surface, they carry some extraordinary risk. The likelihood of exploitation may be lower than that of most widespread platforms and software, but when it happens, the impact can be catastrophic.

I do believe that computing platforms are getting more secure overall. The trend towards app store-style platforms lends to more restrictive default configurations, making it far more costly to introduce malicious software. And other successful technical controls continue to move upstream and are included by default in most end user and production computing platforms. But because security products are uniquely valuable, and because we’re taking away attack surface in these other areas, we’ll continue to see adversaries do an end run around traditional targets to go after identity providers and other security products instead.

Vulnerabilities.

One way that the shortcomings I list at the start—and there’s shared responsibility for these amongst vendors and users alike—come home to roost is vulnerabilities. Paying attention to software vulnerabilities in security products is particularly useful, as it may be the most objective means of understanding how often adversaries are weaponizing security products and using them to harm us.

Here are some of the receipts from last year alone, courtesy of CISA’s list of 2022 Top Routinely Exploited Vulnerabilities:

• CVE-2018-13379 - Fortinet FortiOS SSL VPN Path Traversal Vulnerability CVE-2021-20016 - SonicWall SSLVPN SMA100 SQL Injection Vulnerability
• CVE-2021-20021 - SonicWall Email Security Improper Privilege Management Vulnerability
• CVE-2021-20038 - SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability
• CVE-2022-1388 - F5 BIG-IP Missing Authentication Vulnerability
• CVE-2022-40684 - Fortinet Multiple Products Authentication Bypass Vulnerability
• CVE-2022-42475 - Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability

I only examined the broader list (which surpassed the 1000 exploit mark as of September 2023), long enough to make my point. But there are plenty more:

• CVE-2020-5902 - F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability
• CVE-2022-41328 - Fortinet FortiOS Path Traversal Vulnerability
• CVE-2023-2868 - Barracuda Networks ESG Appliance Improper Input Validation Vulnerability
• CVE-2023-20269 - Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability
• CVE-2023-27532 - Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability
• CVE-2023-27997 - Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability

What do we do about it?

For starters, vendors must acknowledge that customers pay money for security products to reduce risk, but that their solutions often introduce new, significant risks. Threat model, design, build, and configure (by default!) accordingly.

On the enterprise side, CISA’s work to lower the vulnerability management noise floor is providing organizations with the thing that vendor solutions largely have not: The list of things you’d better patch right now. So, even if you don’t have or can’t afford a vulnerability management solution:

1. Sign up for CISA advisories
2. Patch top exploited vulnerabilities first
3. Patch known exploited vulnerabilities in all of your free time

Lastly, don’t just rely on your security products to monitor the rest of your attack surface. Treat your security products as a critical cross-section of your attack surface, and monitor it as closely as you monitor anything else.

Discussion on LinkedIn