Cyber adversaries scan the internet about once an hour to find vulnerabilities on enterprise networks, according to research from Palo Alto Networks. The uptick correlates with the start of the COVID-19 pandemic, when employees began working remotely, which expanded the potential attack surface that companies have to protect.
Attackers quickly move to take advantage once new vulnerabilities are announced, according to Palo Alto. During the monitoring period between January and March, attackers launched scans within 15 minutes of the disclosure of new Common Vulnerabilities and Exposures (CVEs).
When Microsoft disclosed the Exchange zero days on March 2, adversaries began scanning for vulnerabilities within five minutes, Palo Alto said. To conduct the research, Palo Alto's Cortex Xpanse research team monitored scans of 50 million IP addresses that were linked to 50 global enterprises to understand how quickly adversaries can locate vulnerable computer systems.
The mean time to inventory (MTTI) is much faster for threat actors than for enterprise security officials looking to protect their own systems, Palo Alto found. Global enterprises typically require about 12 hours to locate vulnerabilities within their own computer systems.
"What used to take a few weeks after the publication of how to exploit a piece of software, now we saw just within minutes that attackers were looking across the global internet for something that they could use to try and gain illicit access to a network for criminal attacks like ransomware or nation state attacks going for sensitive information," Tim Junio, senior vice president, Cortex at Palo Alto Networks, said during a keynote address last week at the RSA conference.
At the same time, defenders at large organizations still took days or weeks to find where all of their exposed servers were located, he said.
Almost one-third of all vulnerabilities were linked to Remote Desktop Protocol (RDP), which has surged in use since the beginning of the COVID-19 pandemic as companies moved remote workers to the cloud, according to Palo Alto.
RDP vulnerabilities can become a problem because they offer direct access to servers, which makes them a ripe target for ransomware attacks. RDP was observed being used by attackers during the Colonial Pipeline ransomware attack, according to warnings from federal agencies.
"Security organizations need to do the same as attackers in monitoring the global internet for their assets, to be able to quickly update their inventories," Junio said, "such that if anyone throughout the entire organization put something on the internet that attackers could discover, the organization's IT and security teams know about it as well."
If there is a security risk, then or in the future, they can move very quickly to gain control over that asset or patch its software, which would prevent attackers going after it, he said.
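As an added illustration, not part of the article or of Palo Alto's Cortex Xpanse tooling, the following Python script sketches what Junio's recommendation looks like in practice for a defender: it reconciles the results of an external scan of an organization's own address space against a known-asset inventory, flags assets nobody registered and exposed RDP listeners, and computes the mean time to inventory (MTTI) in hours, the metric the research compares between attackers and defenders. All addresses (from the 203.0.113.0/24 documentation range), ports and timestamps are constructed sample values.

```python
from datetime import datetime
from statistics import mean

RDP_PORT = 3389  # the service the research linked to almost a third of findings

# Constructed sample: the asset inventory the IT/security teams already know about.
KNOWN_INVENTORY = {
    "203.0.113.10": {"owner": "web-team", "approved_ports": {443}},
    "203.0.113.20": {"owner": "it-ops", "approved_ports": {22, 443}},
}

# Constructed sample: what an external scan of the organization's own IP space found,
# with the time each listener was first seen on the internet.
OBSERVED_EXPOSURES = [
    {"ip": "203.0.113.10", "port": 443, "first_seen": "2021-03-02T09:00:00"},
    {"ip": "203.0.113.20", "port": 3389, "first_seen": "2021-03-02T09:05:00"},
    {"ip": "203.0.113.77", "port": 3389, "first_seen": "2021-03-01T20:00:00"},
]

# Constructed sample: when the defenders' inventory first recorded each exposure
# (None means nobody has recorded it yet, so the gap is still open).
INVENTORY_RECORDED = {
    ("203.0.113.10", 443): "2021-03-02T09:30:00",
    ("203.0.113.20", 3389): "2021-03-02T21:05:00",
    ("203.0.113.77", 3389): None,
}


def classify_exposures(observed, inventory):
    """Return (ip, port, finding) tuples for anything the inventory does not explain.

    'unknown-asset'   - the address is not in the inventory at all
    'unapproved-port' - the address is known but this listener was never approved
    'rdp-exposed'     - the listener is RDP, which the article singles out as a ransomware entry point
    """
    findings = []
    for obs in observed:
        asset = inventory.get(obs["ip"])
        if asset is None:
            findings.append((obs["ip"], obs["port"], "unknown-asset"))
        elif obs["port"] not in asset["approved_ports"]:
            findings.append((obs["ip"], obs["port"], "unapproved-port"))
        if obs["port"] == RDP_PORT:
            findings.append((obs["ip"], obs["port"], "rdp-exposed"))
    return findings


def mean_time_to_inventory_hours(observed, recorded, now):
    """Average hours between an exposure appearing on the internet and the defenders recording it.

    Exposures that are still unrecorded are counted up to `now`, so an unknown asset
    keeps pushing the MTTI upward until someone puts it in the inventory.
    """
    now_dt = datetime.fromisoformat(now)
    gaps = []
    for obs in observed:
        seen = datetime.fromisoformat(obs["first_seen"])
        recorded_at = recorded.get((obs["ip"], obs["port"]))
        end = datetime.fromisoformat(recorded_at) if recorded_at else now_dt
        gaps.append((end - seen).total_seconds() / 3600)
    return mean(gaps)


if __name__ == "__main__":
    for ip, port, finding in classify_exposures(OBSERVED_EXPOSURES, KNOWN_INVENTORY):
        print(f"{ip}:{port} -> {finding}")
    mtti = mean_time_to_inventory_hours(OBSERVED_EXPOSURES, INVENTORY_RECORDED, "2021-03-03T08:00:00")
    print(f"MTTI: {mtti:.1f} hours")
```

With the constructed data, the known web server raises nothing, the known host with an unapproved RDP listener raises two findings, and the host nobody registered raises two more; the MTTI comes out at roughly 16 hours, above the 12-hour figure the research cites for enterprises, because the unregistered RDP host has been exposed for a day and a half without anyone recording it.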
Palo Alto has seen an increase in the attack surface, as more people are using corporate equipment over the public internet due to COVID-19.
One difficulty for enterprises is that scans typically search for known vulnerabilities using a database of CVEs. Companies typically use penetration testing or red teams to search for items they don't know about.