"Partial Patching Still Provides Strong Protection Against APTs"

According to an analysis conducted by researchers from the University of Trento, Italy, organizations that always upgrade to the most recent versions of all of their software have nearly the same risk of being compromised in cyber-espionage campaigns as those that apply only specific patches after a vulnerability is reported. The researchers' quantitative analysis of data from 350 Advanced Persistent Threat (APT) campaigns conducted between 2008 and 2020 reveals that organizations with a purely reactive software update strategy had roughly the same risk exposure to advanced cyberattacks as those that kept up to date on everything. This is despite the fact that the reactive organizations applied only 12 percent of the updates deployed by firms that always updated immediately.

The findings show that the same is true for organizations that apply updates to fix vulnerabilities based on information they have obtained in advance, such as by paying for zero-day information. When it comes to breach risk, even these entities do not have a considerable advantage over those that patch only on a reactive basis. Although this conflicts with conventional wisdom, the study results reflect two realities: 1) APTs tend to be reactive, and 2) time-to-patch metrics are important.

In their analysis of the 350 campaigns dating back to 2008 (which included information on vulnerabilities exploited, attack vectors, and affected software products), the researchers discovered that APTs targeted publicly reported vulnerabilities more frequently than zero-days. The groups also shared or targeted the same known vulnerabilities in their campaigns. Between 2008 and 2020, the researchers identified 86 different APT groups that exploited 118 unique vulnerabilities in their campaigns. Only Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor leveraged exclusive vulnerabilities in their campaigns.

This means IT teams can prioritize flaws known to be APT favorites to eliminate the majority of the risk of compromise. This article continues to discuss key findings from the study regarding patching strategies, their risk exposure, and the issue of patch prioritization.

Dark Reading reports "Partial Patching Still Provides Strong Protection Against APTs"
