Beyond the Code: Unearthing the Subtle Business Ramifications of Six Months in Vulnerabilities
At Recorded Future, we’re determined to iteratively answer the “So What? Now What?” (SWNW) questions, which some intelligence professionals colloquially characterize as “actionability.” Insikt Group often engages in a “non-obvious second-order implications” (NOSOI) exercise to derive quality SWNW answers from geopolitical and cyber intelligence for business executives. NOSOI results vary (GPT-4 is good at “second-order” but less adept at “non-obvious”), and of course, “non-obvious” is a subjective label. Still, it’s a reasonable articulation of our goal, and we know it when we see it.
Toward an expanded SWNW for business, David Carver and I recently discussed his team’s excellent 2023 H1 vulnerabilities trends report. We focused explicitly on potential NOSOI. First, a few takeaways from the report for the security practitioners:
Malicious winners included LockBit, ALPHV, Royal, ESXiArgs, and Pegasus
Vulnerable drivers (“bring your own vulnerable driver” - BYOVD) are a growing attack vector (+180% QoQ between H2-22 and H1-23)
Third-party relationships (at every level) remain common malicious entry points
Infostealers are popular and resilient (more on this topic soon)
Actors are experiencing widespread success exploiting old (e.g., CVE-2022-41082 ProxyNotShell RCE) and new vulnerabilities (e.g., CVE-2023-0669 Fortra’s GoAnywhere MFT)
Regarding this report’s NOSOI, we focused the business risk impact conversation on cost, using one vulnerability as the example: CVE-2023-2868, a zero-day vulnerability in Barracuda Networks’s Email Security Gateway (ESG).
From the report:
CVE-2023-2868, a zero-day vulnerability in Barracuda Networks’s Email Security Gateway (ESG) appliance, very likely qualifies as the most costly vulnerability in terms of cost to product vendors for H1. Researchers assess that the vulnerability was exploited by a China-nexus group known as UNC4841. According to several online resources, Barracuda likely generates between $300 and $500 million in annual revenue. Per a Reddit thread, Barracuda was willing to replace relevant Barracuda hardware above the 300 models of its Email Security Gateway (ESG) at no cost, but clients would need to pay to replace any version below that model… — a fallout that could cost Barracuda up to 50% of the company’s annual revenue
Replacing hardware as a remediation option is at the far end of the severity spectrum. Barracuda was the unfortunate victim of UNC4841’s efforts in this example, but no vendor is immune to focused and well-resourced efforts to find new vulnerabilities. The broader question for executives is whether this data presents a compelling picture for technology diversification.
Thirty or more years ago, good “Defense in Depth” security meant multiple redundant vendors (e.g., firewalls) to minimize the impact of any one vulnerability. Today, businesses put a premium on a bias for action, and security groups are tasked with riding shotgun (hopefully) as chief digital officers roll out digitalization strategies to improve competitiveness, win market share, and increase profitability. Technological complexity and cyberattack surfaces naturally grow together as data and computing migrate beyond traditional perimeters.
Should security and information technology (IT) more carefully consider redundant vendors balanced against the cost of exploited vulnerabilities? Obviously, “cost” includes multiple resources - money, time, and humans.
We can hear the IT departments howling from here: “These impractical security people! How could we possibly support multiple vendors for a single function?!” But this vulnerability report makes a compelling case for considering the merits of a different approach. By a different approach, we are not arguing for a hard pendulum swing against budget reduction or solution unification. Rather, redundancy and consolidation are two ends of an axis, and different businesses, with different appetites for and exposures to risk, should be thoughtful in choosing the most appropriate position along it.
Even the most prominent technology vendors aren’t immune to cyberattacks, which create risk impact ripples across vendor clients and the global economy. Microsoft recently revoked a digital signing key after attackers obtained and used the key to launch broader attacks against third-party targets. Are enterprises reducing operational risk by, in this case, using multiple cloud platforms (Microsoft, Amazon, Oracle, Google, etc.)? What’s the trade-off between security, speed, and cost (a twist on the Iron Triangle)?
It’s a nuanced conversation, and the equities require careful deliberation, but it’s a relevant topic for executives. The time from vulnerability to exploit has never been shorter. Among major software vendors, zero-day vulnerabilities account for over half of newly exploited vulnerabilities for the past several years. Thus, while vendor diversification has long been an accepted cost in business strategy for categories like connectivity, it’s time to widen the aperture.