You can’t control when the next critical vulnerability drops. You can control how much of your environment is exposed when it does. The problem is that most teams have more internet-facing exposure than they realise. Intruder’s Head of Security digs into why this happens and how teams can manage it deliberately.
Time-to-exploit is shrinking
The larger and less controlled your attack surface is, the more opportunities exist for exploitation. And the window to act on them is shrinking fast. For the most serious vulnerabilities, disclosure to exploitation can be as short as 24 to 48 hours. Zero Day Clock projects that time-to-exploit will be just minutes by 2028.
That’s not a lot of time when you consider what has to happen before a patch is deployed: running scans, waiting for results, raising tickets, agreeing priorities, implementing, and verifying the fix. If disclosure lands out of hours, it takes even longer.
In many cases, vulnerable systems don’t need to be internet-facing in the first place. With visibility of the attack surface, teams can reduce unnecessary exposure upfront and avoid the scramble altogether when a new vulnerability drops.
When a zero-day drops on a Saturday
ToolShell was an unauthenticated remote code execution vulnerability in Microsoft SharePoint. If an attacker could reach it, they could run code on your server – and because SharePoint is Active Directory-connected, they’d be starting in a highly sensitive part of your environment.
This was a zero-day, meaning attackers were exploiting it before a patch was available. Microsoft disclosed on a Saturday and confirmed that Chinese state-sponsored groups had been exploiting it for up to two weeks before that. By the time most teams knew about it, opportunistic attackers were scanning for exposed instances and exploiting at scale.
Intruder’s research found thousands of publicly accessible SharePoint instances at the time of disclosure – despite the fact that SharePoint doesn’t need to be internet-facing. Every one of those exposures was unnecessary – and every unpatched server was an open door.
Why exposures get missed
So why do exposures so often get missed by security teams?
In a typical external scan, informational findings sit beneath hundreds of criticals, highs, mediums, and lows. But that information can include detections that represent real exposure risk, such as:
- An exposed SharePoint server
- A database exposed to the internet, such as MySQL or Postgres
- Other protocols, which should usually be reserved for the internal network, such as RDP and SNMP
Here’s a real example of what that looks like:
In vulnerability scanning terms, classifying these as informationals sometimes makes sense. If the scanner sits on the same private subnet as the targets, an exposed service might genuinely be low risk. But when that same service is exposed to the internet, it carries real risk even without a known…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
