Quantifying the Attacker's First-Mover Advantage

I. EXECUTIVE SUMMARY

This report measures the difference in days between when an exploit for a vulnerability becomes publicly available (Time to Exploit Availability) and when a vulnerability is first assessed (Time to Assess). A negative delta indicates that the attacker has an opportunity to exploit a vulnerability before the defender is even aware of the risk. The sample set used for this analysis is based on the 50 most prevalent vulnerabilities from nearly 200,000 unique vulnerability assessment scans.

Findings:

• 7-day: Attackers have a median seven-day window of opportunity to exploit a vulnerability before a defender is even aware they are vulnerable.
• 24%: A further point of concern is that 24 percent of analyzed vulnerabilities were being actively exploited by malware, ransomware or exploit kits in the wild.
• 76% of analyzed vulnerabilities had a negative delta – meaning the attacker has the first-mover advantage.
• 34%: For 34 percent of the analyzed vulnerabilities, an exploit was available on the same day that the vulnerability was disclosed.
• 75%: While improving the Time to Assess by 75 percent would result in a positive delta for 66 percent of the analyzed vulnerabilities, the rapid Time to Exploit Availability and its weaponization mean that defenders often begin on a back footing and are challenged to gain the lead in the first move.

Recommendations:

• Use continuous vulnerability assessments to effectively improve the Time to Assess – but this by itself cannot fully mitigate the resulting exposure gap.
• Vulnerabilities and exploits are discovered and published incessantly, and attacks and threats evolve at a rapid pace and can strike at any time. The objective of an effective vulnerability management program must be to quickly adapt and react to these changing circumstances. A start-stop or cyclical model falls short in achieving this objective, requiring instead a vulnerability management approach based on a continuous integration and delivery (CI/CD) model.
• Align operational processes to support rapid response and ad hoc remediation and mitigation requests outside of regular maintenance and patch windows.
• Focus remediation and prioritization efforts on vulnerabilities with publicly available exploits and those actively being targeted by malware, exploit kits and ransomware. This necessitates up-to-date situational awareness and threat context.

II. INTRODUCTION

This research report examines the difference in time between when a public exploit for a vulnerability is published and when users actively assess it. These two events represent the first move the attacker and defender make. The premise of this paper is that this delta is an indicative metric in determining Cyber Exposure.

The sample set is based on the analysis of real-world vulnerability assessment data from nearly 200,000 unique vulnerability assessment scans. We selected the 50 most prevalent critical and high-severity vulnerabilities from this data set for this report. A basic understanding of how vulnerabilities are researched, assessed and exploited is assumed.

III. QUANTIFYING THE ATTACKER’S FIRST-MOVER ADVANTAGE

Security professionals are engaged in a continuous arms race with threat actors. In relation to vulnerabilities, this arms race is between attackers’ access to exploits and defenders’ ability to assess, remediate and mitigate them. The attackers gain and maintain the advantage if they can stay at least one step ahead of the defender, resulting in a window of exposure. The race is never-ending and begins again with every new vulnerability discovered. The finish line keeps shifting, with the attacker setting the pace. Figure 1 outlines attackers’ and defenders’ first moves after a vulnerability is disclosed.
Figure 1. Attackers' and Defenders' First Moves Post-Vulnerability Disclosure
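The delta metric described above can be computed from a defender's own scan history. The following is an added example, not code or data from the report: the records are constructed, the function names are hypothetical, and it assumes both Time to Exploit Availability and Time to Assess are counted in days from the disclosure date.

```python
from datetime import date
from statistics import median

# Constructed records, not data from the report:
# (id, disclosed, first public exploit, first assessed, exploited in the wild)
SAMPLE = [
    ("VULN-A", "2018-01-01", "2018-01-01", "2018-01-13", True),
    ("VULN-B", "2018-01-01", "2018-01-05", "2018-01-09", False),
    ("VULN-C", "2018-01-01", "2018-01-21", "2018-01-05", False),
    ("VULN-D", "2018-01-01", "2018-01-01", "2018-01-09", True),
    ("VULN-E", "2018-01-01", "2018-01-11", "2018-01-17", False),
    ("VULN-F", "2018-01-01", "2018-01-03", "2018-01-05", False),
    ("VULN-G", "2018-01-01", "2018-01-31", "2018-01-21", False),
    ("VULN-H", "2018-01-01", "2018-01-07", "2018-01-21", False),
]

def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def deltas(records, assess_speedup=0.0):
    """Map id -> (TtEA - TtA) in days; negative means the exploit came first.

    assess_speedup=0.75 models cutting Time to Assess by 75 percent.
    """
    out = {}
    for vid, disclosed, exploit, assessed, _wild in records:
        ttea = _days(disclosed, exploit)
        tta = _days(disclosed, assessed) * (1 - assess_speedup)
        out[vid] = ttea - tta
    return out

def summarize(records, assess_speedup=0.0):
    d = deltas(records, assess_speedup)
    n = len(records)
    return {
        "pct_negative_delta": 100 * sum(v < 0 for v in d.values()) / n,
        "median_delta_days": median(d.values()),
        "pct_same_day_exploit": 100 * sum(r[1] == r[2] for r in records) / n,
        "pct_exploited_in_wild": 100 * sum(r[4] for r in records) / n,
    }

def remediation_queue(records):
    """Actively exploited first, then the widest attacker lead (most negative delta)."""
    d = deltas(records)
    return [r[0] for r in sorted(records, key=lambda r: (not r[4], d[r[0]]))]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(SAMPLE, assess_speedup=0.75))
    print(remediation_queue(SAMPLE))
```

In the constructed sample, the two vulnerabilities with a same-day exploit keep a negative delta even after the 75 percent speedup, which is why faster assessment alone does not close the gap.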