Threat Actors Exploit Zero Days Within 5 Days, Says Mandiant

In analyzing 138 actively exploited vulnerabilities in 2023, Google Mandiant reported Oct. 15 that 70% of them were zero-days, indicating that threat actors are getting much better at identifying vulnerabilities in software.

It’s a worrying trend in and of itself, but what caused even more concern among security analysts was that Google Mandiant also found that the time-to-exploit (TTE) — the time it takes threat actors to exploit a flaw — was down to a mere five days in 2023 compared with 63 days in 2018-19 and 32 days in 2021-22.

“The shrinking timeline for security teams to respond to vulnerabilities presents a significant challenge,” said Patrick Tiquet, vice president, security and architecture, at Keeper Security. “Threat actors are increasingly targeting zero-day vulnerabilities, using more sophisticated tactics. What once took a month to patch now requires action within just five days. This shift underscores the importance of implementing robust proactive security measures, and also having well-prepared incident response and priority patching plans ready to activate.”

Tiquet added that as the industry develops more complex software at breakneck speed, the number of vulnerabilities continues to rise. Ironically, Tiquet said this trend toward zero-day exploits partly results from advancements in traditional defenses: organizations have become more effective at blocking phishing and credential theft, prompting cybercriminals to adapt by targeting new weaknesses with surgical precision.

Faced with these challenges, it’s become important for all companies to dedicate a team for zero-day response, signal, and collaboration, said Von Tran, senior manager, security operations at Bugcrowd. Tran said all companies that have their products within many supply chains and within consumer hands need to have this dedicated team and actively talk to one other.

“A dedicated team will have escalation hotlines to all the engineering stakeholders to prioritize and push a fix within a five-day window rather than 30 days,” Tran said. “Zero days are destructive because the research has already taken months, if not years, to weaponize, meaning attackers will be months to years ahead of you. Rapid response is everything.”

Sarah Jones, cyber threat intelligence research analyst at Critical Start, said in light of this compressed TTE timeframe, organizations must first and foremost prioritize rapid patch management. This requires seamless coordination between IT, security, and development teams to swiftly deploy updates. Simultaneously, Jones said the shortened exploitation window underscores the importance of proactive threat hunting. By leveraging advanced tools and skilled analysts, security teams can identify and mitigate potential attacks before they materialize.

“While focusing on technological solutions, organizations must not overlook the human element,” said Jones. “Ongoing security awareness training remains a cornerstone of defense against human-based attacks such as phishing. Furthermore, in our interconnected business ecosystem, the security chain is only as strong as its weakest link. So, ensuring that third-party vendors maintain robust security measures is essential to protect against supply chain attacks.”

READ MORE HERE