Zero Days and Time-to-Exploit: The Cybersecurity Horror Show of 2023!

Welcome, dear readers, to an eye-watering revelation from the world of cybersecurity. If you thought it was bad before, hold onto your keyboards, because a staggering 70% of exploited vulnerabilities in 2023 were zero days. That’s right! Your favorite hacker’s favorite day is now literally any day of the week. Can you imagine? The bad guys are squatting like they’re on a patchy Wi-Fi connection, exploiting flaws before vendors even know they exist!

And get this: the average Time-to-Exploit (TTE)—that’s the time it takes for a dodgy character to exploit a vulnerability—has plummeted from a lazy 32 days to an urgent five days. That’s less time than it takes to dry clean a pair of trousers! Seriously, if you’re in IT, it might be time to swap your coffee breaks for some nail-biting security drills. Not that I’m saying you should actually give up coffee; we both know that’s an unrealistic expectation!

Your Daily Dose of Data

In what can only be described as a remarkable feat of irresponsible fun, analysts have noted a dramatic shift in the n-day and zero-day vulnerability ratio. Back in 2021 and 2022, we were living in a relatively calm period with a 38/62 split. Fast forward to 2023, and we’ve reached a jaw-dropping 30:70. It’s almost like watching a reality show where the contestants get progressively more ridiculous as time goes on—who wouldn’t tune in?

Let’s take a moment to put that in perspective. In 2018 and 2019, the average TTE was, ahem, a cozy 63 days. So while you were standing in line for your morning bagel, hackers were taking advantage of flaws while the rest of us were merely trying to decide how many cream cheese options were acceptable.

What Are The Experts Thinking?

Now, professionals in the field aren’t exactly laughing about this. Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, raises his eyebrows in concern, saying, “What once took a month to patch now requires action within just five days.” It’s as if he’s reading a new horror novel where every twist is a vulnerability ready to be exploited!

Von Tran from Bugcrowd takes it a step further, suggesting that organizations need, wait for it… a dedicated zero-day response team! Yes, because having someone just sitting around with a big red button labeled ‘PATCH NOW’ is clearly what we all need to feel safe. It’s like putting a firefighter on standby in the middle of a fire festival. Unless he’s holding a bucket of water for every flaming mishap!

Increased Collaboration, Less Time

Sarah Jones, a Cyber Threat Intelligence Research Analyst, speaks volumes about the need for rapid patch management. “It’s crucial for companies to have seamless coordination and leverage advanced tools to mitigate potential attacks.” Sounds flashy, doesn’t it? Like organizing a surprise party while also dodging fire-breathing jugglers. Just an average Tuesday in cybersecurity nowadays!

A Reality Check for Defenders

As Mandiant has pointed out, from 2020 to 2023, exploits (both zero-days and n-days) have been the VIP guests at the Incident Response (IR) cocktail party. And what does that mean for defenders? You guessed it—enhanced detection and response capabilities! Only now, it’s less like setting the bar and more like running a triathlon, all while under time pressure.

There you go, folks! Vulnerabilities are on the rise, but time isn’t on the defenders’ side. It’s like a game of whack-a-mole, but the moles are in a hurry, and your mallet is, well, probably still stuck in your last project at the office.

Final Thoughts

So here’s the takeaway: whether you’re hoarding old technology like it’s a 1980s vinyl record collection or giggling at the thought of hackers as digital gremlins, you need to be prepared. Cybersecurity is no longer a ‘let’s deal with this on Friday’ kind of job. It’s a ‘pasta is boiling and there’s a fire in the kitchen’ kind of job now!

In the words of the greats—tighten your seatbelt, change your password, and remember: when it comes to cybersecurity, if you think you’ve got it under control… you probably don’t!