2020 was a tumultuous year for vulnerability risk management. Defenders had to contend with a growing volume of high-priority security threats, many of them in internet-facing technologies deployed to enable and secure a suddenly remote workforce. New communications from the U.S. National Security Agency made threat intelligence on state-sponsored attacks more accessible to the public, drawing increased attention from media, executive, and non-security stakeholder audiences. And December brought revelations about a supply chain compromise with wide-ranging implications for thousands of organizations worldwide.

In other words: if you felt like your hair was on fire trying to understand and address the constant stream of potential and active threats making security news headlines in 2020, you weren't alone.

When a new potential threat emerges, information security professionals often need to translate vague descriptions and untested research artifacts into actionable intelligence for their own particular risk models. In 2020, Rapid7 researchers triaged and analyzed thousands of vulnerabilities and threats to understand root causes and share insight on exploitability, among other characteristics. We regularly publish that analysis in AttackerKB so the community can use it to inform risk management strategies and perform research of their own. Today, we’re introducing Rapid7’s Vulnerability Intelligence Report, a new annual research report that identifies trends from a year of vulnerability analysis and puts learnings in the context of an evolving security landscape.

Our 2020 Vulnerability Intelligence Report examines 50 vulnerabilities from 2020 to highlight exploitation patterns, explore attacker use cases, and offer a practical framework for understanding new security threats as they arise. Every CVE in our report dataset includes a defined threat status (including whether actively exploited vulnerabilities were exploited widely or in a more limited, targeted fashion), vulnerability class, and attacker utility. Report findings and data include:

  • 14 vulnerabilities that became widespread threats and posed substantial risks to organizations of all sizes in 2020
  • Nine vulnerabilities that functioned as network pivots and provided opportunities for external attackers to gain internal network access by exploiting VPNs, firewalls, or other internet-facing technologies
  • A look at exploitability trends across vulnerability classes
  • An evaluation of prominent patch bypasses or incomplete patches, the majority of which circumvent fixes for known-exploited or high-value parent vulnerabilities
  • A spotlight section on vulnerability suites affecting operational technology (OT) and Internet of Things (IoT) technologies co-authored by Rapid7’s partners at SCADAfence

Read the full report here to explore widespread, targeted, and impending threats from 2020.