The field of exploited vulnerabilities is tilting ever more from n-days to zero-days, according to Mandiant’s latest annual report. 2023 saw the security firm log 138 total incidents of compromise for its report, of which 70% were zero-days. That is up substantially from 61% and 62% in the two prior years.
An equally important item in the report is the continued precipitous drop of average time-to-exploit (TTE), which is now down to just five days from 63 only a few short years ago.
Zero-days more evenly distributed among large and small organizations
One other change in trends worth noting is that zero-days continue to more often come from the products of smaller companies. In the past, over half of these exploited vulnerabilities would come from a small handful of the biggest names in tech: Microsoft, Apple, Google, Adobe and so on. Those tech firms are down to about 40% of the zero-day count, from just under 50% the prior year. It is now much more common for smaller firms to each represent one zero-day on the annual list.
Mandiant projects that zero-days will both continue to be the most exploited vulnerabilities and will take an even larger proportional share in the near term. But that is not necessarily because of actual growth. The security firm believes that numbers may simply be more accurately reflecting ongoing reality due to better detection and quicker response.
In terms of all exploited vulnerabilities, TTE has continued to become worryingly close to immediate. Pre-pandemic it was at a little over two months, and it is now a little under a week. Improvements in detection time may also be contributing to these numbers, but Mandiant takes pains to note that its data shows attackers are definitely acting faster in response to improvements in patching time.
N-days remain among commonly exploited vulnerabilities, but criminals increasingly discriminate
N-days, or those that are used by attackers after a patch has been released, still make up about 30% of exploited vulnerabilities. These most commonly occur within one month of a patch being issued, but criminals do not necessarily pounce on every disclosure.
Attackers are generally quick to exploit n-days when they choose to do so. 12% of exploited vulnerabilities in this area were attacked on the first day, 29% within the first week and 56% within the first month. Just two of the n-days in this report went unexploited for more than six months. Criminals' level of interest appears to depend on some key factors, however: primarily what level of access the n-day can be expected to grant, but also how difficult it is to pull off. Media coverage does not seem to drive up the speed or frequency with which n-days are exploited.
One final point to consider is that all the numbers in this annual Mandiant study should be considered very conservative. Many successfully exploited vulnerabilities remain undisclosed, at least to the public, or are not reported with specific dates attached to them.