Details Matter: Why Threat Headlines Shouldn’t Direct Your Strategy

How you allocate your time means everything.

By

Originally published in the December 2023 issue of Cyber Defense Magazine.

As Ferris Bueller once said, “Life moves pretty fast.” Most people, especially cybersecurity professionals, know the feeling. Minutes — sometimes seconds — matter in dealing with cybersecurity incidents. But how do you slow down time? What makes it so difficult to stay current or to prioritize what is on today’s agenda for a security operations center? It’s all in the minor details.

Parents can often recognize this instinctively. If your son or daughter wakes up one morning and you ask them, “How did you get home last night?” And they respond with, “I hitched a ride with a complete stranger,” a protective parent may gasp with surprise and concern. However, if the response has more details such as, “I took an Uber at 3 a.m. from my friend’s house, because I wanted to get home safely,” the same protective parent could react differently and prioritize the conversation accordingly.

On October 3, Daniel Stenberg posted on X about a new “High” vulnerability in the curl ecosystem that would be publicly disclosed on October 11.  Due to the popularity of both curl and Daniel’s social media influence, the cybersecurity world exploded with anticipation of a highly impactful and severe security issue; however, the post provided very few details about the actual issue.

The Windup

Daniel’s initial post on X sparked many questions, some of which people were not afraid to ask on X.

Phrases such as “likely to go full meltdown” and “worst security problem found in curl in a long time,” coupled with a resistance to provide any additional details, sent media outlets and security experts writing articles about how this vulnerability would be the next big security concern for the computing world. (It’s also important to note the context around the term “High” in regards to the National Vulnerability Database (NVD). From a standard scoring perspective, a “High” vulnerability has a CVSS score of 7.0-8.9.)

This is important, since there is a precedent that “meltdown”-level vulnerabilities are typically 9.0 or above — hence the “Critical” rating.  This means there is a potential conflict in the minor details, but in our culture, often the mismatch will be ignored for a more severe outcome.

The Details

On October 11, as promised, the details of the vulnerability were made public and the world was set on fire, but in a different manner than one may have expected.

It’s important to take a moment to acknowledge the main lesson learned from the release is the absolute professionalism and care Daniel Stenberg took in addressing this issue. If every vendor and open-source project followed his example, we would, without question, have a more secure technology world. A vulnerability was discovered and reported by a security researcher on a highly impactful platform, and it was patched in a timely manner with full transparency on the issues and how it was addressed. All before, to the best of the community’s knowledge, any active exploitation had occurred. More simply put — the process worked flawlessly.

What did the release say?

In nutshell, the published details revealed a memory corruption vulnerability in a large number of installed versions of both curl and libcurl. That exploitation required a special set of conditions to be true. Instead of the main conversation being about the technical details of the vulnerability, a conversation about the hype that surrounded the vulnerability took center stage.  Why? While it was clearly stated in the initial messaging the issue was a “High” severity bug, the extreme language provided a false sense of a critical issue.

At the time of this writing, NVD hadn’t published a CVSS score indicating an official “High” vs. “Critical” rating.  Some researchers have taken the details and predicted a score which has varied from a 7.5 to an 8.8 rating, both of which are high ratings. Therefore, the details surrounding the exploitation requirement of the vulnerability indeed confirmed a “High” level vulnerability and not a critical vulnerability. However, these details were originally left to the imagination of the reader.

The Impact of Change

If the vulnerability is patched and the disclosure information is accurate, does it matter? The problem with overhype is it often causes a reaction or change in prioritization. Cybersecurity is already overwhelmed with events and starving for resources to address them. This dictates that prioritization of actions is the most important task for any organization: What issues are the highest risk right now and how do I address them? While sometimes the cost of change is minimal, at other times it’s a cost that can’t be afforded.

It is imperative that security researchers continue to responsibly disclose vulnerabilities to closed and open-source projects. Transparency of these vulnerabilities, along with patches (as well done by curl project), is the only way for defenders to have the necessary information required to defend our ever-growing technology stack. It is also our responsibility to keep a factual, data-driven, non-emotional response to these events; to focus on the details; and to work together to responsibly use the resources we have at our disposal.

So, the next time “life comes at you pretty fast,” it pays dividends to “stop and look around once in a while.” It helps in making sure your team focuses your resources and efforts on the most critical and urgent issues that pose the greatest threat to your organization by paying attention to the minor details.

Douglas McKee
Executive Director, Threat Research | SonicWall
Douglas McKee is the Executive Director of Threat Research at SonicWall, where he and his team focus on identifying, analyzing and mitigating critical vulnerabilities through daily product content. He is also the lead author and instructor for SANS SEC568: Combating Supply Chain Attacks with Product Security Testing. Doug is a regular speaker at industry conferences such as DEF CON, Blackhat, Hardware.IO and RSA, and in his career has provided software exploitation training to many audiences, including law enforcement. His research is regularly featured in publications with broad readership, including Politico, Bleeping Computer, Security Boulevard, Venture Beat, CSO, Politico Morning eHealth, Tech Republic and Axios.