If it’s Not Exploitable, it’s Not a Vulnerability

Don’t you think it’s absurd that we participate in this endless race to manage and patch vulnerabilities, even though new ones appear all the time?

Natali Tshuva

April 16, 2021

Don’t you think it’s absurd that we participate in this endless race to manage and patch vulnerabilities, even though new ones appear all the time? It's like swimming upstream—no matter how hard you paddle, the current is overwhelming and unlikely to settle down soon.

We repeatedly spend all this time and money with no finish line in sight, all while unknown threats hover over our heads. Your R&D department shouldn't need to spend 2,000+ hours per week implementing patches and handling vulnerabilities. Surely there is a better, more sustainable solution.

At Sternum, we believe there is another way.

Vulnerabilities are ever-present and inevitable, and this holds for software of any kind. A flawless state is something the industry should always aspire to, but it is rarely reached.

Let’s take memory-based vulnerabilities as an example. They are widespread and a serious threat to IoT devices; Microsoft has reported that roughly 70% of the vulnerabilities it fixes each year are memory-safety issues. Thousands of such vulnerabilities are reported each month, and that number only reflects reported instances. The unknown remains unknown, posing a threat to devices, networks, and enterprises alike.

Instead of manually patching all these memory-based vulnerabilities, what if we simply prevented their exploitation? Think about it: no exploitation, no damage.

The existence of a vulnerability is not enough for a threat actor to cause damage; they first have to exploit that specific vulnerability to start the attack. But all it takes is one. So shifting the focus from perpetually pouring resources into manual, arduous patching to automatically identifying and blocking the exploitation attempt itself, through proactive security controls, could provide a much-needed remedy.

There is a common denominator here. For every type of memory-based vulnerability, a certain step must be performed that is distinctly recognizable and shared across attacks. Focusing on identifying and preventing that step could remove an entire class of existing and future memory-based vulnerabilities from potential exploitation. If it’s not exploitable, it’s not a vulnerability.

At Sternum, we call these identical and necessary steps the Exploitation Fingerprint™. Just like a sophisticated detective, our technology tracks, identifies, and locates this Exploitation Fingerprint™ in real-time to flag the presence of an attacker, and prevent the attack itself.

We map the different elements that make up the Exploitation Fingerprint™ and the corresponding malicious operations that need to be prevented. Going back to memory-vulnerability exploitation, we can see this in action.

Luckily for defenders, to exploit a memory-based vulnerability the attacker must first corrupt memory in some way: writing outside a buffer's bounds, or overwriting existing data such as a pointer or a saved return address. Without that corruption, the vulnerability cannot be turned into damage. (A pure out-of-bounds read, which leaks data without modifying it, is the one case this step does not cover; the argument here concerns corruption-based exploitation.) This is one element of the Exploitation Fingerprint™ and a step the attacker simply cannot skip. Hence memory corruption is a distinct, necessary, and compulsory step in every memory-vulnerability exploitation that takes place.

Sternum’s EIV (Embedded Integrity Verification) product takes advantage of this bottleneck (the point at which an attacker does not yet have full control over the software and must corrupt memory to gain it) by monitoring each memory operation and validating its integrity in real time. When EIV determines that a memory operation would produce the Exploitation Fingerprint™ in memory, it prevents the operation from completing, so no corruption occurs and any potential exploitation is stopped at that point. This makes the existence of the vulnerability meaningless. Again: if it’s not exploitable, it’s not a vulnerability.
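To make the "corruption is the compulsory step" argument concrete, here is an added example (not Sternum's code and not how EIV is implemented) in C. A small frame holds a fixed buffer followed by a guard word that stands in for whatever an attacker would want to overwrite, such as a saved return address. A copy routine that trusts the caller's length corrupts the guard; a copy routine that validates the write against the buffer's bounds refuses the oversized write before any byte lands, which is the one moment every corruption-based exploit has to pass through. The payload and the guard value are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define GUARD   0xDEADBEEFu   /* constructed sentinel standing in for a return address */

/* One object with a buffer and the data that sits right after it in memory.
 * Keeping both in a single struct means the overflow below stays inside one
 * object, so the corruption is observable without wandering off into
 * unrelated memory. buf is deliberately placed at offset 0. */
struct frame {
    uint8_t  buf[BUF_LEN];
    uint32_t guard;
};

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD;
}

/* The "exploitation fingerprint" check: has anything past buf been touched? */
static int frame_intact(const struct frame *f)
{
    return f->guard == GUARD;
}

/* Vulnerable pattern: trusts n and writes from buf onward.
 * The clamp to sizeof *f only keeps the demo inside the struct; the bug is
 * that n is never compared with BUF_LEN. */
static size_t unchecked_copy(struct frame *f, const uint8_t *src, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);   /* buf is at offset 0: spills into guard */
    return n;
}

/* Hardened pattern: validate the write against the destination bounds and
 * refuse it before a single byte is written. Returns 0 on success, -1 if the
 * write would leave buf. */
static int checked_copy(struct frame *f, const uint8_t *src, size_t n)
{
    if (n > BUF_LEN)
        return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* Demonstration helpers; each returns 1 when the scenario behaves as described. */
int demo_unchecked_corrupts(void)
{
    struct frame f;
    uint8_t payload[sizeof(struct frame)];  /* constructed oversized input */
    memset(payload, 'A', sizeof payload);
    frame_init(&f);
    unchecked_copy(&f, payload, sizeof payload);
    return !frame_intact(&f);               /* guard was overwritten with 'AAAA' */
}

int demo_checked_refuses(void)
{
    struct frame f;
    uint8_t payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    frame_init(&f);
    int rc = checked_copy(&f, payload, sizeof payload);
    return rc == -1 && frame_intact(&f);    /* refused, nothing corrupted */
}

int demo_checked_accepts(void)
{
    struct frame f;
    const uint8_t ok[8] = "in-range";       /* constructed in-bounds input */
    frame_init(&f);
    int rc = checked_copy(&f, ok, sizeof ok);
    return rc == 0 && frame_intact(&f) && memcmp(f.buf, ok, sizeof ok) == 0;
}

int main(void)
{
    printf("unchecked copy corrupts guard: %s\n", demo_unchecked_corrupts() ? "yes" : "no");
    printf("checked copy refuses oversize: %s\n", demo_checked_refuses() ? "yes" : "no");
    printf("checked copy accepts in-range: %s\n", demo_checked_accepts() ? "yes" : "no");
    return 0;
}
```

The point of the two routines is where the decision is made: the hardened version never asks what the payload is or which CVE it targets, it only asks whether the write stays inside the object it is aimed at. That is why a check at this layer covers the class rather than one reported instance.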

EIV operates the same way for many different classes of vulnerability. The result is achieving a sustainable, long-term, cybersecurity peace of mind.

Proven in-field

EIV has reached a 96.5% total prevention rate of memory-based vulnerabilities in industry benchmarking metrics. This includes a 100% prevention rate for memory overflow vulnerabilities, a 100% prevention rate when tested in research labs and in the field by our customers, and full prevention of the latest memory-based fileless attacks and critical CVEs disclosed as part of the Ripple20 and Amnesia:33 publications.

Combined with Sternum’s ADS (Analytics & Detection System), our customers have true cybersecurity and visibility peace-of-mind.

Patch at Your Own Pace, Regain Control

For our customers, patching and updating happens (if at all) on their own schedule, as part of an already planned update. They are no longer hostage to critical vulnerabilities that force them to rush out an update to avoid disaster. They are no longer counted as exposed each time a new vulnerability is disclosed, scrambling to defend themselves. They no longer spend significant R&D resources on a mitigation, since the exploitation path is already blocked.

They are in control over the cybersecurity of their devices. This is an important thing to emphasize. Our customers are in control. Not their third-party potentially vulnerable components, not the vulnerability management pressure, and certainly not attackers.

They sleep well at night, knowing Sternum safeguards their assets, while saving money and proving ROI.

It's time to end the vulnerability wild goose chase. Stop mitigating, start preventing.