Understaffed Cybersecurity Teams: The Hidden Backdoor for Hackers


I’ve been observing a troubling trend in the cybersecurity world. From what I’ve seen first-hand, many companies are seriously understaffed when it comes to fixing vulnerabilities.

It’s not just a skills gap. There’s a real manpower shortage that I think is creating a perfect storm for APT groups.

  • Here’s what I’m seeing on the ground: vulnerabilities are piling up because teams can’t push fixes out through automated scripts from tools like Intune or PatchMyPC. I’ve observed these unpatched vulnerabilities showing up in scans from Tenable Nessus or Qualys, creating a growing list of security holes that align perfectly with the initial access techniques in the MITRE ATT&CK framework.
  • I’ve noticed companies aren’t ignoring security altogether: they’re implementing EDR solutions, Zscaler, Mimecast, and following NIST best practices like 2FA and authenticator apps. From my conversations with CISOs and top-level stakeholders, I’ve gathered they often think this is enough protection. Technically, on the ground, I see that it is a layer of defence. But those unpatched vulnerabilities are still sitting there, waiting to be exploited by APT groups who are experts at living off the land.

  • What’s really concerning is how some companies are handling this problem: I’ve heard from cyber friends at many companies that, instead of fixing the vulnerabilities, they’re simply deleting them from scanners to meet SLAs or lower the workload.

This is especially dangerous because many of these vulnerabilities are rated critical or high and are often easily exploitable. This practice aligns with the MITRE ATT&CK technique T1562 (Impair Defenses), which I’ve observed being used by APT groups to maintain persistence.

  • The root cause? Understaffed teams: From what I’ve gathered, IT folks are swamped with incidents and user tickets, leaving little time for patching. I’ve looked into it, and the fix procedures are often available online and can be learned by any IT professional, but there’s just not enough manpower to get it done.

This situation is creating a real goldmine for hackers, particularly APT groups. In fact, as you all might already know, I am a good boy 🧢, but sometimes I choose to see how bad boys do things 😉🤭. Just a while ago, I even created a proof-of-concept script using AI that changes its digital signature every 5 seconds.

Surprisingly, when I tested it, CrowdStrike didn’t flag it even as a low threat. This tool can be used to bundle malware, evading both static and behaviour-based detection, a technique I’ve observed being used in the wild by APT groups.

From my analysis, this type of tool aligns with several MITRE ATT&CK techniques:
– T1027 (Obfuscated Files or Information)
– T1036 (Masquerading)
– T1556 (Modify Authentication Process)

I’ve noticed that APT groups are particularly adept at exploiting these gaps in vulnerability management to establish initial access (TA0001 in the MITRE ATT&CK framework) and maintain persistence (TA0003).

The takeaway here is clear: From everything I’ve observed, companies need to take a hard look at how they’re actually handling vulnerabilities. Implementing new security controls is great, but if you’ve got unpatched software or drivers, those controls can be bypassed. It’s time to prioritize staffing for vulnerability management and take a more proactive approach to patching. Otherwise, we’re just leaving the door wide open for APT groups to move through the entire kill chain undetected.

In my professional opinion, addressing this staffing issue isn’t just about security; it’s about survival in an increasingly hostile digital landscape. The APT groups I’ve been tracking are getting more sophisticated by the day, and understaffed security teams are failing to fix vulnerabilities in time, fighting an uphill battle they’re currently not equipped to win.