Why are you not updating? The effectiveness of Software Updates against Advanced Persistent Threats Campaigns

Software updates are a critical line of defense to prevent exploitation. Still, enterprises often keep outdated software for several months. When dealing with targeted attacks performed by Advanced Persistent Threats (APTs), this behavior does not seem appropriate. However, we tend to focus on specific APT campaigns and we miss the general picture.
In this talk, we provide a broader view of the APT landscape with an analysis of more than 350 campaigns by 86 different APTs collected from open-source resources. Contrary to common belief, APTs are work-averse and prefer to exploit known vulnerabilities. We will share an analysis of different approaches to software updates, from enterprises that update as soon as a new release is out to enterprises that wait for the presence of a CVE. We observed that, given the need to perform regression testing before applying an update, enterprises that update only when a known vulnerability is patched present the same risk of being compromised as enterprises that always update to each new version but perform significantly fewer updates.

The key takeaways of this talk are the following:
-We provide a broader view of the APTs, their attack vector preferences, and the use of 0-days vs publicly known vulnerabilities.
-We show the effectiveness and cost of different software update strategies in preventing APT campaigns.