Wednesday, May 3, 2017

What you don't know can't hurt you.

Ranking Risk in Vulnerability Management

Prioritization gaps are a hard thing to explain, or maybe a very easy thing to explain but only in a way that it is hard to put a metric on. But let's start by telling the story of every enterprise vulnerability management organization everywhere, which has enough resources available to test and patch five vulnerabilities, and there are fifty advisories all marked critical on the systems they run. So, as in the graphic above, you see people developing ranking systems which look at vulnerabilities and say "Hey, is this important enough that I have to spend time really working on it". In some cases there IS no patch and you're creating a custom mitigation, but either way, the testing process is expensive. 

Look at the factors they use and then think of the ways you can defeat those as an attacker, because any gap between what the attacker prioritizes and what the defender prioritizes is really its own vulnerability. And if I can PREDICT or CONTROL the factors a defender uses (say, by controlling public information), then I, as the attacker, can always win.

For example, if I attack QUICKLY then the vulnerability remediation prioritization tree is always off, because I will be done attacking before you have a chance to notice that something is under "active attack".

This should go without saying...
Likewise, some exploits I can specialize in, which makes them "easy" for me, even if publicly they are known to be "hard" -  Windows kernel heap overflows, for example. I can invest in understanding a particular attack surface, which means I can apply say, font parsing bugs, to lateral movement problems, which you may not realize are a possibility. 

And of course, I can invest in understanding the patch system Microsoft has, and knowing which bugs they won't patch or which bugs they have messed up the patches for. 

The point here is that as an attacker I invest in understanding and attacking the global vulnerability management process, and the specific vulnerability management processes in use by my targets, as a process.

1 comment:

  1. Anyone depending heavily on the vulnerability management process as a defensive control isn't going to make it far anyway. You can do a perfect job and you still don't know what you don't know. The moment companies start defending from the perspective that there are critical, Internet-facing, remotely executable vulns they don't know about is the moment they start building strategies that might stand a chance against attacks.