Three Threats

I thought three examples of threats, with corresponding vulnerabilities, etc., might help convince those who doubt the proper use of these terms. Let's start with a mythical example: Achilles. I'll use Achilles' point of view.

  • Risk: Death of Achilles.

  • Asset: Achilles' life.

  • Vulnerability: Achilles' heel. (Achilles was invulnerable, save the portion of his heel where his mother held while dipping him in the River Styx. This is the most popular version of the myth.)

  • Threat: Paris, who shot Achilles in the heel with an arrow.

  • Exploit: The arrow show by Paris.


Let's now look at an example from one of the best movies of all time: The Karate Kid. I'll use Daniel's point of view.

  • Risk: Loss of tournament, thereby letting Johnny Lawrence win.

  • Asset: Daniel LaRusso's fighting ability.

  • Vulnerability: Leg injured in previous fight.

  • Threat: Johnny Lawrence.

  • Exploit: Strike to the injured leg.


Man, that was funny. Here is the third example, from Star Wars. (Don't make me quote the episode -- this is geeky enough already.) I'll use the Empire's point of view.

  • Risk: Loss of the Death Star and Imperial prestige.

  • Asset: The Death Star.

  • Vulnerability: "An analysis of the plans provided by Princess Leia has demonstrated a weakness in the battle station... It's a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station."

  • Threat: X-Wings, e.g: "[T]he Empire doesn't consider a small one-man fighter to be any threat, or they'd have a tighter defense." (Bravo Lucas!)

  • Exploit: "The shaft is ray-shielded, so you'll have to use proton torpedoes."


Getting the hang of it? Try representing the Star Wars example from the Rebellion's point of view. It's fun, really.

Comments

Anonymous said…
I'm going to dispute this a little bit. Your definition of 'vulnerability' is correct, and you're right that 'threat' should not be used where 'vulnerability' is intended, but I find your definition of 'threat' wanting. In common use of the word, it is not a person or group of people.

The government report you quoted in your last blog entry had it right: a threat is a circumstance or event. They used the term 'threat agent' to denote the person who might attempt to implement the threat.

If a threat is an entity, then 'Threat Modeling', a widely used term in network and application security, doesn't really make any sense.

Actually, based on your examples, you are calling a 'risk' what is conventionally called a 'threat'. Risk, which is really only a concern to CISSP-types (in my experience), is quantitative: usually the product of some formula having to do with damage potential and likelihood of threat realization.
11:00 PM
Anonymous said…
I must agree with Mango.

Put it this way - in the Karate Kid example, Johnny Lawrence could also deprive Daniel-san of his fighting ability by kicking him in the head, the right ankle (injured leg is left) or the family jewels. Three threats, one threat agent.

The injured leg is a more exploitable vulnerability, which makes it a more pressing risk to address (by hanging it in the air via the well known "Fighting Italian Crane" manoeuvre).
11:38 PM
Richard Bejtlich said…
Last two posts -- as long as you don't say that Daniel's injured leg, head, or FJs are "threats," then I can accept your reasoning. I choose not to separate "threat" and "threat agent," since that is not done in intelligence circles. Even the language in the definitions above (which is not unique to this report) is awkward, due to separation of threat and threat agent. How can a "circumstance or event" "exploit" something?
8:02 AM
Anonymous said…
I agree with you about vulnerability, so this is really a side point to your main argument.

Perhaps you just explained the disconnect: threat is used differently in different communities.

In computer security, a threat is a circumstance or event. A threat is that an attacker might own my box. A vulnerability is a buffer overrun in a network-exposed service. We don't say the threat exploits something. We say the [attacker|threat agent|malicious hacker] exploits the [vulnerability|flaw] to [realize|implement] the threat.
9:59 AM
John Ward said…
If I am tasked with eliminateing threats, in the case of The Karate Kid, I don't think Daniel would be very appreciative if I eliminated his head, his ankle, or his nuts. Now if I eliminated the risk of him getting kicked in any of those places by eliminating the threat (Johnny), he might actually get some bass in his voice.

While the Computer Security example Mango suggests makes sense, I would be careful as defining a threat as a "circumstance or event" because that gets very close to a type of vulnerability. For example, race conditions are circumstances in which events occur out of sequence, which is a type of vulnerability, not a threat. The system runs the risk of exploitation via the vulnerability. All it would require is a person or persons with the capability or intent to do so, hence the threat.

I would say that a attacker/threat agent is an instance of a threat, in the same relationship as a superclass (threat) is to an instantiated sub-class.

Just my 2 cents...
11:22 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more