Monday, May 29, 2006

Three Threats

I thought three examples of threats, with corresponding vulnerabilities, etc., might help convince those who doubt the proper use of these terms. Let's start with a mythical example: Achilles. I'll use Achilles' point of view.

  • Risk: Death of Achilles.

  • Asset: Achilles' life.

  • Vulnerability: Achilles' heel. (Achilles was invulnerable, save the portion of his heel by which his mother held him while dipping him in the River Styx. This is the most popular version of the myth.)

  • Threat: Paris, who shot Achilles in the heel with an arrow.

  • Exploit: The arrow shot by Paris.

Let's now look at an example from one of the best movies of all time: The Karate Kid. I'll use Daniel's point of view.

  • Risk: Loss of tournament, thereby letting Johnny Lawrence win.

  • Asset: Daniel LaRusso's fighting ability.

  • Vulnerability: Leg injured in previous fight.

  • Threat: Johnny Lawrence.

  • Exploit: Strike to the injured leg.

Man, that was funny. Here is the third example, from Star Wars. (Don't make me quote the episode -- this is geeky enough already.) I'll use the Empire's point of view.

  • Risk: Loss of the Death Star and Imperial prestige.

  • Asset: The Death Star.

  • Vulnerability: "An analysis of the plans provided by Princess Leia has demonstrated a weakness in the battle station... It's a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station."

  • Threat: X-Wings, e.g.: "[T]he Empire doesn't consider a small one-man fighter to be any threat, or they'd have a tighter defense." (Bravo Lucas!)

  • Exploit: "The shaft is ray-shielded, so you'll have to use proton torpedoes."

Getting the hang of it? Try representing the Star Wars example from the Rebellion's point of view. It's fun, really.


David Belle-Isle said...

Thank you so much for these great examples!

Mango said...

I'm going to dispute this a little bit. Your definition of 'vulnerability' is correct, and you're right that 'threat' should not be used where 'vulnerability' is intended, but I find your definition of 'threat' wanting. In common use of the word, it is not a person or group of people.

The government report you quoted in your last blog entry had it right: a threat is a circumstance or event. They used the term 'threat agent' to denote the person who might attempt to implement the threat.

If a threat is an entity, then 'Threat Modeling', a widely used term in network and application security, doesn't really make any sense.

Actually, based on your examples, you are calling a 'risk' what is conventionally called a 'threat'. Risk, which is really only a concern to CISSP-types (in my experience), is quantitative: usually the product of some formula having to do with damage potential and likelihood of threat realization.

Anonymous said...

I must agree with Mango.

Put it this way - in the Karate Kid example, Johnny Lawrence could also deprive Daniel-san of his fighting ability by kicking him in the head, the right ankle (injured leg is left) or the family jewels. Three threats, one threat agent.

The injured leg is a more exploitable vulnerability, which makes it a more pressing risk to address (by hanging it in the air via the well known "Fighting Italian Crane" manoeuvre).

Richard Bejtlich said...

Last two posts -- as long as you don't say that Daniel's injured leg, head, or FJs are "threats," then I can accept your reasoning. I choose not to separate "threat" and "threat agent," since that is not done in intelligence circles. Even the language in the definitions above (which is not unique to this report) is awkward, due to separation of threat and threat agent. How can a "circumstance or event" "exploit" something?

Mango said...

I agree with you about vulnerability, so this is really a side point to your main argument.

Perhaps you just explained the disconnect: threat is used differently in different communities.

In computer security, a threat is a circumstance or event. A threat is that an attacker might own my box. A vulnerability is a buffer overrun in a network-exposed service. We don't say the threat exploits something. We say the [attacker|threat agent|malicious hacker] exploits the [vulnerability|flaw] to [realize|implement] the threat.

John Ward said...

If I am tasked with eliminating threats, in the case of The Karate Kid, I don't think Daniel would be very appreciative if I eliminated his head, his ankle, or his nuts. Now if I eliminated the risk of him getting kicked in any of those places by eliminating the threat (Johnny), he might actually get some bass in his voice.

While the Computer Security example Mango suggests makes sense, I would be careful about defining a threat as a "circumstance or event" because that gets very close to a type of vulnerability. For example, race conditions are circumstances in which events occur out of sequence, which is a type of vulnerability, not a threat. The system runs the risk of exploitation via the vulnerability. All it would require is a person or persons with the capability or intent to do so, hence the threat.

I would say that an attacker/threat agent is an instance of a threat, in the same relationship as a superclass (threat) is to an instantiated sub-class.

Just my 2 cents...