Vulnerabilities and Exploits Are Mindless

Jofny's comment on my post Unify Against Threats asked the following:

So, Richard, I'm curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats?

If there are people like that, they really need to be fired.

This comment was on my mind when I read the story FBI: US Business and Government are Targets of Cyber Theft in the latest SANS NewsBites:

Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' security instead of on the origins of the attacks.

The editors' comments are the following:

(Pescatore): It really doesn't matter where the attacks come from; businesses have been getting hit by sophisticated, financially motivated, targeted attacks for several years now.
(Ullrich): A very wise remark. It doesn't matter who attacks you. The methods used to attack you and the methods used to defend yourself are the same. We spend too much time worrying about geographic origins. In cyberspace, nation states are a legacy concept.

This is the mindset that worries me, even though the FBI AD agrees. It ignores this fact: Vulnerabilities and exploits are mindless. On the other hand, intelligent adversaries are not. Therefore, if you are doing more than defending yourself against opportunistic, puerile attackers, it pays to know your enemy by learning about security threats (as shown on the book cover to the right).

Once your security program has matured to the point where not any old caveman can compromise you, it pays to put yourself in the adversary's place. Who might want to exploit your organization's data? What data would be targeted? How could you defend it? How could you detect failure? When complaining to the government and/or law enforcement, to whom can you attribute the attack? Knowing the enemy helps prioritize what to defend and how to do it.

About the AD telling businesses not to worry about threat sources: he's just quoting official FBI policy. I wrote about this in More Threat Reduction, Not Just Vulnerability Reduction:

Recently I attended a briefing where a computer crimes agent from the FBI made the following point:

Your job is vulnerability reduction. Our job is threat reduction.

In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats.

Let's briefly address the "In cyberspace, nation states are a legacy concept" comment. We've been hearing this argument for fifteen years or more. Last time I checked, nation states were alive and well and shaping the way cyberspace works. Just this morning I read the following Economist article, Information technology: Clouds and judgment; Computing is about to face a trade-off between sovereignty and efficiency:

The danger is less that the cloud will be a Wild West than that it will be peopled by too many sheriffs scrapping over the rules. Some enforcers are already stirring up trouble, threatening employees of online companies in one jurisdiction to get their employers based in another to fork over incriminating data, for instance. Several governments have passed new laws forcing online firms to retain more data. At some point, cloud providers may find themselves compelled to build data centres in every country where they do business.

Finally, independent actors do not operate intelligence services that target our enterprises; nation states do. I've written about Counterintelligence and the Cyber Threat before. Part of the problem may stem from a distinction Ira Winkler made at RSA 2006, which I noted in my post RSA Conference 2006 Wrap-Up, Part 3:

I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform security functions and those who perform counter-intelligence. The two are not the same. Security focuses on vulnerabilities, while counter-intelligence focuses on threats.

Maybe I spend more time on the counterintelligence problem than others, but I can't see how vulnerability-centric security is a good idea -- except for those who sell "countermeasures."


Naveen said…
Use Cases, I thought, are a pretty standard way to approach problems these days.
It helps immensely to understand the users of the system while solving problems.
Is it done differently in the vulnerability-world?
Anonymous said…
I think it's a mix. Threats, vulns, countermeasures and asset centricity all play a role. Our job as security pros is to figure out where we get the most cost-effective solutions for our customer - the business.

You are right to look at these as separate concerns, each concern yields totally different workstreams, projects and value.

In the past I have argued that Infosec is too focused on Threats and not enough on vulns. People like threats because it is exciting and vulns are boring, but now we see that to just give one example, almost every F500 publishes their entire back end over MQ Series with no access control at all.

I would also add that asset focus is important. If you think about it, assets are the one single advantage you have over most adversaries. They are likely to know far more about threats, vulns and countermeasures than a corporate info sec person does. The one thing that enterprise is likely to know more about is assets. So I like starting with assets before I preordain the next level of centricity.
Anonymous said…
Richard, I think it might help to simplify the argument a bit.

If you're a left-handed soup sandwich, then the focus should be on vulnerabilities because the likelihood that you'll be compromised by an advanced attack is low.

If your vulnerability management, i.e. KNOWN vulnerability management, is mature then it's better to focus on the actors capable of launching unknown attacks. At that point it becomes worth it to ask, "Who wants to hurt me? Who can benefit from stealing my data?" Etc.

But having this conversation when you lack the basics is like scooping water out of a boat that's at the bottom of the ocean.

So, yes, there is something to be said for "fix the vulnerability and stop worrying about where a potential exploit might come from", but this mentality ignores the fact that the most dangerous threats are likely attacking vulnerabilities that you aren't yet aware of. As such it's more effective to think about what they might be after, and about defense-in-depth, than to focus on patching known issues.
Anonymous said…
You hit the nail on the head.


Criminals are increasingly deploying aggressive anti-forensics technology to ensure that prosecution is impossible, according to experts.

Christopher Novak, Principal, Verizon Business, said: “We're increasingly seeing hackers not only attempt to avoid detection, but actually attack forensic investigators.
For example, there are several toolkits out there that actively defeat forensics tools by crashing the system when recognised tools are booted. Anti-forensics techniques are a clear and present danger.”

Overall, anti-forensics techniques such as wiping of data have become a factor in 88 per cent of cases handled by Verizon Business. Additionally, the techniques are becoming more successful, according to Novak, demonstrated by the fact that 63 per cent of businesses are typically taking months rather than days to discover data leaks.

“Investigations are taking longer, due to techniques ranging from simple wiping of data to corrupting, altering or obfuscating log files. We're also seeing increasing interest in and use of encryption and steganography to hide attack tools and secure stolen data from other hackers”, said Novak in his presentation 'Cyber CSI: How Criminals Manipulate Anti-Forensics to Foil the Crime Scene'.

However, Novak was keen to point out that the last year has seen a shift from externalised threats to internal issues due to increased security and awareness. “We often find now that it's a business's partners or third parties that are the source of problems”, he said.
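The Verizon quote above describes attackers "corrupting, altering or obfuscating log files" to slow investigations, and the post itself asks "How could you detect failure?". One defensive control that answers both, shown here as an added example that is not code from the original post or from any commenter, is tamper-evident logging: each line carries an HMAC tag computed over the previous tag and the line, so altering, deleting or reordering an entry breaks the chain, and a separately stored final tag catches truncation. The log lines, field layout and key are constructed for this example; `seal`, `verify` and `demo` are hypothetical names, not a real library's API.

```python
import hashlib
import hmac

# Constructed sample log lines standing in for a host's auth log.
SAMPLE_LOG = [
    "2009-01-08T10:00:01Z sshd: Accepted publickey for alice from 10.0.0.5",
    "2009-01-08T10:02:14Z sshd: Failed password for root from 10.0.0.9",
    "2009-01-08T10:02:20Z sshd: Failed password for root from 10.0.0.9",
    "2009-01-08T10:05:00Z sudo: alice : COMMAND=/bin/cat /etc/shadow",
]

# Constructed demo key. In a real deployment the key (or at least the tags)
# must leave the host, e.g. live with the log collector, or an intruder with
# root can simply re-seal the log after editing it.
KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32  # tag "before" the first line


def seal(lines, key=KEY):
    """Return a list of (line, tag_hex); tag = HMAC(key, prev_tag || line)."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify(sealed, key=KEY, final_tag=None):
    """Return the index of the first entry whose tag does not chain, or -1 if
    the chain is intact. If final_tag (the hex tag of the last line, stored
    off-host) is supplied, a mismatch at the end is reported as index
    len(sealed), which is how truncation of the tail shows up."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if final_tag is not None and not hmac.compare_digest(prev.hex(), final_tag):
        return len(sealed)
    return -1


def demo():
    """Seal the constructed log and check four tampering scenarios."""
    sealed = seal(SAMPLE_LOG)
    final = sealed[-1][1]

    # 1. Attacker rewrites the source address on a failed-login line.
    altered = list(sealed)
    line, tag = altered[1]
    altered[1] = (line.replace("10.0.0.9", "10.0.0.7"), tag)

    # 2. Attacker deletes one line from the middle.
    deleted = sealed[:2] + sealed[3:]

    # 3. Attacker drops the last line (the sudo entry).
    truncated = sealed[:3]

    return {
        "intact": verify(sealed),                           # -1
        "altered": verify(altered),                         # 1
        "deleted": verify(deleted),                         # 2
        "truncated_no_final_tag": verify(truncated),        # -1, undetected
        "truncated_with_final_tag": verify(truncated, final_tag=final),  # 3
    }


if __name__ == "__main__":
    for name, first_bad in demo().items():
        status = "intact" if first_bad == -1 else f"broken at entry {first_bad}"
        print(f"{name:26s} {status}")
```

The `truncated_no_final_tag` result is the caveat worth noticing: a pure hash chain proves nothing about lines removed from the end, which is exactly what a "wipe the last hour" attack does. Shipping the latest tag (or the whole sealed stream) to a collector the host cannot write to is what turns the chain into a detection, and it is the detection, not the chain, that shortens the months-to-discover figure quoted above.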
z said…
I read the previous post a little differently. Seems like focusing on threats rather than vulnerabilities also relates to implementing general countermeasures (rather than specific). It seems to me that technology and its implementations are in constant flux, but basic security principles don't change so much. Businesspeople have to evaluate many different risks and have many different priorities. I read your previous post as a problem relating technology details - or specific vulnerabilities - to the wider concerns of the business. So instead of relating technical concerns, you should frame issues in more general terms that decision-makers can understand. Meaning they can relate to the threat of a natural disaster rather than, say, the details of MS08-067 on their network. Hope I didn't misunderstand there, I just got a few different things out of your posts.

I think you've written before that people like to focus on specific technologies, or specific vulnerabilities. Maybe because they can be easily measured and controlled, or tailored to an "elevator speech", or maybe security is still a maturing field. Maybe it has more to do with selling a service or product, or delivering an easily-communicated result. My "takeaway" has been that such thinking takes away from a good security posture. I'm also getting the idea that security is the concern of the whole business, and touches all areas.

- Francois
Marco said…
I completely agree with this approach to manage the security, but don't you think that standards like PCI-DSS just focus on the opposite? They are almost based on vulnerability scans and procedures for continuous monitoring (based on known signatures, exploits, etc). What is your thought about this subject?

Thanks in advance!
H. Carvey said…
A couple of things...

Once your security program has matured to the point...

IMHO, this is key. As a consultant, many of the organizations I deal with are in crisis-mode when we first meet, for the very reason that their security program hasn't matured, or as is often the case, they simply don't have one to speak of.

Djb referenced Chris Novak's comment (above), with respect to, "...demonstrated by the fact that 63 per cent of businesses are typically taking months rather than days to discover data leaks."

How does this happen? A solid infosec program, including a CSIRP and response team, does not generate revenue nor add to the bottom line in a demonstrable manner, and therefore is not a priority. That program needs to start with a solid assessment of where data rests, its state at rest as well as in transit, and a reduction of the overall attack surface.
Unknown said…
I'm wondering if a graph would be useful to illustrate this topic.
vertical scale: maturity of security stance
horizontal scale: interest in threats

As an organization's security maturity increases, they can become more interested in threats over chasing the vulnerabilities.

vertical scale: position in organization
horizontal scale: interest in threats

As one's position in an organization moves up the ladder, they likely become more interested in the strategic concerns, such as threats.

Of course, I wouldn't consider this very universal. I'm sure there are very high leaders in an organization who simply never will worry specifically about cybersecurity threats. And if it doesn't happen up top, then I bet it doesn't have much power lower in the org. Admins and middle managers may take threats into account when designing systems and processes, but other than taking a defensive approach, wouldn't be able to do much else in regards to threats; certainly nothing offensive.

I think you have great points, but I think as others mentioned above, it is a blend of thinking about vulns and threats that results in a solid security stance.

Lastly, I think reacting to and tracking vulns gives more feedback than focusing on threats. If I have a list of vulns to address, I can mark them off as done or tracked. But if I protect my organization from threat type A, will I ever know that I was successful? It seems like a much more intangible measure. Kinda like a police department comparing # of criminal arrests to # of prevented crimes. This might be why, ultimately, law enforcement is very reactive; it doesn't try to prevent [all] crime so much as deter it and catch those who do it.
