Vulnerabilities and Start with WHY

For example, Apple is a great company not because the iPhone or iPad is superb — trust me, most of the features these devices have were invented years ago — but because their WHY is to challenge the status quo. “Think Different” is the slogan that expresses Apple’s mission, and stating that mission explicitly in every medium is what made Apple popular, because people could trust them.

That brings a statement to mind: know your enemy and yourself, and you will never be defeated (知彼知己百戰不殆). It is one of the most popular strategies in the history of warfare. I would add that knowing your enemy and yourself includes knowing the enemy’s WHY and your own. Even in war, each party’s justification matters a great deal. Without justification, the war is lost; the justification of a war is what bonds the soldiers fighting it. This is the same concept as Start With WHY: the right reasons for action unite people and create a community.

Then, let’s apply this concept to Cybersecurity.

Threat intelligence tells us that different attackers are motivated by different reasons: money, fame, activism, and so on. However, as a former penetration tester, I can say that these are secondary reasons. It is like saying, “Now that I have a million dollars, I will buy a Lamborghini.” Money, fame and activism are the attacker’s “Lamborghini”. The million dollars the attacker already holds, the true WHY, is not one of them.

You have probably heard the terms “root” and “Domain Admins”. They represent the highest privileges on a Linux system and in Active Directory, respectively. One action every attacker takes when attacking a network is dumping password hashes. Why? Because hashes are the currency of the attacker’s world: they represent privileges, and the higher the privilege, the more an attacker can do. Privilege is an attacker’s WHY. Attackers want higher privileges in every situation.

The same principle of the attacker’s WHY explains vulnerability exploitation. From the attacker’s point of view, exploiting a vulnerability is not cost-effective. Most of the time it is like a thief breaking a window: it leaves evidence. The most cost-effective operation is password hash extraction. That is like stealing the key to the front door, which usually leaves no evidence.

Therefore, an attacker exploits a vulnerability if and only if it yields a privilege gain (one exception is DDoS). Think of it as a decision tree, the economics of cyber attacks, or the expected value of exploiting a vulnerability. If we can somehow calculate the privilege an attacker gains by exploiting a vulnerability, we can rate and prioritize that vulnerability.

I am surprised that vulnerability management often ignores this concept. Most organizations suffer from having too many vulnerabilities to deal with: millions of findings in every scan. That list then has to be prioritized somehow, and many people have tried techniques such as machine learning to do it.

I am a big fan of AI and ML, but I know their limitations. These machine learning algorithms are good at identifying correlations, not cause-effect relationships. With the technology we have today, causality is mostly represented in loss functions: if an agent did this, there was a high chance of a higher score, and the loss function in the backend encodes that. Proper cause-effect analysis, however, requires far more complex statistical calculations. In other words, people rely on expert knowledge to understand cause-effect relationships because it is virtually impossible to calculate causality.

Therefore, if we want to manage the vulnerabilities attackers care about, we need the attacker’s WHY to understand cause and effect. That WHY can be learned by asking penetration testers (see my first article for more details). This is why cyber security has to be evaluated holistically: without one side, there is no way to analyze the other correctly. And trust me, attackers care about 1% or less of the vulnerabilities that vulnerability scans find. They do not care about the rest because those do not have a high expected value.

We all want to reduce the cost of vulnerability management. Scans are expensive, vulnerability prioritization is expensive, and everything else is expensive. One effective way to cut that cost is to use what we know about the environment to come up with the best way to manage it. Knowing the environment, and knowing the privilege layout, is knowing the enemy and yourself.

Here are some questions that you should think about:

These are questions you cannot fully answer without an enterprise-grade, complex solution in which all of these data points are integrated and enriched. Such a solution should be able to 1) map assets to the organization’s critical business functions by leveraging event data, 2) show the complex privilege layout as a many-to-many relationship, and 3) factor time into the analysis. The benefit is that your organization’s threat surface becomes completely baselined: you can then tell which vulnerability on which machine can impact which privileged user, and therefore which business processes are potentially affected.

That prioritization is what we need in vulnerability management. By understanding an attacker’s WHY, the attacker’s preference for certain vulnerabilities can inform our remediation, and threat intelligence can refine it even further. This analysis can revolutionize blue team operations by reducing the list of priority vulnerabilities to the ones attackers actually care about.
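As an added illustration of the expected-value and privilege-layout idea argued above (example code written for this page, not from the original post or any product), here is a toy Python model: a constructed inventory of hosts, logon sessions and local-admin rights, with hosts weighted by business criticality, where each finding is scored as exploit probability times the business value reachable from the privileges the exploit yields. All host names, account names, weights and probabilities are constructed.

```python
# Constructed inventory (hypothetical names): host -> users with a logon session there.
SESSIONS = {
    "web01": {"svc_web"},
    "file01": {"alice", "svc_backup"},
    "jump01": {"alice", "da_admin"},
    "hr01": {"hr_user"},
    "dc01": {"da_admin"},
}
# Constructed privilege layout (many-to-many): user -> hosts where that user is a local admin.
ADMIN_ON = {
    "svc_web": {"web01"},
    "svc_backup": {"file01", "hr01", "jump01"},
    "alice": {"file01"},
    "hr_user": set(),
    "da_admin": {"web01", "file01", "jump01", "hr01", "dc01"},
}
# Constructed business-criticality weights per host (dc01 underpins every business function).
BUSINESS_VALUE = {"dc01": 10.0, "hr01": 6.0, "file01": 4.0, "jump01": 3.0, "web01": 2.0}

def hosts_owned(start_user):
    """Hosts an attacker holding start_user's privileges ends up controlling: admin on a host
    exposes the hashes of every session there, so control spreads to wherever those users are admin."""
    owned, frontier = set(), list(ADMIN_ON.get(start_user, ()))
    while frontier:
        host = frontier.pop()
        if host in owned:
            continue
        owned.add(host)
        for user in SESSIONS.get(host, ()):
            frontier.extend(ADMIN_ON.get(user, ()))
    return owned

def privilege_gain(start_user):
    """Business value reachable from start_user's privileges; 0.0 when the user is admin nowhere."""
    return sum(BUSINESS_VALUE.get(h, 0.0) for h in hosts_owned(start_user))

def prioritize(findings):
    """findings: iterable of (finding_id, account the vulnerable service runs as, P(exploit succeeds)).
    Score = expected privilege gain; findings that yield no privilege sink to the bottom, whatever their CVSS."""
    scored = [(fid, round(prob * privilege_gain(user), 2)) for fid, user, prob in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # Constructed scan output: the hr01 finding is the easiest to exploit but gains no privilege.
    sample = [("web01-rce", "svc_web", 0.9), ("file01-backup-agent", "svc_backup", 0.5),
              ("hr01-local-app", "hr_user", 0.95)]
    for fid, score in prioritize(sample):
        print(f"{fid:22s} expected privilege gain = {score}")
```

The backup-agent finding ranks first because its service account is admin on jump01, where a Domain Admin has a session, so the credential-reuse closure reaches the domain controller; the near-certain hr01 exploit scores zero because its account is admin nowhere.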
