Vulnerability Management Needs an Upgrade — Hackers Have the Answer

David Wolpoff (moose)
5 min read · Jan 7, 2021
Duck or rabbit illusion? “Kaninchen und Ente” (“Rabbit and Duck”) from the 23 October 1892 issue of Fliegende Blätter

The cloud has changed everything. Companies may have roughly the same number of devices they had before, but defending them has become a different mental game altogether. It used to be that, whatever went wrong, you could always pull the fiber out of the wall and your whole environment would be off the internet; that is no longer true once it lives in the cloud. Variable location has added complexity and made boundaries less clear. The shift to remote operations has made the need to isolate faulty assets that much more pressing, because anything could be connected to the internet and therefore could be a way into the entire company. The bottom line is: you no longer get to know what makes up your business. You can only be resilient in the face of unknowns, and if you can’t do that, you can’t survive.

This is why “find-and-fix” is out the window in the era of the cloud. In fact it has been out for a very long time, but we are only addressing it now. Defenders need to transition from traditional change management to continuous integration and delivery. They need to treat systemic problems instead of just solving individual problems as they come up. The cloud is confusing and things change fast, faster than humans can keep pace with. Traditional tactics can’t keep up, so teams need to rethink which problems get prioritized and automate wherever possible.

More assets in the cloud means more vulnerabilities in the cloud. In 2019, more than 22,000 new vulnerabilities were discovered. Of those, roughly a third were rated high or critical on CVSS. Using “severity” as the way to prioritize your vulnerability management program isn’t useful anymore; there is simply too much noise to be productive. Sure, more “severe” vulnerabilities may be more likely to be exploited, but severity is just one of many attributes a hacker uses to decide whether a bug is worth the time to exploit. (For more on the attributes hackers use to determine what to weaponize, check out this blog.)

The new era of security will require teams to transition away from individual vulnerability management altogether in favor of systemic attack surface management. As a defender, you need to consider the likelihood of an asset being weaponized or you won’t be able to build an effective vulnerability management program. The only way to do that is to adopt the attacker’s perspective. With this perspective, teams can more effectively manage the vulnerabilities on the attack surface by deprioritizing “high-severity” vulnerabilities that are of little adversarial value and prioritizing those that are likely to be weaponized. Hackers are looking for the path of least resistance, making them fairly predictable when you have a good amount of information about your attack surface from their perspective.

By taking on the attacker’s perspective, the defender will also end up treating root causes rather than just the symptoms. You’ll find systemic problems that need to be addressed, and by fixing those you’ll reduce your risk and become more resilient. As an example, you might find that attackers are more likely to take advantage of poor segmentation and move laterally, which is a reason to tighten segmentation (more DMZs around your most important assets) rather than patching a pile of vulns that are of no worth to an attacker.

Attackers calculate their path of attack using much more than how easy it would be to exploit a vulnerability. They take into account how easily they can discover what sits behind the buggy asset and how valuable that is likely to be. They assess whether they’ll be able to reuse the exploit, or pass it on, and how effective the exploit will actually be. They need to know how much time it’s going to take and how likely they are to get caught. If you know hackers are doing these calculations, you as the defender can tip the scales in your favor by predicting which bugs they will look at first.

Chances are, if your job is to defend a company, you have thousands of assets which are hopelessly interlinked. You cannot hope to create an effective perimeter if you are focusing on only one at a time, regardless of severity. Your play is to think about your attack surface in terms of categories of assets and make systemic changes to your process rather than individual ones to your assets. In essence, this means that if you find an asset which could be compromised, you must analyze what failure in process created the problem and address that systemic issue rather than the individual bug. One of your greatest tactics in this battle will be the ability to reasonably predict where an attacker is going to look and heading them off at the pass.
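To make the two ideas above concrete (ranking findings by the attacker’s calculation rather than by CVSS alone, and then rolling those findings up by the process failure behind them), here is a small added example. It is illustrative code written for this page, not the author’s or Randori’s model: the attributes follow the factors the post lists (reachability, ease of exploitation, what sits behind the asset, lateral movement, chance of getting caught), but the weights, the scoring formula, the root-cause labels and the five-asset inventory are all assumptions constructed for the demo.

```python
"""Attacker-perspective prioritization vs. CVSS-only prioritization.

Added illustrative example, not the post's own code. The factors mirror the
ones the post names; the weights, formula and sample inventory are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float              # vendor severity score, 0-10
    exposed: bool            # reachable from the internet (assumed attribute)
    exploit_public: bool     # a working, reusable exploit is available
    post_exploit_value: int  # 1-5: what the attacker gets behind the asset
    segmented: bool          # True if the host cannot be used to move laterally
    monitored: bool          # True if exploitation is likely to be detected
    root_cause: str          # process failure that produced the finding (assumed label)


# Assumed weights; the four factors are weighted equally for simplicity.
WEIGHT_EASE = WEIGHT_VALUE = WEIGHT_LATERAL = WEIGHT_STEALTH = 0.25
INTERNAL_REACH_PENALTY = 0.2   # an internal-only host is a poor first foothold
MONITORED_STEALTH = 0.3        # a watched host is a riskier place to make noise


def temptation(f: Finding) -> float:
    """Score in [0, 1]: how attractive this finding is as an attacker's next step."""
    reach = 1.0 if f.exposed else INTERNAL_REACH_PENALTY
    # A public exploit makes the bug trivially reusable; otherwise fall back to
    # a discounted CVSS so that severity still matters, but only a little.
    ease = 1.0 if f.exploit_public else (f.cvss / 10.0) * 0.5
    value = f.post_exploit_value / 5.0
    lateral = 0.0 if f.segmented else 1.0
    stealth = MONITORED_STEALTH if f.monitored else 1.0
    weighted = (WEIGHT_EASE * ease + WEIGHT_VALUE * value
                + WEIGHT_LATERAL * lateral + WEIGHT_STEALTH * stealth)
    return reach * weighted


def rank_by_cvss(findings):
    """Traditional ordering: highest vendor severity first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_temptation(findings):
    """Attacker-perspective ordering: most tempting foothold first."""
    return [f.asset for f in sorted(findings, key=temptation, reverse=True)]


def systemic_priorities(findings):
    """Roll the per-asset scores up by root cause, so the process failure that
    creates the most attacker value is fixed first, rather than one asset at a time."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.root_cause] += temptation(f)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample inventory (not real assets or real findings).
SAMPLE = [
    Finding("db-backup-01", 9.8, False, False, 3, True, True, "unpatched internal host"),
    Finding("vpn-gw", 7.5, True, True, 5, False, False, "unmanaged exposure"),
    Finding("marketing-wp", 6.1, True, True, 2, False, False, "unmanaged exposure"),
    Finding("jenkins-ci", 8.8, True, False, 5, False, False, "missing segmentation"),
    Finding("hr-laptop", 9.1, False, True, 2, True, True, "unpatched internal host"),
]

if __name__ == "__main__":
    print("by CVSS:      ", rank_by_cvss(SAMPLE))
    print("by temptation:", rank_by_temptation(SAMPLE))
    for cause, total in systemic_priorities(SAMPLE):
        print(f"{cause:25s} {total:.2f}")
```

With this inventory the CVSS ordering puts the two isolated, monitored internal hosts at the top, while the attacker-perspective ordering puts the exposed VPN gateway with a public exploit first and the 9.8 on the segmented backup server last. Rolling the scores up by root cause then says the process failure to fix is unmanaged internet exposure, not patching any single box. The weights are deliberately crude; the point is the shape of the calculation, not the numbers.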

What’s more, ownership of assets has become hopelessly murky in the cloud era. They can be labeled with one owner and actually exist on another company’s network. They can even be contractually shifted around from company to company. This introduces so much complexity, that no human can truly ever know which assets are touching the internet, which are purely accessible from inside their organization, or even whether they control the asset at all. Every time you add complexity, you add bugs: vulnerabilities and misconfigurations. You can never track them all down and fix them before they get on the radar of an attacker — it simply isn’t possible. But what you can do is rank your priorities by true likelihood of attack, and address systemic problems from the top down rather than one asset at a time.

The architect who built the Death Star managed to close up all the holes in its defenses except for one. But one was all the attackers needed. Had the Empire had an Attack Surface Management system in place, it would likely have saved them a lot of trouble, as the vulnerability in question would have scored high in every category of the risk temptation model. Defenders need to look at their attack surface from an attacker’s perspective. Attackers weigh far more factors than severity alone, so defending by severity alone will get you nowhere most of the time. Only when you zoom out and think comprehensively about your whole attack surface can you compensate for the new layers of complexity the cloud transformation era has introduced.

David Wolpoff (moose)

temporarily unemployed. previously co-founder @randori. once upon a time a red-teamer.