Horizon3.ai - Automated Pen Testing as a Service

Vulnerable ≠ Exploitable

The Typical Approach - Points to Ponder

Pen testers, vulnerability scanners, and installed agents alert on potential vulnerabilities and breaches. You receive a list, or a notification, and you respond. Ever wonder how much of your time and effort is being wasted fixing things that don’t actually matter?

You may be surprised to hear that a large majority of all vulnerabilities are unexploitable. According to data compiled by Kenna, in 2020, only 2.7% of the vulnerabilities found appeared to be exploitable and only 0.4% of those vulnerabilities were actually observed to be exploited at all.1

The 2020 Data Breach Investigations Report (DBIR) published by Verizon states, “Vulnerabilities occupy a huge amount of mind-share in information security... There are lots of vulnerabilities discovered, and lots of vulnerabilities found by organizations scanning and patching, but a relatively small percentage of them are used in breaches... Although exploiting vulnerabilities is in second place in breach Hacking varieties, it has not played a major role within incidents found in the DBIR over the last five years. In fact, it reached its peak at just over 5% as a Hacking variety in 2017. In our security information and event management (SIEM) dataset, most organizations had 2.5% or less of alerts involving exploitation of a vulnerability."2

The traditional approaches of using agent-based vulnerability scanners and simplistic port-scans produce far too much noise, divert attention from the truly exploitable issues that represent provable risk to your business, and ignore how attackers really think and act. It’s not that the issues these tools identify don’t exist; it simply comes down to prioritizing the issues that require your attention over those which present negligible risk.

“There’s just too much noise to contend with. Security analysts, for example, may see a thousand incidents in a given day, but only have the time and resources to investigate a fraction of them. This is why hackers were able to exfiltrate over 40 million credit-card numbers from Target, despite the fact that a peripheral network device had detected the malware. It’s also the reason why Neiman Marcus was hacked after its system generated over 60-days’ worth of malware alerts. And this is why Sony was hacked after its IT team knew the company had been under attack for two years.”3

The prioritization of these low-risk or no-risk vulnerabilities alongside, or even above, the truly exploitable and impactful vulnerabilities can actually cause an organization’s security posture to suffer. It takes significant time and coordination to find the asset owners, bring them up to speed on the issue, prepare downtime for the asset, remediate the issue, and then confirm that remediation. Meanwhile, more critical vulnerabilities are waiting in line for their turn to be remediated. If you can’t properly prioritize, you will never secure your network.

So how do you know if it is critical to fix what you find?

Criticality is a Function of Exploitability and Impact

The hardest part of cyber security is deciding what not to do because of limited time and resources. Spending valuable and scarce time and effort on remediating weaknesses that are not exploitable or do not represent a substantial business impact is itself a risk. At the very least, you should be able to trust that the findings from your security tools and services will appropriately guide your remediation and staffing decisions.

[Figure: Vulnerable ≠ Exploitable]

Criticality begins with the exploitability of a weakness. There are many reasons why a finding reported as critical by a vulnerability scanner, or by some pentesters, may not be exploitable at all or would be very difficult to exploit, and hence poses little or no real risk:

  1. No exploit exists – There is no existing exploit available for the vulnerability.
  2. High complexity – Several complex and/or impractical conditions must be met for the vulnerability to be exploited by an attacker.
  3. Component not in use – The suspected software doesn’t necessarily run in a vulnerable configuration.
  4. Outdated ≠ exploitable – In the absence of a specific vulnerability, software being merely outdated/obsolete does not pose a critical risk.
  5. Not accessible – The vulnerability exists in a part of the software that isn’t accessible from the attacker’s perspective.
  6. Network context – The context of where the vulnerable asset is in the network makes the risk informational rather than critical.
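The six conditions above can be written down as an explicit triage gate: a finding is only treated as critical when it passes every exploitability check and also carries real business impact. The Python below is an added example written for this page, not Horizon3.ai or NodeZero code; the Finding fields, the tiering rule in criticality(), and the sample findings F-001 to F-007 (all rated "critical" by a hypothetical scanner) are constructed assumptions used to show how the gate reorders a scanner's list.

```python
"""Triage helper encoding "criticality is a function of exploitability and impact".

Added example, not Horizon3.ai code. Field names, tier thresholds and the sample
findings are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Exposure(Enum):
    INTERNET = "internet"   # reachable from outside the organisation
    INTERNAL = "internal"   # reachable only from the corporate network
    ISOLATED = "isolated"   # segmented; no route from attacker-reachable networks


@dataclass
class Finding:
    finding_id: str
    scanner_severity: str     # what the scanner/report said: "critical", "high", ...
    exploit_available: bool   # reason 1: does a working exploit exist?
    complexity: str           # reason 2: "low", or "high" (impractical preconditions)
    component_in_use: bool    # reason 3: is the vulnerable code path actually enabled?
    specific_vuln: bool       # reason 4: a concrete vulnerability, not merely "outdated"
    reachable: bool           # reason 5: can an attacker reach the vulnerable surface?
    exposure: Exposure        # reason 6: where the asset sits in the network
    impact: int               # business impact of compromise, 1 (low) .. 5 (crown jewels)


def is_exploitable(f: Finding) -> tuple[bool, str]:
    """Apply the six gating checks in order; return (verdict, reason for the verdict)."""
    if not f.specific_vuln:
        return False, "outdated software without a specific vulnerability"
    if not f.exploit_available:
        return False, "no known exploit"
    if not f.component_in_use:
        return False, "vulnerable component not in use"
    if not f.reachable:
        return False, "vulnerable code path not reachable by an attacker"
    if f.complexity == "high":
        return False, "exploitation requires impractical preconditions"
    if f.exposure is Exposure.ISOLATED:
        return False, "asset is isolated; informational only"
    return True, "exploitable"


def criticality(f: Finding) -> str:
    """Map exploitability plus impact to a remediation tier (constructed thresholds)."""
    exploitable, _ = is_exploitable(f)
    if not exploitable:
        return "informational"
    # Internet-facing assets get a bump because the pool of potential attackers is larger.
    score = f.impact + (1 if f.exposure is Exposure.INTERNET else 0)
    if score >= 5:
        return "critical"
    if score >= 3:
        return "high"
    return "medium"


def triage(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Return (id, tier, reason) rows, ordered so what to fix first comes first."""
    order = {"critical": 0, "high": 1, "medium": 2, "informational": 3}
    rows = [(f.finding_id, criticality(f), is_exploitable(f)[1]) for f in findings]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


def scanner_vs_triage(findings: list[Finding]) -> tuple[int, int]:
    """Count findings the scanner called critical vs. those still critical after triage."""
    scanner = sum(1 for f in findings if f.scanner_severity == "critical")
    real = sum(1 for f in findings if criticality(f) == "critical")
    return scanner, real


# Constructed sample: every finding was rated "critical" by the hypothetical scanner,
# but only one survives all six checks with high impact.
SAMPLE = [
    Finding("F-001", "critical", True, "low", True, True, True, Exposure.INTERNET, 5),
    Finding("F-002", "critical", False, "low", True, True, True, Exposure.INTERNET, 5),
    Finding("F-003", "critical", True, "high", True, True, True, Exposure.INTERNAL, 4),
    Finding("F-004", "critical", True, "low", False, True, True, Exposure.INTERNAL, 4),
    Finding("F-005", "critical", True, "low", True, False, True, Exposure.INTERNAL, 3),
    Finding("F-006", "critical", True, "low", True, True, True, Exposure.ISOLATED, 5),
    Finding("F-007", "critical", True, "low", True, True, True, Exposure.INTERNAL, 2),
]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print("scanner critical vs. actually critical:", scanner_vs_triage(SAMPLE))
```

The order of the checks matters in practice: the cheapest questions (is this a specific vulnerability, does an exploit exist) are asked before the ones that need asset-owner input (is the component enabled, where does the asset sit), so most of the scanner's list is dismissed before anyone has to be found and briefed.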

Customer Profile

The customer had outsourced their IT to a managed security service provider (MSSP). The MSSP was conducting annual pentests and vulnerability scans and using these results to drive remediation of the customer’s network environment. When Horizon3.ai was engaged by the customer, the MSSP had just completed its annual pentest. Horizon3.ai used NodeZero to assess the organization’s network, with the following comparative results:

[Figure: Side by Side comparison of the MSSP report and the NodeZero report]

Fixing 79% of the critical issues highlighted in the MSSP’s report would have been an inefficient use of time and effort. These so-called “critical issues” either had no exploits, were assumed to be present because of poor enumeration, or required exploitation conditions that were extremely unlikely. Overall, the comparison between the MSSP’s report and the NodeZero report shows that NodeZero provides broader coverage, proves exploitability, connects weaknesses to their relevant impact, and gives the defensive team the data they need to fix what matters.

A Future of Continuous Security Assessment

Over the last decade, more and more CVEs and vulnerabilities have been found and reported, making it very hard to keep pace; the volume is snowballing and creating fatigue. With an annual manual pentest, large gaps open up in your security posture between cycles as new critical vulnerabilities are disclosed, systems change with new software, patches and hardware, and personnel turn over.

[Figure: Target End State - Proactive Security]

There is a need for a proactive security posture that includes continuous assessment, so you can catch up, keep up and even stay ahead.

Catch Up:

  • Accept that attackers know more about your environment than you do.
  • Vulnerable ≠ exploitable – criticality is a function of exploitability and potential business impact.
  • Assess your enterprise, determine criticality of findings and fix the problems that matter.

Keep Up:

  • Verify and improve your security controls - tools, processes, policies and training.
  • Continuously find + fix + verify what’s exploitable.
  • Adopt a Purple Team Culture, where Red teams and Blue teams work together to improve security posture.

Stay Ahead of the Adversary:

  • Look at your environment through the eyes of the attacker.
  • Proactively identify and fix threat vectors before the bad guys can exploit them.
  • Continuously assess your security posture, verify remediation and report results.

References
1 https://www.kennaresearch.com/a-decade-of-insights/
2 https://enterprise.verizon.com/resources/reports/dbir
3 https://hbr.org/2015/03/see-your-company-through-the-eyes-of-a-hacker