Adversary-Based Risk Analysis
Most risk analysis is done by assessing potential impact and ease of an attack. This kind of risk analysis that’s done in the absence of an adversary is naive and leads to bad priorities. In this post, I’ll describe how to accurately analyze the risk of vulnerabilities, weaknesses, and potential attacks while keeping real adversaries in mind, resulting in more sound and defensible priorities.
Scalability and Repeatability
Adversaries are more likely to use techniques that are easily scalable and repeatable. Adversaries are more likely discover vulnerabilities using publicly available tools. Adversaries are more likely to exploit vulnerabilities in ubiquitous targets. Adversaries are more likely to use generic malware and C2 channels. Adversaries are more likely to do these things, because they are scalable and repeatable.
Of the typical common tactics we talk about in security, some of them are easily scalable and repeatable and others are too costly. The costly ones rarely happen in the wild, yet we still typically put the same resources around preventing and detecting them in our security programs.
Consider the following example of two common vulnerabilities. The first one is an authenticated SQL injection vulnerability in a custom web application. The second one is a memory corruption vulnerability in a ubiquitous document editor.
Sophisticated adversaries have the capabilities to discover and exploit both of these types of vulnerabilities, but the scalability of these vulnerabilities make the first one extremely undesirable. The first vulnerability, although cheaper to discover and exploit, can only be used once and has a short shelf-life. The second vulnerability, which can even be discovered by third-party, can be used multiple times, and has a much longer shelf-life.
Once you factor in the economics of a vulnerability or technique, the impact rarely makes a difference in its risk. In most cases, issues should be scored on likelihood alone.
Risk is not impact times likelihood, but rather a more complex equation of how valuable a vulnerability or technique is to an adversary. Here are some questions you can ask to get a better idea of how likely an adversary is to develop and use a capability.
- Is the target ubiquitous? (the more potential targets a vulnerability or technique has, the more valuable it is)
- Is the vulnerability or technique repeatable? (the more reusable a vulnerability or technique is, the more valuable it is)
- Does the vulnerability or technique allow for arbitrary capabilities? (the more operational uses a vulnerability or technique has, the more valuable it is)
- Is a usable exploit publicly available? (there’s no cost to the adversary to pick up an exploit and point)
Using this new process of evaluating of risk, you can prioritize controls and patches in your security program accurately.
This article is part 3 in my series on building security programs with adversary intelligence. Part 1 is Adversary Axioms and part 2 is Adversary-Based Threat Modeling.