Unearthing the ‘Attackability’ of Vulnerabilities that Attract Hackers
Vulnerability management is largely about patch management: finding, triaging and patching the most critical vulnerabilities in your environment. Each aspect of this process presents its own problems.
In 2020, more than 17,000 vulnerabilities were reported to NIST, and more than 4,000 of these were high priority. Knowing which of these affect you, where they are located in your environment, and which should be tackled first is a challenge.
Randori, a startup that develops an automated red team attack platform, has announced Target Temptation designed to link assets and vulnerabilities. This demonstrates where attackers are likely to strike, and pinpoints the vulnerabilities that should be given the highest priority.
“Target Temptation is designed to expose the ‘attackability’ of the assets. A company’s attack surface can be large – often thousands of targets. It’s hard for businesses to understand and prioritize where they really need to focus, ,” says Randori’s founder and CEO, Brian Hazzard. “[It is] designed to expose the attackers’ perspective of the attack surface, so that the defenders can get a sense of where the attacker is most likely to strike.”
David (Moose) Wolpoff, co-founder and CTO at Randori, explains further in a blog post: “The only way to do that is to adopt the attacker’s perspective. With this perspective, teams can more effectively manage the vulnerabilities on the attack surface by deprioritizing ‘high-severity’ vulnerabilities that are of little adversarial value and prioritizing those that are likely to be weaponized. Hackers are looking for the path of least resistance, making them fairly predictable when you have a good amount of information about your attack surface from their perspective.”
In short, Target Temptation looks at vulnerabilities from the attackers’ viewpoint rather than simply the severity of the vulnerability. Many vulnerabilities may be rated highly critical, but do not necessarily present a serious threat because they do not offer the attacker a route to the assets in a particular environment. Target Temptation links the severity of a possible outcome with the existence of actionable vulnerabilities to highlight what should be handled first.
Wolpoff explains how it works. The first part is to rate the potential target. “The model has two primary pieces,” he said: “there’s the properties of the software itself, and then there’s the situation, or context of the target. So, the former, the software itself, is going to include software vulnerabilities or known issues as one piece, but will also consider other factors such as the function of the software. For example, VPNs have a critical function, crossing security boundaries –and become of higher interest.
“These and other factors allow us to build a contiguent score for the software – that is, the likelihood of attacker interest.” This allows Target Temptation to understand potential targets even before a relevant vulnerability is found – and to raise a flag to the defenders.
Where this approach to vulnerability management differs from many others is in highlighting only relevant vulnerabilities rather than simply listing all vulnerabilities. “We know empirically,” continued Wolpoff, “that the vast majority of vulnerabilities don’t ultimately get exploited. And this is one of the issues with the vulnerability management space that makes it hard for folks to prioritize.”
Target Temptation weeds out those vulnerabilities that don’t matter. For example, it can differentiate between vulnerabilities used by a specific open source library and those vulnerabilities in a part of the library that is not used (see: Library Dependencies and the Open Source Supply Chain Nightmare). It will highlight those vulnerabilities that can provide a path to valued assets and ignore the rest.
Rather than just looking at vulnerabilities as an issue in themselves, Target Temptation seeks to highlight what will attract the attackers and why. “Our customers can use our product to overlay their knowledge of what matters to the business,” continued Wolpoff, “so, they can provide impact data; and they combine those two pieces in order to prioritize vulnerability management. Where high priority assets have a set of issues, we can point out mechanisms to remediate the issues. Where there may not be an existing issue but there is an asset that presents high risk, we can provide our customers with more categorical guidance about how to provide defensive strategies around those types of assets.”
Target Temptation is available now as part of the Randori Attack Platform, and is free of charge to existing customers.
“Complexity is the attacker’s friend and the defender’s foe,” summarizes Hazzard. “For every 1000 exposed assets, there is often one truly interesting to an attacker. “Traditional attack surface management (ASM) and vulnerability management solutions surface thousands of issues, adding complexity to an already massive problem. CISOs don’t need more noise, they need clarity. With Target Temptation, Randori is providing defenders with the attacker’s perspective, giving the evidence needed to clearly understand their real-world risk.”