Threats, vulnerabilities, exploits and their relationship to risk | F5 Laboratories (2023)

If you read a lot about cyberattacks or data breaches, you've certainly come across the terms.vulnerabilities,threats, youexplode. Unfortunately, these terms are often left undefined, misused, or worse, interchanged. This is a problem, because misunderstanding these terms (and some other important ones) can lead organizations to make incorrect security assumptions, focus on incorrect or irrelevant security issues, deploysecurity controls, taking unnecessary actions (or failing to take necessary actions) and leaving them unprotected or with a false sense of security.

It is important for security professionals to understand these terms explicitly and their relationship to risk. After all, the goal of information security is not just to “protect things” indiscriminately. The high-level objective is to help the organization make informed decisions aboutRisk managementto information, yes, but also to the business, its operations and assets. It makes no sense to protect "things" if, in the end, the organization cannot sustain its operations because it failed to successfully manage risk.

What's the risk?

In the context of cybersecurity, risk is often expressed as an "equation": Threats x Vulnerabilities = Risk, as if vulnerabilities were something you couldmultiplyby threats to achieve the risk. This is a misleading and incomplete representation, as we will see shortly. To explain risk, we will define its basic components and draw some analogies with the well-known children's tale ofThe three Little Pigs.1

Wait! Don't decide to give up just because you think a children's story is too juvenile to explain the complexities of information security. In the world of Infosec, where perfect analogies are hard to come by,The three Little Pigsprovides some very useful. Remember that the hungry big bad wolf threatens to eat the three little pigs by pulling down their houses, the first built of straw, the third built of bricks. (We'll ignore the second pig with his house built out of sticks, since he's pretty much in the same boat as the first pig.)

Definition of risk components

A discussion of vulnerabilities, threats, and exploits raises many questions, one of which is the following:What is being threatened?So let's start by defining assets.

Asset

An asset is anything of value to an organization. This includes not just systems, software and data, but also people, infrastructure, facilities, equipment, intellectual property, technologies and much more. At Infosec, the focus is on information systems and the data that is traded, shared and stored. In the children's story, the houses are the property of the pigs (and possibly the pigs themselves are property, as the wolf threatens to eat them).

Inventorying and assessing the value of each asset is a critical first step in risk management. This can be a monumental undertaking for many organizations, especially large ones. But it's critical to accurately assess risk (how do you know what's at risk if you don't know what you have?) and then determine what type and level of protection each asset provides.

Vulnerability

A vulnerability is any weakness (known or unknown) in a system, process, or other entity that could cause its security to be compromised by a threat. In the children's story, the first pig's straw house is inherently vulnerable to the wolf's powerful breath, while the third pig's brick house is not.

In information security, vulnerabilities can exist almost anywhere, from hardware devices and infrastructure to operating systems, firmware, applications, modules, drivers andapplication programming interfaces. Tens of thousands of software bugs are discovered every year. Details about this are posted on sites like cve.mitre.org and nvd.nist.gov (and hopefully on affected vendor sites), along with scores that attempt to assess its severity.2^,3

Responsible vendors typically release patches in a timely manner to address specific known vulnerabilities. However, this does not guarantee that organizations using these vulnerable products will apply the patch. In fact, some of the most high-profile attacks and data breaches have taken place in organizations thatdid not fix vulnerabilities that were known for years. (he is zerorefers to a newly discovered vulnerability for which there is no patch yet).

Threat

A threat is any action (event, occurrence, circumstance) that could interrupt, damage, destroy, or adversely affect an information system (and therefore an organization's business and operations). Seen through the lens ofCIA triad, a threat is anything that could compromise the confidentiality, integrity, or availability of systems or data. Except in cases of natural disasters such as floods or hurricanes, threats are perpetrated bythreat agentsothreat actorsranging from inexperienced so-called script kiddies to notorious hacker groups like Anonymous and Cozy Bear (aka APT29). Threats can be intentional or accidental and come from internal or external sources. At theThe three Little Pigs, the wolf is the obvious threat agent; the threat is the stated intention to tear down the pigs' homes and eat them.

blow

Used as a verb,coupmeans exploiting a vulnerability. Used as a noun, an exploit refers to a tool, usually in source code or binary form. This code makes it easier for attackers to take advantage of a specific vulnerability, often giving them unauthorized access to something (a network, a system, an application, etc.). Himuseful load, chosen by the threat actor and delivered via the exploit, performs the chosen attack, such as malware download, privilege escalation, or data exfiltration.

In the children's story, the analogies aren't perfect, but the wolf's mighty breath is the closest thing to an exploration tool, and the payload is home destruction. Afterwards, he hoped to eat the pig, his "secondary" attack. (Note that many cyberattacks are multilayered attacks.)

Exploit code for many vulnerabilities is publicly available (on the open internet at sites like exploit-db.com, as well as on the dark web) for attackers to buy, share, or use. (Organized strike groups and nation-state actors write their own exploit code and keep it to themselves.) It is important to note that there is not exploit code for every known vulnerabilities. Attackers often take the time to develop vulnerabilities in widely used products and those with the greatest potential to result in a successful attack. Therefore, although the termexploit codeit is not included in the Threats x Vulnerabilities = Risk "equation", it is an integral part of what makes a threat possible.

Risk

For now, let's refine our incomplete definition above and say that risk constitutes a specific vulnerability.paired with(not multiplied by) a specific threat. In the story, the pig's vulnerable straw house together with the wolf's threat to tear it down constitute a risk. Likewise, the threat ofsql injectionmatched to a specific vulnerability found, for example, in a specific SonicWall product (and version) and detailed in CVE-2021-20016,4constitutes a risk. But to fully assess the level of risk, bothprobabilityyimpactshould also be considered (more on these two terms in the next section).

Before we continue, there are two important points to understand:

• If a vulnerability has no corresponding threat (no exploit code exists),without risk. Likewise, if a threat does not have a corresponding vulnerability, there is no risk. This is the case with the third pig, whose brick house is invulnerable to the threat of the wolf. If an organization fixes the vulnerability described in CVE-2021-20016 on all of its affected systems, the risk no longer exists because that specific vulnerability has been removed.
• The second point, apparently contradictory, is thatthe potential for risk always existsbecause (1) exploit code for known vulnerabilities can be developed at any time, and (2) new previously unknown vulnerabilities will eventually be discovered, leading to potential new threats. How did we learn in the endThe three Little Pigs, the wolf discovers the chimney in the third pig's brick house and decides to go down to get the pigs. AHA! A new vulnerability associated with a new threat constitutes a (new) risk. Attackers are always looking for new vulnerabilities to exploit.

accurate risk assessment

Without going into an in-depth discussion of risk assessment,5Let's define the two essential elements of risk calculations that are often overlooked.

Probability

Probability is the chance or likelihood that a specific threat will exploit a specific vulnerability. Factors that influence probability include things like a threat actor's motivation and capabilities, the ease with which a vulnerability can be exploited, the attractiveness of a vulnerable target,security controlsin place that could prevent a successful attack, and much more. If exploit code exists for a specific vulnerability, the attacker is skilled and highly motivated, and the vulnerable target system has few security controls, the likelihood of an attack is potentially high. When the opposite of either is true, the probability decreases.

For the first pig, the attack probability was high because the wolf was hungry (motivated), had the opportunity, and had a reasonable tool of exploration (its powerful breath). However, if the wolf had known in advance about the pot of boiling water in the third pig's chimney, the "safety check" that ended up killing the wolf and saving the pigs, the probability that it would fall down the chimney would likely be zero. . The same goes for skilled and motivated attackers who, faced with overwhelming security controls, may choose to move on to easier targets.

Yes Yes Yes. There are endless variations in motivation, skill, ease of exploitation, security controls, and other factors that affect probability.

Impact

Impact describes the damage that could be done to the organization and its assets if a specific threat were to exploit a specific vulnerability. Of course, it's impossible to accurately measure the impact without first determining the value of the assets, as mentioned above. Obviously, some assets are more valuable to the business than others. Compare, for example, the impact of a company losing availability of an e-commerce site that generates 90% of its revenue to the impact of losing an infrequently used web application that generates minimal revenue. The first loss could put a shaky company out of business, while the second loss could be insignificant. It is no different in our children's history where the shock was high for the first pig, homeless after the wolf attack. If his straw house was just a makeshift rain shelter that he rarely used, the impact would have been negligible.

Putting the Risk Puzzle Pieces Together

Assuming that there is a match between vulnerability and threat, it is essential to considerbothprobability and impact to determine the level of risk. A simple, qualitative (versus quantitative)6A risk matrix like the one shown in Figure 1 illustrates the relationship between the two. (Note that there are many variations of this matrix, some much more granular and detailed.)

Using our example above, yes, the loss of a company's main e-commerce siteit couldhave a significant impact on revenue, but what is theprobabilityfor this to happen? If it is low, the risk level is medium. Likewise, if an attack on a web application that is rarely used and generates little revenue is highly likely, the risk level is also medium. Therefore, statements such as: “If this machine is hacked, all our data will be owned!” or "The length of our passwords is too short and that's risky!" they are incomplete and only marginally useful because neither address probability as well as impact.7

Conclusion

So where do these definitions and explanations leave us? Hopefully with a better high-level understanding of risk and a more accurate understanding of its components and their relationships to one another. Given the number of new threats, vulnerabilities and exploits exposed daily, understanding these terms is essential to avoid misunderstandings, miscommunications and misguided approaches. Security professionals need to be able to ask and answer the right questions, such as: Are our systems and applications vulnerable? If so, which ones and what are the specific vulnerabilities? Threats? What is the value of these systems and the data they contain? How should we prioritize protecting these systems? What would be the impact of a major data breach or attack? What is the probability of a successful attack? Do we have effective security controls? If not, which ones do we need? What policies and procedures should we implement or update? And so on and so on.

You get the idea. The point is that information security is a complex discipline (with many sub-disciplines) and the risk of failing in it can be very high. That's why it's so important for security professionals to understand these concepts so they can accurately assess risk.

For more information on security fundamentals, readWhat is the CIA triad?,What are security controls?, youWhat is the Least Privilege Principle?, all from the F5 Labs Learning Center.