Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Threat Modeling: What You Need to Know About Prioritizing Attacks and Vulnerabilities

Threat modeling gives vulnerability management teams a good understanding of how attacks work, enabling them to focus prioritization efforts around the bugs most likely to affect their environment.

The importance of threat modeling in assessing security postures is a given nowadays. The vulnerability view, while it does play a central role, is only one part of an assessment. It’s not enough to pinpoint which vulnerabilities or attack vectors are the most relevant at a given time. Taking into account the characteristics of individual attacks and the strategies of attackers enables defenders to prioritize. Instead of defending against all vulnerabilities (which can number in the hundreds and thousands), defenders can prioritize their efforts to focus on a select number that the attacker needs to breach the system. 

In this blog post, I will share a few notes on how attacks are carried out, links to vulnerabilities, and how the right threat model can save the day.

Threat modeling: vulnerabilities vs. attacks

Threat modeling is the formal process of identifying and ranking the threats most likely to affect your environment. Typically, there are two views to threat modeling:

  1. the vulnerability view, in which system vulnerabilities, either taken individually or combined, define the technical exposure to attacks; and
  2. the attacker and threat landscape view, in which the modeling takes into account the threat landscape, in the form of attack instances, and attacker strategies. 

These models are typically represented through attack graphs, game theory or decision analysis. Regardless of the modeling approach, our interest here is to define the threat-modeling steps most likely to make a difference when it comes to protecting your system.

Targeting all known vulnerabilities that an attacker may exploit is usually pointless. Out of tens of thousands of vulnerabilities, only a fraction is actively exploited in the wild. In addition, it has been shown that vulnerability exploitation can be described by a heavy tail distribution, which basically means a very small fraction of vulnerabilities is responsible for orders of magnitude more attacks than the remaining majority. 

A good example here would be exploit kits, which drive millions of attacks, yet use only a dozen vulnerabilities each at a maximum. Data from Tenable and ReversingLabs, from January 1 through May 5, shows only 2 percent of all known and detected vulnerabilities were seen in ReversingLabs's threat detection feed (file-based malware). Additionally, the top 10 percent of CVEs (out of 638) from that feed is responsible for 50 percent of exploit detections. 

Additional data from Recorded Future, including a broader range of cyber attacks — such as fileless or Web attacks — shows a further 172 CVEs being exploited in the same period, which brings the total to 2.5 percent of all known and detected vulnerabilities in Tenable data. This shows that it’s unrealistic to assume attackers can choose any available vulnerability or path to compromise. 

What You Need to Know About Prioritizing Attacks and Vulnerabilities

There is no 'one-size-fits-all' attack strategy, nor defender strategy for that matter. Outside of the 'Attacks-as-a-Service' model, using pre-existing mechanisms — such as the above-mentioned exploit kits — or an existing infrastructure controlled by cybercriminals to launch distributed denial of service (DDoS) attacks, for instance, the attack generation process is usually dynamic and made-to-measure. In fact, attackers might need to re-engineer their attack strategy if nothing in their toolbox works on a target environment, which might translate to a lot more effort in terms of reconnaissance, enumeration or even exploit modification and engineering. 

It’s equally unrealistic to assume attackers are all-knowing about their targets and can choose whichever attack strategy they believe is best.

A typical attack scenario might, for instance, involve a watering hole attack, a phishing attack or password spraying to establish the initial foothold. Once inside, additional effort is required to identify the network and system configuration visible from there and understand which attacks are needed to move to the next target. 

Even though no two attacks are exactly alike, there are similar tactics, techniques and  procedures (TTPs) that attackers use. These should be well understood on the defender side. The MITRE ATT&CK framework offers a good high-level reference. 

Leveraging real-world and timely threat intelligence and attacks knowledge is essential to define (and narrow down) the search space to highly likely and high impact threats for a given environment.

Steps for Threat Modeling

The main question, from the defender perspective, remains “how to decide which vulnerabilities to fix first?” Starting with a given technical exposure, i.e. exploitable vulnerabilities and weaknesses on a system, the basic process would be to identify attack scenarios and characteristics, based on known attack strategies and threat intelligence reports. This would narrow down the initial set to a much smaller number of vulnerabilities that are more likely to lead to realistic attacks on that environment. 

Threat modeling would then require the following basic steps: 

  • Identify system vulnerabilities and weaknesses.
  • Identify attack paths against your assets, based on these vulnerabilities and weaknesses, taking into account existing countermeasures and safeguards.
  • Identify realistic attacks that can leverage existing vulnerabilities and weaknesses on those paths, using both generic and timely knowledge about threats and threat actors. 
  • Prioritize risks based on impact and asset/ application criticality.

Prioritizing Attacks and Vulnerabilities Four Key Steps

Under this modeling, the defender is able to reason about the attackers’ ability, not only to find an initial entry point, but also to do further reconnaissance, enable persistence, escalate privileges, move laterally and so on, which could be aligned with the MITRE ATT&CK framework. 

Ideally, a threat model is enhanced by emulating TTPs used by adversaries and carried out by red teams. This can also be done by mapping those TTPs along the attack surface without necessarily carrying out real-world campaigns. The main advantage to real-world campaigns, however, is taking into account the human factor (employees’ skill gaps) and how the company and blue teams react (mainly reflected by metrics such as Time to Detect and Time to Mitigate). 

The appearance of a new vulnerability might not carry any weight on the overall model, in terms of scenarios and risks. If it does, however, the available description and severity, combined with threat intelligence activity, will estimate attack likelihood and impact factors to update the model. It is then imperative for security teams, responsible for assessing security postures, to have a good understanding of how attacks work, keep an open eye on the latest reports and make sure they understand how adversaries are operating and changing their attacks.

Most vulnerability management practitioners understand the importance of risk-centric vulnerability prioritization and remediation. The main focus currently is on imminent (and most of the time, commoditized) attacks, which, in fact, should be the first priority. A more efficient threat model, based on the steps above, will take defenders further by including relevant advanced attacks and continuously assessing the threat landscape for more effective overall risk reduction.

Learn more:

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.