Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Threat Modeling: What You Need to Know About Prioritizing Attacks and Vulnerabilities

Threat modeling gives vulnerability management teams a good understanding of how attacks work, enabling them to focus prioritization efforts around the bugs most likely to affect their environment.

The importance of threat modeling in assessing security postures is a given nowadays. The vulnerability view, while it does play a central role, is only one part of an assessment. It’s not enough to pinpoint which vulnerabilities or attack vectors are the most relevant at a given time. Taking into account the characteristics of individual attacks and the strategies of attackers enables defenders to prioritize. Instead of defending against all vulnerabilities (which can number in the hundreds and thousands), defenders can prioritize their efforts to focus on a select number that the attacker needs to breach the system. 

In this blog post, I will share a few notes on how attacks are carried out, links to vulnerabilities, and how the right threat model can save the day.

Threat modeling: vulnerabilities vs. attacks

Threat modeling is the formal process of identifying and ranking the threats most likely to affect your environment. Typically, there are two views to threat modeling:

  1. the vulnerability view, in which system vulnerabilities, either taken individually or combined, define the technical exposure to attacks; and
  2. the attacker and threat landscape view, in which the modeling takes into account the threat landscape, in the form of attack instances, and attacker strategies. 

These models are typically represented through attack graphs, game theory or decision analysis. Regardless of the modeling approach, our interest here is to define the threat-modeling steps most likely to make a difference when it comes to protecting your system.

Targeting all known vulnerabilities that an attacker may exploit is usually pointless. Out of tens of thousands of vulnerabilities, only a fraction is actively exploited in the wild. In addition, it has been shown that vulnerability exploitation can be described by a heavy tail distribution, which basically means a very small fraction of vulnerabilities is responsible for orders of magnitude more attacks than the remaining majority. 

A good example here would be exploit kits, which drive millions of attacks, yet use only a dozen vulnerabilities each at a maximum. Data from Tenable and ReversingLabs, from January 1 through May 5, shows only 2 percent of all known and detected vulnerabilities were seen in ReversingLabs's threat detection feed (file-based malware). Additionally, the top 10 percent of CVEs (out of 638) from that feed is responsible for 50 percent of exploit detections. 

Additional data from Recorded Future, including a broader range of cyber attacks — such as fileless or Web attacks — shows a further 172 CVEs being exploited in the same period, which brings the total to 2.5 percent of all known and detected vulnerabilities in Tenable data. This shows that it’s unrealistic to assume attackers can choose any available vulnerability or path to compromise. 

What You Need to Know About Prioritizing Attacks and Vulnerabilities

There is no 'one-size-fits-all' attack strategy, nor defender strategy for that matter. Outside of the 'Attacks-as-a-Service' model, using pre-existing mechanisms — such as the above-mentioned exploit kits — or an existing infrastructure controlled by cybercriminals to launch distributed denial of service (DDoS) attacks, for instance, the attack generation process is usually dynamic and made-to-measure. In fact, attackers might need to re-engineer their attack strategy if nothing in their toolbox works on a target environment, which might translate to a lot more effort in terms of reconnaissance, enumeration or even exploit modification and engineering. 

It’s equally unrealistic to assume attackers are all-knowing about their targets and can choose whichever attack strategy they believe is best.

A typical attack scenario might, for instance, involve a watering hole attack, a phishing attack or password spraying to establish the initial foothold. Once inside, additional effort is required to identify the network and system configuration visible from there and understand which attacks are needed to move to the next target. 

Even though no two attacks are exactly alike, there are similar tactics, techniques and  procedures (TTPs) that attackers use. These should be well understood on the defender side. The MITRE ATT&CK framework offers a good high-level reference. 

Leveraging real-world and timely threat intelligence and attacks knowledge is essential to define (and narrow down) the search space to highly likely and high impact threats for a given environment.

Steps for Threat Modeling

The main question, from the defender perspective, remains “how to decide which vulnerabilities to fix first?” Starting with a given technical exposure, i.e. exploitable vulnerabilities and weaknesses on a system, the basic process would be to identify attack scenarios and characteristics, based on known attack strategies and threat intelligence reports. This would narrow down the initial set to a much smaller number of vulnerabilities that are more likely to lead to realistic attacks on that environment. 

Threat modeling would then require the following basic steps: 

  • Identify system vulnerabilities and weaknesses.
  • Identify attack paths against your assets, based on these vulnerabilities and weaknesses, taking into account existing countermeasures and safeguards.
  • Identify realistic attacks that can leverage existing vulnerabilities and weaknesses on those paths, using both generic and timely knowledge about threats and threat actors. 
  • Prioritize risks based on impact and asset/ application criticality.

Prioritizing Attacks and Vulnerabilities Four Key Steps

Under this modeling, the defender is able to reason about the attackers’ ability, not only to find an initial entry point, but also to do further reconnaissance, enable persistence, escalate privileges, move laterally and so on, which could be aligned with the MITRE ATT&CK framework. 

Ideally, a threat model is enhanced by emulating TTPs used by adversaries and carried out by red teams. This can also be done by mapping those TTPs along the attack surface without necessarily carrying out real-world campaigns. The main advantage to real-world campaigns, however, is taking into account the human factor (employees’ skill gaps) and how the company and blue teams react (mainly reflected by metrics such as Time to Detect and Time to Mitigate). 

The appearance of a new vulnerability might not carry any weight on the overall model, in terms of scenarios and risks. If it does, however, the available description and severity, combined with threat intelligence activity, will estimate attack likelihood and impact factors to update the model. It is then imperative for security teams, responsible for assessing security postures, to have a good understanding of how attacks work, keep an open eye on the latest reports and make sure they understand how adversaries are operating and changing their attacks.

Most vulnerability management practitioners understand the importance of risk-centric vulnerability prioritization and remediation. The main focus currently is on imminent (and most of the time, commoditized) attacks, which, in fact, should be the first priority. A more efficient threat model, based on the steps above, will take defenders further by including relevant advanced attacks and continuously assessing the threat landscape for more effective overall risk reduction.

Learn more:

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training