September 25, 2025
Robert "RSnake" Hansen
There is a lot of talk about using indicators of exploitation as a measure of prioritization, which is to say, if you detect that an attacker is actively exploiting a vulnerability, you should fix it. Makes a lot of sense, and therefore doesn’t get a lot of scrutiny.
However, there is a nuance here that is overlooked: Did it lead to loss or will it lead to loss?
I remember back when I was running ha.ckers.org, I used to find exploits regularly in all sorts of websites, and I was regularly testing for them. I don’t have the real number, but I don’t think anyone would be at all shocked if I said that the sla.ckers.org community has found exploits in well over 1,000 websites and posted them on the full disclosure list when that was still running.
1,000 sites in approximately the same number of different companies. It was virtually every company you’d ever heard of. Nearly all of the Fortune 500, and then some. Think about all those hackers, finding exploits at will, and having free rein to exploit them anytime they felt like.
So, if you are looking for indicators of exploitation… I mean, could you have a stronger signal than that? A message board full of hackers sharing working exploits in the open! So, let’s now discuss the loss. I mean, if vulnerabilities on a thousand sites were actively exploited, we’re going to have catastrophic losses, right?
No.
There were no losses that I am aware of. The vast majority of what we were searching for were things like XSS, CSRF, clickjacking and the like. Most, but not all, were client-side exploits. Dangerous in theory, but in practice adversaries find them cumbersome and unscalable, requiring social engineering in most cases. Easy to build signatures around, easy to exploit, but difficult to monetize at scale. I would argue we were actually the good guys, just trying to raise awareness, despite the fact that yes, we were absolutely finding and testing exploits regularly.
Today, you might look at Bugcrowd or HackerOne as being similar. A lot of ethical hackers are actively trying vulnerability payloads, and if they are able to find the vulnerability they are looking for, they file a bug for it and get paid. Let’s say they found the issue they were looking for. Is there loss outside of whatever the bounty might pay out?
No.
There are no insurance claims filed, no DFIR is initiated, no customers are notified, nothing. So while I do think there is some value in honeypot data and other methods of identifying indications of exploitation, you really have to see it from the view of the adversary. If the adversary isn’t going to monetize it, it doesn’t matter if they’re testing for it.
An attacker can be hyper-focused on SSL/TLS certificates and trying to figure out whether a target is using slightly older cipher suites. But in reality, attackers cannot use MITM attacks at scale, in all but some very esoteric nation-state circumstances, and even then there are better attacks available to them. So while numerous attackers may be aggressively scanning for weak SSL/TLS cipher suites or weak key lengths, that scanning isn’t a good indicator of risk. The honeypot is beaconing like crazy, but it doesn’t lead to any loss in the end.
To say it clearly: indicators of exploitation are not perfect predictors of risk or loss, and some studies and papers have indicated that both the indicators themselves and the prioritization built on top of them are quite weak.
That said, and to be fair, there is a type of exploitation that doesn’t care at all about monetization. Think advanced persistent threats (APTs) like nation states, hacktivists, or terrorists, who do not care about stealing data but may want to learn things, modify data to give false information, deface, or lie in wait until they want to use the attack. Good examples of this would be things like SCADA systems for power or water, and the SolarWinds supply chain attack. Those targets may not have any money to steal in the traditional sense, or even if they do, the attackers wouldn’t bother. Instead, they may want to maintain control until the day they decide to shut down utilities during wartime.
So losses, alongside other indicators like DFIR engagements, are a more accurate measure than indicators of exploitation alone. There is value in knowing what hackers are up to, but we have to be careful that we aren’t focusing our efforts on areas that aren’t leading to any true reduction of risk.