Threat Modeling: What You Need to Know About Prioritizing Attacks and Vulnerabilities

Lamine Aouad

Threat modeling gives vulnerability management teams a good understanding of how attacks work, enabling them to focus prioritization efforts around the bugs most likely to affect their environment.

The importance of threat modeling in assessing security postures is a given nowadays. The vulnerability view, while it does play a central role, is only one part of an assessment. It’s not enough to pinpoint which vulnerabilities or attack vectors are the most relevant at a given time. Taking into account the characteristics of individual attacks and the strategies of attackers enables defenders to prioritize. Instead of defending against all vulnerabilities (which can number in the hundreds or thousands), defenders can focus their efforts on the select few that an attacker actually needs in order to breach the system.

In this blog post, I will share a few notes on how attacks are carried out, how they link to vulnerabilities, and how the right threat model can save the day.

Threat modeling: vulnerabilities vs. attacks

Threat modeling is the formal process of identifying and ranking the threats most likely to affect your environment. Typically, there are two views to threat modeling:

  • the vulnerability view, in which system vulnerabilities, either taken individually or combined, define the technical exposure to attacks; and
  • the attacker and threat landscape view, in which the modeling takes into account the threat landscape, in the form of attack instances, and attacker strategies.

These models are typically represented through attack graphs, game theory or decision analysis. Regardless of the modeling approach, our interest here is to define the threat-modeling steps most likely to make a difference when it comes to protecting your system.

Targeting all known vulnerabilities that an attacker may exploit is usually pointless. Out of tens of thousands of vulnerabilities, only a fraction is actively exploited in the wild. In addition, it has been shown that vulnerability exploitation can be described by a heavy-tail distribution, which basically means a very small fraction of vulnerabilities is responsible for orders of magnitude more attacks than the remaining majority.

A good example here would be exploit kits, which drive millions of attacks, yet use only a dozen vulnerabilities each at a maximum. Data from Tenable and ReversingLabs, from January 1 through May 5, shows only 2 percent of all known and detected vulnerabilities were seen in ReversingLabs' threat detection feed (file-based malware). Additionally, the top 10 percent of CVEs (out of 638) from that feed is responsible for 50 percent of exploit detections.

Additional data from Recorded Future, including a broader range of cyber attacks — such as fileless or Web attacks — shows a further 172 CVEs being exploited in the same period, which brings the total to 2.5 percent of all known and detected vulnerabilities in Tenable data. This shows that it’s unrealistic to assume attackers can choose any available vulnerability or path to compromise.


There is no 'one-size-fits-all' attack strategy, nor defender strategy for that matter. Outside of the 'Attacks-as-a-Service' model, using pre-existing mechanisms — such as the above-mentioned exploit kits — or an existing infrastructure controlled by cybercriminals to launch distributed denial of service (DDoS) attacks, for instance, the attack generation process is usually dynamic and made-to-measure. In fact, attackers might need to re-engineer their attack strategy if nothing in their toolbox works on a target environment, which might translate to a lot more effort in terms of reconnaissance, enumeration or even exploit modification and engineering.

It’s equally unrealistic to assume attackers are all-knowing about their targets and can choose whichever attack strategy they believe is best.

A typical attack scenario might, for instance, involve a watering hole attack, a phishing attack or password spraying to establish the initial foothold. Once inside, additional effort is required to identify the network and system configuration visible from there and understand which attacks are needed to move to the next target.

Even though no two attacks are exactly alike, there are similar tactics, techniques and procedures (TTPs) that attackers use. These should be well understood on the defender side. The MITRE ATT&CK framework offers a good high-level reference.

Leveraging real-world and timely threat intelligence and attack knowledge is essential to define (and narrow down) the search space to highly likely and high-impact threats for a given environment.

Steps for Threat Modeling

The main question, from the defender perspective, remains “how to decide which vulnerabilities to fix first?” Starting with a given technical exposure, i.e. exploitable vulnerabilities and weaknesses on a system, the basic process would be to identify attack scenarios and characteristics, based on known attack strategies and threat intelligence reports. This would narrow down the initial set to a much smaller number of vulnerabilities that are more likely to lead to realistic attacks on that environment.

Threat modeling would then require the following basic steps:

  • Identify system vulnerabilities and weaknesses.
  • Identify attack paths against your assets, based on these vulnerabilities and weaknesses, taking into account existing countermeasures and safeguards.
  • Identify realistic attacks that can leverage existing vulnerabilities and weaknesses on those paths, using both generic and timely knowledge about threats and threat actors.
  • Prioritize risks based on impact and asset/application criticality.

Figure: Prioritizing attacks and vulnerabilities, the four key steps.
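The four steps above can be turned into a small, mechanical prioritization pass. The following is an added example, not code from the original post or from Tenable: it models step 1 as a list of scanner findings, step 2 as a reachability walk over a network graph with some edges blocked by existing safeguards, step 3 as a threat-intelligence set of vulnerabilities seen exploited in the wild, and step 4 as a score weighted by asset criticality. Every host name, vulnerability id, CVSS value, criticality rating and the multiplier for in-the-wild exploitation is a constructed assumption; the ids are placeholders, not real CVE numbers.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # constructed placeholder, not a real CVE number
    host: str
    cvss: float    # severity on the usual 0-10 scale
    remote: bool   # True if exploitable over the network (gives entry to the host)


# Step 1: vulnerabilities and weaknesses per host (constructed scanner output).
VULNS = [
    Vuln("VULN-A", "web01", 9.8, True),   # remote code execution on the public web server
    Vuln("VULN-B", "web01", 5.3, False),  # local privilege escalation on the same host
    Vuln("VULN-C", "app01", 8.1, True),   # remotely exploitable application service flaw
    Vuln("VULN-D", "db01", 7.5, True),    # remotely exploitable database flaw
    Vuln("VULN-E", "hr01", 9.0, True),    # critical, but the host sits on a blocked segment
    Vuln("VULN-F", "db01", 6.2, False),   # local-only weakness on the database host
]

# Step 2: network reachability (constructed). An edge src -> dst is a connection an
# attacker could attempt once src is compromised; "internet" is the starting point.
NETWORK = {
    "internet": ["web01", "hr01"],
    "web01": ["app01", "db01"],
    "app01": ["db01"],
    "db01": [],
    "hr01": [],
}
# Existing countermeasures: edges closed by firewall or segmentation rules.
BLOCKED = {("internet", "hr01"), ("web01", "db01")}

# Step 3: threat intelligence (constructed feed): vulnerabilities seen exploited in the wild.
EXPLOITED_IN_WILD = {"VULN-A", "VULN-D"}

# Step 4: asset criticality (constructed; 1 = low value, 5 = crown jewels).
CRITICALITY = {"web01": 2, "app01": 3, "db01": 5, "hr01": 4}
IN_THE_WILD_WEIGHT = 3.0  # assumed boost for vulns with observed exploitation


def remote_vulns_by_host(vulns):
    """Index remotely exploitable vulnerabilities by host."""
    index = {}
    for v in vulns:
        if v.remote:
            index.setdefault(v.host, []).append(v)
    return index


def attack_paths(vulns, network, blocked, start="internet"):
    """Breadth-first walk from the attacker's start. A host is entered only if the edge
    is not blocked and the host exposes at least one remotely exploitable vuln.
    Returns {host: [hosts on the path from start]} for every reachable host."""
    remote = remote_vulns_by_host(vulns)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in network.get(src, []):
            if dst in paths or (src, dst) in blocked or dst not in remote:
                continue
            paths[dst] = paths[src] + [dst]
            queue.append(dst)
    paths.pop(start)
    return paths


def prioritize(vulns, network, blocked, intel, criticality):
    """Rank vulnerabilities. Only vulns on a host the attacker can reach count, local
    ones included (they serve privilege escalation once a foothold exists). The score
    weights severity by asset criticality and boosts vulns seen exploited in the wild.
    Returns [(score, vuln_id, host, path)] sorted from highest to lowest score."""
    reachable = attack_paths(vulns, network, blocked)
    ranked = []
    for v in vulns:
        if v.host not in reachable:
            continue  # not on any realistic path: deprioritised, not forgotten
        weight = IN_THE_WILD_WEIGHT if v.vuln_id in intel else 1.0
        score = v.cvss * criticality[v.host] * weight
        ranked.append((round(score, 1), v.vuln_id, v.host, " -> ".join(reachable[v.host])))
    ranked.sort(reverse=True)
    return ranked


if __name__ == "__main__":
    for score, vuln_id, host, path in prioritize(VULNS, NETWORK, BLOCKED, EXPLOITED_IN_WILD, CRITICALITY):
        print(f"{score:6.1f}  {vuln_id}  on {host}  via {path}")
```

Note what the ranking does and does not do: the highest-CVSS finding on the list (VULN-E on hr01) never appears in the output because the segmentation rule removes the only path to it, while a lower-severity database flaw rises to the top because it sits on a reachable path to the most critical asset and carries in-the-wild exploitation. Unreachable findings are still in the inventory; they simply drop below the line until a change in the network or in the safeguards brings them back onto a path, which is exactly the kind of model update the next paragraphs describe.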

Under this modeling, the defender is able to reason about the attackers’ ability, not only to find an initial entry point, but also to do further reconnaissance, enable persistence, escalate privileges, move laterally and so on, which could be aligned with the MITRE ATT&CK framework.

Ideally, a threat model is enhanced by emulating TTPs used by adversaries and carried out by red teams. This can also be done by mapping those TTPs along the attack surface without necessarily carrying out real-world campaigns. The main advantage to real-world campaigns, however, is taking into account the human factor (employees’ skill gaps) and how the company and blue teams react (mainly reflected by metrics such as Time to Detect and Time to Mitigate).

The appearance of a new vulnerability might not carry any weight on the overall model, in terms of scenarios and risks. If it does, however, the available description and severity, combined with threat intelligence activity, will estimate attack likelihood and impact factors to update the model. It is then imperative for security teams, responsible for assessing security postures, to have a good understanding of how attacks work, keep an open eye on the latest reports and make sure they understand how adversaries are operating and changing their attacks.

Most vulnerability management practitioners understand the importance of risk-centric vulnerability prioritization and remediation. The main focus currently is on imminent (and most of the time, commoditized) attacks, which, in fact, should be the first priority. A more efficient threat model, based on the steps above, will take defenders further by including relevant advanced attacks and continuously assessing the threat landscape for more effective overall risk reduction.


Published on Jun 19, 2019
