If you’re not gluing your vulnerabilities together you are likely missing the bigger picture
TL;DR
If, like most organisations, you separate your security estate and its vulnerabilities into atomic chunks (by project, by business unit, by CVE), you will likely miss critical attack chains, and that leaves your assets exposed to attack.
Context
If you’ve worked within security for any length of time, you’ll have seen the cute memes that circulate, poking fun at the idea that just because you have risk-accepted an issue, or categorised something as out-of-scope, the hackers will play by the same rules. And whilst these memes are meant as a bit of light-hearted humour, they are also 100% correct.
In the same way, people (and by extension their tooling) like to break things up into manageable chunks. Technical vulnerabilities are resolved down into individual CVEs. The budgets for assessments and reporting are broken down by team, business unit and application, and so the scope of each assessment is defined along the same lines.
However, that’s not how attackers actually work. They have no interest in your arbitrary departmental lines or your industry-standard categorisation scheme. They are just looking for an effective attack they can use.
Example One – Triage by CVE Impact
CVE classification is great for tool efficiency and for clarity of root-cause reporting, but it really doesn’t reflect how exposed your estate is. For a start, at the CVE level most organisations are only interested in issues rated High or above. I have lost count of the number of project wash-ups I have sat in on where the other vulnerabilities aren’t discussed at all. However, it is often trivial to combine a few lows into an effective attack with a high impact.
As a simple example, you often see a finding that the email address attached to an account can be changed without re-authentication (no password prompt, no confirmation to the old address). That will generally be rated a low. You also often see a CORS misconfiguration, typically a server that reflects whatever Origin it is sent and adds Access-Control-Allow-Credentials: true, which again will be rated a low. But an endpoint affected by both lets an attacker’s page issue the email change with the victim’s own session, read the response, and then request a password reset to the new address: a full account takeover, locking the valid user out of their own account and leaking all their data. Not a low impact.
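To make the composition concrete, here is an added example (not code from the original post) that models the browser-side CORS decision and the account email endpoint, then runs the attacker's page against the vulnerable and the hardened policy. The origins, the allowlist and the endpoint behaviour are constructed for illustration; the CORS rules follow the Fetch standard, simplified to the response-reading check.

```python
"""Added example (not from the original post): a simplified model of the
browser-side CORS check, used to show why 'reflect the Origin header and
allow credentials' (rated low) plus 'change account e-mail without
re-authentication' (rated low) compose into an account takeover.
Origins and endpoint names are constructed for illustration."""

ATTACKER_ORIGIN = "https://evil.example.net"                  # constructed
TRUSTED_ORIGINS = frozenset({"https://portal.example.com"})   # constructed


def vulnerable_cors(origin):
    """Common misconfiguration: echo any Origin back and allow credentials."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors(origin):
    """Exact-match allowlist; unknown origins get no CORS headers at all.
    Vary: Origin stops a shared cache serving one origin's headers to another."""
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def browser_exposes_response(origin, with_credentials, headers):
    """Fetch-standard CORS check, simplified: may script at `origin` read this
    response?  A wildcard never satisfies a credentialed request, and the
    credentials header must be exactly the string 'true'."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        acac = headers.get("Access-Control-Allow-Credentials", "")
        return acao == origin and acac == "true"
    return acao == "*" or acao == origin


def email_change_allowed(session_valid, current_password_supplied, requires_reauth):
    """Model of POST /account/email; the reported 'low' is requires_reauth=False."""
    if not session_valid:
        return False
    return current_password_supplied or not requires_reauth


def attack_chain(cors_policy, requires_reauth):
    """Attacker's page, loaded by a logged-in victim, calls
    fetch('/account/email', {method: 'POST', credentials: 'include', ...}).
    The endpoint expects JSON, so the request is preflighted and the attacker
    also needs to read responses (current e-mail, any CSRF token); both legs
    are governed by the same policy here.  Were it a plain form POST with no
    CSRF token, this would be ordinary CSRF and CORS would not matter."""
    headers = cors_policy(ATTACKER_ORIGIN)
    if not browser_exposes_response(ATTACKER_ORIGIN, True, headers):
        return "blocked: browser refuses the credentialed cross-origin request"
    # The victim's cookies ride along, but the attacker does not know the password.
    if not email_change_allowed(session_valid=True, current_password_supplied=False,
                                requires_reauth=requires_reauth):
        return "blocked: e-mail change requires the current password"
    return "account takeover: e-mail rebound, password reset now goes to the attacker"


if __name__ == "__main__":
    for policy in (vulnerable_cors, hardened_cors):
        for reauth in (False, True):
            print(f"{policy.__name__:16} reauth={reauth!s:5} -> {attack_chain(policy, reauth)}")
```

Either fix on its own breaks the chain: the allowlist stops the cross-origin request, and re-authentication makes the request useless even if it gets through. Fixing only one is a legitimate risk decision, but it should be taken knowing the other low is what is holding the line.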
And there are thousands of other combinations like this. Ooops.
Example Two – Triage by Organisational Unit
Budgets and reporting are generally organised along departmental, or project boundaries. And as such, so is the security testing and reporting. However, the actual vulnerabilities can happily be combined across projects. More oooops.
As a simple example, a cookie value reflected unescaped into a page will be reported as just that, a reflected value, and probably rated low or informational, because on its own it is indeed unexploitable: the attacker has no way to put a payload into the victim’s cookie. All that is needed to make it useful is another low, a response header injection (CRLF) vulnerability, on any host under the same registrable domain (the eTLD+1, such as example.com; a cookie cannot be scoped to a bare public suffix like .com). One injected Set-Cookie header with Domain=example.com from the dev platform you don’t care about because it holds no live data, from the marketing blog, or from the third-party e-commerce platform is then sent by the browser to the main application, and the reflected cookie becomes a working XSS against it. And likewise, all of those may have rated the header injection low, because there is nothing in their own scope it can be combined with.
Improving your Workflow
If your tooling, suppliers and workflow do not currently consider chaining vulnerabilities across your entire estate into meta-attacks, then you are missing important issues that may eventually come back to bite you on the butt.
Introducing some form of cross-platform workflow, where you regularly review all the outstanding vulnerabilities to see if they can be combined, should pick up a lot of these kinds of issue. But doing this by hand at scale will quickly become unmanageable. This is a problem that is crying out for some form of automation!
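One way to start on that automation, as an added example that is not from the original post and not a product the author describes: tag each finding, whichever report it came from, with the capability an attacker needs before it is useful and the capability it grants, then let a search assemble paths across the whole estate. The findings below are constructed and mirror the two examples above; the capability names are arbitrary labels chosen for this illustration.

```python
"""Added example (not from the original post): a small chaining pass over an
estate-wide list of findings.  Each finding carries the capability an
attacker must already hold and the capability it grants; a breadth-first
search assembles multi-step paths to a high-impact outcome regardless of
which report, scope or rating each step came from.  Findings are constructed."""
from collections import deque
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    scope: str            # the report / business unit that owns it
    severity: str         # how it was rated on its own
    requires: frozenset   # capabilities the attacker must already hold
    grants: frozenset     # capabilities exploiting it provides
    title: str


def F(id, scope, severity, requires, grants, title):
    return Finding(id, scope, severity, frozenset(requires), frozenset(grants), title)


FINDINGS = [  # constructed; ids and scopes are illustrative
    F("WEB-12", "web-app", "low", {"lure_victim"}, {"credentialed_xo_request"},
      "CORS reflects Origin with Allow-Credentials: true"),
    F("WEB-18", "web-app", "low", {"credentialed_xo_request"}, {"email_rebound"},
      "Account e-mail can be changed without re-authentication"),
    F("WEB-27", "web-app", "info", {"cookie_on_registrable_domain"}, {"xss_app"},
      "Cookie 'theme' reflected unescaped"),
    F("DEV-03", "dev-platform", "low", {"lure_victim"}, {"cookie_on_registrable_domain"},
      "CRLF injection in Location header on dev.example.com"),
    F("IDP-05", "identity", "info", {"email_rebound"}, {"account_takeover"},
      "Password reset link sent to account e-mail, no second factor"),
    F("MKT-09", "marketing", "medium", set(), {"open_redirect"},
      "Open redirect on blog"),
]


def find_chains(findings, start, goal, max_len=6):
    """BFS over capability states; returns the minimal chains (tuples of ids)."""
    chains = []
    queue = deque([(frozenset(start), ())])
    while queue:
        caps, path = queue.popleft()
        for f in findings:
            if f.id in path or not f.requires <= caps or f.grants <= caps:
                continue  # already used, not yet reachable, or gains nothing new
            new_caps, new_path = caps | f.grants, path + (f.id,)
            if goal in new_caps:
                chains.append(new_path)
            elif len(new_path) < max_len:
                queue.append((new_caps, new_path))
    # Drop chains that merely pad a shorter chain with unrelated steps.
    minimal = [c for c in chains if not any(set(d) < set(c) for d in chains)]
    return sorted(set(minimal))


def describe(chain, findings):
    """Contrast the chain's real outcome with how its steps were rated alone."""
    by_id = {f.id: f for f in findings}
    steps = [by_id[i] for i in chain]
    scopes = sorted({s.scope for s in steps})
    worst = max(steps, key=lambda s: SEVERITY_RANK[s.severity]).severity
    return {"chain": chain, "scopes": scopes, "highest_individual_rating": worst,
            "crosses_scopes": len(scopes) > 1,
            "hidden_high": SEVERITY_RANK[worst] < SEVERITY_RANK["medium"]}


if __name__ == "__main__":
    for goal in ("account_takeover", "xss_app"):
        for chain in find_chains(FINDINGS, {"lure_victim"}, goal):
            print(goal, describe(chain, FINDINGS))
```

The output for account_takeover is one chain whose steps were never rated above low and which spans two reporting scopes; the xss_app chain needs the dev platform's finding before the web app's informational reflection means anything. The hard part in practice is not the search but the tagging: someone has to decide, per finding, what it needs and what it gives, which is exactly the cross-scope thinking the per-report workflow skips.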
Nota bene: it is worth noting, that any red team on the payroll should be looking at precisely this kind of thing. If not, then you should be questioning why that is so.
About the author
Martin O’Neal has spent the majority of his life gainfully employed in the shady world of information security. He's seen things you people wouldn't believe. Dandruff in drifts on the shoulders of Ryan. Watched LEDs glitter in the dark near Bishopsgate. All those moments will be lost in time... like tears in rain...