Prioritize the Active Bad in Network Security
2022-09-20 | 5 min read
Risk management for known vulnerabilities is not a binary yes/no decision triggered by the disclosure of a vulnerability; other factors belong in the decision on whether to act, such as the severity, whether the organization actually runs the vulnerable software, the complexity of exploitation, and so on. One red flag should supersede all others: the vulnerability has been caught being used in the wild. The very fact that a security professional captured it, whether in production security infrastructure or in a sandbox, shows that the CVE is practical, in use, and could be widespread now or in the future.
Fig. 1: An example of an impractical, theoretical threat that is a waste of resources
How to know what is currently active
Knowing what attacks are currently in common use saves time when deciding what to prioritize. There are many private sources that provide insight based on their industry and expertise. A relatively new authority for aggregated security knowledge is the Cybersecurity and Infrastructure Security Agency (CISA). CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. In November 2021 it issued Binding Operational Directive 22-01, which requires federal civilian executive branch agencies to remediate, by a stated due date, every entry in CISA's frequently updated Known Exploited Vulnerabilities (KEV) catalog. This is an expansive list of high-value vulnerabilities that all private and public institutions should mitigate.
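The catalog is only useful once it is joined against what you actually run. The following is an added example (not code from the original post or from Keysight): a small Python triage script that parses a KEV-shaped JSON document, matches its vendor/product pairs against an asset inventory, and orders the hits by how far past the CISA due date they are. The catalog and inventory embedded below are constructed samples with placeholder CVE IDs; the field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) mirror the public feed as I know it, and the feed URL in the comment is assumed to be the one you would fetch in practice.

```python
"""Triage a software inventory against a CISA KEV-style catalog.

Added example, not from the original post or from Keysight. The JSON below is a
constructed sample in the shape of the public feed; the placeholder CVE IDs do
not refer to real vulnerabilities.
"""
import json
from datetime import date

# Constructed sample. The real feed is fetched from (assumed URL):
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV-shaped sample",
  "catalogVersion": "2022.09.20",
  "dateReleased": "2022-09-20T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2022-10001", "vendorProject": "ExampleVendor", "product": "WebGateway",
     "vulnerabilityName": "ExampleVendor WebGateway RCE (placeholder)",
     "dateAdded": "2022-08-01", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-08-22", "notes": ""},
    {"cveID": "CVE-2022-10002", "vendorProject": "ExampleVendor", "product": "SSL VPN",
     "vulnerabilityName": "ExampleVendor SSL VPN auth bypass (placeholder)",
     "dateAdded": "2022-09-15", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-06", "notes": ""},
    {"cveID": "CVE-2022-10003", "vendorProject": "OtherCorp", "product": "Router",
     "vulnerabilityName": "OtherCorp Router command injection (placeholder)",
     "dateAdded": "2022-09-01", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-22", "notes": ""}
  ]
}
"""

# Constructed asset inventory: one row per host/product we actually run.
INVENTORY = [
    {"host": "web01", "vendor": "examplevendor", "product": "WebGateway", "version": "4.1"},
    {"host": "vpn01", "vendor": "ExampleVendor", "product": "ssl vpn",    "version": "9.0"},
    {"host": "db01",  "vendor": "OtherCorp",     "product": "Database",   "version": "12"},
]


def load_catalog(text):
    """Parse a KEV-shaped JSON document into {cveID: entry}."""
    doc = json.loads(text)
    entries = {v["cveID"]: v for v in doc["vulnerabilities"]}
    # The feed carries its own count; a mismatch means a truncated or tampered download.
    if doc.get("count") is not None and doc["count"] != len(entries):
        raise ValueError(f"catalog count {doc['count']} != {len(entries)} entries")
    return entries


def _key(vendor, product):
    # KEV vendor/product strings are free text, so normalize case and whitespace.
    return (vendor.strip().lower(), product.strip().lower())


def triage(catalog, inventory, today_iso):
    """Return inventory rows that match a KEV entry, most overdue first."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for entry in catalog.values():
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": entry["dueDate"],
                "daysLeft": (due - today).days,  # negative means past the due date
                "requiredAction": entry["requiredAction"],
            })
    # Most overdue first; ties broken by CVE ID so output is stable.
    findings.sort(key=lambda f: (f["daysLeft"], f["cveID"]))
    return findings


def overdue(findings):
    """Subset of findings whose CISA due date has already passed."""
    return [f for f in findings if f["daysLeft"] < 0]


if __name__ == "__main__":
    hits = triage(load_catalog(SAMPLE_KEV_JSON), INVENTORY, "2022-09-20")
    for f in hits:
        flag = "OVERDUE" if f["daysLeft"] < 0 else f"{f['daysLeft']}d left"
        print(f'{f["host"]:6} {f["cveID"]:15} {f["product"]:28} due {f["dueDate"]} ({flag})')
```

Exact vendor/product matching is deliberately conservative: it will miss entries whose naming in the feed differs from your inventory's, so a real deployment should map both sides to a common identifier (for example CPE names) before joining, and treat an empty result as "no match found", not "nothing exploited".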
How to test with and for those attacks
Keysight ATI Research Center has committed to prioritizing this list of vulnerabilities as targets for Strike creation, for inclusion in the ATI biweekly releases. At the time of writing there are 812 entries in the CISA list, and ATI supports 264 of them.
Fig. 2 Mapping ATI Coverage of CISA Vulnerabilities by year for BreakingPoint
Threat Simulator is a product that differs from BreakingPoint in one important way: all of the content in Threat Simulator has been observed in the wild. This product validates operational endpoints in their live environments to understand how they will respond to realistic scenarios, so there is less latitude to run theoretical attacks.
The ATI Threat Intelligence project is a source of high-quality, actionable intelligence both internally and externally. Its network of honeypots and sandboxes primarily feeds defensive-oriented products, but it is also being leveraged to provide another layer of value to ATI users.
Threat Simulator contains Assessments recreating the intricate steps of real malware (ransomware, mostly) as observed by the ATI TI team in their sandbox environments.
ATI TI informs individual Strike creation from a content perspective, and StrikeList creation in BreakingPoint. The searchable Strike keyword “ati_rapsheet” marks the attacks that were caught by ATI Threat Intelligence. This can then be used to build a highly effective test of real-world attacks that only ATI has.
Fig. 3: BreakingPoint Strike Manager Strike selection screen searching for the Strikes that include “ati_rapsheet”
ATI also ships a StrikeList called “in-the-wild” that includes attacks that have been verified either externally or internally (“ati_rapsheet”). This expands the radius of relevant attacks beyond the bounds of Keysight to include other sources without diminishing the overall quality of the selection.
Fig 4: BreakingPoint Strike Manager Strike selection screen showing the contents of the “In-the-wild" StrikeList
Time is at a premium, so focus first on what provides the highest value: in-the-wild attacks. This can be done quickly and easily by leveraging the verified attacks in BreakingPoint, whether tagged against the CISA list or Keysight’s own “ati_rapsheet” keyword, or by using Threat Simulator.
The ATI research team continually delivers valuable, timely content of this nature in every release. As these threats emerge, we will remain vigilant in researching each threat and re-creating how it operates so that our customers are better prepared to recognize it in the future.