How Are Computers Compromised (2020 Edition)

Understanding the way intrusions really happen is a long-standing interest of mine. This is quite a different set of questions compared to “how long does it take to detect,” or “how many records are stolen?” How the intrusion happens is about questions like: Is it phishing emails that steal creds? Email attachments with exploits? SQL injection? Is it APTs or scripts? Which intrusions lead to major breaches? Without knowing these things, it’s hard to evaluate the ways in which we engineer defenses. Taking answers from the headlines is sane if the breaches that result in headlines are distinguishable at the start in some way.

And that’s what makes US CERT’s new alert AA20-133A, “Top 10 Routinely Exploited Vulnerabilities” interesting. The US Government has some interesting advantages: a large collection of attractive targets, a mandate that all CFO agencies have a security process, published investments in security, a large and skilled incident response force. And so when they tell us that these vulnerabilities are ‘routinely exploited,’ that is both fascinating and prompts me to ask additional questions.

  • What fraction of incidents have a discovered initial access method?
  • What fraction of those initial access methods are “use of vuln” (as opposed to credential theft, USB in the parking lot, evil maid attacks, attacks on servers in the cloud.
  • What fraction of incidents are covered by the top 10?
  • What’s the relationship between #1 and #10?
  • Who’s excluded from the set “state, nonstate, and unattributed cyber actors”?
  • Has there been a “5 whys” or other analysis of why those patches were missing? (I’m not saying “root cause” because we all know there’s never one root cause.)
  • What was the investment of controls in the organizations attacked? Was patch management a priority?

For some of these, releasing specific answers are going to be tricky because of details of a specific incident, where there’s concern that even saying ‘attacker jumped an airgap’ exposes information. For others, such as the first, there’s a risk that journalists are going to say ‘really, we only know how 15% of incidents start?’ (I would be surprised if it’s that high.)

Nevertheless, having details like these are going to help us move forward. What’s more, we don’t really need incident by incident details – much like the advisory is generalized, we can also hear what program issues are correlated with intrusion. For example, I believe that patch management is way harder than you’d believe if you read infosec twitter, but so what? What would be interesting is “80% of the entities breached were rated as ‘needs improvement’ in patching, while only 54% of entities were rated at ‘needs improvement.’ That’s not only interesting, but if we have a collection of such statements, then we can prioritize advice by correlation with not being breached. That would be exciting and actionable.

There is a tremendous amount that governments can do with data that they gather about themselves, and I look forward to the day we expect them to do it.

Related: My 2013 SIRA talk, “Building a Science of Security“, “Zeroing in on Malware Propagation Methods .”

2 Comments on "How Are Computers Compromised (2020 Edition)"


  1. Adam–I think the point you are trying to make about vulnerabilities that are ‘most often attacked’ as the CISA alert details, misses the mark by speaking to only intrusion-based vulns. This is always done ‘after the fact’ in the post-mortem of the intrusion. To get to the point you are trying to make you need to use ‘pre-intrusion’ vulnerability data. Vulnerability Disclosure Programs (VDPs) provide that data by using the cybersecurity research community to report vulnerabilities and weaknesses in internet-accessible information systems. The proofs-of-concept provided in VDP reports provide pre-attack vulnerability data. One of the key shifts in your thinking for this to work is to broaden your definition of ‘vulnerability’. You’re blog implies that you think (and CISA does this as well) vulnerabilities need to be a software error or code issue. NIST SP800-30 broadens that definition to also include misconfigurations and environmental variables. In other words, vulnerabilities should be defined from a systemic perspective, which can include sofware based (CVE) vulns, but system weaknesses (CWEs +) that can be exploited. If you and your readers are interested, check out the DoD VDP website and check out the Bug Bytes monthly rollup. These docs provide most commonly see vulnerabilities encountered in the program each month. Also see the 2019 Annual Report that provides a cumulative rollup for 2019.

    Reply

    1. Thanks Chuck!

      First, I fully agree that we would like to know about more than just vulns. The “Zeroing in” link in the post is the work I did to get the autorun fix into Windows update, changing the behavior of XP and Vista. As I said in https://msrc-blog.microsoft.com/2011/02/08/deeper-insight-into-the-security-advisory-967940-update/

      I also think we agree there’s a strong argument against driving by looking in the rear-view mirror, and that vuln disclosure programs, such as the one you link to, are positive steps.

      At the same time, I don’t agree that exposure data is the best answer. We have pretty good evidence that some issues are more exploited than others. We can use data on actual incidents to change things.

      Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.