It can be easy to forget as defenders that when attackers look at your perimeter, they don’t see the same thing you do. Armed with limited information and an incomplete picture, what attackers can see, can differ significantly from those on the inside. Faced with too many assets to monitor and too many vulnerabilities to patch, security teams can cut down their work considerably by better understanding which assets their adversaries are most likely to target first.
The Attacker’s Perspective – More than Visibility
Many security teams looking to gain an outside perspective mistake visibility for focus. The point of gaining an outside perspective is not to discover more assets (although you may), that simply creates more work, but rather to ensure teams are focusing on the right assets by identifying the assets that pose the greatest risk – to do this, you need to know a lot more than simply what can be discovered, you need to know most likely to be targeted. The question you need to answer is the same as an attacker – where should I strike first?
Like you, attackers have bosses, budgets, and timelines – so while it can be easy to think of every external asset as equally vulnerable, attackers are quite selective. Based on our decades of red team experience, we believe there are six key factors that determine if a target is likely to be attacked: enumerability, weakness, criticality, applicability, post-exploitation potential, and research potential. At Randori, we call these factors “Target Temptation”. Security teams that are able to understand these factors and convert their understanding of how these play into a target’s attractiveness into proactive action – will have the upper hand and significantly raise the cost of attack to their adversary.
Let’s look at these six factors and how they play into an attacker’s decision of where to strike first.
Enumerability: The Precision of Detection
Enumerability describes the level of detail an outside actor can determine about a particular piece of software. If an adversary can understand the exact version of the service and glean insights into its configuration, they can be more precise with the exploits they use and attacks they run. This maximizes their odds of success while reducing the risk a capability is caught and blown.
Depending on the service and its deployment, the level of detail made known to an external party can vary greatly. Critically, the information returned is often configurable, providing security teams with an easy way to increase the cost to an attacker simply by blurring their view of what’s truly exposed.
Weakness: Known Disclosures and Exploits
While weakness considers vulnerability weighting criteria, it also considers the interest or required next steps for the attacker. Weakness scoring should also consider the availability and cost of exploits in non-public circles (e.g., Canvas, Zerodium). These are often overlooked as adversaries employ private capabilities in attacks far more frequently than many realize.
Furthermore, it is important not to assume that when a known vulnerability has a high CVE or CVSS score, that doesn’t necessarily mean it’s of great interest to an adversary. This is a common misconception — broadening what factors are considered when evaluating a vulnerability is an easy way to improve the prioritization process.
Criticality: Importance of Function
An adversary doesn’t know the importance or use of any particular device with certainty from the outside. What may be of obvious value to an employee may be entirely disinteresting to an outside observer and vice versa. An adversary must assume that a device is used for its intended purpose and make judgments off this assumption. From this perspective, services that define a critical security boundary are of the highest interest. These would receive a high criticality rating.
For example, if a company’s perimeter has an exposed VPN, an adversary is likely to assume it’s protecting something of value and is not just a bridge to nowhere. Compromising it not only provides access to the other side of the firewall but may also result in an ability to collect or manipulate credentials that can be used to advance additional objectives. When prioritizing security resources, defenders should be extremely aware of which of their assets protect crown jewels and which ones contain lower-risk information.
Applicability: Level of Adoption
While this factor is outside a defender’s control, it is still important to the vast majority of adversaries looking to maximize their investments. Adversaries — even nation-states — have limited resources and must often prioritize their focus and development of capabilities on platforms likely to be useful across multiple engagements.
From this logic, adversaries are less likely to invest in vulnerability research for a service used by only a handful of organizations and of little interest to their mission. However, there might be other reasons to go after the esoteric program on a target perimeter, such as criticality. It is not unheard of for an attacker to exploit home-grown applications, but at least in this category, these would be scored lower since the investment is likely a one-time sunk cost.
Post-Exploitation Potential: Usefulness After Compromise
Post-exploitation potential describes the usefulness of the device to an adversary after compromise. In short, is it a welcoming and hospitable environment in which to persist?
The ideal scenario for an adversary is to exploit and gain execution in a well-known environment where few defenses exist. VPNs often represent such an environment. Many vendors’ VPNs are proprietary software built upon common operating systems (e.g., Linux) and usually holds a familiar execution environment with standard tools pre-installed.
Because these are typically closed source appliances, they are often either out of scope or legally restricted. In some cases, they can even be overlooked for security controls such as EDR or application control that would have been mandated on any similar Linux device. Together, this combination gives appliances such as VPNs a high post-exploitation potential and contributes to their attractiveness as targets. Other examples of systems that frequently catch security professionals by surprise are phone, VoIP, and print servers. Any of these may be a resource worth developing a private capability to exploit if it will provide long-term, persistent access.
Research Potential: Ease of Development
Research potential assesses the ease by which an adversary could develop capabilities for a particular service or platform. Time is expensive, and barriers to entry can limit adversaries’ ability and incentive to develop capabilities against specific targets. While security through obscurity is a bad idea in most cases, it can be a significant deterrent for low-skill or low-resourced adversaries when it comes to vulnerability research.
For example, while an expensive and esoteric platform may be of high interest to an adversary due to the value of data stored and the level of access required, it calls for special skills and resources. It would therefore receive a low score on this specific metric. Meanwhile, a well documented and open-source tool that can easily be obtained and tested would have a high research potential for a broad range of adversaries.
The hard reality is that modern businesses are too dynamic to fully “secure” and that security teams need to focus their efforts on reducing their greatest risks first. Tasked with protecting hundreds of thousands of assets, to be an effective security professional needs more information to better assess where to apply their limited resources – they need the attacker’s perspective.
By using an attacker’s perspective, security teams can quickly cut down the noise and stress that comes with worrying about every asset and identify the ones most likely to be attacked, and perhaps most importantly – explain why to those that seek to understand.