How The Ancient Greeks Got Vulnerability Management Right
At the Battle of Thermopylae, a group of 300 Spartans faced off against an invading army of 300,000 Persian warriors. Discover how vulnerability management lessons taught over 1500 years ago can still apply today.
The thousand nations of the Persian Empire descend on you. Our arrows will blot out the sun.
If you have ever been responsible for vulnerability management in a large organisation, this image probably hits quite close to home. With dozens of scan results, bug bounties, penetration testing reports, and published exploits to deal with, the sheer volume of findings can sometimes appear insurmountable.
Then we will fight in the shade.
The Spartans were not concerned. While outnumbered, they knew that their training, equipment, and use of terrain were far superior to their enemy’s. The same applies to vulnerability management: with the right strategies and tools in place it is possible to take on any number of potential issues.
Just as the Spartans used a small mountain pass to funnel their enemies towards them a few at a time, the first step to dealing with thousands of vulnerabilities should be implementing a vulnerability management system that can use effective strategies to focus them down into a more manageable number.
It goes without saying that critical-impact issues should be prioritised over high-impact, and medium-impact over low… but how do we actually make sure that the ratings are accurate to begin with?
Unfortunately there is no magic bullet for this, especially when you are dealing with multiple business units, assets, or vulnerability types. As a result, businesses often elect to develop their own methodologies. Some of the factors I have seen businesses consider include:
- Exposure to risky control sphere (Internet, Intranet, VLAN, HSE, Local)
- Sophistication required to exploit (Nation state, org. crime, hacktivist, script kiddie)
- Impact of exploitation to organisation (P1, P2, P3)
- Value of target to attacker (Key objective, pivot point, no apparent benefit)
- Whether the exploit is regularly used by the bad actors relevant to you
Whether you choose a standard like CVSS, develop an in-house approach, or outsource to one of the available vulnerability prioritisation services, it is important to understand, and be confident, that your rating methodology accurately captures the risk to your business, and that you can apply it efficiently to vulnerabilities en masse.
At Cytix, we don’t like to tell you how you should rate your vulnerabilities, we like to adopt the solution that you’re most confident in, and the one that works for you.
Whenever you’re looking to address a large number of vulnerabilities at once, your defence-in-depth and compensating controls are a good place to start.
We generally begin by asking “What controls are available and what vulnerabilities can they be applied to?”
Most of the controls that come to mind are likely to be technical ones, things like:
- Firewalls - Generally used to restrict access to vulnerable services
- WAFs - Which can make exploiting web vulnerabilities much harder
- EDR - To contain and eradicate a breach before it causes a high impact
Non-technical controls also have their place here. These often involve leveraging an opportunity to transfer the responsibility for dealing with a vulnerability to someone with more bandwidth. For example:
- Contractual obligations from a vendor
- Insuring against the loss associated with certain risks
- Training and education to recognise and limit the impact of a breach
By creating a register of available controls, we can begin to address vulnerabilities in a few ways…
Firstly, we can ensure that the controls conform to best practice (e.g. only allowing necessary ports through the firewall). This can be much faster than going through each vulnerability one by one.
Secondly, we can separate vulnerabilities into groups. We can then go from group to group and see whether any of the controls in the register can be used to mitigate them. As far as short-term solutions go, half of the OWASP Top 10 vulnerabilities can be managed through a WAF, for example.
Finally, we can refer back to the mitigating controls on a more granular per-vulnerability level. When exploring remediation, consider whether a compensating control might actually be the pragmatic short-term solution.
Tip: One option that often gets forgotten is simply turning something off. Asking the asset owner whether they really need that piece of software, or the CTO whether that feature is essential to the release, can avoid pumping the brakes on a major release because of one small element.
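As an added illustration of the register approach described above (this is example code, not Cytix’s own tooling), the following Python groups findings by vulnerability class and checks each group against a register of controls, taking into account the control sphere the finding is exposed to. The control names, vulnerability classes, exposure labels and findings are all constructed for the example.

```python
"""Match grouped findings against a register of compensating controls.

Added example, not Cytix code. The controls, vulnerability classes, exposure
labels and findings below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # "technical" or "non-technical"
    mitigates: frozenset  # vulnerability classes the control can cover
    exposures: frozenset  # control spheres in which it actually applies


@dataclass(frozen=True)
class Finding:
    ident: str
    vuln_class: str
    exposure: str         # "internet", "intranet", "vlan" or "local"
    severity: str


# Constructed register: a real one is built from the organisation's own controls.
REGISTER = [
    Control("edge-firewall", "technical",
            frozenset({"exposed-service"}), frozenset({"internet"})),
    Control("waf", "technical",
            frozenset({"sqli", "xss", "ssrf"}), frozenset({"internet", "intranet"})),
    Control("edr", "technical",
            frozenset({"local-priv-esc", "malware"}), frozenset({"local", "intranet", "internet"})),
    Control("vendor-sla", "non-technical",
            frozenset({"third-party-component"}), frozenset({"internet", "intranet", "local"})),
]

# Constructed findings in the shape a scanner or pentest report would yield.
SAMPLE = [
    Finding("F-1", "sqli", "internet", "high"),
    Finding("F-2", "local-priv-esc", "local", "medium"),
    Finding("F-3", "sqli", "local", "high"),        # a WAF does not sit in front of local access
    Finding("F-4", "third-party-component", "intranet", "critical"),
    Finding("F-5", "weak-auth", "internet", "critical"),  # nothing in the register covers this
]


def group_by_class(findings):
    """Group findings by vulnerability class so the register is checked per group, not per finding."""
    groups = {}
    for f in findings:
        groups.setdefault(f.vuln_class, []).append(f)
    return groups


def applicable_controls(finding, register=REGISTER):
    """Controls that cover this class *and* apply in the sphere the finding is exposed to."""
    return [c.name for c in register
            if finding.vuln_class in c.mitigates and finding.exposure in c.exposures]


def triage(findings, register=REGISTER):
    """Return (mitigable, residual).

    mitigable maps finding id -> controls that can hold it in the short term;
    residual lists findings that need real remediation because no control applies.
    """
    mitigable, residual = {}, []
    for group in group_by_class(findings).values():
        for f in group:
            controls = applicable_controls(f, register)
            if controls:
                mitigable[f.ident] = controls
            else:
                residual.append(f.ident)
    return mitigable, residual


if __name__ == "__main__":
    covered, leftover = triage(SAMPLE)
    for ident, controls in covered.items():
        print(f"{ident}: compensated by {', '.join(controls)}")
    print("needs remediation:", leftover)
```

The exposure check is the part worth copying: a control only counts if it actually sits between the attacker and the asset, which is why the locally exposed SQL injection above is not handed to the WAF even though the class matches.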
Validate Out the Noise
It often seems that the further left you shift your security testing, the more false positives you end up with. SAST, for example, is over 100x more likely to inaccurately report an issue than a manual tester.
Having said that, noise isn’t just about false positives. It’s also about issues that lack context and actionable information, or include far too much jargon and boilerplate information. That means shifting right, with lazy bug bounty reports and duplicate scan results, creates plenty of noise too.
Validating vulnerabilities to reduce the noise does come at a cost though. It requires specialist skills and time, which is why you might be better off exploring things like our validation-as-a-service offering rather than trying to address that problem yourself.
It goes without saying that validating issues should only be done where the cost of validation is less than the cost of fixing the issue, but when used correctly it can be a valuable tool to save yourself from wasting a lot of time trying to fix something that wasn’t a real risk to begin with.
Map The Attack Paths
Above all else, what made the Spartans so effective in the battle was their ability to figure out the routes the offending army might take, so they could select the best place to focus their strengths in defending.
Attack path mapping does exactly this. Instead of looking at vulnerabilities in isolation, it looks at how a bad actor might chain together vulnerabilities to achieve their objectives.
The way I look at it, there are three key benefits to doing effective attack path mapping.
The first is probably the most obvious: we can identify “bottleneck” vulnerabilities whose remediation makes several other vulnerabilities impractical to exploit. If there are several local privilege escalation issues but only one authentication weakness, it would normally make sense to address the authentication weakness first.
The second is that we can often identify “low cost” wins. Where a vulnerability that is very expensive to fix, and might take months, sits in the same chain as one with a cheap and quick fix, it is easy to see which should be bumped up the queue.
Finally, it allows us to detect themes across the organisation. Where a framework like MITRE ATT&CK is used, the volume of issues at a particular stage in an attack path can be a clear indicator of where a business needs to focus on maturing.
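To make the bottleneck and low-cost-win ideas concrete, here is an added Python example (not Cytix’s code) that models chained vulnerabilities as a small directed graph, enumerates the paths from an entry point to the attacker’s objective, counts how many paths each vulnerability sits on, and finds the lowest-effort set of fixes that breaks every path. The graph, vulnerability identifiers and effort figures are constructed for illustration.

```python
"""Find bottleneck and low-cost fixes in a map of chained vulnerabilities.

Added example, not Cytix code. The graph, vulnerability ids and effort figures
are constructed; a real map would come from the organisation's own findings.
"""
from itertools import combinations

# Constructed map. An edge A -> B means "having exploited A, the attacker can attempt B".
GRAPH = {
    "internet": ["AUTH-1", "VPN-1"],
    "AUTH-1": ["LPE-1", "LPE-2", "LPE-3"],   # one auth weakness opens three escalation routes
    "VPN-1": ["LPE-2"],                      # a second entry that bypasses AUTH-1
    "LPE-1": ["DA"], "LPE-2": ["DA"], "LPE-3": ["DA"],
    "DA": [],                                # the attacker's objective
}
# Constructed remediation effort in person-days.
EFFORT = {"AUTH-1": 2, "VPN-1": 20, "LPE-1": 30, "LPE-2": 5, "LPE-3": 12}


def enumerate_paths(graph, start, goal):
    """All simple paths from entry point to objective (depth-first; fine for report-sized maps)."""
    paths = []

    def walk(node, trail):
        if node == goal:
            paths.append(trail)
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:
                walk(nxt, trail + [nxt])

    walk(start, [start])
    return paths


def path_coverage(paths, start, goal):
    """How many paths each vulnerability sits on; high counts are the bottleneck candidates."""
    counts = {}
    for p in paths:
        for v in p:
            if v not in (start, goal):
                counts[v] = counts.get(v, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def bottlenecks(paths, start, goal):
    """Vulnerabilities present on every path: fixing one breaks every chain at once."""
    if not paths:
        return []
    common = set.intersection(*(set(p) for p in paths))
    return sorted(common - {start, goal})


def cheapest_cut(paths, effort, start, goal):
    """Lowest-effort set of fixes that breaks every path (brute force over subsets)."""
    vulns = sorted({v for p in paths for v in p} - {start, goal})
    best = None
    for size in range(1, len(vulns) + 1):
        for combo in combinations(vulns, size):
            if all(any(v in combo for v in p) for p in paths):
                cost = sum(effort[v] for v in combo)
                if best is None or cost < best[1]:
                    best = (list(combo), cost)
    return best


if __name__ == "__main__":
    paths = enumerate_paths(GRAPH, "internet", "DA")
    print("paths:", len(paths))
    print("coverage:", path_coverage(paths, "internet", "DA"))
    print("on every path:", bottlenecks(paths, "internet", "DA"))
    print("cheapest cut:", cheapest_cut(paths, EFFORT, "internet", "DA"))
```

In the constructed map AUTH-1 is on three of the four paths, so it is the bottleneck candidate, but the VPN entry means no single fix breaks everything; the cheapest cut is AUTH-1 plus the quick LPE-2 fix (7 days) rather than AUTH-1 plus the slow VPN fix (22 days), which is exactly the low-cost win the text describes.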
We’ve now got a list of vulnerabilities with accurate severity scores, none of which can be easily mitigated by compensating controls. They’re all fully validated, contextualised, and you know which are the most useful to an attacker… But there’s still a lot to do.
Now is the time to look at operational capability: whether the team actually has the capacity to treat the issues.
We start by asking “What can’t I fix”… because there’s little point dwelling on things that are out of your control. Don’t forget about them, because they will need some TLC at some point, but don’t waste energy fighting a battle you know you can’t win at the moment.
For what remains, we should apply quantified metrics to the costs of who, what, when, where, why, and how.
Return On Investment
With an understanding of which vulnerabilities are a priority, how they will be fixed, and what it will cost, scoring the expected return on investment is the penultimate step in the process.
It’s difficult to prescribe an exact method of arriving at this figure, because it depends so much on how we quantify the metrics in the previous steps… but we can always help support you in developing a method.
Once you’ve arrived at a metric and sorted the vulnerabilities by it, it’s time to apply the Pareto principle: if 20% of your effort is going to produce 80% of the results, take the highest-ROI issues and divide them into those that will take a fifth of the effort, and what remains.
Work through that first fifth first, and then apply the same principle over the remaining.
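As an added example (not Cytix’s own method), the Python below ties the rating factors listed earlier (exposure, attacker sophistication, impact, target value, whether the exploit is used in the wild) to an ROI figure and then performs the Pareto split from the last two paragraphs: rank by ROI, fill a budget of one fifth of the total effort, and hand the remainder back in ROI order so the same split can be applied again. The weights, effort figures and findings are constructed; the page deliberately does not prescribe a formula, so treat this as one possible quantification.

```python
"""Rate findings, score return on investment and apply the 80/20 split.

Added example, not Cytix code. The factor weights, effort figures and findings
are constructed; the factors mirror the kinds listed earlier (exposure, attacker
sophistication, impact, target value, exploited in the wild).
"""

# Constructed ordinal weights. Less sophistication required = more likely to be exploited.
EXPOSURE = {"internet": 5, "intranet": 3, "vlan": 2, "local": 1}
SKILL_NEEDED = {"script-kiddie": 4, "hacktivist": 3, "org-crime": 2, "nation-state": 1}
IMPACT = {"P1": 5, "P2": 3, "P3": 1}
TARGET_VALUE = {"key-objective": 3, "pivot-point": 2, "no-benefit": 1}


def risk_score(v):
    """Multiplicative rating; doubled when relevant actors are actually using the exploit."""
    score = (EXPOSURE[v["exposure"]] * SKILL_NEEDED[v["skill"]]
             * IMPACT[v["impact"]] * TARGET_VALUE[v["target"]])
    return score * 2 if v["exploited_in_wild"] else score


def roi(v):
    """Risk removed per person-day of remediation effort."""
    return risk_score(v) / v["effort_days"]


def pareto_split(vulns, fraction=0.2):
    """Rank by ROI, then cut the queue where cumulative effort would exceed `fraction` of the total.

    Returns (first_fifth, remainder); the remainder keeps its ROI order so the same
    split can be applied to it again.
    """
    ranked = sorted(vulns, key=roi, reverse=True)
    budget = fraction * sum(v["effort_days"] for v in vulns)
    first, spent = [], 0
    for i, v in enumerate(ranked):
        if spent + v["effort_days"] > budget:
            return [x["id"] for x in first], [x["id"] for x in ranked[i:]]
        first.append(v)
        spent += v["effort_days"]
    return [x["id"] for x in first], []


# Constructed findings: already validated and not covered by a compensating control.
SAMPLE = [
    {"id": "V1", "exposure": "internet", "skill": "script-kiddie", "impact": "P1",
     "target": "key-objective", "exploited_in_wild": True, "effort_days": 3},
    {"id": "V2", "exposure": "intranet", "skill": "org-crime", "impact": "P2",
     "target": "pivot-point", "exploited_in_wild": False, "effort_days": 10},
    {"id": "V3", "exposure": "local", "skill": "nation-state", "impact": "P3",
     "target": "no-benefit", "exploited_in_wild": False, "effort_days": 1},
    {"id": "V4", "exposure": "internet", "skill": "hacktivist", "impact": "P1",
     "target": "pivot-point", "exploited_in_wild": False, "effort_days": 20},
    {"id": "V5", "exposure": "vlan", "skill": "script-kiddie", "impact": "P2",
     "target": "key-objective", "exploited_in_wild": True, "effort_days": 2},
    {"id": "V6", "exposure": "internet", "skill": "org-crime", "impact": "P1",
     "target": "key-objective", "exploited_in_wild": True, "effort_days": 40},
]

if __name__ == "__main__":
    for v in sorted(SAMPLE, key=roi, reverse=True):
        print(f'{v["id"]}: risk={risk_score(v):4d} effort={v["effort_days"]:2d}d roi={roi(v):6.1f}')
    first, rest = pareto_split(SAMPLE)
    print("first fifth:", first, "remainder:", rest)
```

Note that V6 carries the second-highest raw risk in the sample but lands in the remainder because its 40-day fix drags its ROI down; that is the point of scoring return rather than severity alone, and a real programme would revisit such items once the cheap wins are out of the way.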
The Battle of Thermopylae is often seen as a story of glorious defeat, but in reality it was a victory. The Spartans managed to hold out for three days, long enough for the Athenians to prepare for the battle and ultimately win the war.
In the same way, vulnerability management can be seen as a daunting task, but with the right strategies and tools in place it is possible to take on any number of potential issues. By rating methodologies, leveraging compensating controls, validating out the noise, mapping attack paths, and understanding return on investment, organisations can gain a clear understanding of the risks posed by their vulnerabilities, and the most effective way to manage them.
That’s where we come in. Our business is built around being able to support any or all of the steps along the way, so that, just as the Spartans used their superior tactics and equipment to defeat an army 300,000 strong, you can use your superior vulnerability management techniques to stay secure.
Question 1: What is vulnerability management, and why is it important?
Vulnerability management is the process of identifying, assessing, prioritizing, and mitigating security vulnerabilities in an organization's systems or infrastructure. It is important because it helps prevent cyber attacks and data breaches.
Question 2: What did the ancient Greeks do to manage vulnerability?
The ancient Greeks implemented a concept known as 'steganography', which involved hiding messages in plain sight using codes and symbols. They also used physical barriers, such as walls and gates to protect their cities from invaders.
Question 3: How can modern organizations learn from the ancient Greeks' vulnerability management practices?
Modern organizations can learn from the ancient Greeks by implementing concepts similar to steganography, such as encryption and data masking techniques, to protect sensitive information. They can also use physical barriers and access control to secure their infrastructure.
Question 4: What are some best practices for effective vulnerability management?
These include conducting regular vulnerability assessments, prioritizing high-risk vulnerabilities, implementing security patches and updates promptly, and monitoring systems for suspicious activity. It is also essential to establish clear security policies and train employees on cybersecurity awareness.