Exploitability
Exploitability refers to the degree to which an attacker can successfully use a vulnerability to achieve their malicious goals. It measures how easy or difficult it is to turn a vulnerability into a working exploit.
Here's a breakdown of the key factors that influence exploitability:
Ease of Discovery: How easily can an attacker find the vulnerability? Some vulnerabilities are apparent, while others are deeply hidden and require specialized knowledge or tools.
Ease of Exploitation: How easy is it for an attacker to craft an exploit once a vulnerability is found? Some vulnerabilities can be exploited with simple, readily available techniques, while others require complex and sophisticated code.
Attack Vector: How can the vulnerability be reached and exploited? Some vulnerabilities can only be exploited by someone with local access to a system, while others can be exploited remotely over a network. Remote exploitability generally increases the risk.
Required Privileges: What level of access or privileges does an attacker need to exploit the vulnerability? Exploiting a vulnerability that requires administrator privileges is generally harder than exploiting one that can be done with a regular user account.
Availability of Exploit Code: Does working exploit code already exist? If a proof-of-concept (PoC) exploit or a fully functional exploit is publicly available, the exploitability is much higher because attackers don't have to develop their own.
Mitigating Factors: Are there any existing security measures that make the vulnerability harder to exploit? For example, a strong firewall might make a remotely exploitable vulnerability less practical.
Exploitability is a crucial factor in assessing the overall risk posed by a vulnerability. A highly severe vulnerability with low exploitability is less urgent than a moderately severe vulnerability with high exploitability.
ThreatNG's capabilities provide a strong framework for assessing and managing exploitability across an organization's external attack surface. Here's how:
ThreatNG's external discovery is the foundation for assessing exploitability. By identifying all externally accessible assets, ThreatNG defines the scope of potential vulnerabilities. This is crucial because exploitability must be evaluated in terms of how an attacker can reach a vulnerability. For example, a highly exploitable vulnerability on an internal system is less critical than a moderately exploitable vulnerability on a public-facing web server.
ThreatNG's external assessment capabilities directly address factors that influence exploitability:
Web Application Hijack Susceptibility: This assessment analyzes the attack vectors and ease of exploitation for web applications. For example, ThreatNG might identify:
Weak input validation increases exploitability because attackers can easily inject malicious code.
Lack of authentication makes the application highly exploitable for unauthorized access.
Cyber Risk Exposure: This assessment considers factors that directly impact how easily a vulnerability can be exploited:
Exposed ports and services add attack vectors and thus increase the exploitability of any vulnerability associated with those services.
Outdated server software increases exploitability because known exploits are more likely to exist.
Code Secret Exposure: Discovering exposed credentials or API keys dramatically increases exploitability. An attacker doesn't need to find a complex exploit if they can use leaked credentials.
3. Reporting
ThreatNG's reporting helps prioritize remediation based on exploitability:
Prioritized Reports: These reports should highlight vulnerabilities with high exploitability, even when their severity is moderate. For example, a cross-site scripting (XSS) vulnerability might be moderately severe, but ThreatNG should flag it as a high priority if there's a readily available exploit.
Technical Reports: These reports provide details that help security teams understand the exploitability. For example, they might show the exact input validation flaw in a web application or the outdated version of a server software.
Continuous monitoring is crucial because exploitability changes:
New exploits are developed: A vulnerability with low exploitability today might become highly exploitable tomorrow if a PoC exploit is released. ThreatNG's continuous monitoring helps track these changes.
Attack surface changes: A change in the organization's infrastructure (e.g., exposing a new service) can increase the exploitability of existing vulnerabilities. ThreatNG detects these changes.
ThreatNG's investigation modules provide tools to analyze exploitability:
Vulnerability Intelligence (DarCache Vulnerability): This is the most critical module for exploitability. It includes information on:
Known exploits: ThreatNG can directly link vulnerabilities to known exploits, significantly increasing the exploitability score.
Exploit Prediction Scoring System (EPSS): This data provides a probabilistic estimate of the likelihood that a vulnerability will be exploited in the near future, giving a dynamic measure of exploitability.
CVSS Score: While CVSS primarily focuses on severity, some metrics, such as "Attack Complexity" and "Attack Vector," contribute to the exploitability assessment.
Domain Intelligence: Analyzing domain-related information can reveal phishing or other attack vectors that increase the exploitability of web-based vulnerabilities.
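The signals listed above (CVSS exploitability metrics, EPSS, known exploits, external exposure) can be combined into a simple triage ranking. The following is an added example, not ThreatNG code or its scoring method: the metric weights and the 8.22 multiplier come from the CVSS v3.1 specification, while the likelihood() combination rule, its 0.5 discount and 0.9 floor, and the sample findings are illustrative assumptions.

```python
from dataclasses import dataclass

# CVSS v3.1 exploitability metric weights, as published in the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed

def cvss_exploitability(vector: str) -> float:
    """CVSS v3.x Exploitability sub-score (0.1 to 3.9) from a vector string."""
    prefix, _, rest = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    m = dict(part.split(":", 1) for part in rest.split("/"))
    try:
        score = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    except KeyError as exc:
        raise ValueError(f"missing or invalid metric {exc} in {vector!r}") from None
    return round(score, 1)

@dataclass
class Finding:
    name: str
    severity: float        # CVSS base score
    vector: str
    epss: float            # EPSS probability, 0..1
    known_exploit: bool    # public PoC or working exploit exists
    external: bool         # reachable from the internet

def likelihood(f: Finding) -> float:
    """Illustrative 0..1 estimate; the 0.5 discount and 0.9 floor are assumptions."""
    est = cvss_exploitability(f.vector) / 3.9
    if not f.external:
        est *= 0.5                      # harder to reach without external exposure
    est = max(est, f.epss)              # EPSS can only raise the estimate
    if f.known_exploit:
        est = max(est, 0.9)             # attacker needs no exploit development
    return round(est, 2)

def prioritize(findings):
    """Order findings by likelihood x severity, most urgent first."""
    return sorted(findings, key=lambda f: likelihood(f) * f.severity, reverse=True)

# Constructed sample findings (not real CVEs).
SAMPLE = [
    Finding("internal-rce", 8.1, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.01, False, False),
    Finding("public-xss", 6.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 0.40, True, True),
]
```

With these inputs the moderately severe, publicly reachable XSS with a known exploit ranks ahead of the more severe but hard-to-reach finding, which is the prioritization the page argues for.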
6. Synergies with Complementary Solutions
ThreatNG's external view enhances the exploitability assessment of other security tools:
Vulnerability Management Solutions: ThreatNG's external assessment complements vulnerability scanners. A scanner might find a vulnerability, but ThreatNG provides the external context:
Is it remotely exploitable?
Is there a known exploit?
Is it exposed through a web application?
Intrusion Detection/Prevention Systems (IDS/IPS): ThreatNG's exploitability assessment helps tune IDS/IPS. Highly exploitable vulnerabilities should be more closely monitored.
Security Information and Event Management (SIEM) Systems: ThreatNG data can enrich SIEM events. For example, a SIEM alert about a web application attack is more critical if ThreatNG indicates that the application has high exploitability and a known exploit exists.
Examples of ThreatNG Helping:
ThreatNG identifies two XSS vulnerabilities. One requires local access, and the other is remotely exploitable with a known PoC. ThreatNG correctly assesses the remote XSS as having higher exploitability and prioritizes it.
ThreatNG's continuous monitoring detects the release of a new exploit for a vulnerability in the organization's web server. ThreatNG immediately increases the exploitability score for that server.
Examples of ThreatNG and Complementary Solutions Working Together:
ThreatNG and a vulnerability scanner both find a SQL injection vulnerability. ThreatNG's assessment reveals that the vulnerable web application is publicly accessible and has weak authentication (high exploitability). This combined information triggers an urgent patch.
ThreatNG identifies a vulnerable service. The IDS/IPS is automatically configured to monitor for exploit attempts targeting that specific vulnerability based on ThreatNG's exploitability score.
ThreatNG provides a comprehensive approach to assessing exploitability by considering various factors, integrating vulnerability intelligence, and working in synergy with other security tools. This enables organizations to prioritize their security efforts effectively and mitigate the risks of exploitable vulnerabilities.