At a security conference, ask someone in attendance what they do. More than likely they are a consultant, either doing penetration testing, vulnerability hunting or both. Penetration testing and vulnerability hunting are mainstays of security testing, many times required by laws, regulations, or contracts. They exist ubiquitously in information security.
But we don't have a good model for how they fit into improving defense. The prevailing knowledge is that disclosing vulnerabilities leads to their mitigation which leads to more security. However there is a counter-argument that disclosing vulnerabilities helps the attackers more than the defenders. Can we build a model that takes both views into account? Let's see.
So what do you 'do' here?
So what do penetration testers and vulnerability hunters actually 'do'? If we think of information security as a game, (a very high-stakes game), we could say that penetration testers and vulnerability hunters reveal paths on the game board that attackers can take to reach their objectives. That begs the question:
How does this benefit the defenders?
Let's take four scenarios:
- No-one knows about the path: In this case no-one benefits, no-one loses, because no-one knows. No change.
- Only the defender knows about the path: In this case, the defender either benefits none or actually loses as they expend resources to mitigate the path. Defender Cost.
- Both defender and attacker know about the path: In this case, the attacker either benefits some or none depending on whether they successfully exploit the path. The defender probably loses some (mitigates the path) or loses a lot (is exploited) though there is the off chance they lose none due to the attacker's failed exploitation. Attacker potential Profit. Defender potential for more Cost.
- Only the attacker knows about the path: Here the attacker's chance to benefit goes up significantly as the defender is unaware of the path. The defender, on the other hand, doesn't even have the chance to mitigate the path and can only lose. And after exploit, they return to step 3 and still lose as they mitigate the path. Attacker most Profit. Defender most Cost.
Based on the model above, penetration testers and vulnerability hunters can be most helpful by using their knowledge of paths to detect when attackers know them and to disclose them to defenders in situations when the attackers already know of the path. This helps move from Scenario 4 to Scenario 3. It's not ideal, but it's better than the status quo.
If only it were so simple
This model is admittedly naive. It's a starting point, not an end-all-be-all. Some things to consider:
- There is a time lag from knowledge of a path to its weaponization or mitigation. The model should take that into account.
- Attackers and defenders are not homogenous. This model doesn't consider what some attackers/defenders know and what others do not. Nor does it model the spread of that knowledge through the population.
- This model relies on defender's knowledge of attacker's knowledge. Something that will always be imperfect.
- Paths are made up of individual pieces. This model doesn't account for the rearranging of pieces of the path, combined with other information in the attacker/defender's knowledge, to form new paths.
This model is not perfect, but hopefully it's a start in how to consider the role of penetration testing/vulnerability hunting in information security.