Vulnerability Advisory: User clicks on something that they shouldn't have (CVE-0)

Description: There exists a vulnerability in all versions of user. An attacker can execute arbitrary code on a system by sending a specifically crafted message to a vulnerable user.

Exploit: There are numerous exploits in the wild.

Remediation: Patches do not currently exist. For workarounds, see below.

Impact:

CVSS Base Score: 10

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:W/RC:C)

How the Exploit Works

An attacker crafts a message and delivers the attack to the victim via a service such as email or Instant Message. A vulnerable user will click on the link (directing the system to another attack) or the message contains the malicious payload which is executed when the user activates it.

This gives the defender 4 leverage-points:

A – The incoming message

Depending on the service that is used to deliver the message, the defender may be able to employ spam-filtering or anti-virus if they payload is included with the message.

B – On the system

Anti-virus on the system, process white-listing, and limited privileges could all help protect a vulnerable user from themselves.

C – The user

An alert and educated user (see below) may resist attacks that evade other protection mechanisms.

D – Outgoing requests

Web proxy filtering and anti-virus may succeed where all other methods have failed.

The Bad News

This is a typical defense-in-depth strategy. Although it's the current best-practice, I see it fail constantly. However, this is no reason to abandon the strategy. Because things would be much worse without it.

Vulnerability Management of Users

When there is an announced system vulnerability, it is common practice to deploy patches and workarounds to reduce the number of vulnerable systems in your environment. One should strive to similarly reduce the population of vulnerable users on your network.

Everyone is Vulnerable – The User Vulnerability Model

Remember that everyone is vulnerable, even you, dear reader. There will come a time when you haven't had your morning wake-up juice, or you are distracted, or one of your friends/family/clients gets compromised and they send you a message, or you become specifically targeted, then you will likely click on something that you shouldn't have. Users are either vulnerable to CVE-0 or resistant to CVE-0, but no user is 100% CVE-0 proof all of the time. Users may shift state from vulnerable to resistant and back over time. The ratio of vulnerable to resistant users is one (albeit difficult to measure) indicator of your environment's welfare.

As mentioned earlier, a user may change state from resistant to vulnerable if they are distracted, and alertness can change a user from a vulnerable state into a resistant state. New attack methods or schemes can shift a large population of users from resistant back to vulnerable. While timely communication out to the users can counter this shift, returning them to a resistant state.

New-hire/new-user training is key. As your user population increases, you want them to start off resistant. This also means that your training must be flexible and updated to keep pace with new attacks. Training is not perfect, and it there is no guarantee that the user will be receptive to it.

Realizing that users will make errors, that training will not be perfect, and new techniques will emerge to further drive down the number of users resistant to CVE-0 can make make one feel that defeat is inevitable. If you can train the majority of your users to be "link-suspicious" they will be remarkably resilient. This, coupled with the other layers in your defenses, should keep the number of CVE-0 events that you have to respond to down to manageable levels. Manageable levels is what you want, chasing for zero will cause other issues as we'll see below.

A System Model of the Attack

To gain more insight into the problem, I propose the following model of the typical attack:

Criminals that are motivated financially to exploit CVE-0 style attacks are going to spend enough effort to achieve a certain level of vulnerable users to meet their profit goals.

Defenders attempt to drive the level of vulnerable users down as low as possible.

Users need to use systems and consume information resources.

These forces combine to form a dynamic, non-linear system, that can express some surprising behaviors and respond unexpectedly to your attempts to control it.

Your security efforts may have unexpected results for the following reasons:

Non-linearity -- There isn't a linear relationship between the defenders' efforts and its impact on the level of vulnerable users. Doubling your rule set will not block twice as many attacks, and sometimes increasing effort only leads to even fewer results.

-- There isn't a linear relationship between the defenders' efforts and its impact on the level of vulnerable users. Doubling your rule set will not block twice as many attacks, and sometimes increasing effort only leads to even fewer results. Externalities -- There is more going on outside of this model that can have an impact on the level of vulnerable users.

-- There is more going on outside of this model that can have an impact on the level of vulnerable users. Linked requirements-- a security manager may have a number of levers to pull to define their strategy, but due to interrelated systems, and limited resources, cranking up one lever may have little to no effect, because that effort may starve another effort or a different lever is set to low.

Delays -- it takes a while for policy changes to be communicated out to the staff, or for increased law-enforcement to reduce the number of cyber-criminals. It may take more time than expected to detect the results of a change in strategy.

-- it takes a while for policy changes to be communicated out to the staff, or for increased law-enforcement to reduce the number of cyber-criminals. It may take more time than expected to detect the results of a change in strategy. Bounded Rationality-- every actor in the system is going to act in his or her own best interest based upon how they perceive the world. With incomplete and imperfect information they are going to make decisions that may not be in the best interest of the whole.

This particular system of criminals, defenders, and users can express a number of vexing scenarios for the users and the defenders.

In our model there is a clear conflict between the goals of the criminals and the defense. The harder that the defenders try to push down the vulnerability rate, the more effort and resources the criminals will leverage against them. New tools will be circumvented, take-down efforts will be countered with bullet-proof hosting, and fast-flux networks. The result is a never-ending arms-race. The fix is to not push so hard. Instead, you must "push smarter."

Don't let CVE-0 events get to the point where they become "business as usual." It may be disheartening to realize that as more users come on-line, they'll breathe new life into old scams, or feel frustrated when delays allow criminals to operate with seeming impunity. New ground gained by the criminals should not redefine the "new normal." This will result in a race to the bottom where these events are tolerated or ignored. CVE-0 events should not become proceduralized and outsourced to your managed security service provider. Each incident is an opportunity to improve the defender's strategy and position.

Users are caught in the middle between the defenders as they apply new rules, tools and policies to counter the criminals' change in message and tactics. Depending on how the defender reacts the users can end up as one of the following: allies, wards, or enemies.

If the defender deploys too many rules, or too restrictive policies, the users (in their bounded rationality) will organize "solutions" that circumvent these controls so that they can get their jobs done. In the worst cases, this can turn the users hostile to the defenders. When these "solutions" and workarounds are discovered, you have to resist the urge to clamp down harder, because this is a clear sign that your policy lever is already pushed too far, and now is not the time to push on it harder. It's time to rethink and redesign your strategy and try to leverage the creativity of the users to your benefit.

Another common result of this conflict between defenders and criminals is that the defenders assume more and more control from the users so that they eventually they become wards of the defenders. This works for a while as the team deploys new tools and processes. Unfortunately these efforts only serve to mask the root cause of the problem (vulnerable users in this case.) As time goes on, the defenders' resources will dwindle and when the layers of the defenses are circumvented, the users won't have any experience in dealing with the threat on their own and will likely fail. They essentially become addicted to the security tools and no longer make security decisions on their own.

Finally, a note on metrics. Another trouble point for the defense's efforts is how they are measured. If the security of the firm is measured by the size of security budgets, then security budgets will grow. If it's measured by the number of detections, then rule-sets will expand. The goals have to measure the real welfare of the system. Otherwise the system will head off in unwanted and unexpected directions.

Integrating Incident Response with Vulnerability Management

CVE-0 caused incidents should be handled like any other system compromise. While you can't reimage a user and move on, you can educate and inoculate them. The user's team and peers should also be educated at that time. The lessons learned from the incident should be captured and any new-hire or ongoing training should integrate those results. When delivering education remember that everyone is sometimes vulnerable to CVE-0.

Acknowledgement

I'd like recognize the large influence that Donella H. Meadows' "Thinking in Systems," had on this analysis. I strongly recommend it as a source of new ways to look at the problems you currently face everyday.