There’s a lot to be said about Indicators of Compromise (IoCs) these days. With the growing threat intelligence market, and a certain cachet attached to the technology, it seems like every security product on the market will help you identify, find and mitigate IoCs.
While the infosec pendulum is swinging firmly in the direction of detective controls, let’s take a minute to think about the waning emphasis on preventative controls by considering a different kind of indicator. After all, before the compromise, you’ve likely had some kind of vulnerability. So, what are the Indicators of Vulnerability?
While you may be familiar with the concept of a vulnerability, as in a specific flaw in software that an attacker might exploit, the concept of an IoV encompasses the myriad of configurations, software and behaviors that an organization may exhibit, which indicate it’s likely to have some kind of a compromise in the future.
To use a metaphor, they’re the erratic driving before an accident, or perhaps the genetic predisposition to a particular disease. Sometimes, you can just tell that an organization is headed for trouble, even if they haven’t quite found it yet.
Let’s put this in more concrete terms with a little help from the Twitterverse.
Every idea has a muse, and this tweet got me started on this concept. A server with browser add-ons installed is a clear IoV. In fact, any system with a bunch of sketchy browser add-ons demonstrates a certain lack of hygiene in the organization. It’s not that those individual bits of software lead to compromise (though they may), it’s more that they are the evidence of a user population that clicks on things with a particular reckless zealousness.
If that’s one example, let’s see if we can create a classification system for IoVs, along with some examples.
Authentication, Authorization, Auditing
Nearly all the systems we access on a daily basis have some kind of authentication involved, from the code to get into your iPhone to the secure token used for two-factor authentication to critical systems. There are a number of AAA situations that would constitute an indicator of vulnerability. For example, organizations that use any kind of shared login are openly declaring a lax attitude towards the whole subject.
Here’s an incomplete list of IoVs in the AAA class:
- Shared logins
- Using root or Administrator for tasks directly
- Granting desktop users local administrator rights
- Missing or limited user audit logging
Organizations that do a good job managing their systems overall tend to have better security practices. The inverse is also true; organizations that run a ‘wild west’ style IT environment have a higher probability of being metaphorically shot outside the saloon. The Ask toolbar tweet above is one example. There’s zero reason to have a toolbar add-on like that installed on a server (or a desktop, really). It’s an indication of administrative laziness that betrays a similar attitude towards security.
What else might fall into this category of IoV?
- Add-ons, plugins and other bloatware
- No inventory, complete or reasonably complete, of assets or software
- No process for decommissioning systems
- Reliance on anti-virus as a primary security tool
Network Access Control
Attackers get past the best defenses available today. It’s part of the perpetual arms race that information security experiences. We build sophisticated defenses and attackers work to get around them. Defense doesn’t stop at the first intrusion, however. Defense-in-depth, now even a bit passé, is really about ensuring that a successful attack isn’t always a successful compromise. The network is one of those layers of defense, and certain network configurations are definitely an indicator of vulnerability. When someone says they have a flat network, what they’re really saying is that they haven’t thought about how an attacker might traverse their environment once they’ve gained a foothold.
Some of the other IoVs for networks are:
- A ‘flat’ network
- No VPN solution for external connectivity
- Firewalls everywhere; over-reliance on one defensive tool
This isn’t an exhaustive list of classes or specific examples. You can probably come up with more. The question to ask is really what would happen if there were a standardized taxonomy for Indicators of Vulnerability, and if organizations actually monitored for them? Could a lonely InfoSec pro, trapped at a misguided organization, rally for change around such a standard?
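To make the monitoring question concrete, here is an added example (mine, not the post's) of what checking for IoVs could look like: a small Python checker that runs the post's AAA, systems-management and network indicators as rules over an asset inventory. The inventory, host names, account names and field names are constructed assumptions, not data from the post.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    role: str                                   # "server" or "desktop"
    segment: str                                # network segment; "flat" = unsegmented
    browser_addons: list = field(default_factory=list)
    local_admins: list = field(default_factory=list)        # accounts with local admin
    interactive_logins: list = field(default_factory=list)  # accounts seen logging in
    audit_logging: bool = True

# Constructed inventory: hypothetical hosts and accounts, not from the post.
INVENTORY = [
    Asset("web01", "server", "flat", browser_addons=["Ask Toolbar"],
          interactive_logins=["root"], audit_logging=False),
    Asset("pc-alice", "desktop", "flat", local_admins=["alice"],
          interactive_logins=["alice", "helpdesk"]),
    Asset("db01", "server", "db-tier", interactive_logins=["dba_svc"]),
]
SHARED_ACCOUNTS = {"helpdesk"}  # accounts known to be used by more than one person

# One rule per IoV from the post: (class, description, predicate over an asset).
RULES = [
    ("AAA", "shared login in use",
     lambda a: bool(SHARED_ACCOUNTS & set(a.interactive_logins))),
    ("AAA", "root/Administrator used directly",
     lambda a: bool({"root", "Administrator"} & set(a.interactive_logins))),
    ("AAA", "desktop user holds local admin rights",
     lambda a: a.role == "desktop" and bool(a.local_admins)),
    ("AAA", "user audit logging missing", lambda a: not a.audit_logging),
    ("Systems management", "browser add-ons installed on a server",
     lambda a: a.role == "server" and bool(a.browser_addons)),
    ("Network", "host sits on a flat network", lambda a: a.segment == "flat"),
]

def find_iovs(assets):
    """Return (host, class, description) for every rule that fires."""
    return [(a.name, cls, desc) for a in assets for cls, desc, pred in RULES if pred(a)]

def summarize(findings):
    """Count findings per IoV class so the weakest class stands out."""
    counts = {}
    for _, cls, _ in findings:
        counts[cls] = counts.get(cls, 0) + 1
    return counts

if __name__ == "__main__":
    for host, cls, desc in find_iovs(INVENTORY):
        print(f"{host:9} [{cls}] {desc}")
```

Feeding `find_iovs` output into `summarize` gives a per-class count, which is the kind of figure an organization could track over time if it adopted a taxonomy like the one above.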
Regardless, understanding that a compromise isn’t the start of your response is important. Being able to see and interpret the signs of impending compromise is a valuable skill for the InfoSec pro, because an attack is as inevitable as the change of seasons.