Black Swan Theory for Vulnerability Management

The black swan theory takes its name from a metaphor for something that was once believed not to exist. Once black swans were discovered and proven to exist in nature, the term took on its current meaning: a major event that nobody expected before it occurred.

In cybersecurity, these "black swan" events (malware attacks) are not rare at all; they seem to blindside the cybersecurity industry every month or two.

The proliferation of these events has led to the development of the Black Swan Theory for Vulnerability Management. Developed by NopSec CTO Michelangelo Sidagni and Head of Security Research Shawn Evans, the theory describes a method for predicting these 'black swans' more reliably. By breaking down what makes black swan vulnerabilities so serious, wide-ranging and damaging, they have made it possible to predict them with better accuracy.

Vulnerabilities, as a whole, can be effectively described with just a few characteristics:

  • Criticality: the amount or significance of the damage that can be caused if the vulnerability is exploited.
  • Popularity: how common the component, hardware, software or protocol in question is (is it used by 50 businesses, 2 billion consumers, or somewhere in between?).
  • Attack vector: how the vulnerability is exploited. This is the characteristic most often overlooked when the media reports on security vulnerabilities.
  • Ease of exploitation: how difficult the exploit is to perform, including the effort and skill needed to find the vulnerability and to create and execute the exploit.

Combining these characteristics makes a sort of 'backward search' for black swans possible. By searching through known software, hardware, devices and protocols against these criteria, it is possible to predict where serious vulnerabilities may be waiting to be discovered. This is the same logic that researchers, criminals and government-funded hackers use to find new and novel targets.
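As an added example (not code from the NopSec paper), here is a defender-side version of that backward search over an asset inventory: each component is scored on the four characteristics and the inventory is ranked so the components most likely to harbor an undiscovered black swan are reviewed and hardened first. The attack-vector weights, the log-scaled popularity, the multiplicative scoring and the sample inventory are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed attack-vector weights, in the CVSS ordering Network > Adjacent > Local > Physical.
ATTACK_VECTOR_WEIGHT = {"network": 1.0, "adjacent": 0.6, "local": 0.4, "physical": 0.2}
POPULARITY_CEILING = 2_000_000_000  # the article's "2 billion consumers" upper end

@dataclass(frozen=True)
class Component:
    name: str
    criticality: int    # 1-10: damage if exploited
    install_base: int   # approximate number of deployments or users
    attack_vector: str  # key of ATTACK_VECTOR_WEIGHT
    ease: int           # 1-10: 10 = trivial to find, build and run an exploit

def popularity_score(install_base: int) -> float:
    """Log-scaled popularity in [0, 1], so 50 businesses and 2 billion
    consumers are a few steps apart rather than a factor of forty million."""
    if install_base < 1:
        return 0.0
    return min(1.0, math.log10(install_base) / math.log10(POPULARITY_CEILING))

def factor_breakdown(c: Component) -> dict:
    """Each characteristic normalised to [0, 1] so a reviewer sees what drives the score."""
    return {
        "criticality": c.criticality / 10,
        "popularity": popularity_score(c.install_base),
        "attack_vector": ATTACK_VECTOR_WEIGHT[c.attack_vector],
        "ease": c.ease / 10,
    }

def black_swan_score(c: Component) -> float:
    """Product of the four factors: high only when a component is damaging,
    widespread, remotely reachable and easy to exploit all at once."""
    return math.prod(factor_breakdown(c).values())

def rank_components(components, top=None):
    """The 'backward search': order the inventory so the most black-swan-prone items are reviewed first."""
    ranked = sorted(components, key=black_swan_score, reverse=True)
    return ranked[:top] if top else ranked

# Constructed sample inventory; the numbers are illustrative, not measurements.
INVENTORY = [
    Component("client-side JS framework", 9, 1_000_000_000, "network", 8),
    Component("open source CMS", 8, 50_000_000, "network", 7),
    Component("niche web-based ERP", 9, 5_000, "network", 8),
    Component("internal HR tool", 6, 200, "adjacent", 3),
    Component("smart card reader firmware", 7, 1_000_000, "physical", 2),
]
```

Calling `rank_components(INVENTORY)` puts the widely deployed, Internet-reachable JavaScript framework first and the physically accessed firmware last; `factor_breakdown` shows which characteristic is pulling each score up or down.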

Using these criteria, the following are some of NopSec's predictions for 2018:

  • Remote command execution (criticality) vulnerabilities in JavaScript frameworks like jQuery, Angular and Node: these frameworks are widely used (popularity), web-based (ease of exploitation) and accessible via the Internet (attack vector).
  • SQL injection and command execution vulnerabilities in popular open source content management systems (CMSs), like WordPress, Drupal and Joomla.
  • Enterprise platforms exposed to the Internet or to internal corporate networks, such as ManageEngine (IT management software) and lesser-known (and thus probably not well-examined) web-based enterprise resource planning (ERP) and asset inventory platforms.

General threat intelligence can also help to create likely risk scenarios by studying and analyzing past attacks and breaches. Industry reports like Verizon’s Data Breach Report, FireEye’s M-Trends report and Microsoft’s Security Intelligence Report (SIR) contain intelligence and recommendations based on actual attacks, breaches and incidents.

To learn more about the Black Swan Theory for Vulnerability Management and NopSec's top cybersecurity threat predictions, click here to download a copy of our 2018 Top Cybersecurity Threats White Paper.