IoT Security: Exploitability in the Wild vs. Complete Exploitability Analysis
 
Understanding what vulnerabilities exist in your hardware and software is a critical part of securing corporate infrastructure. It’s well known that carrying a high number of vulnerabilities, and leaving identified weaknesses in your systems for attackers to take advantage of, isn’t conducive to a strong security posture.
However, a weakness must be exploited before it becomes a demonstrated vulnerability in a piece of software or hardware, and there is no guarantee that a given vulnerability will ever be used as part of a cyberattack. If and when it is, that use demonstrates that the weakness exists and that it has led to a vulnerability with a proven exploit.
There are lots of definitions of exploitability in cybersecurity. For our purposes today, we’re going to define it as the possibility of a vulnerability actively being used by malicious actors to compromise systems, applications, or networks. In Internet of Things (IoT) security, this appears in two general ways: exploitability in the wild and complete exploitability analysis, both of which we’re going to cover in this blog.
What Is Exploitability in the Wild?
The concept of “exploitability in the wild” means, in general, that the exploit has been actively used in a malicious attack or another real-world scenario. Someone, somewhere, broke the CIA triad (Confidentiality, Integrity, Availability). The vulnerability shifts from a theoretical risk to an actual concern.
Whether an exploit is spotted in the wild or not is difficult to predict. The Exploit Prediction Scoring System (EPSS) aims to conquer this challenge, but the reality is that it’s only one threat intelligence feed (albeit one with the novelty of being forward-looking). Using multiple sources helps cast a wider net to find what is exploitable and urgent to consider.
Trying to determine which exploits are in the wild focuses on active threats. All else being equal, this is the right prioritization. However, it can be problematic because it can overlook theoretical or emerging exploits that are not yet commonly used among threat actor groups. Moreover, predicting exploits can evoke a “So what?” response from defenders; what matters to them is what they should do about it. An in-the-wild determination on its own does not provide a comprehensive understanding of how the exploit fits into a kill chain or what makes it possible for the exploit to function.
However, an exploit being spotted in the wild doesn’t necessarily mean that your specific systems are under threat. An in-the-wild finding ignores the specific device context that exists in your network. If a worm for an IP camera is identified that relies on lateral movement to other cameras, and you’ve set up the cameras such that they can’t communicate with each other, then exploitability in the wild may not be as impactful.
What Is a Complete Exploitability Analysis?
A complete exploitability analysis is a thorough assessment of a vulnerability relative to a single device and its context, such as its network neighbors and configuration. This process takes a single device weakness and fully explores the relevant kill chain and attack process, demonstrating how the exploit is used in a successful attack.
Understanding the kill chain involves fully examining the steps that an attacker would take to exploit a given vulnerability. Each identified weakness in an IoT device involves specific steps that need to be executed for the exploit to be successful. By understanding the kill chain, you can more readily defend against a security incident occurring.
A complete exploitability analysis takes the specific device context into account as well. In our previous example with an IP camera, an exploitability analysis takes into account how the camera is configured on a network, how the inter-camera lateral movement occurred, and what preconditions are necessary for the attack to succeed (such as an open port, or possessing a specific firmware version).
The end result of a complete exploitability analysis is protection for critical IoT devices over and above simply knowing that the vulnerability or vulnerabilities behind an exploit are being used. Knowing how a kill chain could proceed based on device context gives you a more informed remediation process and lets you choose effective fixes for the IoT devices on your network.
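The IP camera scenario above, and the precondition checks a complete exploitability analysis performs, can be made concrete with a small triage script. The following is an added example written for this post, not code from the original article or from Asimily; the vulnerability record (placeholder identifier, EPSS-style score, affected firmware, required port, the need to reach peer cameras) and the three-camera inventory are constructed sample data, and the precondition names are assumptions chosen for illustration. It contrasts the one-size-fits-all answer an in-the-wild signal gives with a per-device answer that walks the kill chain preconditions and names the link that is already broken.

```python
"""Context-aware exploitability triage for IoT devices (added illustration).

Assumptions (not from the original post): a hypothetical vulnerability record
carrying an EPSS-style probability and an in-the-wild flag, a constructed camera
inventory, and a kill chain expressed as preconditions that must all hold on a
device for the exploit to succeed there.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """A vulnerability record. All values are constructed for the example."""
    vuln_id: str                  # placeholder identifier, not a real CVE
    epss: float                   # EPSS-style probability of exploitation (0..1)
    exploited_in_wild: bool       # reported in active attacks by some feed
    affected_firmware: frozenset  # firmware versions known to be vulnerable
    required_port: int            # service the exploit must be able to reach
    needs_peer_reach: bool        # worm-style: must reach other cameras to spread


@dataclass(frozen=True)
class Device:
    """One IoT device together with its network context (constructed data)."""
    name: str
    firmware: str
    open_ports: frozenset
    reachable_peers: int          # other cameras this device can talk to
    segment: str


def in_the_wild_priority(v: Vuln) -> str:
    """Prioritisation from in-the-wild signals only: identical for every device."""
    if v.exploited_in_wild or v.epss >= 0.5:
        return "urgent"
    return "monitor"


def kill_chain_preconditions(v: Vuln, d: Device) -> dict:
    """Evaluate each step an attacker needs before the exploit can succeed on d."""
    return {
        "vulnerable_firmware": d.firmware in v.affected_firmware,
        "service_exposed": v.required_port in d.open_ports,
        # a worm that relies on lateral movement is stopped by an isolated segment
        "lateral_movement_possible": (not v.needs_peer_reach) or d.reachable_peers > 0,
    }


def exploitable_in_context(v: Vuln, d: Device) -> bool:
    """True only when every link of the kill chain holds on this device."""
    return all(kill_chain_preconditions(v, d).values())


def remediation_hint(v: Vuln, d: Device) -> str:
    """Name the first link that is already broken, or the cheapest one to break."""
    pre = kill_chain_preconditions(v, d)
    if not pre["vulnerable_firmware"]:
        return "no action: firmware not affected"
    if not pre["service_exposed"]:
        return "no action: vulnerable service not reachable"
    if not pre["lateral_movement_possible"]:
        return "no action: worm cannot propagate; keep segment isolated"
    return f"patch firmware or block port {v.required_port}; isolate {d.name} from peer cameras"


def triage(v: Vuln, devices) -> list:
    """Rank devices: those exploitable in their context first, then by name."""
    rows = [
        {
            "device": d.name,
            "wild": in_the_wild_priority(v),
            "exploitable_here": exploitable_in_context(v, d),
            "action": remediation_hint(v, d),
        }
        for d in devices
    ]
    rows.sort(key=lambda r: (not r["exploitable_here"], r["device"]))
    return rows


# Constructed sample data: a hypothetical camera worm and three cameras.
CAMERA_WORM = Vuln(
    vuln_id="VULN-EXAMPLE-0001",
    epss=0.72,
    exploited_in_wild=True,
    affected_firmware=frozenset({"1.2.0", "1.2.1"}),
    required_port=554,
    needs_peer_reach=True,
)

INVENTORY = (
    Device("cam-lobby", "1.2.0", frozenset({80, 554}), reachable_peers=3, segment="flat-lan"),
    Device("cam-vault", "1.2.1", frozenset({554}), reachable_peers=0, segment="isolated-vlan"),
    Device("cam-dock", "1.3.1", frozenset({80, 554}), reachable_peers=3, segment="flat-lan"),
)

if __name__ == "__main__":
    for row in triage(CAMERA_WORM, INVENTORY):
        print(row)
```

The in-the-wild view rates the worm "urgent" for all three cameras. The context view shows that only cam-lobby has every precondition in place; cam-vault runs vulnerable firmware but sits on an isolated segment where the worm cannot spread, and cam-dock is already patched. Swapping in a real feed for the constructed record and a real inventory export for the three sample devices is the only change needed to run this against live data.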
What are the Key Differences in Exploitability Analysis Methods?
The distinction between exploitability in the wild and complete exploitability analysis comes down to three factors: the scope of analysis, the depth of understanding regarding vulnerabilities, and the approach to protecting IoT devices.
Analyzing exploits based on identification in the wild is a less intensive analysis. It doesn’t tell you anything about how the exploit is used as part of the kill chain, only that it has been used.
A complete exploitability analysis also ensures a deeper understanding of the vulnerabilities in your systems. Knowing how they can be used to compromise your systems ensures that you can defend them more effectively.
These two methods also differ in their approach to IoT device protection. Defense based on in-the-wild exploits focuses on protecting against attacks that are actively occurring (or expected to occur soon), whereas a complete analysis can emphasize a more proactive defense.
Some of the added benefits of a complete exploitability analysis include:
- Comprehensive Security Posture: Understanding the kill chain more effectively enables a more comprehensive security posture. Cybersecurity teams who understand the kill chain better can implement more protection against potential exploits, which allows them to add defensive capabilities in a more forward-looking way.
- Proactive Protection: A complete exploitability analysis enables teams to adopt a more proactive approach. This analysis ensures that your teams are looking ahead to possibilities instead of emphasizing only the exploits that are known and growing. Taking the initiative to be more effective in their defense could help your team get ahead of attackers.
- Informed Decision-Making: The more detailed information you have about potentially exploitable vulnerabilities, the more informed your decision-making can be about which weaknesses to resolve first and which IoT devices to add more protection to.
Ultimately, a complete exploitability analysis provides a richer and more detailed strategy to defend your IoT devices against cyberattacks regardless of whether the exploit is active or not.
Final Thoughts
A complete exploitability analysis is absolutely vital for IoT security. Emphasizing defense based on whether an exploit is actively being used by threat actors is a recipe for a reactive defense that only serves to keep your team one step behind.
With a complete exploitability analysis, you can take a proactive approach that ensures better defense and can even potentially put you ahead of attackers. Indeed, defensive methods that take into account your unique network architecture are sure to be more secure than the generalized focus on exploitability in the wild.