As security professionals, we have limited time and resources, so we tend to focus our attention on the threats and vulnerabilities with the highest significance. Those that are rated lower can be fixed later when we have time—which, in reality, is never. We have no spare time. So, what happens is that these low-risk vulnerabilities end up having long lives in our infrastructure and generally don’t make a nuisance of themselves.
A Trio of Deuces
At F5, we’re seeing skilled attackers stitch together esoteric and low-risk vulnerabilities into devastating attacks. In the same way that a trio of deuces will beat a pair of kings, low-risk attacks can add up to one very high one—and defenders need to keep their eyes peeled.
Why are Some Attacks Rated Low Risk?
Any security pro worth his or her certifications will tell you that risk has two components: impact and probability. Sophisticated attacks with deep impact can still be rated low risk because they are difficult to realize. One such attack is Marco van Beek's Microsoft Exchange Autodiscover attack against Microsoft Exchange Server. According to The Register, Microsoft has downplayed the seriousness of an alleged Exchange auto-discovery vulnerability, saying that it sees no need to patch the reported security weakness.[1] Fair enough.
Attacks can also be rated low risk because of their minimal impact. Domain name client poisoning is an example of such an attack. It’s not difficult to pull off; in fact, there are point-and-click tools to help. But the impact has been limited to fooling a single user in limited ways. No big deal.
And, perhaps one of the lowest rated risks is information leakage. Not leakage of confidential data, but something innocuous like an attacker learning your email address. (Heck, for anyone who hands out business cards, that’s not even considered a vulnerability.)
The Power of Sequencing Low-Risk Attacks
If attackers sequence together these three low-risk attacks in the right way—one trivial (information leakage), one old and weak (DNS cache poisoning), and one esoteric (van Beek's Microsoft Exchange Autodiscover)—they can build a very effective, high-risk attack method, enabling them to snatch someone’s login credentials from Microsoft Exchange. This is just how attackers think—because they will do whatever it takes to get you. Given enough time, someone will automate this sequence and then every hacker will be doing it.
So, what’s the sequence? It looks like this: