The Security Mendoza Line - Metasploit


  • When we think about risk, one of the key concepts we like to understand is the strength of our controls. If you think about it, we spend a lot of time gathering information about patch levels, vulnerability scans, and audits of control functions. If there’s one thing our profession is good at, it’s trying to understand the weaknesses in our systems.

    Thing is, in order to really understand risk - we need to compare the strength of our controls to the level of force an attacker will apply to them. To this end, in FAIR, we define Control Strength as:

    The strength of any preventative control has to be measured against a baseline level of force.

    One of the fun discussions around Control Strength asks the question, “what is that baseline?”

    ON THREAT CAPABILITY, CONTROL STRENGTH, GAUSSIAN DISTRIBUTIONS, AND LIGHT-HITTING SHORTSTOPS

    It works well to think of both Control Strength and Threat Capability as population distributions. Somewhere out there - there is this population of threat agents. They have some level of skills and resources, some are better than others, some are worse. Because we have no evidence to the contrary, it is a “good statistical practice” to use a standard distribution to represent the # of threat agents and their capabilities (see Jaynes/Bretthorst, Probability Theory: The Logic of Science).

    Similarly, the same applies to the strength of our controls. Control Strength can be represented by using a standard distribution. The functions of our controls (Prevent, Detect, Respond) and our capability to successfully manage those controls are represented in this measured estimation.

    Now when we go to compare Threat Capability, and our ability to resist the force applied by that Threat - we must take into account the category of threat we’re measuring against. There are nine major categories of threats, but most of the time we worry about threats that are Technical in nature, and we’re generally worried about threats from outside our perimeter of trust. We call these Threat Communities the External Technical Professional or Amateur. Using the qualitative label “Professional” vs. “Amateur” creates a nice semantic divide for the analyst. Many times, thinking of the difference between the two can help the architect, log/event analyst or risk analyst filter the information they need to process for relevancy.

    Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?

    Mario Mendoza played shortstop for the Pirates, Mariners and Rangers about the time I really first got into baseball (mid 70’s). He was a very good defensive player - he had an adept throwing arm, excellent range, and a very good glove. Unfortunately for Mendoza, he was as bad on offense as he was good at defense. He struggled his entire career to hit .200 (one base hit every five at bats). This prompted his teammates to declare a .200 batting average The Mendoza Line - suggesting that .200 was the measurement that was the minimum amount of offense a player could provide to justify their place in the lineup. Hit below .200, and, well, you better get back up above the Mendoza Line or face demotion. The ability to hit .200 separated the professionals from the wannabes.

    When thinking about technical controls I have in place, I use a Mendoza Line mentality of my own. That comes to us thanks to H.D. Moore - a founder of both DigitalDefense and DigitalOffense - and the principal figure behind the Metasploit framework. Metasploit is easily available, easy to use (click’n'drool) and has a significant amount of “brand recognition”. These three factors alone make it useful for us to use as our “Mendoza Line” between Professional and Amateur, and as a yardstick when thinking about the strength of our controls.

    Now, I’m using Metasploit as one example; there are other tools for other uses that can be thought of in the same manner. Point is, the amateur can be defined as those whose competency stops at what Metasploit (or some other “Mendoza Line” tool) can do for them, and the professional as those whose expertise extends beyond what is commonly available in a format that needs only a modicum of UNIX experience to use.

    So when considering the strength of your controls, and the attackers you wish to study - consider your baseline measurement of force here. It may not be too hard to find a point of reference to use.
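    As an added illustration (this is not code from the post or from the FAIR material), here is one way to make the comparison above concrete: Threat Capability is a population distribution, Control Strength is a point on the same scale, and the “Mendoza Line” splits that population into Amateur (capability stops at what an off-the-shelf framework can do) and Professional (capability goes beyond it). Everything numeric is an assumption chosen for the example: a 0-100 capability scale, a Gaussian population with mean 50 and standard deviation 15 (the post’s “standard distribution” when no better evidence exists), and a Mendoza Line placed at 60. The functions compute the share of a chosen threat community that out-muscles a given control, cross-check it by sampling, and invert it to ask what Control Strength holds that share at a target level.

```python
"""Threat Capability vs. Control Strength with a 'Mendoza Line' split.

Added example, not from the post. All numbers below are constructed
assumptions for illustration, not measurements of any real tool or population.
"""
import random
from statistics import NormalDist

# Assumed population of threat agents: capability score on a 0-100 scale,
# Gaussian because we have no evidence pointing to a better shape.
TCAP_POPULATION = NormalDist(mu=50.0, sigma=15.0)

# Assumed capability that an off-the-shelf framework hands an operator.
# Placeholder value; an analyst would estimate this for their own environment.
MENDOZA_LINE = 60.0

COMMUNITIES = ("all", "amateur", "professional")


def vulnerability(control_strength, community="all",
                  tcap=TCAP_POPULATION, line=MENDOZA_LINE):
    """Share of the chosen threat community whose capability exceeds the control.

    community: "all" (whole population), "amateur" (capability at or below the
    Mendoza Line) or "professional" (capability above it).
    """
    if community not in COMMUNITIES:
        raise ValueError(f"unknown community {community!r}")
    below_line = tcap.cdf(line)
    if community == "all":
        return 1.0 - tcap.cdf(control_strength)
    if community == "amateur":
        if below_line == 0.0:
            return 0.0
        # Amateurs who beat the control sit between the control and the line;
        # a control at or above the line leaves none of them.
        beaten = max(0.0, below_line - tcap.cdf(control_strength))
        return beaten / below_line
    above_line = 1.0 - below_line
    if above_line == 0.0:
        return 0.0
    # Professionals who beat the control sit above max(control, line).
    beaten = 1.0 - tcap.cdf(max(control_strength, line))
    return beaten / above_line


def simulate_vulnerability(control_strength, community="all", n=20_000, seed=1,
                           tcap=TCAP_POPULATION, line=MENDOZA_LINE):
    """Same question answered by drawing individual threat agents (cross-check)."""
    rng = random.Random(seed)
    hits = tried = 0
    for _ in range(n):
        capability = rng.gauss(tcap.mean, tcap.stdev)
        if community == "amateur" and capability > line:
            continue
        if community == "professional" and capability <= line:
            continue
        tried += 1
        if capability > control_strength:
            hits += 1
    return hits / tried if tried else 0.0


def required_control_strength(target_vulnerability, community="all",
                              tcap=TCAP_POPULATION, line=MENDOZA_LINE):
    """Smallest control strength that holds vulnerability at the target share."""
    v = target_vulnerability
    if not 0.0 < v < 1.0:
        raise ValueError("target vulnerability must be strictly between 0 and 1")
    if community not in COMMUNITIES:
        raise ValueError(f"unknown community {community!r}")
    below_line = tcap.cdf(line)
    if community == "all":
        return tcap.inv_cdf(1.0 - v)
    if community == "amateur":
        # Want (below_line - cdf(cs)) / below_line == v.
        return tcap.inv_cdf(below_line * (1.0 - v))
    # Want (1 - cdf(cs)) / (1 - below_line) == v, with cs above the line.
    return tcap.inv_cdf(1.0 - v * (1.0 - below_line))


if __name__ == "__main__":
    for cs in (40.0, 60.0, 80.0):
        shares = ", ".join(f"{c}={vulnerability(cs, c):.3f}" for c in COMMUNITIES)
        print(f"control strength {cs:>4}: {shares}")
    for c in COMMUNITIES:
        print(f"strength needed to hold {c} vulnerability at 5%: "
              f"{required_control_strength(0.05, c):.1f}")
```

    The three communities answer different questions: against “amateur” a control placed at or above the line reads as invulnerable, which is exactly the “can these controls beat the Mendoza Line?” floor the post proposes, while “professional” shows how much of the remaining population the same control still leaves standing.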


  • 8 comments

    1. Richard Johnson Oct 12

      Your idea of finding a dividing line between professionals and amateurs is interesting, but I submit that using Metasploit is far and away from batting .200. It may even be on an entirely different axis.

      In my experience, professional attackers include those who will not develop their own exploits. They use tools built by others, yet they fail to meet the ‘kiddy’ portion of the ‘script-kiddy’ epithet.

      Putting it another way, there’s a quality of persistence and inventiveness in a professional threat that has nothing to do with whether or not they use Metasploit.

    2. Alex Oct 12

      Hi Richard!

      I don’t think we’re at odds here. My contention is that Metasploit would provide a “floor” for considering the strength of our controls - the “baseline” we might be interested in understanding. In looking at the framework of controls we architect into a business process, one significant question we might ask is can these controls protect us against “the Mendoza line”.

      W/regards to using Metasploit as a Mendoza Line for Threat Community differentiation -

      If we were to use a population distribution to compare various communities of threats (professional/amateur), what we’re really doing is saying that the ability to use Metasploit creates a near maximum capability of an amateur. In general, they will be able to use what is handed to them on a plate. Now if we were to call that “around the 75%” (I’m using the number not so that we can argue about the number, but as a reference), we might then refer to all “professionals” as those represented by TCap >= 75%; what we’re doing is accounting for the persistence and inventiveness in that greater numerical determination (Threat Capability consists of skills and resources).

    3. roodee Oct 31

      What I’d like to see, and maybe this is posted somewhere on this site, is an application of FAIR using fairly common scenarios. Is this available anywhere? The ‘Introduction’ document doesn’t really contain anything that I would consider “real-world”.

    4. Ben Voigt Oct 13

      I think you entirely missed what Richard said.

      You claim to set up a distinction between amateur and professional, then go on to describe differences between exploit developers and tool users.

      Fun vs profit and level of technical acuity are definitely different axes, and quite possibly almost uncorrelated.

    5. Alex Oct 13

      @Ben

      Maybe I didn’t communicate as well as I should. “Amateur” and “Professional” are qualitative labels around skills & resources. Not around motivations (as you say, they are priors for different posteriors).

    1. Kernel Mustard » Blog Archive » Metasploit as the security Mendoza line
    2. Metasploit as the security Mendoza line | Secure Software Engineering
    3. Metasploit as the security Mendoza line | Secure Software Engineering Journal
