Capability Risk Remediation Can Be Unsettling

  • Writer: Jacob Hughes
  • Feb 20

While developing the Endpoint Capability Risk (ECR) framework and scoring into LARCK, instantly seeing all of the endpoint risk data populate the system really uncovered just how powerful, dangerous, and 'over-tooled' a lot of my computers and servers were.


In other words, it worked exactly as intended. Truly eye-opening.


When importing CVE insights into the system for analysis and enrichment, I quickly saw all of the vulnerabilities and supporting information about them. Exactly as intended.


Viewing the results of incorporating remediation prioritization and ECR Risk Scoring, though, made me... unsettled.

Looking at the results, in my case, Node.js sprang to the top of the list, over things I would have thought would score higher, such as Edge/Chromium patches, or a Microsoft Cumulative Update that impacted more endpoints.


At first take... I didn't like what I was seeing. "Did I do all of this for nothing?" I questioned the entire initiative.


It worked exactly as it was supposed to.


Why did LARCK put Node.js first? Because it resided on critical infrastructure that had multiple, overlapping features and tools on it, which would really wreak havoc if they were compromised by a LOTL (living-off-the-land) or similar attack. So it was Node.js on a handful of servers over a high-risk Chrome vulnerability that affected a higher number of machines but with a lower blast radius and fewer capabilities.


This was, and is, a paradigm shift.


The normal patch narrative is:

  • Patch faster

  • Reduce CVSS

  • Lower your critical CVE counts

  • Work on making a dent in the growing pile


The ECR patch narrative is:

  • Patch according to your environment's capabilities and risk

  • Lower capability risk in addition to CVSS and CVE counts

  • Remove unnecessary tools and feature overlap

  • Reduce the attack surface


The old way: Risk is the Sum of Vulnerabilities.

The ECR way: Risk is the interaction of capabilities.
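To make the contrast concrete (and the Node.js-over-Chrome result described above), here is an added illustration that is not LARCK's code or scoring model: it ranks the same constructed inventory two ways, once by summed CVSS and once with each finding weighted by an assumed capability-interaction score for its host. The capability names, weights, pairwise interaction model, and the inventory (three over-tooled servers, two hundred browser-only workstations) are all constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Illustrative capability weights (assumed, not LARCK's actual values).
# A capability is a role or tool present on a host.
CAPABILITY_WEIGHT = {
    "domain_controller": 5.0, "identity_sync": 4.0, "dns": 3.0,
    "file_share": 3.0, "local_admin": 3.0, "nodejs": 2.0, "browser": 1.0,
}

@dataclass
class Host:
    name: str
    capabilities: set[str]
    findings: dict[str, float]  # vulnerable product -> CVSS base score

def capability_risk(host: Host) -> float:
    """Model capability interaction: every pair of co-resident capabilities
    adds the product of its weights, so overlapping tools on one host
    score far higher than the same tools spread across many hosts."""
    w = [CAPABILITY_WEIGHT[c] for c in host.capabilities]
    return sum(w) + sum(a * b for a, b in combinations(w, 2))

def traditional_rank(hosts: list[Host]) -> list[str]:
    """Old narrative: a product's priority is the sum of CVSS over affected hosts."""
    totals: dict[str, float] = {}
    for h in hosts:
        for product, cvss in h.findings.items():
            totals[product] = totals.get(product, 0.0) + cvss
    return sorted(totals, key=totals.__getitem__, reverse=True)

def ecr_rank(hosts: list[Host]) -> list[str]:
    """ECR narrative: each CVSS is weighted by the capability risk of its host."""
    totals: dict[str, float] = {}
    for h in hosts:
        blast = capability_risk(h)
        for product, cvss in h.findings.items():
            totals[product] = totals.get(product, 0.0) + cvss * blast
    return sorted(totals, key=totals.__getitem__, reverse=True)

def build_inventory() -> list[Host]:
    """Constructed sample: three over-tooled servers running Node.js,
    two hundred workstations with a high-severity browser bug."""
    servers = [Host(f"srv{i}", {"domain_controller", "dns", "file_share",
                                 "identity_sync", "nodejs"}, {"nodejs": 7.5})
               for i in range(3)]
    workstations = [Host(f"ws{i}", {"browser"}, {"chrome": 8.8})
                    for i in range(200)]
    return servers + workstations
```

With this inventory, `traditional_rank` puts `chrome` first (200 x 8.8 outweighs 3 x 7.5), while `ecr_rank` puts `nodejs` first because each server's capability overlap multiplies its blast radius.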


For larger environments, this patch priority technique shifts the remediation list order by about 5% to 10%, which validates the approach (too much skew would call the methodology into question)...


That 5 to 10 percent, however, can be critical to protecting your environment compared with working a traditional numbers-based scale. Your domain controllers, DNS and file-sharing servers, ADFS/identity sync servers, and endpoints with unapproved admin rights rise to the top... the endpoints that really need scrutiny, care, and protection.


It takes a moment of working past initial uneasiness at prioritizing a different way, but it works... exactly as intended.


Have any questions, or want to see for yourself? Feel free to reach out; LARCK is currently open to pilot for a select number of businesses.


-Jacob
© 2026 by Zill IT Labs, LLC