Terminology is Tough

TQBF takes me to task about my use of the phrase "in the wild":

Also, as an aside to Lindstrom, you betray a certain mindset when you refer to exploits as "in the wild". We don’t work in antivirus, and I think you’d agree, there’s no such thing as a "dormant" vulnerability.

Terminology ends up being very important in this discussion because there are many qualifiers. I find it extremely difficult to get my point across, given the predisposition of many folks to assume quite a bit. I usually catch myself when I misuse terms, but not always.

I have started using the phrase "in-the-wild exploit of an undercover vulnerability" to attempt to describe the exact point where a threat becomes what I call a "manifest" risk: when the attack is launched against a target. I used to call this simply a zero-day exploit until people started incorporating theoretical exploits against known vulnerabilities that weren't patched. The terminology problem is evident in TQBF's list of reasons, which shifts back and forth between holes and exploits. (Note: at this intersection, I believe in full, immediate disclosure of any/all details of the exploit and the vulnerability, because I consider this an imminent threat.)

So, I am looking for something that describes the intersection of an exploit and a vulnerability where the exploit was actually used in an attack against a vulnerability that was not previously known to any good guys. I thought "in the wild exploit against an undercover vulnerability" was pretty clear. I would only have a problem with antivirus folks interpreting this their way (and I do actually work in all threat spaces, including antivirus) if my own interpretation of "in the wild" diverges from theirs. I say "in the wild" means "found live on the Internet, in active use." I believe that is what they mean as well.

The word "undercover" is an attempt to clarify the nature of a vulnerability that hasn’t been identified by a good guy. It is not "unknown" or "unidentified" – there are likely many vulnerabilities that have been created and remain unknown (and actually, I do like the word "dormant" and consider all of the future vulnerabilities found in products that exist today to be currently "dormant") but in order to exploit a vulnerability, it must be "known." Adam used "unannounced" and I find that too vague. Particularly now that supposed "white hats" are not announcing, it becomes a problem. The same problem goes with the word "undisclosed."

So I am actively looking for a way to describe an exploit that is seen attacking and perhaps compromising a system by targeting a vulnerability that no good guy is aware of until the attack occurs. If there are true black hats doing completely independent research and compromising systems out there, we would have evidence of this situation.

For now, I am going to use "in-the-wild exploit against an undercover vulnerability".