Temptation

The Randori Temptation model provides a realistic adversarial assessment of the likelihood a Service (and therefore the associated Target, Hostname, IP, etc.) will be attacked. These Temptation scores are used internally by the Randori Attack Team to prioritize vulnerability research and by the Attack Platform to target attacks — it is not a theoretical model but one backed by results and put into action.

When it comes to managing your attack surface, a critical risk factor you need to be able to accurately assess is how likely an adversary is to target a specific asset. Existing models focus almost exclusively on vulnerabilities, ignoring the multitude of other attributes a real adversary is likely to consider before targeting an asset. Randori’s adversarial-informed model is grounded in the team’s decades of experience conducting high-end red team engagements and the thousands of attack results continuously gathered by the Randori Attack Platform.

The 6 Factors of Temptation

Below is a list of the 6 Factors of Temptation. Each factor is scored individually, and then incorporated as an input into the overall Temptation model to come up with a single Temptation score for the Target.
  • Applicability - level of adoption

  • Criticality - importance of function

  • Enumerability - precision of detection

  • Exploitability - susceptibility to weakness

  • Research Potential - ease of development

  • Post Exploit Potential - usefulness after compromise

Applicability

The measure of how useful knowledge of this service is, incorporating sub-elements like how widespread the use of the service is in the market.
  • High: The service is in common use and has few competitive services. A market may exist for vulnerabilities for this service due to its popularity alone.

  • Medium: This service is at or near its end-of-life, or the service is likely to be found only in a particular market segment or industry.

  • Low: The service is deployed in few circumstances, is significantly out-of-date, is past its end-of-life, or is unique to this detected instance.

Criticality

The measure of whether the service performs, or is constituent to, the protection of a critical boundary. That is, whether this service is always or commonly involved in protecting a sensitive integrity boundary, a sensitive confidentiality boundary, or a sensitive availability requirement.
  • High: The service is intrinsically associated with an integrity boundary. It is intended to protect or separate services or data.

  • Medium: The service might be a component of an integrity boundary or could be configured to protect other services, but this function may not be detectable.

  • Low: The service is not intrinsically associated with an integrity boundary.

Enumerability

The measure of how precisely this Service can be detected, including sub-factors such as versioning precision, or configuration information relevant to attack.
  • High: Specific version or configuration information was discovered for this service. This is useful for determining the applicability of vulnerabilities.

  • Medium: Major or major & minor version information was discovered for this service. Associations with vulnerabilities may have low accuracy.

  • Low: No version or configuration information was discovered for this service. Without probes, the applicability of vulnerabilities is uncertain.

Exploitability

The measure of public and private disclosures around this Service, factoring in known vulnerabilities, available exploits, and very importantly the implications of these weaknesses.
  • High: Exploitable vulnerabilities exist for this version. A reliable exploit may be public or available from private parties.

  • Medium: Weaknesses, including potentially exploitable vulnerabilities, may exist for this version. Public exploits are not widely available.

  • Low: Known weaknesses, including vulnerabilities, are either nonexistent or of low impact.

Research Potential

Measurement of sub-factors relating to how viable the service is as a research target. Incorporates measures of difficulty in performing research, getting exemplars, or performing exploitation of the service. Also includes a history of weaknesses in the family of related services.
  • High: This software is widely available or easy to obtain. Proof-of-concept exploits or significant research is available.

  • Medium: This software is available and some amount of prior research may be available. A history of impactful weakness may exist.

  • Low: This software is unavailable, is difficult to obtain, or is prohibitively expensive for most researchers. Public research is limited.

Post Exploit Potential

Measures the usefulness of the service’s environment for post exploitation, as determinable by only the presence of the service. Includes aspects such as whether rootkits exist for the environment as well as whether privilege or defenses are knowable.
  • High: The post exploitation environment is well known. Tooling is typically available and defenses are usually unlikely to be present on these systems.

  • Medium: The post exploitation environment is known, and tooling varies. Attackers may expect typical defensive capabilities or endpoint protections.

  • Low: This service runs in an esoteric environment, such as a proprietary embedded system, for which little or no tooling exists.

Temptation Scores and the Randori API

Temptation is the overall summary score for the Service calculated from the 6 factors mentioned above. Temptation is measured on a scale from Critical to Low, as defined below:
  • Critical: >=40 and <=100

  • High: >=30 and <40

  • Medium: >=15 and <30

  • Low: >=0 and <15

    • NOTE: If we can't identify the specific Service Vendor / Name and only know the protocol (example: "Unknown, HTTPS Service"), the service will still be scored, but the resulting score will almost always be Low, as unknown services are not as interesting to attackers.

  • In Review Temptation: null [no score listed - the service is still under investigation by our Hacker Operations Center]

When viewing this data exported from Randori or via the Randori API, you will see an individual score for each factor of temptation rated on the 0-5 scale. A score of 0 indicates that this factor does NOT contribute to making the overall Service more tempting to an attacker. A score of 5 indicates that this factor contributes greatly to making the overall Service more tempting to an attacker.
  • High: 4-5

  • Medium: 2-3

  • Low: 0-1
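
The bands above can be applied to exported records to build a remediation queue. The following is an added example, not Randori code: it maps each overall score to its band, treats a null score as In Review, and lists the factors rated High for each service. The field names and sample records are hypothetical and constructed for illustration; they are not taken from the Randori API.

```python
import json

# Band floors as listed on this page (Critical >=40, High >=30, Medium >=15, Low >=0).
BANDS = [("Critical", 40), ("High", 30), ("Medium", 15), ("Low", 0)]
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "In Review": 4}

def temptation_band(score):
    """Map an overall Temptation score to its band; null (None) means In Review."""
    if score is None:
        return "In Review"
    if not 0 <= score <= 100:
        raise ValueError(f"temptation score out of range: {score!r}")
    return next(label for label, floor in BANDS if score >= floor)

def factor_level(value):
    """Map a per-factor score on the 0-5 scale to High (4-5), Medium (2-3) or Low (0-1)."""
    if not 0 <= value <= 5:
        raise ValueError(f"factor score out of range: {value!r}")
    return "High" if value >= 4 else "Medium" if value >= 2 else "Low"

def triage(records):
    """Order records by band, then score; list the factors rated High for each."""
    rows = []
    for rec in records:
        drivers = sorted(k for k, v in rec["factors"].items() if factor_level(v) == "High")
        rows.append({"service": rec["service"], "score": rec["temptation"],
                     "band": temptation_band(rec["temptation"]), "drivers": drivers})
    # In Review rows have no score yet, so they sort last rather than being dropped.
    return sorted(rows, key=lambda r: (ORDER[r["band"]], -(r["score"] or 0)))

# Constructed sample export: field names, services and values are hypothetical.
SAMPLE = json.loads("""[
 {"service": "Unknown, HTTPS Service", "temptation": 8,
  "factors": {"applicability": 1, "criticality": 1, "enumerability": 0,
              "exploitability": 0, "research_potential": 1, "post_exploit_potential": 2}},
 {"service": "example-vpn-gateway", "temptation": 40,
  "factors": {"applicability": 5, "criticality": 5, "enumerability": 4,
              "exploitability": 3, "research_potential": 4, "post_exploit_potential": 2}},
 {"service": "example-webmail", "temptation": null, "factors": {}},
 {"service": "example-file-transfer", "temptation": 29,
  "factors": {"applicability": 3, "criticality": 2, "enumerability": 4,
              "exploitability": 4, "research_potential": 3, "post_exploit_potential": 3}}
]""")

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["band"]:<9} {row["score"]!s:<5} {row["service"]:<24} {", ".join(row["drivers"])}')
```

The High-rated factors per service show which attribute is driving the score, for example a High Enumerability rating pointing at version information exposed to unauthenticated probes.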