Why Vulnerabilities Are Only the Tip of the Cybersecurity Iceberg
Vulnerabilities are not the real enemy
I once commissioned a security audit from a highly reputable firm. The scope was straight out of a pentester's dream: carte blanche to target any asset within the company.
I wasn't keen on testing the initial entry point as we had done so multiple times. After all, a dedicated attacker will invariably find a way through that initial barrier. Instead, I wanted to gauge the potential damage once an intruder got inside. So, we granted them typical employee access: the SSO portal, a YubiKey, VPN access, and so forth.
The tests spanned a couple of weeks: they did their reconnaissance, found vulnerabilities, escalated privileges... all the shenanigans you'd expect from a pentest.
Now came the debrief session. I listened to their rehearsed presentation, watched their slides fade one into another, and then asked them at the end:
- "So, how would you rate our overall exposure? Where did we excel, and where did we falter?"
- "Based on our findings, we identified seven vulnerabilities, three of which are critical. This indicates that the security level is very low," they replied.
That, right there, is why most pentests fall short in delivering meaningful value. Companies often only get feedback on the fraction of vulnerabilities that the auditors happened to stumble upon. It's valuable feedback, but it's missing the bigger picture. There will always be vulnerabilities. What a company needs is feedback on the protections and detections in place that might have complicated the attacker's job in finding and exploiting those vulnerabilities.
- "You make it seem as if you breezed through our systems in mere hours. Let's sidestep the vulnerabilities for a moment. Allow me to seed the question with its context then: It took you 7 days to achieve admin access, during which you triggered 25 alerts and 2 honey tokens. A mere two hours into the engagement, the first alarm sounded. Our network ACLs were so stringent that when you did manage to crack a legitimate password, you struggled for two days to utilize it. You managed to find an admin account after many failed attempts, but given the tight permissions, were still denied access, flooding our alerting system. I had to step in and help you shape your queries to bypass our security policies. And of course, all of this required a YubiKey, a VPN and Ops privileges. Now, given all this, especially when juxtaposed with other engagements and breaches in the wild... How do we fare? What protection faltered, and which one gave you problems?"
Don’t be fooled into thinking that I wanted a glorious report praising the job we did. No, what I wanted was feedback on the threat model we followed this past year. Did we prioritize the right topics? Had we contemplated every plausible scenario? Were our security measures adequate?
See, pentesters, red teamers and security auditors chase the illusion of a vulnerability-free utopia. They believe that adhering to every guideline, hardening systems rigorously, and swiftly patching will somehow usher in an era of unparalleled security.
I got news for you: That ain’t happening. Period. Vulnerabilities will always be there. Even with an army of researchers tirelessly probing your infrastructure, an attacker might discover a previously unidentified zero-day exploit. It’s bound to happen. Attackers have time and resources on their side.
What makes the difference, what gives the company a fighting chance, is the journey taken by the attacker in finding and exploiting that vulnerability. Do they simply append bash commands to the first parameter and sail through privilege escalation all the way to data collection in two hours, or do they struggle for weeks to find that first remote command execution? Do they dump passwords left and right, or do they get detected and booted out of the network at the slightest hint of a suspicious command? Does the first service account grant them admin access, or do they have to cycle through a hundred service accounts before finding the proper one?
The way I visualize it is the following: I think of a company’s assets as a collection of crown jewels in a dense tropical forest. Every attack scenario is a pathway that leads to that treasure. The job of the security team is to identify every potential pathway, shortcut, alley and shut them down or barricade them as tightly as possible.
However, the reality is that every fence can be scaled by a clever marauder. Hence, multiple layers of defense—ACLs, 2FA, network policies, approval systems—are crucial. These different types of fences offer distinct protections, not to block the attacker outright, but to slow them down and trick them into tripping over a hidden wire that reveals their presence—that's your detection system. It's such a powerful insight that I'll repeat it: you cannot completely shut out the most insidious attackers, but you can invest in multiple layers of protection that increase the likelihood of a slip-up that triggers an alert.
Keep in mind that employees, contractors, and partners must navigate these pathways to access vital assets and have a thriving business. These paths should be meticulously overseen, with any superfluous ones closed off.
The astute security team anticipates attackers attempting these routes and sets up additional defenses, like landmines and tripwires. Regular employees know the route by heart; they all step on the same cobblestone at a predictable pace. An attacker, instead, is likelier to race through that alley, or maybe walk a tad awkwardly, or keep to their left instead of their right... something, anything, that deviates from the norm and offers significant detection potential. That should be one of the main detection strategies of every organization.
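The three tripwires this post keeps coming back to (honey tokens, permission denials that flood the alerting system, and steps that leave the employees' usual route) reduce to a small amount of detection logic. The following is an added example, not code from the original post: it learns each identity's "known route" from constructed sample events and then flags deviations in a second, constructed engagement window. The user names, resource names, the `aws-key-finance-legacy` honey token and the threshold of three denials are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (user, action, resource, outcome).
# This first block is the "known route": what regular employees do every day.
BASELINE_EVENTS = [
    ("alice", "ssh", "web-01", "ok"),
    ("alice", "ssh", "web-02", "ok"),
    ("bob", "db-query", "reports-db", "ok"),
    ("bob", "db-query", "reports-db", "ok"),
]

# The engagement window: the same identities, but some steps leave the
# cobblestones employees normally walk on (constructed, not real).
TEST_EVENTS = [
    ("alice", "ssh", "web-01", "ok"),
    ("alice", "ssh", "jump-ops", "denied"),
    ("alice", "ssh", "jump-ops", "denied"),
    ("alice", "ssh", "jump-ops", "denied"),
    ("alice", "ssh", "jump-ops", "denied"),
    ("bob", "db-query", "reports-db", "ok"),
    ("bob", "db-query", "hr-salaries-db", "ok"),
    ("bob", "read-secret", "aws-key-finance-legacy", "ok"),
]

# Hypothetical honey token: a credential no legitimate path ever touches,
# so any use of it is an alert by definition.
HONEY_TOKENS = {"aws-key-finance-legacy"}


def build_baseline(events):
    """Map each user to the set of resources on their usual route."""
    routes = defaultdict(set)
    for user, _action, resource, outcome in events:
        if outcome == "ok":
            routes[user].add(resource)
    return routes


def detect(events, routes, honey_tokens=HONEY_TOKENS, denied_threshold=3):
    """Return (user, kind, resource) alerts for the three tripwires."""
    alerts = []
    denied = defaultdict(int)  # (user, resource) -> number of denials seen
    for user, _action, resource, outcome in events:
        if resource in honey_tokens:          # tripwire 1: honey token touched
            alerts.append((user, "honey_token", resource))
            continue
        if outcome == "denied":               # tripwire 2: tight ACLs being probed
            denied[(user, resource)] += 1
            if denied[(user, resource)] == denied_threshold:
                alerts.append((user, "denied_burst", resource))
        elif resource not in routes.get(user, set()):  # tripwire 3: off the known route
            alerts.append((user, "off_path", resource))
    return alerts
```

Running `detect(TEST_EVENTS, build_baseline(BASELINE_EVENTS))` yields one alert of each kind, while the baseline window replayed against itself yields none.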
With a company's ever-evolving structure, countless new paths emerge every other week. A security team cannot automatically barricade each new alley with five robust fences. So there is a probability game taking place: given what we know about attackers, which path is the likeliest candidate? Which techniques will they commonly use? Should we focus on the third fence of Alley number 137 or the first fence of shortcut number 28? How long should we spend on each fence?
These are very delicate questions that require a mixture of helicopter view and deep dives. Unfortunately, many security teams reason by instinct and don’t spend time building and optimizing their decision framework. These questions are the bedrock of the company’s security stance, and that’s what any real full scope security audit should assess!
Yes, pentesters should find vulnerabilities and follow them with exploits, escalation and lateral movement, but at the end of the day, the real added value is the feedback on how well the security team protected their pathways. Did they find them all? Did they prioritize the right ones? Did they barricade them enough? Did the fences withstand the charges as expected? Were there enough tripwires? Were they well hidden? Did they go off? Did someone pick them up? Etc.
That’s immensely more valuable and more pragmatic than the myopic exercise of simply listing vulnerabilities as if fixing these will magically dry up the well they came from. That’s not how it works. There will always be vulnerabilities, new ones and old ones. What matters is how complicated it is to find them, exploit them and leverage them to inflict damage without being noticed. A security audit should give you clarity on these precise questions, so you can adjust your prioritization framework and perhaps shift your focus to neglected pathways.
Beware of vulnerabilities. They’re not the true adversary.