this post was submitted on 27 Dec 2023
529 points (98.2% liked)

Technology
[–] [email protected] 27 points 10 months ago (3 children)

I recently invented a "People First" Cybersecurity Vulnerability Scoring method and I called it CITE, Civilian Internet Threat Evaluation, with many benefits over CVSS. In it, I prioritize "exploit chains" as the primary threat going forward. Lo and behold, this new exploit, although iOS, is possibly one of the most sophisticated attacks ever, using one of the longest exploit chains ever! Proof positive!

Depending on how you define it, I define the Kaspersky diagram as having 8 steps. In my system, I define steps that advance the exploit discretely as stages, so I would evaluate Triangulation to be a 4 stage exploit chain. I should tally this attack to see how it scores and make a CITE-REP(ort).

You can read about it if interested. An interesting modeling problem for me was: do stages always equate to complexity? Does the number of exploits in the chain make it easier or harder to intrusion detect, given that it was designed as a chain, maybe to prevent just that? How are stages, complexity, chains and remediation evaluated inversely?

https://www.quadhelion.engineering/articles.html
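As an added illustration of the detection question raised in the comment above, here is a small probabilistic model in Python. It is not the commenter's CITE method and uses no data from the Kaspersky write-up: the stage labels, the per-stage detection probabilities, the per-stage attacker success rate and the assumption that detections are independent are all constructed for the example.

```python
"""Toy model: does a longer exploit chain make intrusion detection easier or
harder, and how does chain length relate to remediation?  Added illustration
only; not the CITE method from the linked article.  Every stage name and
probability below is constructed, and independence between stages is assumed."""
from math import prod
from typing import Dict, List, Tuple

# Each stage: (label, probability that the defender's telemetry flags it).
Chain = List[Tuple[str, float]]

# Constructed 4-stage chain in which every stage is individually stealthy.
STEALTHY_CHAIN: Chain = [
    ("initial delivery", 0.30),
    ("first-stage code execution", 0.30),
    ("privilege escalation", 0.30),
    ("persistence / payload", 0.30),
]

# Constructed single-stage exploit that is individually much noisier.
SINGLE_STAGE: Chain = [("one-shot exploit", 0.50)]


def p_chain_detected(chain: Chain) -> float:
    """Probability that at least one stage is caught.
    Under the independence assumption every added stage can only raise this:
    the attacker gains reach, the defender gains chances to notice."""
    return 1.0 - prod(1.0 - p for _, p in chain)


def p_chain_completes(chain: Chain, per_stage_success: float = 0.9) -> float:
    """Attacker view: every stage must succeed, so reliability decays with length.
    per_stage_success is a constructed assumption."""
    return per_stage_success ** len(chain)


def min_fixes_to_break(chain: Chain) -> int:
    """Remediation view: removing any single stage breaks a strictly sequential
    chain, so the minimum patch count is 1 however long the chain is."""
    return 1 if chain else 0


def marginal_gain(chain: Chain, stage_label: str, new_p: float) -> float:
    """Change in whole-chain detection probability if telemetry for one stage
    is improved to new_p; rank stages by this to decide where monitoring pays."""
    improved = [(lbl, new_p if lbl == stage_label else p) for lbl, p in chain]
    return p_chain_detected(improved) - p_chain_detected(chain)


def summarize(chain: Chain) -> Dict[str, float]:
    """Defender-facing summary of one chain."""
    return {
        "stages": len(chain),
        "p_detected": round(p_chain_detected(chain), 4),
        "p_attacker_completes": round(p_chain_completes(chain), 4),
        "min_fixes_to_break": min_fixes_to_break(chain),
    }


if __name__ == "__main__":
    for name, chain in (("stealthy 4-stage", STEALTHY_CHAIN),
                        ("noisy 1-stage", SINGLE_STAGE)):
        print(name, summarize(chain))
    print("gain from instrumenting privilege escalation to 0.8:",
          round(marginal_gain(STEALTHY_CHAIN, "privilege escalation", 0.8), 4))
```

Under these assumptions the four stealthy stages together are caught far more often than the single noisy exploit (roughly 76% versus 50%), while the attacker's end-to-end reliability drops with every stage added and a single patch anywhere in the sequence still breaks the chain; the model is deliberately simple, and correlated detections or stages built to evade the same sensor would shrink the defender's advantage.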

[–] [email protected] 39 points 10 months ago (3 children)
[–] [email protected] 23 points 10 months ago* (last edited 10 months ago) (1 children)

That's Standards, isn't it?

Edit: yup

[–] [email protected] 10 points 10 months ago* (last edited 10 months ago) (2 children)

Is this how people who quote Bible verses feel? I can just surmise the meaning by the number and the context because I'm so familiar with the source.

[–] [email protected] 4 points 10 months ago

I just surmise by the context and end up usually correct, so the numbers haven't quite clicked in yet.

[–] [email protected] 1 points 10 months ago

It must be, 'cause I immediately recognized the numbers.

[–] [email protected] 6 points 10 months ago

no garfield 3:16

[–] [email protected] 15 points 10 months ago* (last edited 10 months ago) (1 children)

Glancing through your article, while you have correctly assessed the need for risk based prioritization of vulnerability remediation and mitigation, your central premise is flawed.

Vulnerability is not threat— CVSS is a scoring system for individual vulnerabilities, not exploit chains. For that, you’ll want to compare with ATT&CK or the legacy cyber kill chain.

[–] [email protected] 2 points 10 months ago

Thanks for sharing! I'm amazed at how sophisticated this was.