The longer I’m in the world of Cyber Security, the more I realize that people like to throw these phrases around seemingly interchangeably. The problem is that they aren’t interchangeable. Each word has a specific meaning, and using them incorrectly will lead to unexpected reactions from senior management.
Let’s first set the mood for this. I’ve been working in Cyber Security for 10 years now. During this time, I’ve seen amazing levels of panic over things that really didn’t matter, all because someone used these words interchangeably. I worked in a security operations center during incidents like Shellshock, Heartbleed, WannaCry, NotPetya, BlueKeep, CCleaner, and others. In every one of those incidents, the same thing happened every single time: someone briefed senior leadership that hackers were exploiting our servers when what was actually happening was vulnerability scanning.
In fact, just recently my boss came to talk to me about our security posture. He had read a news article saying that WannaCry was still the most used exploit in the world, 3 years later. My boss wanted to know what we were doing to ensure we were protected against WannaCry. I politely informed him that WannaCry is dead; it died when Marcus Hutchins registered the kill switch domain. What the article was actually talking about was the exploit EternalBlue, but my boss still wanted us to brief him in a week on what our plan was to deal with the uptick in WannaCry.
My boss would not accept that WannaCry wasn’t a threat, all because someone used the wrong wording in an article.
According to Wikipedia, the definition of a vulnerability is: “a weakness which can be exploited by a threat actor”. In WannaCry the vulnerability was CVE-2017-0144. The vulnerability was an issue with SMBv1 (which should never be exposed to the internet).
A vulnerability is a weakness, but a vulnerability by itself isn’t that big of a deal. An exploit by itself has no real impact on the computer either.
Years ago, I was working in a SOC when Shellshock was released. Everyone started freaking out because it had a CVSS 3.0 score of 10/10. After several hours of chaos, senior leadership finally calmed down enough for us to tell them that we weren’t vulnerable because we didn’t have any public-facing Linux servers; all our servers were Microsoft IIS.
Shellshock was a huge vulnerability, but it wasn’t a threat to us. To that same extent, CVE-2017-0144 was a huge threat, but Microsoft had patched it before EternalBlue was public.
An exploit is a tool that is used to take advantage of the vulnerability. There can’t be an exploit without there first being a vulnerability; however, just because there is a vulnerability doesn’t mean there is an exploit. A prime example of this was BlueKeep (CVE-2019-0708).
BlueKeep was a vulnerability in RDP (which also should never be exposed to the Internet); however, it didn’t have a working exploit for several weeks after it was disclosed. If you ever go to the CVSS website, you’ll see that there are plenty of vulnerabilities listed there, but there isn’t an exploit for every vulnerability.
In the case of Wannacry, and my personal story, the exploit was called EternalBlue. In my personal story, the news article my boss read should have said that EternalBlue was still the most common exploit since it was heavily wormable.
After the vulnerability is discovered and an exploit is created and used, a payload can then be loaded. The payload is a malicious program that allows hackers to achieve their objectives. In the case of WannaCry, the payload was the destructive malware (commonly referred to as WannaCry ransomware). The payload was an encryptor.
You can have a vulnerability, and you can have an exploit, but without a payload it again doesn’t really matter. Payloads, however, are interchangeable: once you have exploited something, you can load most payloads onto the system.
This is the most overused and incorrectly used phrase of all time in Cyber Security. Let’s get a few things straight: there is no such thing as zero-day malware, and there is no such thing as a zero-day payload. Zero-day refers exclusively to the exploit.
A zero-day is an exploit for a vulnerability that doesn’t yet have a patch. In the case of WannaCry, EternalBlue was not a zero-day because Microsoft had already patched that vulnerability two months earlier.
An example of a zero-day is the recent WordPress vulnerability that was being actively exploited.
While in theory you can call an unpatched vulnerability a zero-day even without an active exploit, for that to make sense the vulnerability would need to be extremely serious and extremely prevalent, like BlueKeep.
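The distinctions above (does the weakness apply to our platform, is it patched, does a working exploit exist, and is the exploit a zero-day) are exactly the questions a SOC has to answer before briefing leadership. The following is an added example, not code from the original post, showing how those four questions can be encoded as a small triage routine. The vulnerability, exploit and asset records are constructed sample data; the MS17-010 patch date and the EternalBlue first-seen date follow the public timeline the post describes (patch two months before the exploit was public), the BlueKeep patch date is Microsoft's May 2019 fix, and the WordPress entry is a labelled placeholder because the post does not name a CVE.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vulnerability:
    cve: str
    affected_platforms: Set[str]   # which platform families carry the weakness
    patch_date: Optional[date]     # None while no vendor fix exists


@dataclass
class Exploit:
    name: str
    cve: str                       # the vulnerability this exploit targets
    first_seen: date               # when working exploit code became public/observed


@dataclass
class Asset:
    hostname: str
    platform: str
    internet_facing: bool = False
    patched_cves: Set[str] = field(default_factory=set)


def is_zero_day(exploit: Exploit, vuln: Vulnerability) -> bool:
    """Zero-day, as the post defines it: an exploit for a vulnerability that has
    no patch at the time the exploit is in use."""
    if exploit.cve != vuln.cve:
        raise ValueError("exploit does not target this vulnerability")
    return vuln.patch_date is None or exploit.first_seen < vuln.patch_date


def exposure(asset: Asset, vuln: Vulnerability, exploits: List[Exploit]) -> str:
    """Classify what one vulnerability means for one asset, in the order the
    post argues: applicability, patch state, exploit availability, reachability."""
    if asset.platform not in vuln.affected_platforms:
        return "not applicable"                    # Shellshock on an all-IIS estate
    if vuln.cve in asset.patched_cves:
        return "patched"
    if not any(e.cve == vuln.cve for e in exploits):
        return "vulnerable, no known exploit"      # BlueKeep in its first weeks
    if asset.internet_facing:
        return "exploitable, internet-facing"
    return "exploitable, internal"


def triage(assets: List[Asset], vulns: List[Vulnerability],
           exploits: List[Exploit]) -> Dict[Tuple[str, str], str]:
    """Exposure status for every (host, CVE) pair; this is the table to brief from."""
    return {(a.hostname, v.cve): exposure(a, v, exploits)
            for a in assets for v in vulns}


# --- constructed sample data (illustration only) ---
SHELLSHOCK = Vulnerability("CVE-2014-6271", {"linux"}, date(2014, 9, 24))
MS17_010 = Vulnerability("CVE-2017-0144", {"windows"}, date(2017, 3, 14))
BLUEKEEP = Vulnerability("CVE-2019-0708", {"windows"}, date(2019, 5, 14))
# Placeholder for the unnamed WordPress bug in the post: no patch exists yet.
WP_PLACEHOLDER = Vulnerability("CVE-XXXX-PLACEHOLDER", {"wordpress"}, None)

ETERNALBLUE = Exploit("EternalBlue", "CVE-2017-0144", date(2017, 4, 14))
WP_EXPLOIT = Exploit("wp-in-the-wild (placeholder)", "CVE-XXXX-PLACEHOLDER", date(2020, 1, 1))
EXPLOITS = [ETERNALBLUE, WP_EXPLOIT]

ASSETS = [
    Asset("web01", "windows", internet_facing=True, patched_cves={"CVE-2017-0144"}),
    Asset("fileserver", "windows", internet_facing=False),
    Asset("rdp-gw", "windows", internet_facing=True),
]
VULNS = [SHELLSHOCK, MS17_010, BLUEKEEP]


if __name__ == "__main__":
    print("EternalBlue zero-day?", is_zero_day(ETERNALBLUE, MS17_010))      # False
    print("WordPress placeholder zero-day?", is_zero_day(WP_EXPLOIT, WP_PLACEHOLDER))  # True
    for (host, cve), status in sorted(triage(ASSETS, VULNS, EXPLOITS).items()):
        print(f"{host:12} {cve:16} {status}")
```

Note that the routine never says "hackers are exploiting us"; the strongest statement it can produce is "exploitable, internet-facing", which is what a briefing should say before anyone has confirmed an actual compromise.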
Words matter; I’m not sure if I’ve mentioned that yet. We need to use the right words when we talk about these things. Our senior leaders shouldn’t be getting their information from the news; they should be getting it from us, and we need to be giving them the correct information.