Scanner vs. RidgeBot™ = Vulnerability vs. Exploit

Jul 28, 2020 | AI in Automated Pen Test

In our previous introductions to our product, we emphasized how RidgeBot™ not only finds vulnerabilities in a system, but also uses proof-of-concept exploits to test those vulnerabilities and find which of them can actually be exploited. A natural question is what the difference between a vulnerability and an exploit is, and why that difference matters in modern cybersecurity and sets RidgeBot™ apart from our competitors.

A vulnerability is a weakness in a system, or in some software in a system, that an attacker could potentially abuse to bypass the system’s security infrastructure. When we use a vulnerability scanner, we often see a myriad of vulnerabilities in the report. For example, in memory-unsafe languages like C, a buffer write that does not check the buffer’s boundary is a vulnerability, because an attacker could potentially overwrite the memory beyond the end of that buffer. A vulnerability can pose a significant problem, but as its definition suggests it is merely a potential attack target: out of these vulnerabilities, only 3% will result in an exploit.

An exploit, by definition, is the act of turning a vulnerability (a weakness) into an actual way to breach a system. Unlike a vulnerability, which only creates the potential for an adversary to attack the system, an exploit causes real damage to the system, stealing valuable information and resulting in massive financial loss. In the example above, the adversary’s actions to actually use the vulnerability and overwrite memory constitute a buffer overflow exploit.
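The buffer example above, as an added illustration in C that is not code from the original post or from RidgeBot™: the unchecked copy is the vulnerability (a weakness that exists whether or not anyone feeds it oversize input), and the checked form is the fix. The record layout, field names and sample input are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed example record: a fixed-size name followed by a flag that sits
 * directly above it in memory, the kind of field an unbounded write reaches. */
struct record {
    char name[NAME_LEN];
    int  privileged;
};

/* Vulnerable pattern (the article's "buffer that fails to check its boundary"):
 * nothing bounds the copy, so input of NAME_LEN bytes or more writes past
 * name[] into whatever follows. That weakness is the vulnerability; it must
 * never be reached with untrusted input. */
void set_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened form: the boundary is checked before any byte is written.
 * Returns false and leaves the record untouched when src does not fit. */
bool set_name_checked(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return false;              /* no room for the terminating NUL */
    memcpy(r->name, src, n + 1);   /* n + 1 copies the terminator too */
    return true;
}

/* Self-check helper: the value of the flag after a checked write of src into
 * a zeroed record, so a caller can confirm that a rejected oversize input
 * never disturbed the field above the buffer. */
int flag_after_checked_write(const char *src)
{
    struct record r;
    memset(&r, 0, sizeof r);
    set_name_checked(&r, src);
    return r.privileged;
}

int main(void)
{
    const char *oversize = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed: 24 bytes */
    struct record r = {{0}, 0};
    printf("oversize input accepted by checked copy: %d\n", set_name_checked(&r, oversize));
    printf("privileged flag after rejection: %d\n", r.privileged);
    return 0;
}
```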

With a clear understanding of the difference between a vulnerability and an exploit, it is easier to see what sets RidgeBot™ apart from scanners. RidgeBot™ is an ethical hacking tool that performs real exploits, advanced iterative attacks and post-exploitation activities. While a scanner can find most vulnerabilities in a system, it does little validation, which results in a high false-positive rate and an unrealistic risk picture. Many of the vulnerabilities it reports are low risk, i.e. infeasible or even impossible for an attacker to exploit. But a scanner does not distinguish exploitable from unexploitable vulnerabilities: it always recommends thoroughly patching every vulnerability it finds, which in a realistic setting is highly time-consuming and inefficient.

Therefore, security testing should not stop at “vulnerability scanning”; “validation” (a.k.a. exploit validation) is imperative in today’s cyber environment. In addition to vulnerability scanning, RidgeBot™ runs real PoC exploits, and further iterative exploits using the new information gained, in order to verify the risk of each vulnerability. In the report, we call the exploited vulnerabilities “business risks” and prioritize their patching; we categorize them as High/Medium/Low and patch them in that order. As a result, RidgeBot™ has a zero false-positive rate and saves valuable time for our users while guaranteeing the same level of security as an average vulnerability scanner.