Richard Bejtlich just put up a post about the debate around whether we as security practitioners should focus on vulnerabilities or on threats.

I commented on his post, but thought it worth it to reproduce my thoughts here as well. Here’s what I said:

If you’re a left-handed soup sandwich, then the focus should be on vulnerabilities because the likelihood that you’ll be compromised by an advanced attack is low. No need to break down a door when there are no walls.

If your vulnerability management, i.e. KNOWN vulnerability management, is mature then it’s better to focus on the actors capable of launching unknown attacks. At that point it becomes worth it to ask, “Who wants to hurt me? Who can benefit from stealing my data?” Etc.

But having this conversation when you lack the basics is like working on an airborne plane’s air conditioning while it lacks navigation and landing gear.

So, yes, there is something to be said for “fix the vulnerability and stop worrying about where a potential exploit might come from”, but this mentality ignores the fact that the most dangerous threats are likely attacking vulnerabilities that you aren’t yet aware of. As such it’s more effective to think about what they might be after, and about defense-in-depth, rather than staying limited to the patch game.