Using Google Adwords to Refine Your Network Threat Model

by Karl Tatgenhorst on February 16, 2011

Over the course of the past year, I have been working as an IT director for an internet marketing company. This has allowed me to continue working technology but to see my tools through a new set of eyes, but it has not precluded me from seeing other peoples tool sets with an old set of eyes. I remember when I first learned that the bulk of compromises came from malware created by people searching for exploit kids and available loaders and packaging them up… these people were often referred to as “script kiddies”. One of the things that hit me while in my current job is that the exploit code could be found by simply searching Google for it and indeed many did just that.

Google Adwords is a text based ad platform which allows you to place your ads above and to the right of search results. Basically, if you want to insure that your link will be found on a search you bid on the keywords or phrase and then your ad will display for that (assuming your bid won). That turns a search query into a product and as such it must have a quantifiable value, for this we use the Keyword Tool. The Adwords Keyword Tool allows you to input a bunch of phrases and it tells you how many searches were run for those phrases in the last month. This allows you to generate a value for your search term.
The version of “threat model” which I like to use is from Richard Bejtlichs book The Tao of Network Security Monitoring (Amazon affiliate link). This model has us assigning a value in a numeric scale to: The threat, Vulnerability, and the Asset value and then multiplying them to determine a value for our risk. So using the Adwords Keyword Tool allows us to better quantify the “threat” posed by a vulnerability by obtaining data on how many people are searching for an exploit to our vulnerability (pair that with whether or not an exploit is known to exist).
To give an example I’ll use MS10-090 which is a “remote code execution” vulnerability in Internet Explorer. First, we’ll look at Microsofts page about MS10-090 which doesn’t yield much in the way of good material for a vulnerability search. So, the next stop is the CVE site for this vulnerability. Using that page we come up with this list of keywords:

  • CVE-2010-3962
  • EXPLOIT-DB:15418
  • EXPLOIT-DB:15421

Which yield the following results:
Adwords Keyword Tool results for our exploit search
Knowing that it was searched by CVE with the word exploit, tells us that it is interesting. Knowing that a variety of search terms probably also work tells us the number could be higher than the 210 that we see there. We can either assume a high value for the threat or research more search terms to get a better picture. Either way when we tell the CEO tomorrow that the risk level is “elevated” we can have an excellent piece of supporting documentation in our hands. What additional tools do you include in your threat modeling toolset?

About the author

Karl Tatgenhorst wrote 31 articles on this blog.

Comments on this entry are closed.

Previous post:

Next post: