The Bar Fight Risk Taxonomy
Update: Ricki has put t-shirts based on this tweet - literally - up in an Etsy store. They are 25 AUD and all proceeds go towards helping students and others get into cybersecurity as a career field. Yeet!
After hearing the words "vulnerability" and "threat" used interchangeably for the >9,000th time, I decided to take action, and the Bar Fight Risk Taxonomy was born.
Risk is an ambiguous and abstract concept, so I rely heavily on metaphors to explain cybersecurity and risk concepts. Using a situation or experience that the majority of people have experienced, thought about, heard about, or seen on TV provides a solid foundation for understanding. Another technique I frequently employ is visceral hyperbole to immerse the reader in the scenario while keeping the focus on the point. In this case, even if the reader hasn't considered avoiding a fight before, it's still a relatively simple (if unpleasant and violent) threat model to consider.
Hat tip to the legendary Jack Daniel who has been using a similar fighting analogy to communicate risk concepts for years...
Patch Tuesday = your weekly gym visit
— ARJ (@AndrewRJamieson) April 20, 2021
Security stack = your mates at the pub with you
APT = a mate who also wants to punch you in the face
Air gap = avoiding the pub by staying at home
Side channel = your wallet being nicked whilst you are being punched in the face
In any case... It went viral quickly, to the point where my friend Ricki Burke started making t-shirts out of it. - Of all the tweets I've sent that could have ended up on a t-shirt, I'm glad this one did:
3000+ Posts
I'm clearly not the only one who frequently needs to explain these terms and gets mildly irritated when they're switched around (especially by those in the space who really ought to know better). The original tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now refer to as "The Pub Brawl Risk Taxonomy," which ranged from the concisely accurate to the deeply snarky and hilarious.
Here's the original tweet::
threat actor = someone who wants to punch you in the face
— cje ๐๐ (@caseyjohnellis) April 19, 2021
threat = the punch being thrown
vulnerability = your inability to defend against the punch
risk = the likelihood of getting punched in the face
My apologies to the tenured risk and GRC professionals who have already identified what appears to be a mistake here... Risk is mathematically defined as: Likelihood x Impact. Because Twitter has a character limit of 240, I descoped Impact as a modifier by considering a successful punch as a breach (i.e. A pass/fail DO NOT WANT). Daniel Miessler did an excellent job expanding on the alternative treatment of risk in this analogy in his blog... but Twitter is written in pen, not pencil, so my Impact = 1 definition remains unchanged.
Here are some subsequent additions to the thread...
acceptable risk = your willingness to be punched in the face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
exploit = the fist
— cje ๐๐ (@caseyjohnellis) April 20, 2021
attack surface = the size and shape of your face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
And on, and on it went...
Patch Tuesday = your weekly gym visit
— ARJ (@AndrewRJamieson) April 20, 2021
Security stack = your mates at the pub with you
APT = a mate who also wants to punch you in the face
Air gap = avoiding the pub by staying at home
Side channel = your wallet being nicked whilst you are being punched in the face
bounty hunter = someone who promises to wear gloves when they punch you if you promise to pay them based on where they punch you
— ec0 || james ๐ดโโ ๏ธ (@devec0) April 20, 2021
bugcrowd = cage fight organiser
asymmetric threat = studying this entire thread then getting kicked in the crotch
— cje ๐๐ (@caseyjohnellis) April 21, 2021
cyberrisk insurance = your mates at the pub betting on if you can "talk that kinda shit" and not get punched in the face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
Threat intelligence = โBobโs going to come at you with a right crossโ
— Bill Kyrouz (@Kyrouz) April 20, 2021
attack surface = the size and shape of your face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
canary = a loud obnoxious friend who is daring everyone to punch them, wearing identical clothes
— Picaro Byte (@__picaro8) April 20, 2021
pentest = sparring partner, former welterweight boxer, will hit you until you say stop, no below the belt
compliance = how you think this all works until you've been punched in the face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
Parameterized query: understanding the proper defensive ninja moves while someone is talking to you all friendly like and then suddenly tries to punch you in the face
— Jim Manico (@manicode) May 3, 2021
Risk acceptance = ok getting punched
— SecFightClub (@SecFightClub) May 3, 2021
Risk mitigation = practice taking a pinch
Risk mitigation = consider guards
Risk proactive controls = snipers pic.twitter.com/mHQTyMdw3R
bad threat intelligence = people are generally mad at you about stuff, and might try to punch you at some point in the future
— cje ๐๐ (@caseyjohnellis) April 20, 2021
CVE = list of known standard punches
— David Heath (@david_heath) April 21, 2021
Port scan = looking around the bar to see what everyone is drinking
Bouncer = Firewall
Band-aids = Initial post-event remediation
Blood = data-loss
No memory of the event = Ransomware, must rebuild from backups stored in the memory of pals
CVE=A Chuck Norris movie
— Mathias (@matthegap) April 21, 2021