Assessing the likelihood of exploitation for an out-of-support application or operating system involves evaluating specific factors such as exploit availability, attack complexity, threat intelligence, and exposure. Each of these factors should be individually scored to provide a clear and evidence-based likelihood assessment.
Exploit availability examines whether working exploits for the vulnerabilities in the unsupported system are publicly accessible. If exploits are readily available through exploit databases or packaged in tools such as Metasploit, the system is significantly more likely to be targeted, and a high score (e.g., 4 or 5 on a 1–5 scale) is appropriate.

Attack complexity evaluates the skill and effort required to exploit these vulnerabilities. On this scale a higher score means less effort is needed, so the likelihood is greater. Unsupported systems often have well-documented weaknesses that require minimal technical expertise to exploit, leading to a similarly high score (e.g., 4).

Threat intelligence adds further context by assessing whether attackers are actively targeting similar systems. Evidence of active exploitation, or inclusion of the vulnerabilities in widely used exploit kits, would elevate the score to very high (e.g., 5).

Exposure considers how reachable the system is for an attacker. Internet-facing systems can be reached by anyone, justifying a high score (e.g., 5). If the system sits behind a firewall, is accessible only through a VPN, or is segregated within the network, exposure is reduced and the score drops (e.g., 2 or 3).
For example, an unsupported operating system running on an internet-facing server with a known exploit and evidence of active targeting would likely receive a likelihood score of 4 or 5 (high to very high). In contrast, the same system placed behind robust firewalls, restricted to internal use, and requiring complex lateral movement to reach might score 2 or 3 (low to moderate) for exposure, reducing the overall likelihood score. Controls such as firewalls, network segmentation, intrusion detection systems (IDS), and strict access controls can significantly mitigate the likelihood: firewalls, segmentation and VPN-only access reduce reachability, while IDS and strict access controls increase the effort and risk of detection an attacker must accept. A control should only be credited in the score when its effect has been verified (for example, that the firewall rules actually block the vulnerable service from untrusted networks); otherwise the lower score rests on an assumption rather than evidence.
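The following Python module turns the four-factor scoring described above into a repeatable assessment and runs it over the two scenarios from the example (the internet-facing server and the segregated internal host). It is an added example, not code from the original article: the factor names, the 1–5 scale and the two scenarios come from the text, while the numeric thresholds, the grouping of controls into "reduces exposure" versus "raises attack complexity", the `Evidence` fields and the aggregation rule are assumptions made here so that the output is consistent with the outcomes the text describes.

```python
"""Factor-by-factor likelihood scoring for an unsupported system.

Added example, not from the original article. The four factors and the
1-5 scale come from the text; the thresholds, control groupings and the
aggregation rule are assumptions chosen to give a repeatable score.
"""
from dataclasses import dataclass
from statistics import mean

LABELS = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}

# Assumed grouping: controls that reduce reachability (exposure) versus
# controls that raise the effort or detection risk for the attacker.
EXPOSURE_CONTROLS = {"firewall", "segmentation", "vpn_only"}
COMPLEXITY_CONTROLS = {"ids", "strict_access_control"}


@dataclass(frozen=True)
class Evidence:
    """Assumed evidence record; each field maps to one scoring question."""
    public_exploit: bool            # proof of concept in an exploit database
    weaponised: bool                # Metasploit module or exploit-kit inclusion
    skill_required: str             # "low", "medium" or "high"
    active_targeting: bool          # intel reports attacks on similar systems
    internet_facing: bool
    controls: frozenset = frozenset()   # verified controls only


def clamp(value: int) -> int:
    return max(1, min(5, value))


def score_exploit_availability(e: Evidence) -> int:
    if e.weaponised:
        return 5
    if e.public_exploit:
        return 4
    return 2


def score_attack_complexity(e: Evidence) -> int:
    # Higher score = less effort needed = more likely. IDS and strict access
    # controls make the attack harder, so each verified one pulls the score down.
    base = {"low": 4, "medium": 3, "high": 2}[e.skill_required]
    return clamp(base - len(COMPLEXITY_CONTROLS & e.controls))


def score_threat_intelligence(e: Evidence) -> int:
    if e.active_targeting or e.weaponised:
        return 5
    if e.public_exploit:
        return 3
    return 2


def score_exposure(e: Evidence) -> int:
    if e.internet_facing:
        return 5
    # Internal system: each reachability control removes one point, floored
    # at 2 because the host is still reachable by an insider or via lateral movement.
    return max(2, clamp(4 - len(EXPOSURE_CONTROLS & e.controls)))


def assess(e: Evidence) -> dict:
    factors = {
        "exploit_availability": score_exploit_availability(e),
        "attack_complexity": score_attack_complexity(e),
        "threat_intelligence": score_threat_intelligence(e),
        "exposure": score_exposure(e),
    }
    # Aggregation (assumption): average the three threat-side factors, then
    # combine that equally with exposure, so a well-segregated host with a
    # weaponised exploit lands at "moderate" rather than "very high".
    threat = mean(v for k, v in factors.items() if k != "exposure")
    overall = round((threat + factors["exposure"]) / 2)
    return {"factors": factors, "overall": overall, "label": LABELS[overall]}


# Constructed scenarios mirroring the two cases in the text.
INTERNET_FACING = Evidence(public_exploit=True, weaponised=True,
                           skill_required="low", active_targeting=True,
                           internet_facing=True)
SEGREGATED = Evidence(public_exploit=True, weaponised=True,
                      skill_required="low", active_targeting=True,
                      internet_facing=False,
                      controls=frozenset({"firewall", "segmentation", "vpn_only",
                                          "ids", "strict_access_control"}))

if __name__ == "__main__":
    for name, scenario in (("internet-facing", INTERNET_FACING),
                           ("segregated", SEGREGATED)):
        result = assess(scenario)
        print(f"{name}: {result['factors']} -> {result['overall']} ({result['label']})")
```

Running the module scores the internet-facing case as 5 (very high) and the segregated case as 3 (moderate), with exposure dropping from 5 to 2 and attack complexity from 4 to 2 once the verified controls are counted. Keeping each factor's score and the evidence behind it in the returned record is what makes the assessment defensible: a reviewer can challenge one input (for example, whether the VPN restriction really applies) without re-deriving the whole result.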
By scoring each factor independently and incorporating existing controls into the evaluation, organisations can produce a detailed and defensible likelihood assessment. This structured approach ensures that risk decisions are transparent and based on a thorough understanding of the system's vulnerabilities and its exposure to potential threats.