The Heavy Tails of Vulnerability Exploitation

Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense

Etalle

2017

Self Cite

Current threat models typically consider all possible ways an attacker can penetrate a system and assign probabilities to each path according to some metric (e.g. time-to-compromise). In this paper we discuss how this view hinders the realness of both technical (e.g. attack graphs) and strategic (e.g. game theory) approaches of current threat modeling, and propose to steer away by looking more carefully at attack characteristics and attacker environment. We use a toy threat model for ICS attacks to show how a realistic view of attack instances can emerge from a simple analysis of attack phases and attacker limitations.

Section: Empirical Views On Attacksmentioning

confidence: 81%

Towards Realistic Threat Modeling

Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense

Etalle

2017

Self Cite

“…This requires the definition of models that jointly evaluate attacker's and defender's strategies: (89) several independent studies showed that most attacks are driven by a handful of vulnerabilities only, suggesting that attackers choose vulnerabilities to exploit as opposed to launching attacks drawn randomly from a pool of exploits for all vulnerabilities. (46,47,103) Capturing these aspects may require to integrate socioeconomic models to evaluate attacker's incentives in marketing or buying a new vulnerability (91,102) or choosing a target. (89) We consider these aspects for future work.…”

Section: Discussionmentioning

confidence: 99%

“…(37,45) Due to the studied along the guidelines of traditional safety analysis and QRA in the same fashion that natural risks are studied. prevalence of untargeted attacks in the overall risk scenario, (38,46,47) in this article we focus on this type of attacks.…”

Section: Following Ransbotham Andmentioning

confidence: 99%

“…For example, distribution of attacks against web software components seems to follow a log-normal distribution whereby for certain software types 95% of attacks are driven by as little as 5% of the software's vulnerabilities. (46) Hence, the frequency and impact distributions defined in Equation (2) can be collapsed to a single probability estimate for a given number of events z.…”

Section: A Quantitative Model For Likelihood Of Cyberattacksmentioning

confidence: 99%

See 1 more Smart Citation

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Massacci

2017

Risk Analysis

Self Cite

Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage on the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automatic tools that make up the vast majority of attacks in the wild against users and organizations. We consider two-stage attacks whereby the attacker first breaches an Internet-facing system, and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of "weaponized" vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology by using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.

“…is is particularly unfortunate as the CVSS score gives a clear, well-de ned and readily available assessment of the vulnerability that can be used 'out-ofthe-box' to take a rst security decision on whether the vulnerability is (not) likely to represent a signi cant risk [5]. is is especially relevant as recent empirical [1] as well as analytical [3] ndings indicate that most vulnerabilities remain unexploited by a ackers. It is therefore especially important to devise measures that rule out 'low-risk' vulnerabilities to prioritize ne-grained assessments on high-potential vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

Attack Potential in Impact and Complexity

Proceedings of the 12th International Conference on Availability, Reliability and Security

Massacci

2017

Self Cite

Vulnerability exploitation is reportedly one of the main a ack vectors against computer systems. Yet, most vulnerabilities remain unexploited by a ackers. It is therefore of central importance to identify vulnerabilities that carry a high 'potential for a ack'. In this paper we rely on Symantec data on real a acks detected in the wild to identify a trade-o in the Impact and Complexity of a vulnerability, in terms of a acks that it generates; exploiting this e ect, we devise a readily computable estimator of the vulnerability's A ack Potential that reliably estimates the expected volume of a acks against the vulnerability. We evaluate our estimator performance against standard patching policies by measuring foiled a acks and demanded workload expressed as the number of vulnerabilities entailed to patch. We show that our estimator signi cantly improves over standard patching policies by ruling out low-risk vulnerabilities, while maintaining invariant levels of coverage against a acks in the wild. Our estimator can be used as a rst aid for vulnerability prioritisation to focus assessment e orts on high-potential vulnerabilities. CCS CONCEPTS•Security and privacy → Vulnerability management;