New technique maps attack paths to quantify cyber risk
- By William Jackson
- Oct 04, 2011
Researchers at the National Institute of Standards and Technology have come up with a way to take some of the guesswork out of IT security.
“Currently, management of security risk of an enterprise network is more an art than a science,” they write in a new Interagency Report. “System administrators operate by instinct and experience rather than relying on objective metrics to guide and justify decision-making.”
One of the problems in measuring security is that a network attack is likely to progress through a number of machines, exploiting different vulnerabilities as it goes. As attacks and networks become more complex, the possible attack scenarios grow exponentially and evaluating real-world risk levels becomes difficult.
With new FISMA rules, security progress can be measured
How do you measure IT security? These metrics offer a standardized way
NIST’s technique offers a standard model for measuring security in a quantifiable, comparable way.
Called Probabilistic Attack Graphs, it charts the paths through a network used to exploit multiple vulnerabilities, assigning a risk value to each vulnerability that takes into account how easy or likely it is to be exploited at that point in the path. These metrics can be used to objectively assess the security risks and to evaluate the return on a cybersecurity investment.
NIST IR 77788, “Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs,” builds on earlier efforts to create data models that can be used to assess IT security.
One limitation of an attack graph is that it assumes a vulnerability can always be exploited, the report states. But there is a range of probabilities that vulnerabilities at different steps in the path can be exploited, depending on the skill of the attacker and the difficulty of the exploit. Attack graphs typically show only what is possible rather than what is likely.
Probabilistic attack graphs use the industry standard Common Vulnerability Scoring System as a starting point for quantifying risk, also taking into account the likelihood that a given vulnerability can be exploited given its position in the path being charted.
The goal is to make security quantifiable by “capturing vulnerability interdependencies and measuring security in the exact way that real attackers penetrate the network,” the report states. “We analyze all attack paths through a network, providing a metric of overall system risk.”
With an objective metric, trade-offs between security costs and benefits can be analyzed, so organizations can spend their money on security measures that pay off.
“Our metric is consistent, unambiguous, and provides context for understanding security risk of computer networks,” the report states.
The report describes tools and techniques available for creating attack graphs through complex networks, which can help a system administrator understand weaknesses based on the configuration within the network. An automatic attack-graph generator can identify obscure attack possibilities arising from intricate security interactions within an enterprise network that could be easily overlooked by a human analyst.
“Since all the attack nodes in an attack graph do not always guarantee success, we can attach a component metric to each attack node,” the researchers write. This “is a numeric measure indicating the conditional probability of attack success when all the preconditions are met.”
Aggregating the probabilities over the attack-graph structure provide a cumulative metric, indicating the absolute probability of attack success in the specific system. The longer the attack path and the harder it is for an attacker to reach a particular vulnerability, the lower the cumulative risk from that vulnerability, even though it might be evaluated by itself as high-risk.
Establishing the risks of different elements in the attack graph helps to determine the most cost-effective mitigations, which might not be initially obvious or intuitive because of complex interactions.