riskanalysis [2017/10/23 17:05] – [References] lallodi
riskanalysis [2021/01/10 21:04] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Cyber-Risk Analysis and Quantification ====== ====== Cyber-Risk Analysis and Quantification ======
  
 +This research line at TU/e SEC is led by [[http://www.win.tue.nl/~lallodi/|Dr. Luca Allodi]] and is focussed on quantitative aspects of cybersecurity risk assessment. This line of research is also informed by results from the [[attackereconomics|attacker economics]] research track.
 ===== Vulnerability remediation ===== ===== Vulnerability remediation =====
  
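Review bot: the added lead-in sentence introduces "TU/e SEC" without expanding the group name on first use, and it is placed above the "Vulnerability remediation" heading while the rest of the page keeps its prose under headings; consider spelling out the acronym and keeping the sentence as an explicit page introduction so readers know whose research line is described. "focussed" is a valid British spelling, but the page otherwise uses American spelling ("color" further down), so pick one convention.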
Line 10: Line 11:
   - introduce new vulnerabilities.   - introduce new vulnerabilities.
  
-The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://www.win.tue.nl/~lallodi/allodi-tissec-14.pdf|Allodi (TISSEC 2014)]]. The Figure on the side {{ :imgs:riskanalysis:vulnvens.png?nolink&300|}} depicts a Venn Diagram distribution of vulnerabilities (NVD), vulnerabilities with a Proof-of-Concept exploit (EDB), vulnerabilities in the black markets (EKITS), and vulnerabilities exploited at scale (SYM). Areas are proportional to number of vulnerabilities, and color mappings match High (red), Medium (yellow), Low (blue) CVSS severities ([[http://nvd.nist.gov|(NVD)]]. As one can see, CVSS severities do not appear to be good predictors for probability of inclusion in SYM, an insight that remains valid also after more formally controlling for possible  +The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://www.win.tue.nl/~lallodi/allodi-tissec-14.pdf|(Allodi et al. TISSEC 2014)]]. The Figure on the side {{ :imgs:riskanalysis:vulnvens.png?nolink&280|}} depicts a Venn Diagram distribution of vulnerabilities (NVD), vulnerabilities with a Proof-of-Concept exploit (EDB), vulnerabilities in the black markets (EKITS), and vulnerabilities exploited at scale (SYM). Areas are proportional to number of vulnerabilities, and color mappings match High (red), Medium (yellow), Low (blue) CVSS severities [[http://nvd.nist.gov|(NVD)]]. As one can see, CVSS severities do not appear to be good predictors for probability of inclusion in SYM, an insight that remains valid also after more formally controlling for possible  
-confounding factors [[http://www.win.tue.nl/~lallodi/allodi-tissec-14.pdf|Allodi (TISSEC 2014)]]).+confounding factors [[http://www.win.tue.nl/~lallodi/allodi-tissec-14.pdf|(Allodi et al. TISSEC 2014)]].
  
 This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above.  This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. 
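Review bot: the citation fix in this hunk correctly removes the unbalanced "(" before the NVD link and the stray ")" after the TISSEC citation, but "the Common Vulnerability Scoring System (CVSS) by NIST" is left unchanged on both sides; CVSS is maintained by FIRST, and NIST's NVD is where the severities quoted here are published, so "CVSS, as published in NIST's NVD" would keep the attribution accurate. The image macro "{{ :imgs:riskanalysis:vulnvens.png?nolink&280|}}" still has an empty caption after the "|", so "The Figure on the side" has nothing to point at in a text-only rendering; a short caption naming the NVD, EDB, EKITS and SYM sets would fix that. Minor: "uncorrelated with actual exploits" is stronger than the conclusion the same paragraph draws two sentences later ("do not appear to be good predictors"); "not a good predictor of" keeps the two statements consistent.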
Line 24: Line 25:
 Cyber-attacks can be roughly classified in two categories: Cyber-attacks can be roughly classified in two categories:
  
-  - **Targeted cyber-attacks**: these attacks target specific systems and organizations and are typically carried by sophisticated, technically advanced attackers. These may be nation-state agencies as well as resourceful enterprises (e.g. for espionage purposes). These attack may be carried by means of the so-called “0-day” attacks, i.e. exploits that attack a vulnerability that is unknown to the defender (e.g. because the attacker discovered it). These attacks are very rare. A 2012 study revealed that only a small fraction of overall attacks involve 0-days [[https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf| (Bilge CCS 2012)]].+  - **Targeted cyber-attacks**: these attacks target specific systems and organizations and are typically carried by sophisticated, technically advanced attackers. These may be nation-state agencies as well as resourceful enterprises (e.g. for espionage purposes). These attack may be carried by means of the so-called “0-day” attacks, i.e. exploits that attack a vulnerability that is unknown to the defender (e.g. because the attacker discovered it). These attacks are very rare. A 2012 study revealed that only a small fraction of overall attacks involve 0-days [[https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf| (Bilge et al. CCS 2012)]].
   - **Untargeted cyber-attacks**: these attacks are launched against the population of Internet users at large. Vulnerable targets end up being infected, whereas non-vulnerable targets remain unaffected. The attacker does not target specific systems or users, but rather a class of users with certain characteristics . These attacks are by far the most common and exploit well-known vulnerabilities. For example, the recent WannaCry malware exploited a long-patched vulnerability and affected millions of users worldwide without targeting any specific organization (for example, the UK NHS has been a victim of the malware not because of attacker interest in its systems, but because of its reliance to old software configurations.   - **Untargeted cyber-attacks**: these attacks are launched against the population of Internet users at large. Vulnerable targets end up being infected, whereas non-vulnerable targets remain unaffected. The attacker does not target specific systems or users, but rather a class of users with certain characteristics . These attacks are by far the most common and exploit well-known vulnerabilities. For example, the recent WannaCry malware exploited a long-patched vulnerability and affected millions of users worldwide without targeting any specific organization (for example, the UK NHS has been a victim of the malware not because of attacker interest in its systems, but because of its reliance to old software configurations.
  
-==== Factors of risk ====+==== Factors of risk: attacker economics====
  
 Whereas targeted attack scenarios vary on a case-by-case basis, untargeted attacks can be more generally characterized. Due to the relevance of the latter on the overall threat scenario, in the remainder we focus on this. Whereas targeted attack scenarios vary on a case-by-case basis, untargeted attacks can be more generally characterized. Due to the relevance of the latter on the overall threat scenario, in the remainder we focus on this.
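Review bot: the renamed heading "==== Factors of risk: attacker economics====" drops the space before the closing "====" that every other heading on the page has; DokuWiki tolerates it, but keep the style consistent. The context lines in this hunk also carry errors the revision did not touch: "These attack may be carried by" should read "These attacks may be carried out by", "characteristics ." has a stray space, "reliance to old software configurations" should be "reliance on", and the parenthesis opened at "(for example, the UK NHS" is never closed, so the WannaCry example runs into the end of the list item. Since the hunk already edits the neighbouring citation, these fit in the same revision.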
Line 33: Line 34:
 Untargeted attacks are used to achieve a number of impacts on victim systems; for example, installing banking Trojans; stealing credentials, credit card numbers, and other private information; using infected systems to mine bitcoins or other virtual currency; launching denial of service attacks through botnets; etc. Untargeted attacks are used to achieve a number of impacts on victim systems; for example, installing banking Trojans; stealing credentials, credit card numbers, and other private information; using infected systems to mine bitcoins or other virtual currency; launching denial of service attacks through botnets; etc.
  
-This lead to the commodification of cyber-attackers whereby attackers can buy attack technology and products of attacks (e.g. spam services) from other attackers. A non-technical summary of the characteristics of underground markets can be found in [[http://damonmccoy.com/papers/WEIS15.pdf|(Kurt et al WEIS 2015)]]. +This lead to the commodification of cyber-attackers whereby attackers can buy attack technology and products of attacks (e.g. spam services) from other attackers.
- +
-The core idea of an underground market is to breakdown the phases of an attack in “atomic units” that can then be re-composed by the customer to generate the attack he/she wishes to launch. For example, an attacker may compose an attack with specific exploits (e.g. for internet explorer vulnerabilities), targeting machines in a specific country (e.g. Brazil), delivering specific malware (e.g. a Trojan for Windows systems that hijacks the web interface of a Brazilian bank), that is obfuscated on the fly to minimize detection.+
  
 While this obviously simplifies the attack process for the attacker (who does not need to be technically sophisticated to engineer all attacks from scratch), introduces limitations in the likely sources of attack as these will coincide with the market’s offering/portfolio. More details on this are given at [[attackereconomics|this page]]. While this obviously simplifies the attack process for the attacker (who does not need to be technically sophisticated to engineer all attacks from scratch), introduces limitations in the likely sources of attack as these will coincide with the market’s offering/portfolio. More details on this are given at [[attackereconomics|this page]].
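Review bot: removing the "atomic units" paragraph together with the WEIS 2015 pointer leaves "While this obviously simplifies the attack process" in the following context line without a clear antecedent: "this" referred to composing an attack from market-bought components, which the page now describes only on the linked attackereconomics page. Either keep a one-sentence summary ahead of the "While this" sentence or reword it to "While buying attack components from such markets simplifies ...". Two further points on the surviving text: "This lead to the commodification" should be "This led to", and "introduces limitations in the likely sources of attack" is missing its subject ("it also limits the likely sources of attack"). If the removed citation is reintroduced elsewhere, note that "Kurt et al" appears to cite by first name rather than surname; check the author list of the linked PDF before re-adding it.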
riskanalysis.1508771151.txt.gz · Last modified: 2021/01/10 20:59 (external edit)