Data Model Takes Some Guesswork Out of Cyber Security

A team at the National Institute of Standards and Technology has come up with a new mapping procedure to quantify cyber threats.

"Currently, management of security risk of an enterprise network is more an art than a science," they write in a new Interagency Report. "System administrators operate by instinct and experience rather than relying on objective metrics to guide and justify decision-making."

One of the problems in measuring security is that a network attack is likely to progress through a number of machines, exploiting different vulnerabilities as it goes. As attacks and networks become more complex, the possible attack scenarios grow exponentially and evaluating real-world risk levels becomes difficult.

NIST's technique offers a standard model for measuring security in a quantifiable, comparable way.

Called Probabilistic Attack Graphs, it charts the paths through a network used to exploit multiple vulnerabilities, assigning a risk value to each vulnerability that takes into account how easy or likely it is to be exploited at that point in the path. These metrics can be used to objectively assess the security risks and to evaluate the return on a cybersecurity investment.

NIST IR 7788, "Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs," builds on earlier efforts to create data models that can be used to assess IT security.

One limitation of an attack graph is that it assumes a vulnerability can always be exploited, the report states. But there is a range of probabilities that vulnerabilities at different steps in the path can be exploited, depending on the skill of the attacker and the difficulty of the exploit. Attack graphs typically show only what is possible rather than what is likely.

Probabilistic attack graphs use the industry standard Common Vulnerability Scoring System as a starting point for quantifying risk, also taking into account the likelihood that a given vulnerability can be exploited given its position in the path being charted.

The goal is to make security quantifiable by "capturing vulnerability interdependencies and measuring security in the exact way that real attackers penetrate the network," the report states. "We analyze all attack paths through a network, providing a metric of overall system risk."

With an objective metric, trade-offs between security costs and benefits can be analyzed, so organizations can spend their money on security measures that pay off.

"Our metric is consistent, unambiguous, and provides context for understanding security risk of computer networks," the report states.

The report describes tools and techniques available for creating attack graphs through complex networks, which can help a system administrator understand weaknesses based on the configuration within the network. An automatic attack-graph generator can identify obscure attack possibilities arising from intricate security interactions within an enterprise network that could be easily overlooked by a human analyst.

"Since all the attack nodes in an attack graph do not always guarantee success, we can attach a component metric to each attack node," the researchers write. This "is a numeric measure indicating the conditional probability of attack success when all the preconditions are met."

Aggregating the probabilities over the attack-graph structure provides a cumulative metric, indicating the absolute probability of attack success in the specific system. The longer the attack path and the harder it is for an attacker to reach a particular vulnerability, the lower the cumulative risk from that vulnerability, even though it might be evaluated by itself as high-risk.

Establishing the risks of different elements in the attack graph helps to determine the most cost-effective mitigations, which might not be initially obvious or intuitive because of complex interactions.
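The following is an added worked example, not code from the NIST report or from the author: it builds a small constructed attack graph, attaches a component metric (the conditional probability of success once all preconditions hold) to each exploit, propagates cumulative probabilities over the graph, and then ranks single mitigations by the residual risk they leave on a target. The propagation rule (product over an exploit's preconditions, noisy-OR over the exploits that grant a condition) assumes independent exploits and a cycle-free graph; that is a simplification of this example, not the report's full Bayesian treatment. The host names, the CVSS-to-probability scaling and the component values are all constructed for illustration.

```python
"""Cumulative attack-success probability over a small attack graph.

Added example (not code from the NIST report): conditions are attacker
privileges, exploits carry a component metric p = P(success | all
preconditions hold).  Cumulative metrics are propagated over the DAG
assuming independent exploits: an exploit needs ALL its preconditions
(product), a condition is reached by ANY enabling exploit (noisy-OR).
"""

# CVSS v2 exploitability weights (the published v2 constants).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # authentication


def cvss2_exploitability(av, ac, au):
    """CVSS v2 exploitability subscore (0..10) for an AV/AC/Au triple."""
    return 20 * AV[av] * AC[ac] * AU[au]


def component_metric(av, ac, au):
    """Assumed mapping (this example's choice): subscore scaled to [0, 1]."""
    return cvss2_exploitability(av, ac, au) / 10.0


class AttackGraph:
    def __init__(self, initial):
        self.initial = set(initial)   # conditions the attacker starts with
        self.exploits = {}            # name -> (preconditions, p, postcondition)

    def add_exploit(self, name, preconditions, p, postcondition):
        self.exploits[name] = (tuple(preconditions), p, postcondition)

    def without(self, *names):
        """Copy of the graph with the given exploits mitigated (removed)."""
        g = AttackGraph(self.initial)
        for n, (pre, p, post) in self.exploits.items():
            if n not in names:
                g.add_exploit(n, pre, p, post)
        return g

    def p_exploit(self, name, memo=None):
        """Cumulative probability that exploit `name` succeeds."""
        memo = {} if memo is None else memo
        pres, p, _ = self.exploits[name]
        for c in pres:                       # AND over preconditions
            p *= self.p_condition(c, memo)
        return p

    def p_condition(self, cond, memo=None):
        """Cumulative probability that the attacker obtains `cond`."""
        memo = {} if memo is None else memo
        if cond in self.initial:
            return 1.0
        if cond not in memo:
            fail = 1.0
            for n, (_, _, post) in self.exploits.items():
                if post == cond:             # OR over enabling exploits
                    fail *= 1.0 - self.p_exploit(n, memo)
            memo[cond] = 1.0 - fail
        return memo[cond]

    def rank_mitigations(self, target):
        """Residual risk of `target` after removing each single exploit."""
        ranked = [(self.without(n).p_condition(target), n) for n in self.exploits]
        return sorted(ranked)


def build_example():
    """Constructed network: attacker -> web or VPN -> database (hypothetical)."""
    g = AttackGraph(initial={"attacker"})
    # Component metrics are constructed values in [0, 1], e.g. a scaled
    # CVSS exploitability subscore as in component_metric().
    g.add_exploit("web_rce", ["attacker"], 0.9, "user_web")
    g.add_exploit("vpn_bypass", ["attacker"], 0.2, "user_vpn")
    g.add_exploit("db_from_web", ["user_web"], 0.5, "root_db")
    g.add_exploit("db_from_vpn", ["user_vpn"], 0.5, "root_db")
    return g


if __name__ == "__main__":
    g = build_example()
    for n in g.exploits:
        print(f"{n:12s} component={g.exploits[n][1]:.2f} cumulative={g.p_exploit(n):.3f}")
    print("P(root_db) =", round(g.p_condition("root_db"), 3))
    for risk, n in g.rank_mitigations("root_db"):
        print(f"mitigate {n:12s} -> P(root_db) = {risk:.3f}")
```

Two things the output makes visible that the component scores alone do not: `db_from_web` and `db_from_vpn` share the same component metric (0.5), yet their cumulative metrics differ (0.45 versus 0.1) because the VPN path is harder to reach; and removing `web_rce` cuts the database risk from about 0.505 to 0.1, whereas removing the higher-looking `vpn_bypass` only brings it to 0.45, so the cheaper-looking mitigation is not the more effective one.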

About the Author

William Jackson is the senior writer for Government Computer News (