Modeling Reality: Under Attack
Modeling Reality is a series of blog posts describing how real world scenarios are modeled by our software. This is the second installment.
Last week we discussed our vulnerability model; on the other side of that coin are the attacks. In our system we model two distinct types of attacks: targeted attacks and indiscriminate attacks.
Targeted attacks occur when an attacker decides to specifically target a particular business operation. Because of their targeted nature, these attacks are almost always persistent; the attacker doesn’t give up until they achieve their goal or their attack is detected and defended against. We make the simplifying assumption that all targeted attacks are persistent. These attackers are generally highly skilled; once they gain entry, they are adept at chaining together multiple vulnerabilities to reach their target, and thus have a high rate of success. They also often have knowledge of zero-day exploits at their disposal, which we model by assigning our forecasted zero-day vulnerabilities to a particular attacker.
We categorize targeted attacks based on their mode of entry: vulnerable software, malware, password guessing, social engineering, third-party services, etc. We use industry-specific attack data to determine the rate of attack for each of these categories in a particular industry segment. Combining that information with an estimation of the number of business operations that exist in the industry segment, we can determine how often these attacks are likely to target a particular operation.
Indiscriminate attacks occur when a new software vulnerability is disclosed publicly. Once a vulnerability is made public, attackers scramble to get as much use out of the vulnerability as possible before it gets patched. Indiscriminate attacks are not persistent: if the attacker can’t get in on the first try, they give up and move on to the next target in order to cover more ground more quickly. These attackers are generally less skilled and have to rely on known vulnerabilities, because the skilled attackers who have access to zero-day exploits prefer to stick to targeted attacks. They often rely on scripts they find on the internet to carry out their attacks, so they may have difficulty chaining together multiple vulnerabilities if the initial attack doesn’t give them access to their target.
Because of the widespread nature of indiscriminate attacks, we assume that it’s just a matter of time before every business operation gets hit, so every vulnerability disclosure triggers an indiscriminate attack in our model. The date of the attack is determined based on a combination of two factors: the amount of time required to develop an exploit of the vulnerability and the amount of time before an attacker gets around to attacking a particular business operation.
Tags: analysis, assessments, attacks, cybersecurity, modeling