The likelihood of success of a cyber-attack and its relevance within the HERMENEUT model

Enrico Frumento
9 min read · Jan 19, 2024

Introduction

Today, the elusiveness of targeted attacks (TAs) [1] and the number of evasion tactics used by ongoing attacks are so significant that monolithic defence strategies are still not efficient. Successful attacks are built to stay under the detection threshold on all layers of security (from the network to the human layer): e.g., network scanning is today usually a faint activity, systems are compromised with ad-hoc copies of unique malware, and phishing campaigns are tailored around single humans [2] [3]. Cybercrime is increasingly moving in the direction of sophisticated “low-and-slow” attacks [4]. The low-and-slow approach involves attackers remaining invisible for as long as possible while stealthily moving from one compromised host to the next, without generating regular or predictable patterns of network traffic or data exfiltration, as they hunt for specific data or system targets. The rapidity of the single attack steps is one crucial element of being stealthy.

Therefore, the defence paradigms must adapt to this increasingly flexible and elusive scenario, where the usual defence systems based on pattern recognition are no longer useful. For example, a recent report from FireEye states that “the average time from an email phishing breach to detection is 146 days globally, and a colossal 469 days for the EMEA region”. According to the report, “At a basic level, the notion that hackers are rooting around in companies’ networks undetected for 15 months is sobering, as it allows ample opportunity for lateral movement within IT environments” [5].

The early detection of the weak signals of an ongoing attack is probably the most important challenge in today’s security market. Within this context, one of the most interesting innovative approaches is the ability to analyse an increasing amount of data, with the assistance of Artificial Intelligence (AI), to capture an emerging and as yet unnoticed trend. Cyber Threat Intelligence (CTI) tools are facing this challenge. However, the most problematic issue of CTI is not only the complexity of the evaluation models but also the potentially uncontrollable divergence of their forecasts. The models depend strongly on the precision of the Indicators of Compromise (IoCs), whose collection is nowadays regulated by different bodies (mainly European bodies such as the ISACs [6], or crowd-based efforts such as the VERIS Community Database [7]) and supported by (usually de-facto) standard technologies (STIX being the reference serialisation language [8]). CTIs are also affected by the intrinsic instability of the forecast models, which require effort to collect the IoCs, elaborate the models and distribute the early alerts. This implies a cost model that goes beyond the means of an organisation with a low-budget security programme, such as an SME.

Context

As reported by [9], the current approaches to IT security and risk management tend to underestimate the following key aspects:

  • The human factor (covering subjective, organisational, societal and economic aspects) in identifying vulnerabilities to cyber-attacks. This aspect is often ignored despite the fact that, as recently demonstrated [2], Social Engineering 2.0 (SE 2.0) attacks generate the highest costs, both as consequences of attacks and as protection against them [10] [11].
  • The attacker’s strategy in identifying vulnerabilities and assets at risk. Modern attacks follow the same business logic as big companies, which involve multidisciplinary competencies in defining their strategies and business plans [10] [11] [12]. The same multidisciplinary approach, combining engineering, risk assessment, economic, cognitive, behavioural, societal and legal knowledge, is needed to address the strategy of professional IT attackers properly.
  • The role of intangible assets in the quantification of the consequences of cyber-attacks. As reported in [13], “More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers. That figure could be as high as $37.5 trillion of the $71 trillion in enterprise value of 58,000 companies, according to Brand Finance, a consultancy specializing in valuation of intangible assets”. Moreover, according to [14], more than 70% of attacks target small businesses, and as much as 60% of hacked small and medium-sized businesses go out of business after six months.

Given the described scenario, HERMENEUT aims to create an inclusive approach to cyber-security cost-benefit analysis. It starts (i) from an integrated assessment of vulnerabilities and their likelihoods, (ii) exploits an innovative macro- and microeconomic model for intangible costs, (iii) ends with an estimation of the cyber-risks for an organisation or business sector, and (iv) follows this with guidelines on investments to mitigate the loss of an enterprise’s integrity.

The likelihood of success of a cyber-attack

In the HERMENEUT approach, the risk is equal to the product of likelihood, vulnerability and impact [15]. From a general point of view, the likelihood of success of a cyber-attack is composed of five relevant elements: business plan, commoditisation level, operational security, exposure of the target and human factor. These elements can be used, together with a proper economic model, to estimate an enterprise’s tangible and intangible risks.

  • The business plan of the attacker is typically tied to the ease of monetising the stolen assets. Putting aside a few more specific cyber-attacks conducted for different motivations, the ease of monetisation of a stolen asset is the main driver in the black market — and thus a motive for performing cyber-attacks. Understanding the attacker’s business plan therefore usually requires monitoring the dynamics of the black market’s selling fluctuations and its interest in specific assets. This monitoring function is already provided by big players in IT security and integrated into current risk estimation approaches[1]. Moreover, this element is correlated with the remaining four factors (commoditisation level, operational security, target exposure and human factor). Black-market dynamics are driven by the evolution of attacking tools (e.g., the recent evolution of Shark Ransomware as a Service, see [16]), as well as by the difficulty of stealing valuable assets (e.g. see [17] for a discussion of the price fluctuations of fake Gmail accounts in the black market as a consequence of the hardening measures released by Google). HERMENEUT does not concentrate on exploring and evaluating black-market dynamics; instead, it concentrates on evaluating the less explored commoditisation level, exposure of the target and human factor.
  • The commoditisation level is an approximate measure of how easy it is to launch a cyber-attack against an organisation. This can only be assessed by simulating a cyber-attack against the IT systems from an attacker’s viewpoint. The assumption is that the effort undertaken by a penetration tester to break into a system in a simulated environment is proportional to the effort of a real cyber-attack. The higher the effort of the cyber-attack (e.g. regarding the competencies and instruments applied), the higher, in general, its price on the black market. With the evolution of TAs, the exploits have become more subtle, and the strategies used are less universal (and thus less identifiable by statistical methods) and more easily adaptable to single victims [6]. A recent example of how the business models of cybercrime evolve, impacting both the commoditisation level and the economic cost models, has been reported by [16]: a new Ransomware-as-a-Service project has sprung up, and the “service providers” are allowing others to use it for free, but take a 20 percent cut out of every ransom paid by the victims. This change in the threat landscape required the techniques used to simulate cyber-attacks to be adjusted to the reported exploits. HERMENEUT uses a novel vulnerability assessment methodology to evaluate the commoditisation level of cyber-attacks.
  • Operational security, from the attackers’ point of view, refers to the ability to exfiltrate an asset or complete an attack business plan and remain unnoticed or uncaught. This element is connected to the commoditisation level of the black markets mentioned before. The underground economy is a loose federation of specialists selling capabilities, services, and resources explicitly tailored to abuse the ecosystem, among which are services used to re-sell the stolen assets safely.
  • Exposure of the target measures how exposed the target is to cyber-attacks. This is essentially the amount and relevance of the information exposed by the victim or other parties on the Internet or, in general, to the outer world (e.g. in social media or unmonitored assets, like open resources or uncontrolled metadata of public documents) that can be directly (ab)used by the attacker to craft more successful cyber-attacks. This refers not only to leaked assets but, more generally, to information used to improve the effectiveness of the cyber-attacks (e.g., roles of personnel in the organisation, information about activities, locations visited during work hours, etc.), according to the logic and trends of the TA tactics. HERMENEUT measures the exposure of the target through the indirect estimation of the digital shadow of an institution[2]. That is the portion of the enterprise’s data space which is unintentionally leaked on the Internet by its employees (e.g., employees speaking of work on social media) or directly through digital channels not monitored by the enterprise (e.g., the presence of unofficial support pages on some social media). The extension of the digital shadow is proportional to the enterprise’s exposure.
  • Human factor measures how the behaviour of individuals, as well as social and organisational problems, indirectly affect the success rate of real-world cyber-attacks, for instance due to a lack of respect for existing policies or other potentially detrimental behaviour of employees. This also includes user-motivated security incidents, threats of human error by insiders, and the role of human vulnerabilities in successful cyber-attacks. The human factor is another rough measure of the softness of the target, but in contrast to the commoditisation level, it takes an internal point of view. It is evaluated using an internally run assessment, performed with a “grey-box” approach[3], and the vulnerabilities detected are not necessarily all known and abused by real attackers. However, they are a proactive indicator for the enterprise of where cyber-attacks could potentially occur.

Among these elements, only the quantification of the commoditisation level, the exposure of the target and the human factor can be partially automated and integrated into the HERMENEUT cost-benefit framework. They also represent the most challenging and least explored elements — and, therefore, lead to the key innovations delivered by HERMENEUT.

Bibliography

[1] Trend Micro, “Understanding targeted attacks. What is a targeted attack,” Trend Micro, 24 September 2015. [Online]. Available: http://tinyurl.com/yanqzk9h.

[2] DOGANA, “DOGANA Project,” 2018. [Online]. Available: www.dogana-project.eu.

[3] ProofPoint, “Protecting People Report. A quarterly analysis of highly targeted attacks,” ProofPoint, September 2018. [Online]. Available: https://www.proofpoint.com/sites/default/files/pfpt-us-tr-people-report-summer-2018-180904.pdf.

[4] M. Johnson, Cyber crime, security and digital intelligence, London: Routledge, 2016.

[5] FireEye, “Cyber Threats: A perfect storm about to hit Europe?,” Marsh & McLennan, 2017. [Online]. Available: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-world-eco-forum.pdf.

[6] ENISA, “Information Sharing and Analysis Centres (ISACs): Cooperative models,” 2018. [Online].

[7] VERIS, “Community Database,” 2018. [Online]. Available: http://veriscommunity.net/.

[8] STIX, “A structured language for cyber threat Intelligence,” 2018. [Online]. Available: http://tinyurl.com/ybjgmoc7.

[9] B. Ahmed, “Micro- and macroeconomic modelling of intangible cyber-costs,” July 2017. [Online].

[10] ProofPoint, “The Human Factor — People-centred threats define the landscape,” 2018. [Online]. Available: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-human-factor-report-2018-180425.pdf.

[11] ENISA, “Threat Landscape Report,” 2017. [Online].

[12] K. Thomas, D. Yuxing Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage and G. Vigna, “Framing Dependencies Introduced by Underground Commoditization,” in Workshop on the Economics of Information Security, 2015.

[13] R. Kerber and S. Jessop, “Asset Managers Urged to Make Cyber Risk Top Priority,” Insurance Journal, 1 September 2015. [Online].

[14] PAYCHEX, “Creating a Cyber Security Culture in Your Business,” 19 January 2016. [Online].

[15] FRONTEX, “CIRAM Common Integrated Risk Analysis Model,” Warsaw, 2012.

[16] L. Abrams, “The shark Ransomware project allows you to create your own customized Ransomware,” 2016. [Online]. Available: http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-cus.

[17] R. Kerber and S. Jessop, “Asset Managers Urged to Make Cyber Risk Top Priority,” Insurance Journal, September 2015.

[18] E. Frumento, C. Lucchiari and G. Pravettoni, “Cognitive approach for social engineering,” in DeepSec, Wien, 2010.

Notes

[1] For example, refer to HavocScope, www.havocscope.com

[2] Digital shadow [6] is defined as “A digital shadow, a subset of a digital footprint, consists of exposed personal, technical or organisational information that is often highly confidential, sensitive or proprietary. As well as damaging the brand, a digital shadow can leave your organisation vulnerable to corporate espionage and competitive intelligence. Worse still, criminals and hostile groups can exploit a digital shadow to find your organisation’s vulnerabilities and launch targeted cyber-attacks against them”.

[3] Grey-box is a typical way of performing security tests in which the testers have some insight into the tested systems.

Enrico Frumento

Cybersecurity Research Lead @ Cefriel | Psychohistorian