Re: Mathematical Model for assessing Intentional Attacks

[Konrads Smelkovs <konrads.smelkovs () gmail com>]

I skim read the book and have some initial thoughts. For sake of this list,
the TL;DR version of it is (in my poor paraphrasing):
Take network, plot a graph, give nodes score based on connectedness,
estimated attacker value sort by PageRank which gives you the most
nodes-at-risk which then suggests where to concentrate defence efforts. The
Risk formula is adjusted as per the attached png.

I think this is an overall interesting approach and the authors consider
multiple types of attackers - e.g. authorised users exceeding privileges
and ghosts in the network, but I would find the application of this model
in the Real World [tm] problematic for the following reasons:

* value of node for its owner vs value for an attacker differs depending on
the type of attacker (I wish Authors would have used Intel's TARA);
organisations find it problematic to put a value on the asset themselves.
* connectedness matters when you consider inbound connections, but (unless
I misunderstood), it sort of makes endpoints either super-connected (each
surf session to facebook.com makes the node much, much more connected than
anything else inside the network) or connected very little - perhaps only
to nearest management system.
* the value of secrets on a system is quite important as an intermediary
target, for example, a management system in a NOC which has all those RW
SNMP strings is priceless and a big target and stepping stone.
* finally, I think not all nodes are made equal as they have different
"hardness", e.g. something running an ERP probably is a softer target than
a patched and locked down DC.

Regardless, I think this is a good foray into the topic and I wish authors
luck in following revisions.



--
Konrads Smelkovs
Applied IT sorcery

>

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave