[Dailydave] Mathematical Model for assessing Intentional Attacks

Konrads Smelkovs konrads.smelkovs at gmail.com
Tue Feb 2 16:31:49 EST 2016


I skim-read the book and have some initial thoughts. For the sake of this list,
the TL;DR version of it is (in my poor paraphrasing):
Take a network, plot it as a graph, give nodes a score based on connectedness
and estimated attacker value, sort by PageRank, which gives you the nodes most
at risk, which then suggests where to concentrate defence efforts. The
risk formula is adjusted as per the attached png.

I think this is an overall interesting approach and the authors consider
multiple types of attackers - e.g. authorised users exceeding privileges
and ghosts in the network, but I would find the application of this model
in the Real World [tm] problematic for the following reasons:

* the value of a node for its owner vs its value for an attacker differs depending
on the type of attacker (I wish the authors had used Intel's TARA);
organisations find it problematic to put a value on the asset themselves.
* connectedness matters when you consider inbound connections, but (unless
I misunderstood) it sort of makes endpoints either super-connected (each
surf session to facebook.com makes the node much, much more connected than
anything else inside the network) or very little connected, perhaps only
to the nearest management system.
* the value of secrets on a system is quite important as an intermediary
target; for example, a management system in a NOC which has all those RW
SNMP strings is priceless and a big target and stepping stone.
* finally, I think not all nodes are made equal as they have different
"hardness", e.g. something running an ERP is probably a softer target than
a patched and locked-down DC.

Regardless, I think this is a good foray into the topic and I wish the authors
luck with the following revisions.



--
Konrads Smelkovs
Applied IT sorcery
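An added worked example (not from the book under discussion and not the poster's code) that makes the paraphrased model and the objections above concrete: a constructed connection log for a small network, scored three ways. "degree" is raw undirected connectedness (every surf session counts); "pagerank" is weighted PageRank over the directed graph, where rank flows from initiator to target and so rewards inbound connections; "risk" multiplies PageRank by an assumed attacker value and divides by an assumed hardness. The node names, session counts, attacker values and hardness scores are all made up for illustration, and the pagerank * attacker_value / hardness rule is this example's own assumption, not the adjusted formula in the attached png.

```python
"""Toy network-risk ranking in the style of the model paraphrased above.

Every node, edge weight (observed session count), attacker value and hardness
score here is constructed for illustration.  The combination rule
pagerank * attacker_value / hardness is an assumption of this example, not the
book's adjusted risk formula.
"""

# Constructed connection log: (initiator, target, observed sessions).
EDGES = [
    ("ws1", "facebook.com", 200), ("ws2", "facebook.com", 180), ("ws3", "facebook.com", 220),
    ("ws1", "dc1", 20), ("ws2", "dc1", 20), ("ws3", "dc1", 20),
    ("ws1", "erp", 5), ("ws2", "erp", 5),
    ("noc-mgmt", "switch1", 3), ("noc-mgmt", "switch2", 3), ("noc-mgmt", "dc1", 2),
    ("erp", "dc1", 4),
]

# Constructed per-node estimates on a 0-10 scale.  attacker_value 0 marks a node
# outside the organisation's scope (facebook.com is not ours to defend).
# noc-mgmt gets a high value because it holds RW SNMP strings for the switches;
# dc1 gets a high hardness because it is patched and locked down.
ATTACKER_VALUE = {"ws1": 2, "ws2": 2, "ws3": 2, "facebook.com": 0,
                  "noc-mgmt": 10, "switch1": 5, "switch2": 5, "dc1": 10, "erp": 6}
HARDNESS = {"ws1": 4, "ws2": 4, "ws3": 4, "facebook.com": 1,
            "noc-mgmt": 4, "switch1": 5, "switch2": 5, "dc1": 10, "erp": 3}


def nodes(edges):
    """All node names, in first-seen order."""
    seen = {}
    for src, dst, _ in edges:
        seen.setdefault(src, None)
        seen.setdefault(dst, None)
    return list(seen)


def degree_score(edges):
    """Undirected weighted degree: every session counts, whichever way it went.
    This is the 'connectedness' that browsing to facebook.com inflates."""
    score = {n: 0 for n in nodes(edges)}
    for src, dst, w in edges:
        score[src] += w
        score[dst] += w
    return score


def pagerank(edges, damping=0.85, tol=1e-12, max_iter=1000):
    """Weighted PageRank over the directed connection graph by power iteration.
    Rank flows from initiator to target, so nodes with many inbound sessions win;
    nodes nobody connects to (the NOC box) sit at the floor."""
    ns = nodes(edges)
    n = len(ns)
    out_weight = {v: 0.0 for v in ns}
    inbound = {v: [] for v in ns}          # target -> [(initiator, weight)]
    for src, dst, w in edges:
        out_weight[src] += w
        inbound[dst].append((src, w))
    rank = {v: 1.0 / n for v in ns}
    for _ in range(max_iter):
        # Dangling nodes (no outbound sessions) spread their rank uniformly.
        dangling = sum(rank[v] for v in ns if out_weight[v] == 0)
        base = (1 - damping) / n + damping * dangling / n
        new = {}
        for v in ns:
            flow = sum(rank[u] * w / out_weight[u] for u, w in inbound[v])
            new[v] = base + damping * flow
        delta = sum(abs(new[v] - rank[v]) for v in ns)
        rank = new
        if delta < tol:
            break
    return rank


def risk_score(edges, attacker_value, hardness):
    """Assumed adjustment: reach (PageRank) times what the attacker gains,
    divided by how hard the node is to take."""
    pr = pagerank(edges)
    return {v: pr[v] * attacker_value[v] / hardness[v] for v in pr}


def ranking(score):
    """Node names ordered from highest to lowest score."""
    return sorted(score, key=score.get, reverse=True)


if __name__ == "__main__":
    for name, score in (("degree", degree_score(EDGES)),
                        ("pagerank", pagerank(EDGES)),
                        ("risk", risk_score(EDGES, ATTACKER_VALUE, HARDNESS))):
        print(name, [(v, round(score[v], 3)) for v in ranking(score)])
```

Run as-is, the degree ranking is led by facebook.com and the three workstations, purely because of surf sessions; PageRank moves dc1 up (everything connects to it) but still leaves noc-mgmt at the very bottom, since nothing connects inbound to it; only once attacker value and hardness enter does the NOC management box, the stepping stone with the SNMP strings, come out on top. The numbers that drive that last step are guesses, which is exactly the asset-valuation problem the second paragraph raises.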

Attachment (the png referred to above):
Name: Screen Shot 2016-02-02 at 21.16.40.png
Type: image/png
Size: 96526 bytes
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160202/c5f0de9e/attachment-0001.png>