Probability analysis and financial model development of MITRE ATT&CK Enterprise Matrix's attack steps and mitigations

N/A
N/A
Protected

Academic year: 2022

Share "Probability analysis and financial model development of MITRE ATT&CK Enterprise Matrix's attack steps and mitigations"

Copied!
60
0
0

Loading.... (view fulltext now)

Full text

(1)

Probability analysis and financial model development of MITRE

ATT&CK Enterprise Matrix's attack steps and mitigations

LINA EVENSJÖ

KTH ROYAL INSTITUTE OF TECHNOLOGY

SCHOOL OF ENGINEERING SCIENCES IN CHEMISTRY,

BIOTECHNOLOGY AND HEALTH

Probability analysis and financial model development of MITRE ATT&CK Enterprise Matrix's attack steps and mitigations

LINA EVENSJÖ

Degree Project in Computer Engineering and Economics

Date: June 8, 2020

Supervisor: Robert Lagerström

Examiner: Ibrahim Orhan

School of Engineering Sciences in Chemistry, Biotechnology and Health

Swedish title: Sannolikhetsanalys och utveckling av finansiell modell av MITRE ATT&CK Enterprise matrisens attacksteg och försvar

TRITA-CBH-GRU-2020:062


Abstract

Cyberattacks are becoming a greater concern as our society is digitized to a greater extent, with the storage of sensitive information being the rule rather than the exception. This creates a need for a time- and cost-efficient way to assess the cyber security of an enterprise. The threat modeling language enterpriseLang constitutes just that: a general enterprise system assumption allows re-use on several enterprise systems. The language is created with the Meta Attack Language and is based on the known attack and mitigation steps of the MITRE ATT&CK Enterprise Matrix. Since not all possible attack paths are equally likely, probability distributions need to be applied to the attack and mitigation steps. The work presented in this paper includes the provision of probability distributions for a handful of them, mainly connected to gaining initial access to a system with the help of user execution. Beyond this, the financial impact an attack can have, and whether mitigation measures are financially profitable, are examined. To calculate this, a Return on Response Investment model is developed.

Keywords

Cyber security, threat modeling, attack paths, probability, financial impact.


Sammanfattning (Swedish summary, translated)

Cyberattacks are becoming a greater concern as our society is digitized to a greater extent, where the storage of sensitive information has become the rule rather than the exception. This creates a need for a time- and cost-efficient way to assess the cyber security of an enterprise. The threat modeling language enterpriseLang is exactly that, where the assumption of a general enterprise system makes re-use on several different systems possible. The language is created with the Meta Attack Language and is based on known attack and defense steps from the MITRE ATT&CK Enterprise Matrix. Since not all possible attack paths are exploited to the same extent, probability distributions need to be assigned to the attack and defense steps. The work presented in this report includes the assignment of probability distributions to a handful of them, in particular those connected to gaining initial access to a system with the help of user execution. Beyond this, the financial impact an attack can have, and whether defensive measures are financially profitable, are also examined. A model for the return on such an investment is developed in order to calculate this.

Keywords (Swedish summary)

Cyber security, threat modeling, attack paths, probability, financial impact.


Contents

1 Introduction
1.1 Problem Statement
1.1.1 Research Questions
1.2 Scope
1.3 Objectives
1.4 Outline
2 Background
2.1 Threat Modeling
2.2 Domain-specific Language
2.3 Meta Attack Language
2.3.1 Probability Distributions
2.4 MITRE ATT&CK Enterprise Matrix
2.4.1 Attack Techniques
2.4.2 Attack Mitigations
2.5 enterpriseLang
2.6 Return on Response Investment
2.7 Related Work
3 Methods
3.1 Literature Study
3.2 Alternative Methods
3.2.1 Observational Study
3.2.2 Experimental Study
3.2.3 Penetration Testing
4 Results
4.1 Spear Phishing
4.1.1 Link Clicked
4.1.2 Attachment Download
4.1.3 User Training
4.1.4 Antivirus
4.2 User Execution
4.3 Drive-by Compromise
4.4 Brute Force
4.4.1 Account Policies
4.5 Hardware Additions
4.5.1 Limit Hardware Installation
4.6 Financial Impact
4.6.1 An Example Calculation
5 Discussion
5.1 Sustainable Perspective
5.2 Economical Perspective
5.3 Ethical and Social Perspective
6 Conclusions
6.1 Future Work
6.1.1 Overview Model Guidance
Bibliography


1 Introduction

With the good comes the bad, a suitable expression for the digitized world we live in. Our digital advancements are not without obstacles, such as cyberattacks. Cyber security is a field of constant development where new possibilities and threats are discovered continuously. The result of these attacks could have a devastating impact on our society. Pontus Johnson, professor in Network and Systems Engineering with a main research interest in cyber security, believes that future wars will be fought in cyberspace (https://www.kth.se/en/aktuellt/nyheter/framtidens-krig-utspelar-sig-pa-internet-1.910918, visited on 03/29/2020):

It is believed that in the future, wars will be increasingly conducted in cyberspace. More and more things are being controlled by computers, everything from electricity supplies to fighter jets, but the inherent vulnerability of computers means there is a risk that all these things can be hacked. The three traditional arenas for battle are ground, sea and air. Now, more and more people are talking about cyberspace as a fourth battleground.

An example of how critical a cyberattack can be is given by the December 2016 attack on the Ukrainian power grid with the Crash Override (Industroyer) malware (https://www.wired.com/story/crash-override-malware/, visited on 03/29/2020), where the power was cut off in parts of the capital city Kiev. Can you imagine the effect a longer power cut would have on our society's infrastructure?

Another consequence of our digitized society is how sensitive information is stored. Many data leakages have been discovered in recent years, like the

Facebook data leakages (https://www.techradar.com/news/millions-of-facebook-user-phone-numbers-leaked-online and https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/, visited on 03/30/2020) and the 1177 Vårdguiden healthcare guide leakage in Sweden (https://computersweden.idg.se/2.2683/1.716432/1177-lackan-vardguiden, visited on 03/30/2020), both in 2019. The growth in cloud computing, and thus third-party involvement, increases the importance of enterprise security. However, it can be both difficult and costly to assess the cyber security of such systems.

The threat modeling language enterpriseLang offers a suitable approach to this problem by generalizing the enterprise system model in order to simplify cyber security assessment. This domain-specific language is built with the Meta Attack Language (MAL) and the known adversary techniques found in the MITRE ATT&CK Enterprise Matrix. enterpriseLang constitutes a simplified and cost-effective way to simulate possible attack paths in an enterprise system. For now, the language assumes that each attack is either possible or not, depending on mitigation status. This assumption makes all attacks and attack paths appear equally likely. In a real-life attack, that is not the case: an experienced adversary is more likely to choose some attacks and attack paths over others. By giving the attacks probability distributions, the language can be further adapted to real-life scenarios.

1.1 Problem Statement

To further develop enterpriseLang and make the simulations relate more closely to real life, the proposed approach is to give the attacks and their mitigations probability values. These values represent the probability that an attack step is compromised by an adversary. Some attack steps are strongly connected to others. For example, if attack step A is compromised, then attack step B is always compromised as well; or, the other way around, if attack step A is not compromised then B is never reached. Such dependencies are realized with binary probability values. The attack steps have mitigations that also play a big role in determining the probable paths of an adversary. For example, the bruteForce attack step is mitigated by accountUsePolicies. Depending on the nature of an enterprise's account policies, the bruteForce attack step takes on different probability values, which makes attack paths via bruteForce more or less likely to be pursued.

From an economic perspective, the cost of a successful attack can be great, but at the same time it is not cheap to implement the necessary security measures. Together with the probabilities, it is possible to calculate the financial risk of each attack step. The resulting overall view of the costs in the system architecture can act as a decision basis for budgeting.

1.1.1 Research Questions

• What are the probabilities of the attack steps implemented in enterpriseLang?

• To what extent do their mitigations protect against compromise?

• What is the financial cost of implementing a defense compared to the financial risk of a compromised attack step? And how can it be calculated?

1.2 Scope

The paper is limited by time and information constraints. Not all attack steps will be given a probability value or distribution. The values given are general, since enterpriseLang is developed to be used on several enterprise systems; system-specific information therefore has to be supplied by the enterprise using the language. Alternative approaches to solving the problem are discussed but dismissed.

1.3 Objectives

• Provide a probability analysis with relevant discussion based on previous research and experiments in the field.

• Gain overall knowledge of the cyber security area, and consider its social and sustainability aspects.

• Develop experience in different attack techniques and the adversary goals they serve.

• Understand the financial impact a successful attack can have on an enterprise, both for the individual attacks and for the system architecture from a holistic perspective.


1.4 Outline

In the next chapter, all background information is covered. This information

is necessary to understand the problem statement and the results of the anal-

ysis this paper presents. Threat modeling, MITRE ATT&CK Enterprise Ma-

trix and enterpriseLang are covered among other topics. Following the Back-

ground chapter, is the Method chapter. This chapter covers the methodology

used and describes how the work was conducted in detail. In the following

chapter, the results of the analysis is presented. The results consists of proba-

bility distributions or values of the analyzed attack steps, and a financial model

that can be used to calculate the return on investment of mitigations. The suc-

ceeding Discussion chapter covers an in depth discussion of the analysis and

its results. Comparisons are made and improvements identified. The final

chapter concludes the benefits and contributions of the provided analysis. It

also suggests what the next step of development is.

2 Background

This chapter presents the topics, related to the background of the problem statement, that are needed to comprehend the results. The background is split into several parts, each explained in detail. It starts with what threat modeling is, how it can be used to describe the security of a system, and a suitable representation in the form of attack trees. Then domain-specific languages are explained and how they differ from general purpose languages. MAL, used to design such domain-specific languages for threat modeling, is presented. After that, the attack vectors found in the MITRE ATT&CK Enterprise Matrix are covered, with a more detailed explanation of the examined attack techniques and mitigations. To conclude, the domain-specific language enterpriseLang, created with MAL and the attack vectors of the MITRE ATT&CK Enterprise Matrix, is introduced. Lastly, the chapter ends by mentioning related work.

2.1 Threat Modeling

Uceda Vélez and Morana [1] define a threat model as:

A strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application en- vironment for the purpose of clearly identifying risk and impact levels.

The main objective of threat modeling is to understand which threats exist and, based on that, secure data and assets from being compromised, i.e., proactively prevent attackers from accomplishing their malicious intents [2]. In threat modeling, a threat is split up into multiple attacks in order to make the threat more manageable and easier to comprehend. The strategic component of threat modeling enables the anticipation of threats via attack simulations. The resulting attack patterns reveal vulnerabilities and possibly inadequate defences in a system or application [1].

One approach to representing these patterns is to use attack trees. Schneier [3] provides a good description of their structure:

Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you rep- resent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes.

These trees can be used to find and organize threats. A graphical representation of a tree aids human comprehension. A tree is also a data structure, which allows logic to be applied to it for a wider range of uses. Such logic could be a cost for each node in the tree, for example in the form of probability values. Adding a cost can change the availability and probability of the routes taken by an adversary in a system [4].

2.2 Domain-specific Language

A domain-specific language (DSL) is, as the name suggests, a language for a specific domain; it is also a formal language, i.e., one that can be processed by algorithms. A formal language is built upon syntax and semantics, which together form the construction rules of the language: syntax defines which sequences count as valid elements, while semantics specifies the meaning of each valid element [5].

Domain-specific languages are developed to solve problems in some specific application domain, and within that domain this type of language is more expressive than a general purpose language (GPL). The purpose of creating domain-specific languages is to simplify computational expression over bounded structures. The purpose of GPLs, on the contrary, is to express unbounded computations over unbounded structures. They have more general abstractions and are more problem-oriented than the application-oriented DSL [6].

The main difference between the two kinds of language is how they are intended to be used; the distinction is less about differences in technical characteristics [5].


2.3 Meta Attack Language

The Meta Attack Language (MAL) is a threat modeling meta language that can be used for designing domain-specific languages and automating the security assessment of modelled systems within the specified domain [7].

Johnson et al. [7] describe the Meta Attack Language as follows:

MAL allows security experts to codify domain-specific knowl- edge in order to allow simulations of attacks on systems in the do- main of interest. The thus generated domain-specific attack mod- eling languages may subsequently be used and re-used by people with lesser security expertise in order to automatically assess the security of specific systems within the domain.

Table 2.1: MAL symbols, taken from [8].

->  (Leads to) The successful compromise of this attack step allows the adversary to subsequently compromise further attack steps.

|   (OR) An OR attack step A can be reached if any of the attack steps that refer to A is reached.

&   (AND) An AND attack step A can be reached only when all of the attack steps that refer to A are reached.

#   (Defense) As opposed to attack steps, defenses are Boolean. A defense step represents the countermeasure of an attack step. A defense step is enabled or disabled by setting its value to TRUE or FALSE.

E   (Existence) Used when the existence of a connected/associated asset is checked. It acts like a defense, but the Boolean value is assigned automatically based on the existence of the asset.

+>  (Add operator) Applies to a child asset: an attack step (e.g. access) under the child asset leads to its own specific attack steps in addition to those of the corresponding attack step of the parent asset.

TTC (Time-To-Compromise) A probability distribution reflecting an adversary's ability to compromise an asset. Attack steps can have a TTC, and the MAL simulations calculate/aggregate TTC for models/scenarios.

An overall description of the symbols in MAL is shown in Table 2.1. An example of the bruteForce attack implemented with MAL can be seen in Listing 2.1. There are two assets, User and OS, with the attack steps userRights, userCredentials and bruteForce. The attack steps userRights and userCredentials are of type OR, which means that only one of their parent attack steps needs to be compromised for an adversary to reach them. If userRights is compromised, then the attack step os.bruteForce opens up to a possible compromise. The attack step bruteForce is of type AND, which means that all of its parent attack steps must be compromised before it becomes available to an adversary. However, bruteForce is defended by accountUsePolicies. Simply put, if the defense is enabled it is not possible to compromise the bruteForce attack step and the user credentials are not obtained; if the defense is disabled, bruteForce is executable and the user credentials are obtained. The associations follow UML conventions for showing relationships between assets. User and OS communicate via UI (User Interface), and in this example one User can log into one or more (1-*) operating systems (OS).

Listing 2.1: A MAL implementation of the attack step bruteForce

    asset User {
      | userRights
        -> os.bruteForce
      | userCredentials
    }

    asset OS {
      & bruteForce
        -> user.userCredentials
      # accountUsePolicies
        -> bruteForce
    }

    associations {
      User [user] 1 <-- ui --> 1-* [os] OS
    }

A simulation on a modelled system using MAL results in a probabilistic attack graph with the possible attack paths an adversary can take in order to compromise the system. The probabilistic component is computed from the global time to compromise of the various attack steps. This value helps determine the shortest path an attacker can take. The strategy is sensible because, if an attacker could choose between two paths, the most rational choice would be the one that requires less time and effort. The global time to compromise is based on the local time to compromise of each step along the path; the local time to compromise, in turn, is sampled from the step's probability distribution [7].

Looking at the previous example, an assumption is made about the attack step bruteForce: that once reachable, the compromise is instantaneous. In reality the time it takes to compromise can vary depending on the circumstances. For instance, the attacker might get lucky on the first try and succeed in a very short amount of time. Or, more likely, the credentials vary in length and strength between users and systems, which results in a varying amount of time to compromise.

To take this into account, probability distributions can be applied to the attack steps. These distributions describe the time it takes to compromise each attack step, the local time to compromise.

2.3.1 Probability Distributions

To be able to calculate the Time-To-Compromise (TTC), probability distributions need to be added to the attack steps and their mitigations. An example of how this is implemented on an attack step with MAL is presented in Listing 2.2.

Listing 2.2: An example of how a probability distribution is implemented with MAL

    category Systems {
      asset Computer {
        & compromise [Bernoulli(0.4)]
      }
    }

This means that the attack step compromise on an asset Computer is given a Bernoulli distribution with probability 40%: in a given simulation the step is possible, with no added time, with probability 0.4, and otherwise it cannot be compromised at all. Mitigation steps are given a distribution in the same way.
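The global/local TTC computation described above, the OR/AND/defense semantics of Table 2.1 and the Bernoulli distribution of Listing 2.2 can be made concrete in a short program. The following Python code is an added example, not code from the thesis or from the mal-lang tooling: it evaluates a small attack graph by sampling a local TTC for every step and propagating the earliest reachable time (Dijkstra, with AND steps released only when all their parents are reached), then estimates by Monte Carlo how likely user.userCredentials is to be reached and how long it takes. The graph is Listing 2.1 extended with two hypothetical steps, os.reachable and user.phished, and the distribution parameters (a 10-day mean brute-force time, a 40% phishing success rate) are assumptions chosen for illustration.

```python
"""Added example, not code from the thesis or the mal-lang project: a small
evaluator for the attack-graph semantics of Section 2.3. Each step samples a
local TTC (days). A step's global TTC is the earliest time an attacker who
starts at the entry steps can reach it: OR = earliest parent + own local TTC,
AND = latest parent + own local TTC, enabled defense = unreachable. As in MAL,
Bernoulli(p) costs no time with probability p and is otherwise never compromised."""
import heapq
import math
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

INF = math.inf
Sampler = Callable[[random.Random], float]

def bernoulli(p: float) -> Sampler:
    return lambda rng: 0.0 if rng.random() < p else INF

def exponential(mean_days: float) -> Sampler:
    return lambda rng: rng.expovariate(1.0 / mean_days)

def constant(days: float) -> Sampler:
    return lambda rng: days

@dataclass
class Step:
    name: str
    kind: str                               # "or" or "and"
    parents: List[str] = field(default_factory=list)
    ttc: Sampler = constant(0.0)
    defended_by: Optional[str] = None       # defense that blocks this step

class AttackGraph:
    def __init__(self, steps: List[Step]) -> None:
        self.steps = {s.name: s for s in steps}

    def global_ttc(self, entry: List[str], enabled_defenses: Set[str],
                   rng: Optional[random.Random] = None) -> Dict[str, float]:
        """One sample: Dijkstra over sampled local TTCs, where an AND step is
        released only once every one of its parents has been reached."""
        rng = random.Random(0) if rng is None else rng
        local = {n: INF if s.defended_by in enabled_defenses else s.ttc(rng)
                 for n, s in self.steps.items()}
        children: Dict[str, List[str]] = {n: [] for n in self.steps}
        for s in self.steps.values():
            for p in s.parents:
                children[p].append(s.name)
        dist = {n: INF for n in self.steps}
        parents_seen = {n: 0 for n in self.steps}
        heap: List[tuple] = []
        for e in entry:
            if local[e] < dist[e]:
                dist[e] = local[e]
                heapq.heappush(heap, (local[e], e))
        while heap:
            d, n = heapq.heappop(heap)
            if d > dist[n]:
                continue                        # stale queue entry
            for c in children[n]:
                if self.steps[c].kind == "and":
                    parents_seen[c] += 1
                    if parents_seen[c] < len(self.steps[c].parents):
                        continue                # still waiting on a parent
                cand = d + local[c]             # pops are non-decreasing in d
                if cand < dist[c]:
                    dist[c] = cand
                    heapq.heappush(heap, (cand, c))
        return dist

def thesis_graph() -> AttackGraph:
    """Listing 2.1 plus two hypothetical steps (assumptions, not in the thesis):
    os.reachable as a second AND parent, user.phished as a Bernoulli alternative."""
    return AttackGraph([
        Step("user.userRights", "or"),
        Step("os.reachable", "or"),
        Step("os.bruteForce", "and", ["user.userRights", "os.reachable"],
             exponential(10.0), defended_by="accountUsePolicies"),
        Step("user.phished", "or", ["user.userRights"], bernoulli(0.4)),
        Step("user.userCredentials", "or", ["os.bruteForce", "user.phished"]),
    ])

def simulate(g: AttackGraph, entry: List[str], target: str,
             enabled_defenses: Set[str], runs: int = 2000, seed: int = 1):
    """Monte Carlo: (fraction of runs reaching target, mean TTC of those runs)."""
    rng = random.Random(seed)
    hits = []
    for _ in range(runs):
        d = g.global_ttc(entry, enabled_defenses, rng)[target]
        if d < INF:
            hits.append(d)
    return len(hits) / runs, (sum(hits) / len(hits) if hits else INF)

if __name__ == "__main__":
    entry = ["user.userRights", "os.reachable"]   # where the attacker starts
    for defenses in (set(), {"accountUsePolicies"}):
        p, mean = simulate(thesis_graph(), entry, "user.userCredentials", defenses)
        print(f"defenses={sorted(defenses)}: P(compromise)={p:.2f}, "
              f"mean TTC of successful runs={mean:.1f} days")
```

Running it prints the compromise probability and mean TTC with accountUsePolicies disabled and enabled. With the defense enabled, the brute-force branch is unreachable and the only remaining path is the phishing step, so the probability drops to roughly the Bernoulli parameter and the TTC to zero; with it disabled, the exponential brute-force time and the zero-cost phishing shortcut combine through the OR step. Because every local TTC is non-negative the same propagation also works on cyclic graphs, which real MAL models can contain.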

For the AND (&) and OR (|) attack steps, the available probability distributions are presented in Table 2.2. The probability distributions available for the mitigation steps (#) are shown in Table 2.3. Whether a mitigation is enabled or disabled is set by the enterprise using the language, since defenses differ between enterprises, i.e., enterprise-specific information is needed to set them (https://github.com/mal-lang/malcompiler/wiki/Supported-distribution-functions, visited on 05/09/2020).

Table 2.2: Available probability distributions for the attack steps in MAL (source: the malcompiler supported-distribution-functions page linked above).

Table 2.3: Available probability distributions for the mitigation steps in MAL (same source).


2.4 MITRE ATT&CK Enterprise Matrix

MITRE's Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a knowledge base and model of adversaries' behavioural patterns in the cyber domain. It reflects the adversary life cycle, identifying the different phases of an attack and the probable targets. The model consists of three core components: tactics, techniques and documented adversary usage of techniques. An adversary's goal with a specific action during an attack is a tactic, and how this goal is achieved is a technique. Each tactic is associated with several techniques, which means that an adversary's goal can be achieved in various ways. A technique can be associated with more than one tactic, which means that an adversary can use the same technique to achieve different goals [9].

The tactic categories can be seen in Table 2.4 with a description of the adversary goal for each category.

Table 2.4: ATT&CK tactic categories (https://attack.mitre.org/tactics/enterprise/, visited on 03/25/2020).

Initial Access: The adversary is trying to get into your network.

Execution: The adversary is trying to run malicious code.

Persistence: The adversary is trying to maintain their foothold.

Privilege Escalation: The adversary is trying to gain higher-level permissions.

Defense Evasion: The adversary is trying to avoid being detected.

Credential Access: The adversary is trying to steal account names and passwords.

Discovery: The adversary is trying to figure out your environment.

Lateral Movement: The adversary is trying to move through your environment.

Collection: The adversary is trying to gather data of interest to their goal.

Command and Control: The adversary is trying to communicate with compromised systems to control them.

Exfiltration: The adversary is trying to steal data.

Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.

The relationships between tactics and techniques are visualized in the MITRE ATT&CK Enterprise Matrix. A sample from the matrix can be seen in Figure 2.1, where each column represents a tactic with its associated techniques. The matrix also presents possible mitigations, ways to prevent or avoid the techniques from being executed.


Figure 2.1: Sample from the MITRE ATT&CK Enterprise Matrix (https://attack.mitre.org/matrices/enterprise/, visited on 03/25/2020).

2.4.1 Attack Techniques

This section presents the techniques that are part of this paper's probability analysis. The necessary information about the techniques is provided in order to comprehend the results chapter later on.

Spear Phishing

Spear phishing is a technique used by an adversary to get initial access to the network. It involves electronically delivered social engineering aimed at specific individuals, companies or industries (https://attack.mitre.org/techniques/T1193/, visited on 04/03/2020). A common gateway for both regular phishing and spear phishing is e-mail. Regular phishing uses a more general approach, with messages claiming, for example, that you have won the lottery or that a Nigerian prince wants to marry you; more sophisticated messages such as invoices or delivery notifications are also used. Such messages can be sent in bulk and are most of the time easy to identify as fake. Unlike regular phishing messages, spear phishing messages look authentic, as if they come from a legitimate source.


There are three types of spear phishing: attachment, link and via service. Spear phishing attachment uses malicious e-mail file attachments. When opened, the adversary's payload exploits a vulnerability or executes directly on the user's system (https://attack.mitre.org/techniques/T1193/, visited on 04/03/2020). With spear phishing link, a malicious link is embedded in the e-mail and, when clicked, malware is downloaded. The link can also redirect the user to a website that compromises the browser using an exploit, or encourage the user to download content from the website (https://attack.mitre.org/techniques/T1192/, visited on 04/03/2020). Spear phishing via service means that the adversary makes use of third-party services instead of targeting the enterprise directly. Adversaries send messages through social media, personal mail services and other non-enterprise channels. It can be a fake job offer that ultimately leads to communication through enterprise channels, from where the adversary can send malicious links and attachments. This increases the likelihood of user execution, since the e-mail is expected (https://attack.mitre.org/techniques/T1194/, visited on 04/03/2020).

User Execution

An adversary may rely upon user execution to gain access; this is the case when performing spear phishing attacks, for example. It may be direct code execution or lead to other execution techniques, like exploitation of a browser or application vulnerability. User execution usually takes place shortly after initial access has been gained, but it can also occur during other phases of the intrusion. An example is when an adversary places a malicious file in a shared directory, hoping a user will open it (https://attack.mitre.org/techniques/T1204/, visited on 05/11/2020).

Drive-by Compromise

A drive-by compromise is when an adversary gains access to a system while a user browses the Internet. There are many malicious or compromised sites, and a user usually visits a couple during their normal course of browsing. If a user visits a compromised site, they are exposed to a drive-by compromise attack. Typically, the user's web browser is the target for exploitation, but adversaries may also use compromised web sites to acquire application access tokens, for example. These attacks are often targeted at a specific community, industry or region, where the goal is to compromise a specific user or set of users. When an attack is constructed

in this way, it is referred to as a strategic web compromise or watering hole attack (https://attack.mitre.org/techniques/T1189/, visited on 05/19/2020).

Brute Force

Brute force techniques are used to gain access to accounts when the passwords are unknown or when password hashes have been obtained. The technique can be performed manually or with automated password or hash cracking tools, i.e., by guessing the password or trying many common passwords from a list of known or likely passwords (https://attack.mitre.org/techniques/T1110/, visited on 05/10/2020).

Hardware Additions

Adversaries can plant computer accessories, computers or networking devices in a system or network to gain access (https://attack.mitre.org/techniques/T1200/, visited on 05/06/2020). Such hardware additions can be USB drives, Ethernet adapters and similar devices. They can be used to inject keystrokes, execute malicious code, gather network intelligence, clone legitimate resources and perform other means of access (https://resources.infosecinstitute.com/mitre-attck-hardware-additions/#gref, visited on 05/06/2020).

One way of conducting an attack using hardware additions is the so-called drop attack, where hardware devices, usually USB flash drives, are left on purpose for people to find and, hopefully, plug into a computer. A known successful attack where a USB drive was used as an attack vector infected the Iranian uranium enrichment facility at Natanz with the Stuxnet worm (https://www.scmagazineuk.com/dutch-mole-planted-stuxnet-usb-drive-sabotage-iranian-nuclear-power-station/article/1595695, visited on 05/07/2020).

2.4.2 Attack Mitigations

The mitigations of the techniques are presented here. A mitigation works as a defense for one or several techniques. Some defenses have a binary relation to a technique: the attack is always mitigated if the defense exists. Others mitigate the attack X out of Y times, which implies that the mitigations also need probability estimates for the proposed language to work.


User Training

User training is a mitigation that involves training users to be aware of adversary attempts that involve user interaction, such as spear phishing and social engineering, among other techniques (https://attack.mitre.org/mitigations/M1017/, visited on 04/16/2020). There are different approaches to user training. In the spear phishing case, known methods include fear-based training, game-based training and more informational training. A common informational training method is embedded training, meaning that the training is embedded in the employee's regular working day and is delivered when the user triggers something, i.e., when it is needed. For example, an employee who clicks on a link in a simulated spear phishing e-mail receives user training; an employee who does not click the link receives none.

Antivirus

An antivirus or antimalware tool can be used to mitigate several attack techniques, like spear phishing, template injection and software packing. The tools use signatures or heuristics to detect malicious software (https://attack.mitre.org/mitigations/M1049/, visited on 05/08/2020). Because antivirus products recognize and, to a great extent, neutralize known malware, a known piece of malware soon becomes of little use to adversaries; new malware is therefore created constantly, and the active lifespan of a given piece of malware tends to be short.

Account Policies

When attempting to log on to a system with credentials, policies can be used to prevent abuse of the service, like brute forcing. These policies include lockout after a certain number of failed attempts, the duration of the lockout and the reset method, for example. They need to be carefully crafted, because too strict policies can lead to denial of service conditions (https://attack.mitre.org/mitigations/M1036/, visited on 05/11/2020).

Limit Hardware Installation

Limiting hardware installation means that users or groups are blocked from installing or using unapproved hardware on systems, like USB flash drives.

^15 https://attack.mitre.org/mitigations/M1017/ (visited on 04/16/2020)

^16 https://attack.mitre.org/mitigations/M1049/ (visited on 05/08/2020)

^17 https://attack.mitre.org/mitigations/M1036/ (visited on 05/11/2020)


Unknown devices and accessories are blocked by the endpoint security configuration and monitoring agent. The limitHardwareInstallation defense mitigates both the hardwareAdditions and the replicationThroughRemovableMedia attack steps^18.

2.5 enterpriseLang

By implementing the techniques from MITRE ATT&CK Enterprise Matrix with Meta Attack Language, the domain-specific, adversary-centric language enterpriseLang is created. The specified domain is enterprise systems. The objective of the language is to find possible attack paths that lead to successfully compromised parts of, or entire, systems, and by doing so to evaluate the cyber security of enterprise systems in a structured way. It assumes a professional adversary profile with knowledge of all 266 techniques found in MITRE ATT&CK Enterprise Matrix [8].

Figure 2.2: The enterpriseLang meta-model containing the enterprise assets and associations [8].

^18 https://attack.mitre.org/mitigations/M1034/ (visited on 05/07/2020)


The meta-model of enterpriseLang can be seen in Figure 2.2. The model contains the four categories of assets defined for the modelled enterprise system, namely Person, Software, Network and Hardware. It also shows how the assets are associated to one another. The categories also have inherited assets, not shown in the model. For example, Root is an inherited asset, by category Person, from the Administrator asset, and Windows is an inherited asset, by category Software, from the OS asset.

Figure 2.3 represents a graphical model of the attack step spearphishingAttachment and a simulation result showing the attack path. A circle means an attack step of type OR. A square means an attack step of type AND. A triangle represents a defense step and the big circles show which asset each step belongs to.

Figure 2.3: Graphical model and attack path simulation of attack step spearphishingAttachment [8].

2.6 Return on Response Investment

A suitable approach to examining the financial impact of deploying defenses for the attacks is to calculate the Return on Response Investment (RORI) index. An extended variant of the original RORI index has been developed by Gonzalez Granadillo et al. [10], where the annual loss expectancy resulting from an attack, the risk mitigation level and the costs associated with the implementation of a specific defense are evaluated. This variant of the RORI index is shown in Equation 2.1.


$$\mathrm{RORI} = \frac{\mathrm{ALE} \times \mathrm{RM} - \mathrm{ARC}}{\mathrm{ARC} + \mathrm{AIV}} \times 100 \qquad (2.1)$$

• Annual Loss Expectancy (ALE) represents the impact cost when attack mitigations are absent. The parameter includes loss of assets, data, reputation and revenue, legal procedures, contracted insurance and the annual rate of occurrence (ARO).

• Annual Infrastructure Value (AIV) corresponds to the expected costs of the system on an annual basis. This includes equipment and personnel costs, among others.

• Risk Mitigation (RM) refers to the percentage reduction a mitigation has on the attack in question, i.e., the effectiveness of the countermeasure.

• Annual Response Cost (ARC) is the cost associated with a particular mitigation, including direct costs like implementation and maintenance costs but also indirect costs.

2.7 Related Work

Other domain-specific languages developed using Meta Attack Language are vehicleLang [11], autosarLang [12], azureLang [13] and AWSLang [14]. They are all probabilistic modeling and simulating languages targeting specific domains, with focus on a simplified and inexpensive approach to cyber security assessment. Both vehicleLang and autosarLang target the vehicle domain, mainly vehicle systems. AzureLang targets security within Microsoft Azure cloud-computing services. AWSLang can be used to design IT system models in the context of the Amazon Web Service (AWS) environment.

The simulating CAD tool securiCAD [15], developed for enterprise cyber security management, uses attack graphs to calculate and highlight potential weaknesses and avenues of attacks. It is applied on a modelled IT environment and produces a graphical representation of said weaknesses. The aforementioned domain-specific languages, as well as enterpriseLang, make use of securiCAD to graphically model possible threats and countermeasures.


Methods

This chapter presents the method used to produce the derived results found in the upcoming chapter. Advantages and disadvantages of the chosen method are discussed. Alternative approaches to the problem are considered as well.

3.1 Literature Study

The chosen method to obtain the desired results is to conduct a literature study where previous research is analyzed and used as a basis. By conducting a literature study, a wider range of scenarios can be examined, which supports the objective of obtaining results of a general nature. This approach is also more time efficient and allows for a higher quantity of results, as opposed to alternative methods. The disadvantage of this method compared to others is that it is limited by others' research. In an experimental study, the researcher decides how it should be conducted, which parameters are important, and so on. When analysing research conducted by others, these are already set and they might not fully correlate to the goals and requirements of your expected work [16].

Since the attacks have different characteristics and prerequisites, the chosen research papers differ in the same manner. Take the spear phishing attacks, for example. These attacks rely heavily on users and their execution actions, or lack thereof. The research papers chosen for analysis are mainly experimental ones, where a large number of subjects take part in an experiment and their actions provide the resulting probability.

Attack steps that do not depend on user execution in order to be compromised have probability distributions that are based on observational studies by researchers or other experts in the field. All literature has been chosen with a professional adversary in mind.


3.2 Alternative Methods

Alternative approaches for the problem statement are presented in this section.

Advantages and disadvantages are discussed for each method. The honeypot approach is considered to be an observational study, while the chosen method is a literature study and the other alternative method is an experimental study.

These three different kinds of studies can yield results on their own, but can also be combined to gain a more nuanced and in-depth result. The alternative methods could also serve as validation for already derived results.

3.2.1 Observational Study

An alternative approach to the literature study is the observational study. It is an empirical study, without the experimental element, where the effects of some intervention are observed and investigated. An example of a suitable observational study for the problem statement of this paper is the usage of the honeypot tool.

Honeypot

A honeypot is a security resource whose purpose is to be probed, attacked or compromised. It is a tool that provides an environment used as a decoy for attackers. The goal is to trick them into thinking it is a real system with real applications and services for them to compromise. The purpose of a honeypot can differ depending on who is using it. It enables researchers or security experts to gain intelligence on adversaries' behaviours and motives. Prevention and detection are other possible objectives. A honeypot is not supposed to be interacted with by legitimate users. This provides the advantage of only capturing malicious activity, which makes the traffic easier to analyze. There are two different types of honeypots, namely research and production honeypots [17].

For the problem statement of this paper, a high-level research honeypot would be suggested. It is a great platform for studying and analysing cyber threats. A research honeypot provides a great amount of data where attackers can be traced step by step. Conclusions about common paths and critical points can be drawn from the data and aid in both needed security measures and probability estimations of the attack steps.


3.2.2 Experimental Study

For some of the attack steps, experimental studies are an alternative approach to estimating probabilities. An experimental study is a study where the conditions are under direct control of the investigator and where the effect of an intervention is studied, e.g., a group of test subjects receives user training to improve spear phishing resilience, and then this group and another group that did not receive training are exposed to spear phishing. The results obtained by the two groups can then be studied and evaluated by the experiment conductors. This choice of method could yield a more accurate result. The subjects could be chosen to fit the target profile of enterprise employees, and the experimental material used could be created in accordance with the assumed adversary profile. However, this methodology is time consuming and might be more appropriate to use in a larger project [18].

3.2.3 Penetration Testing

Another available method to approach the probability analysis is the penetration testing method. The process involves simulating an unauthorized user attacking the system manually, with automation tools or by a combination of both. It is mainly conducted to find vulnerabilities in a system and to check the effectiveness of implemented security measures. But it can also be used to find probabilistic paths of potential adversaries, by quantifying the impact and likelihood of vulnerability exploitation.

With this approach, the black box penetration method is recommended, because it simulates the approach of an adversary trying to compromise the system. In this method, the tester has no knowledge of the system and needs to find loopholes from scratch. There are three areas to test when performing penetration tests:

• Network, the physical structure of the system.

• Application, the logical structure of the system.

• Social engineering, the response or workflow of the system.

Penetration testing requires time, effort and knowledge as well as a platform to conduct the testing on. Since not all of these prerequisites were available, this method was not chosen. It may also not be the most natural approach to the problem statement in question. However, it can be an appropriate method to test and validate obtained results [19].


Results

In this chapter, the results from the literature study are presented. The research found is explained in detail in terms of methodology, material and value. The probability distributions are visualized through graphs and MAL code. The proposed financial model is presented with an example calculation based on real numbers, which concludes the chapter.

4.1 Spear Phishing

91% of targeted cyberattacks involve spear phishing [20] and it is used as a primary infection vector by 65% of hacker groups^1. In the 2016 paper by Neely [21], it is stated that 75% of identified and impactful threats initially entered via e-mail attachments, and 46% of attacks were caused by user execution of embedded links in e-mails.

These numbers indicate that the usage of attachments is more common than the usage of links in malicious e-mails. This claim is supported by the increase in usage of the most common malicious attachment type. The increase from 2017 to 2018 was as high as 860%. During the same period a decrease of malicious links in e-mails of 37% was reported^1.

The resulting probabilities in the following subsections assume that no mitigations are applied. Furthermore, it is assumed that each attack step is approached by an adversary. In other words, the overall difference in likelihood that one attack step might be more common than another is not taken into account. However, that information can nonetheless be useful when determining probabilities, as a more frequently used attack indicates a higher success rate.

^1 https://docs.broadcom.com/doc/istr-24-2019-en


4.1.1 Link Clicked

In two experimental studies [22, 23], the success rates of spear phishing showed results of 71% and 72% respectively. One of the studies [22] had 121 students assess the safety of clicking different links in e-mails. The students were not aware of the objective of the study, since research has shown that awareness increases the human perception of the current element of inspection. 71% of the time, the links in spear phishing e-mails were incorrectly assessed as safe to click.

The other study by Jagatic et al. [23] subjected 921 students to spear phishing. By collecting information about them from social accounts, such as Facebook, they could compose targeted e-mails with embedded links. 72% of the subjects clicked on the link in the received e-mail. In the same study, a flawed spoofing experiment yielded a 53% success rate. The experiment consisted of 260 targets where the goal was to see how many would act upon a message that appeared to be from someone the target knew. The flaw was that the message was delivered to the wrong person, so instead of being addressed to the recipient, it was addressed to the intended target. Considering the flaw and the success rate, it is probable that a correct experiment of this nature would have yielded a higher outcome, closer to the one in the first experiment of the study.

Two other experimental studies give slightly deviating results compared to the others. In a study [24], 512 cadets received a spear phishing e-mail urging them to click on an embedded link. 80% of the subjects proceeded to act upon the message. The message was addressed from a colonel, and the culture at the institution states that whenever a message is signed by a colonel, you act upon its instructions even if they seem irrational. This fact may have resulted in a somewhat optimistic outcome. Some of the cadets themselves even stated that they thought the e-mail looked suspicious, but chose to act because of the institution culture.

The other study [25] had 40 employees of a company first participate in a personality study as a first step in their spear phishing campaign. Then some time after, they sent the spear phishing e-mail containing a malicious link.

Approximately 63% of the participants followed the link. In contrast to the cadet experiment, this study shows a slightly lower tendency to fall victim to spear phishing. This small deviation might be explained by the low number of participants.

In a more recent experimental study conducted by Burns, Johnson, and Caputo [26] in 2019, the spear phishing of 260 untrained subjects in an organization resulted in a success rate of 70%. Many of the subjects had previously been managers, which gives this study even more relevance, since most spear phishing attacks are targeted towards employees in key positions. The experiment had a very high targeting strategy where the e-mails aimed to be very convincing. This corresponds well to the assumption of enterpriseLang that an adversary is an experienced professional. An expert panel was included in the study to make sure that the e-mails upheld a certain standard. The e-mails contained an embedded link that the subjects were encouraged to click on.

The mean probabilistic value given by these studies estimates the spearphishingLinkClicked attack step to 71%, both with and without regarding the two deviating results. The variance is 36.7% and the standard deviation is 6.06%.
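The statistics above can be reproduced from the five reported success rates (71%, 72%, 80%, 63% and 70%). The following Python is an added example, not code from the thesis or from enterpriseLang: STUDY_RATES simply collects the values quoted from [22] to [26], and converting the percent statistics to the 0..1 scale of the MAL parameters is this example's assumption about how the TruncatedNormal(0.712, 0.00367) parameters were obtained.

```python
"""Reproduce the spearphishingLinkClicked statistics from the five study results.

Added example, not code from the thesis or from enterpriseLang. STUDY_RATES holds
the success rates quoted from [22], [23], [24], [25] and [26]; converting the
percent statistics to MAL's fraction scale is this example's assumption about how
the TruncatedNormal(0.712, 0.00367) parameters were obtained.
"""
from statistics import NormalDist, mean, stdev, variance

STUDY_RATES = [71.0, 72.0, 80.0, 63.0, 70.0]   # percent, one entry per study
DEVIATING = [80.0, 63.0]                        # the cadet study and the 40-employee study


def summarize(rates):
    """Sample mean, Bessel-corrected (n-1) variance and standard deviation, in percent."""
    return {"mean": mean(rates), "variance": variance(rates), "stdev": stdev(rates)}


def without_deviating(rates, deviating=DEVIATING):
    """Drop the results the text singles out, to check that the mean is unchanged."""
    return [r for r in rates if r not in deviating]


def mal_truncated_normal_params(rates):
    """MAL's TruncatedNormal takes (mean, variance) on a 0..1 scale.

    Dividing the mean by 100 divides the variance by 100**2: 36.7 -> 0.00367.
    """
    s = summarize(rates)
    return round(s["mean"] / 100, 3), round(s["variance"] / 100**2, 5)


def confidence_bounds(rates, level):
    """Two-sided bounds of the fitted (untruncated) normal, as drawn in Figure 4.1."""
    s = summarize(rates)
    z = NormalDist().inv_cdf(0.5 + level / 2)
    return s["mean"] - z * s["stdev"], s["mean"] + z * s["stdev"]


def mal_line(rates):
    """Render the attack-step line of Listing 4.1 from the computed parameters."""
    m, v = mal_truncated_normal_params(rates)
    return f"& spearphishingLinkClicked [TruncatedNormal({m}, {v})]"


if __name__ == "__main__":
    print(summarize(STUDY_RATES))
    print(mal_line(STUDY_RATES))
    for level in (0.68, 0.95, 0.99):
        print(level, confidence_bounds(STUDY_RATES, level))
```

The variance is the sample (n-1) variance; the population variance of the same five values would be 29.4, which does not match the listing, so that choice is what ties the text's 36.7% to the 0.00367 in Listing 4.1.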

Figure 4.1: The normal distribution curve for the result, shown in percentage values. Interval points represent bounds of the confidence intervals of 68%, 95% and 99% respectively with the mean value in the middle.

MAL implementation

The resulting probability distribution implemented with MAL is the truncated normal distribution, where the expected value is the mean value. The MAL representation implemented in enterpriseLang is presented in Listing 4.1.


Listing 4.1: Probability distribution implemented with MAL for attack step spearphishingLinkClicked.

category Person {
    asset User {
        & spearphishingLinkClicked [TruncatedNormal(0.712, 0.00367)]
    }
}

4.1.2 Attachment Download

There exist significantly fewer experimental studies on spear phishing with attachments and via service. The attachment approach is however the most used when it comes to spear phishing in an enterprise environment. The reason is the frequency of corporate e-mails that contain attachments in the form of reports, business documents and resumes, for example. According to PhishMe's Enterprise Phishing Susceptibility and Resiliency report^2, it is more difficult for a user to identify a malicious attachment than a link in an e-mail.

This claim is supported by a study [27] that shows a success rate increase of 12 percentage points for spear phishing with attachments compared to spear phishing with embedded links. Based on the result of spear phishing with links, the estimated probability for attack step spearphishingAttachmentDownload is theoretically 93%.

MAL implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value. The MAL representation implemented in enterpriseLang is presented in Listing 4.2.

Listing 4.2: Probability distribution implemented with MAL for attack step spearphishingAttachmentDownload.

category Person {
    asset User {
        & spearphishingAttachmentDownload [Bernoulli(0.93)]
    }
}

^2 https://www.infosecurityeurope.com/__novadocuments/351537?v=636276130024130000


4.1.3 User Training

In the previously mentioned study by Burns [26] from 2019, they also investigated the success rate of spear phishing after a sample of the initially spear phished subjects received user training. When a subject fell victim to spear phishing by clicking a link, they were redirected to a web site providing informational training. The page displayed an example e-mail with highlighted parts and explanatory texts for each part, with the purpose of training the user to identify spear phishing e-mails more easily. Common characteristics of a spear phishing e-mail and other considerations that the trainees were informed about:

• Mismatched name and address in the from field.

• Misspelling, incorrect grammar or odd spacing.

• Encouragement to take immediate action.

• Mismatch between link name and link address displayed when hovering the link.

• Intuition - an overall feeling that something is not right. Not expecting the e-mail for example.

The study showed an overall decrease in success rate from 70% to 54% comparing the two campaigns. The second campaign included 140 subjects that were not part of the first one, and a part of the phished subjects in the first campaign, a control group, did not receive training. Considering only the participants that actually received training, the success rate of the first campaign was 71% and of the second 55%. With user training, the probability of succeeding with spear phishing is thus decreased by 23% based on this study.

A similar study by Kumaraguru et al. [28] had 515 participants take part in an embedded training experiment using the PhishGuru training system. The participants were split up into three different condition groups: a control group, a single-training group and a multiple-training group. The control group did not receive any user training, while the single-training group received training once and the multiple-training group received training twice. All participants were sent three legitimate and seven simulated spear phishing e-mails over the course of 28 days. The body of the spear phishing e-mails contained a link that redirected the user to either a phishing website or a training intervention, depending on day and associated condition group. The phishing website displayed a form for the user to fill out to update their credentials. Both clicks and rate of information provision were recorded in the study. For this probability analysis, only the clicking records are considered.

Comparison of the results of the phishing attempts before and after training shows a decrease in the tendency to fall for phishing. After receiving training once the decrease is 30%, and after receiving training twice the decrease is 33%.

Condition group   | Before training | After first round | After second round | Average
------------------|-----------------|-------------------|--------------------|--------
Control           | 52.3%           | 62.3%             | 55.3%              | 58.8%
Single-training   | 51.7%           | 40.3%             | 32.0%              | 36.2%
Multiple-training | 45.0%           | 39.0%             | 30.0%              | 34.5%

Table 4.1: Click rate of the embedded links before and after the first and second round of training, if received, for all condition groups.

Table 4.1 presents the click rate before and after user training, if received, for each condition group. The second column shows the click rate of all participants for the first spear phishing e-mail exposed to them. The results presented in the other columns are based on this sample of participants. This selection is motivated by the objective of examining the improvement user training has on the user tendency of falling victim to spear phishing. For the table entry of the multiple-training group after receiving training twice, the investigated participants used as basis for this result clicked both in the first and second attempt, which both led to training interventions. By comparing the decrease of spear phishing when receiving training once or twice, the conclusion drawn is that more training does not lead to less link clicking.

Unlike the two studies presented so far, a third study [29] shows no significant improvement from embedded user training. The study was conducted over a period of 90 days with a total of three trials during this time, in which 1359 participants took part. Comparing the control group results with the groups that received embedded training, there was no significant performance difference. An interesting finding that may explain the outcome of the study was that many of the participants did not read the training material presented to them upon clicking a spear phishing link. To support this finding, measurements were made of how long the participants were exposed to the training page, which showed that the majority did not view the page long enough to actually read all the material and thus be trained.


Taking into consideration that user training might not result in greater user awareness or a lower tendency to click links in a spear phishing e-mail, the probability that this mitigation will decrease the likelihood of getting spear phished is 0%–33%. There are many factors that may affect a user's susceptibility to training, which can be difficult to monitor in an everyday enterprise setting. To present this mitigation with a probability distribution available to defense steps in MAL, the average value of the studies is used. This results in a probability value of 22%.

MAL implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value. The MAL representation implemented in enterpriseLang is presented in Listing 4.3.

Listing 4.3: Probability distribution implemented with MAL for mitigation userTraining.

category Person {
    asset User {
        # userTraining [Bernoulli(0.22)]
    }
}

4.1.4 Antivirus

An observational study performed by Cyveillance^3 shows an effectiveness of antivirus and antimalware products of 19% on average. The data was collected through their patented Internet-monitoring technology platform and was then tested against about a dozen antivirus products. By gathering the data in real time, the malware that was tested was also in use and thus relevant. Testing malware that is old and no longer in use does not give a representative result. After 30 days the detection rate increased to 61.7% on average.

Another study by Morales, Sandhu, and Shouhuai Xu [30] tests four antivirus products in three test scenarios, where the detection and treatment rates were measured. The average success rate was 77%, which indicates that the malware used was previously known. The study tested both the detection of one piece of malware and the detection of one piece of malware triggering several other pieces of malware, to simulate real-world practices.

^3 https://www.businesswire.com/news/home/20100804005348/en/Cyveillance-Testing-Finds-AV-Vendors-Detect-Average (visited on 05/08/2020)


By combining the data from these two studies, a truncated normal distribution is derived and can be seen in Figure 4.2. It is truncated to fulfill the requirement of taking values within the range from 0% to 100%. The mean value is 53% with a standard deviation of 28.8% and thus a variance of 829%.

The acquired result corresponds well to Neely’s reporting of 47% of attacks being detected with antivirus tools [31].

Figure 4.2: The truncated normal distribution graph of the result. Confidence intervals and mean are visualized.

The sample size consisted of 77 data entries, which gives the narrow confidence interval. In Table 4.2 the values of the intervals are presented.

Confidence Level | Margin of Error
-----------------|----------------
68%              | 53% ±3.3%
95%              | 53% ±6.5%
99%              | 53% ±8.7%

Table 4.2: Confidence intervals for the truncated normal distribution shown in Figure 4.2.

MAL Implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value. For this mitigation, the mean value of the truncated normal distribution is used as probability value. The MAL representation implemented in enterpriseLang is presented in Listing 4.4.


Listing 4.4: Probability distribution implemented with MAL for mitigation antivirus if enabled.

category Software {
    asset OS {
        # antivirus [Bernoulli(0.53)]
    }
}

4.2 User Execution

For attacks like spear phishing, the success relies on users executing something. This can be clicking on a link or opening an attached file, for instance.

This makes the attack step userExecution binary in relation to its related attack steps. If an attacker has succeeded in spear phishing a user, then it directly implies that the user has executed some desirable action, i.e., if attack step A is compromised then attack step userExecution is always compromised as well.

MAL Implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value, in this case 1 or 0. An example of how this is implemented with MAL in enterpriseLang is shown in Listing 4.5.

Listing 4.5: Probability distribution implemented with MAL for attack step userExecution.

category Person {
    asset User {
        & userExecution [Bernoulli(1)]
    }
}

4.3 Drive-by Compromise

Dudorov, Stupples, and Newby [32] have estimated that the probability that an average user is exposed to a drive-by download attack while surfing the Internet is 37%. This number is based on the detection rate of malicious sites using the Kaspersky Security Network, where the results of several countries are taken into account to form the average value.

MAL Implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value of 37%. The MAL representation implemented in enterpriseLang is presented in Listing 4.6.

Listing 4.6: Probability distribution implemented with MAL for attack step driveByCompromise.

category Software {
    asset Browser {
        & driveByCompromise [Bernoulli(0.37)]
    }
}

4.4 Brute Force

Most passwords are weak and people tend to use the same passwords for several accounts on different platforms. The reason behind this is the human tendency to choose things which are easy to remember [33]. A weak password is estimated to be cracked within 12 days, which can be expressed as a cumulative exponential distribution with rate parameter set to 0.3 [34]. This is visualized in Figure 4.3.


Figure 4.3: The cumulative distribution function of the exponential distribution with lambda parameter of 0.3.

MAL Implementation

The resulting probability distribution implemented with MAL is the exponential distribution, where the expected value is the mean value. The MAL representation implemented in enterpriseLang is presented in Listing 4.7.

Listing 4.7: Probability distribution implemented with MAL for attack step bruteForce.

category Software {
    asset OS {
        & bruteForce [Exponential(0.3)]
    }
}

4.4.1 Account Policies

A common lockout policy is to block an account after three invalid login attempts. The number of possible combinations of an eight character password consisting of upper- and lowercase letters and numbers is about 218 trillion. The probability that a correct guess is made on one of the three tries, considering the number of combinations, is so low that it is negligible. This makes the mitigation a binary one, where it fully protects from brute forcing when enabled.
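Both the exponential model of Section 4.4 and the lockout argument above can be checked numerically. The following Python is an added example, not code from the thesis or from enterpriseLang: the rate 0.3 is the Exponential(0.3) parameter from [34] and is assumed here to be per day, since the text speaks of cracking within 12 days; the 62-character alphabet, eight-character length and three-attempt lockout are the values from the paragraph above.

```python
"""Brute-force timing (Section 4.4) and the lockout-policy argument (Section 4.4.1).

Added example, not code from the thesis. LAMBDA is the Exponential(0.3) rate from [34],
assumed here to be per day; the 62-character alphabet, the eight-character length and
the three-attempt lockout are the values from Section 4.4.1.
"""
from math import exp, log

LAMBDA = 0.3            # rate of the exponential distribution, per day (assumption)
CHARSET_SIZE = 62       # upper- and lowercase letters plus digits
PASSWORD_LENGTH = 8
LOCKOUT_ATTEMPTS = 3    # account blocked after three invalid logins


def crack_probability_by(days, rate=LAMBDA):
    """Cumulative distribution function: P(password cracked within `days`)."""
    if days < 0:
        raise ValueError("days must be non-negative")
    return 1.0 - exp(-rate * days)


def days_to_reach(probability, rate=LAMBDA):
    """Inverse of the CDF: days by which the crack probability reaches `probability`."""
    if not 0.0 <= probability < 1.0:
        raise ValueError("probability must lie in [0, 1)")
    return -log(1.0 - probability) / rate


def expected_crack_days(rate=LAMBDA):
    """Mean of Exponential(rate), the expected value MAL attaches to the attack step."""
    return 1.0 / rate


def password_space(charset=CHARSET_SIZE, length=PASSWORD_LENGTH):
    """Number of distinct passwords; 62**8 is about 218 trillion."""
    return charset ** length


def lockout_guess_probability(attempts=LOCKOUT_ATTEMPTS, charset=CHARSET_SIZE,
                              length=PASSWORD_LENGTH):
    """Chance that `attempts` distinct guesses include a uniformly chosen password
    before the lockout triggers; its size is what makes accountUsePolicies binary."""
    return attempts / password_space(charset, length)


def cdf_table(days=(1, 3, 7, 12), rate=LAMBDA):
    """Points on the curve of Figure 4.3, rounded to three decimals."""
    return {d: round(crack_probability_by(d, rate), 3) for d in days}


if __name__ == "__main__":
    print("P(cracked by day 12):", round(crack_probability_by(12), 3))
    print("expected days:", round(expected_crack_days(), 2))
    print("days to 95%:", round(days_to_reach(0.95), 2))
    print("password space:", password_space())
    print("P(hit within lockout):", lockout_guess_probability())
```

With rate 0.3 per day the expected time to crack is 3.3 days and the probability of a crack within the 12 days quoted in the text is about 97%; the three-guess hit probability against the 218 trillion combinations is on the order of 10^-14, which is the quantitative basis for modelling accountUsePolicies as Bernoulli(1).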


MAL Implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value. In Listing 4.8 an example MAL representation, if the mitigation is enabled, is presented.

Listing 4.8: Probability distribution implemented with MAL for mitigation accountUsePolicies if enabled.

category Software {
    asset OS {
        # accountUsePolicies [Bernoulli(1)]
    }
}

4.5 Hardware Additions

Tischer et al. [35] conducted an experiment where they investigated whether people would pick up and plug in USB drives that they found. The experiment took place on a large university campus and the drives were dropped in multiple locations both indoors and outdoors. A total of 297 USB flash drives were used for this experiment, of which 290 (98%) were picked up and 135 (45%) were also plugged in and had one or more files opened.

Some devices need a user to perform certain actions to compromise the system or network, e.g., opening files or granting permission to the device, while others only need to be plugged in to accomplish this. Even though the experiment did not register how many of the drives were plugged in without having files opened, there is a possibility that all picked-up drives were also plugged in. Therefore, the probability that a hardware addition attack is successful lies within the range of 45% to 98%. This results in a uniform distribution that can be seen in Figure 4.4.


Figure 4.4: The uniform distribution graph of the result. Endpoints represent the minimum and maximum parameters.

MAL Implementation

The resulting probability distribution implemented with MAL is the uniform distribution, where the expected value is the average of the two parameters. The MAL representation implemented in enterpriseLang is presented in Listing 4.9.

Listing 4.9: Probability distribution implemented with MAL for attack step hardwareAdditions.

category Hardware {
    asset HardwareAddition extends Computer {
        & hardwareAdditions [Uniform(0.45, 0.98)]
    }
}

4.5.1 Limit Hardware Installation

When the mitigation of limiting hardware installation is enabled, hardware additions that are unknown to the system are blocked. This means that the relationship between the attack step hardwareAdditions and the mitigation limitHardwareInstallation is binary, i.e., when enabled, limitHardwareInstallation mitigates hardwareAdditions to 100%.


MAL Implementation

The resulting probability distribution implemented with MAL is the Bernoulli distribution, where the expected value is the probability value. In Listing 4.10 an example MAL representation, if the mitigation is enabled, is presented.

Listing 4.10: Probability distribution implemented with MAL for mitigation limitHardwareAdditions if enabled.

category Software {
    asset OS {
        # limitHardwareAdditions [Bernoulli(1)]
    }
}

4.6 Financial Impact

To better suit the generality of threat modeling that enterpriseLang provides and to relate to the probability analysis presented in the previous section, a modified RORI index model is presented in Equation 4.1.

RORI = \frac{ALE \times AP \times RM - ARC}{ARC} \times 100 \qquad (4.1)

• Annual Loss Expectancy (ALE) previously included the Annual Rate of Occurrence (ARO). This parameter has been replaced by the Attack Probability (AP) parameter, which refers to the estimated average probability value calculated in the previous sections. For clarity, AP is kept as a separate factor rather than folded into ALE.

• Annual Infrastructure Value (AIV) has been removed because it does not meet the objective of generality: the AIV parameter is strictly system-specific. It can, however, be included by enterprises that wish to gain a more holistic view of the financial impact.

This model can be used to assess the profitability of employing mitigations against attack steps. Different mitigations of the same attack step can be compared to aid decision making with regard to financial costs and benefits. Several independent mitigations can also be evaluated with the suggested model to gain a holistic view of the financial impact of a particular attack technique.
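As an added worked example (not code from the thesis or from enterpriseLang), the following Python turns the expected values of the MAL distribution annotations from Sections 4.5 and 4.5.1 (Uniform(0.45, 0.98) for hardwareAdditions, Bernoulli(1) for the hardware-installation mitigation when enabled) into the AP and RM inputs of Equation 4.1, and ranks mitigations of one attack step by RORI. The ALE and ARC figures, the second partial mitigation, the optional AIV term (added to the denominator as in the original RORI definition) and the rule for combining independent mitigations (1 − ∏(1 − RM_i), with response costs summed) are assumptions made for illustration.

```python
"""Modified RORI index (Equation 4.1) fed by MAL probability distributions.

Added worked example; not code from the thesis or from enterpriseLang.
The ALE/ARC figures, the second (partial) mitigation, the optional AIV term
and the rule for combining independent mitigations are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence


def expected_uniform(low: float, high: float) -> float:
    """Expected value of a MAL Uniform(low, high) annotation (Section 4.5)."""
    if not 0.0 <= low <= high <= 1.0:
        raise ValueError("bounds must satisfy 0 <= low <= high <= 1")
    return (low + high) / 2.0


def expected_bernoulli(p: float) -> float:
    """Expected value of a MAL Bernoulli(p) annotation is p itself."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("Bernoulli parameter must lie in [0, 1]")
    return p


def rori(ale: float, ap: float, rm: float, arc: float, aiv: float = 0.0) -> float:
    """Modified RORI in percent: (ALE * AP * RM - ARC) / ARC * 100.

    ale: Annual Loss Expectancy of the attack step (currency units)
    ap:  Attack Probability, expected value of the attack step's distribution
    rm:  Risk Mitigation, fraction of the attack step removed by the response
    arc: Annual Response Cost of the mitigation (currency units)
    aiv: Annual Infrastructure Value; 0 by default because Equation 4.1 drops
         it. Assumption: when supplied it is added to the denominator, as in
         the original RORI definition.
    """
    if arc <= 0.0:
        raise ValueError("ARC must be positive; RORI is undefined for a free response")
    if aiv < 0.0:
        raise ValueError("AIV cannot be negative")
    for name, value in (("AP", ap), ("RM", rm)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1]")
    return (ale * ap * rm - arc) / (arc + aiv) * 100.0


@dataclass(frozen=True)
class Mitigation:
    name: str
    rm: float   # risk-mitigation fraction, e.g. Bernoulli(1) -> 1.0
    arc: float  # annual response cost, hypothetical figure


def rank_mitigations(ale: float, ap: float, mitigations: Sequence[Mitigation]) -> list[tuple[str, float]]:
    """(name, RORI) for each mitigation of one attack step, most profitable first."""
    scored = [(m.name, rori(ale, ap, m.rm, m.arc)) for m in mitigations]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def combined_rori(ale: float, ap: float, mitigations: Sequence[Mitigation]) -> float:
    """RORI of deploying several mitigations together on one attack step.

    Assumption (not from the thesis): independent mitigations combine as
    1 - prod(1 - rm_i) and their annual response costs add.
    """
    if not mitigations:
        raise ValueError("at least one mitigation is required")
    residual = 1.0
    for m in mitigations:
        residual *= 1.0 - m.rm
    return rori(ale, ap, 1.0 - residual, sum(m.arc for m in mitigations))


# --- Worked example for the hardwareAdditions attack step -------------------
# AP from the Uniform(0.45, 0.98) annotation in Listing 4.9: (0.45 + 0.98) / 2
HARDWARE_ADDITIONS_AP = expected_uniform(0.45, 0.98)

# Hypothetical loss expectancy and costs, constructed for this example only.
ALE_HARDWARE_ADDITIONS = 200_000.0
MITIGATIONS = (
    # Section 4.5.1: Bernoulli(1) when enabled, i.e. the attack step is fully blocked.
    Mitigation("limitHardwareInstallation", expected_bernoulli(1.0), 50_000.0),
    # Hypothetical partial control (e.g. awareness training) assumed to stop half the attempts.
    Mitigation("hypotheticalPartialControl", 0.5, 10_000.0),
)


def example_ranking() -> list[tuple[str, float]]:
    """Rank the two mitigations of hardwareAdditions by RORI."""
    return rank_mitigations(ALE_HARDWARE_ADDITIONS, HARDWARE_ADDITIONS_AP, MITIGATIONS)


def example_combined() -> float:
    """RORI of enabling both mitigations at once."""
    return combined_rori(ALE_HARDWARE_ADDITIONS, HARDWARE_ADDITIONS_AP, MITIGATIONS)


if __name__ == "__main__":
    for name, value in example_ranking():
        print(f"{name:28s} RORI = {value:8.1f} %")
    print(f"{'both combined':28s} RORI = {example_combined():8.1f} %")
```

With these assumed figures the cheap partial control scores a higher RORI than the full block, which is the kind of comparison the model is meant to support: a mitigation that removes all of the risk is not automatically the most profitable once its annual cost is taken into account. Note that the index is undefined for ARC = 0, so a "free" mitigation has to be given a nominal cost before it can be compared.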
