Authors: Tomáš Bajtoš, Pavol Sokol, Terézia Mézešová
Abstract
Information security risks caused by difficult to exploit vulnerabilities are often treated with countermeasures as last due to their low likelihood of occurrence and should be given a high priority in security monitoring. In this paper, we propose an evaluation of detected attacks in terms of their difficulty – by assigning them an attacker’s skill level. We draw similarities between vulnerability’s exploitability score and aim to evaluate intrusion detection system alerts within the same framework. We also present the methodology on attacks from a dataset intended for evaluation of intrusion detection systems.
Introduction
The increasing number of systems connected to the Internet presents a new set of risks for organizations as they become an interesting target not only for opportunistic attacks but targeted multi -stage attacks as well. Security operation centres monitor the activity within an organization’s network for various threats and employ a wide range of tools to provide situational awareness to responsible asset owners. One of the most common practices is to correlate events from intrusion detection systems (IDS) into an attack path, a so-called multi -stage attack. These attacks are further prioritized, and the aim is to minimize the number of attacks that analysts must investigate.
In threat and risk analysis, often risks associated with vulnerabilities considered difficult to exploit are given a low priority for treatment. Therefore, analysts should be able to evaluate how difficult a detected attack is and treat it with high priority. This information can be forwarded to risk management and the appropriate countermeasures should be given a higher priority. To foster feedback between operations and security monitoring, there should be a common understanding of the two terms: the difficulty of an attack and the difficulty of vulnerability exploitation. In this paper, we focus on one of the attacker’s attributes, their ability to perform an attack – their skills, and divide attackers into 3 skill levels.
To formalize the scope of this paper, we state the research objective of determining the skill level an attacker needs to create a detected multi-stage attack. The question of determining how difficult it is to exploit an individual vulnerability and subsequently an attack path generated from host vulnerability data was the scope of one of our previous work [1]. Skill levels are determined and as each vulnerability is scored upon being published, the score metrics are mapped to the skill levels. The idea presented in this paper creates a relationship between what kind of properties those metrics represent and how IDS alerts can be evaluated with regards to those properties. The contribution of this paper is that we can determine the skill level for detected attacks.
This paper contains 5 sections. In section 2 we discuss the related work on evaluating an attacker’s capabilities or difficulty of an attack. Section 3 presents how to adapt the methodology for evaluating skill level based on the vulnerability score to the multi-stage attacks. Finally, we present example cases on data from a public dataset in section 4.
