1. Field
The present disclosure relates generally to identifying and managing network security vulnerabilities and, in particular, to ranking potential attack paths to networks by likelihood of attack based on probability analysis and consideration of non-quantitative factors.
2. Background
Within an enterprise network, multiple security risks exist that may not be easily understood or prioritized. An enterprise network may include many thousands of network objects or nodes. Nodes, depending on their location in a network and their associated access rights, may present different opportunities for ingress to the network, movement within the network, and access to network and enterprise assets. Because of their number of connections, some nodes may offer broader access into and within a network than other nodes that may be otherwise similar. Two nodes that, as standalone or isolated devices, are of similar attractiveness and ease of access may nevertheless be of very different attractiveness to attackers because of their connections and their potential as gateways.
Sophisticated attackers may seek entrance points of enterprise networks that lead to the widest access in the network or lead to the most valuable or most proximate assets. Some attackers may target specific assets accessible in a network. Other attackers may seek access for purely exploratory or destructive purposes without specific targets in mind at the outset.
Of further importance to the magnitude of the risks themselves may be the timing or imminence of outcomes associated with the risks. Some risks may require immediate attention while others may wait. Two risks may be of apparently equal magnitude in terms of the damages suffered if security is breached and attackers are successful. The two risks may also present similar costs to investigate and resolve. However, the two risks may upon analysis be determined not to be equal because of their different timings. A failure and the incurrence of damages or liability may in fact be truly imminent for one risk, whereas the same event associated with a second risk similar or identical to the first may have a more distant time horizon. Correctly projecting these time horizons may enable an enterprise to better manage situations presenting similar risks with different time frames.
An enterprise managing a large network may have limited resources with which to manage network security risks. The enterprise may seek to direct its resources to the greatest risks with the most imminent time frame. A large concentration of potential security problems may originate from a relatively small number of sources. A challenge for the enterprise may be to correctly identify that small number of sources, as well as to identify those sources whose risks are not as great or not as imminent. An enterprise may successfully identify several or more paths of attack into its network but may not have the resources to immediately mitigate all of those paths of attack. Choosing which to mitigate immediately while leaving the others until later may be a critical decision. Security managers seek to direct their resources and effort to mitigation of the risks that matter most in their environment.
Security resource management processes are traditionally subjective, manual, time-intensive, and static. Traditional processes do not account for the dynamic nature of adversarial behavior and attack scenarios. Traditional processes may also be ad-hoc in nature. Further, previous practices may not consider dependencies between vulnerabilities. Two risks may appear similar in terms of likelihood of realization and magnitude of consequences. However, realization of a first risk may be contingent upon realization of at least one other risk or event occurring whereas a second risk may be realized without the involvement of outside actors or events and not affected by any other contingencies. Traditional processes may be unable to recognize and take account of such differences.
Traditional processes may also include network monitoring tools that may feature real-time monitoring of network activity. Such real-time monitoring may utilize rule sets and thresholds for determining if a type of network traffic is abnormal or may potentially be a network attack in process. These monitoring tools may mark such potentially dangerous traffic for review by a security analyst.
Existing approaches may also not reflect qualitative factors such as the business impact or certification impact of a problem. In addition, some network nodes or objects may have some risk mitigation already in place. Traditional approaches may be unable to recognize risk mitigation already in place. Further, current tools may be limited to recognizing vulnerabilities based on a certain hardware and software configuration and patch level.
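The considerations raised in the preceding paragraphs (nodes whose connections make them gateways, risks that are contingent on other events, existing mitigation on a node, and qualitative weighting by asset value and time horizon) can be combined in a single path-ranking computation. The following is an added illustration written for this section, not code from the disclosure itself; the graph, the probabilities, the residual-after-mitigation factors, the prerequisite event probabilities, the asset values and the urgency model are all constructed assumptions chosen so that the ranking behaviour is easy to follow.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Constructed sample data (not taken from any real network) --------------
# Directed graph of network objects. Edge weight = assumed probability that an
# attacker who already controls the source node can move on to the target node.
GRAPH: Dict[str, Dict[str, float]] = {
    "internet":   {"web": 0.6, "vpn": 0.3},
    "web":        {"app": 0.5},
    "vpn":        {"app": 0.7, "fileserver": 0.4},
    "app":        {"db": 0.4},
    "fileserver": {"db": 0.2},
    "db":         {},
}

# Assets the enterprise cares about: relative value (a qualitative business-impact
# judgement normalised to 0..1) and estimated days until a compromise causes damage.
ASSET_VALUE: Dict[str, float] = {"db": 1.0, "fileserver": 0.5}
DAYS_TO_IMPACT: Dict[str, int] = {"db": 10, "fileserver": 90}

# Mitigation already in place on a node: fraction of attempts that still get
# through the existing control (0.5 = the control stops half of them).
RESIDUAL_AFTER_MITIGATION: Dict[str, float] = {"vpn": 0.5}

# Contingent steps: an edge usable only if some independent outside event has
# occurred (e.g. a separate misconfiguration), with the given probability.
PREREQUISITE_PROBABILITY: Dict[Tuple[str, str], float] = {("fileserver", "db"): 0.5}


@dataclass
class RankedPath:
    nodes: List[str]
    probability: float   # likelihood that the path is traversed end to end
    score: float         # probability weighted by asset value and urgency


def enumerate_paths(graph: Dict[str, Dict[str, float]], source: str,
                    targets: Set[str]) -> List[List[str]]:
    """Depth-first enumeration of simple (cycle-free) paths from source to any target."""
    paths: List[List[str]] = []

    def walk(path: List[str]) -> None:
        node = path[-1]
        if node in targets and len(path) > 1:
            paths.append(list(path))
        for nxt in graph.get(node, {}):
            if nxt not in path:          # never revisit a node: keeps the search finite
                walk(path + [nxt])

    walk([source])
    return paths


def path_probability(graph, path, residual, prerequisites) -> float:
    """Multiply edge probabilities, prerequisite-event probabilities and residual factors."""
    p = 1.0
    for src, dst in zip(path, path[1:]):
        p *= graph[src][dst]
        p *= prerequisites.get((src, dst), 1.0)   # dependency on an outside event
    for node in path[1:]:
        p *= residual.get(node, 1.0)              # controls already present on the node
    return p


def urgency(days: int, window: int = 30) -> float:
    """1.0 inside the planning window, decaying for more distant horizons (assumed model)."""
    return min(1.0, window / max(days, 1))


def rank_attack_paths(graph=GRAPH, source="internet", asset_value=ASSET_VALUE,
                      days_to_impact=DAYS_TO_IMPACT, residual=RESIDUAL_AFTER_MITIGATION,
                      prerequisites=PREREQUISITE_PROBABILITY) -> List[RankedPath]:
    """Rank every entry-to-asset path by likelihood weighted with qualitative factors."""
    ranked: List[RankedPath] = []
    for path in enumerate_paths(graph, source, set(asset_value)):
        target = path[-1]
        prob = path_probability(graph, path, residual, prerequisites)
        score = prob * asset_value[target] * urgency(days_to_impact[target])
        ranked.append(RankedPath(path, prob, score))
    ranked.sort(key=lambda r: r.score, reverse=True)
    return ranked


if __name__ == "__main__":
    for r in rank_attack_paths():
        print(f"{' -> '.join(r.nodes):40s} p={r.probability:.4f} score={r.score:.4f}")
```

With the constructed numbers, the path through the web tier ranks first (0.12) even though it crosses no mitigated node, the VPN routes are halved by the existing control, and the file-server-to-database step is discounted again because it depends on an outside event; the direct path to the file server, despite a higher raw probability than that contingent route, is pulled down by its lower asset value and its 90-day horizon. In practice the edge weights, residual factors and horizons would come from scan data, control inventories and analyst judgement rather than from literals.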
Enterprises routinely take over other enterprises, which may require absorbing or integrating the target entity's data processing infrastructure. The target entity's infrastructure may have vulnerabilities that would become part of the acquiring enterprise's infrastructure if not detected and mitigated. Traditional approaches may be limited to performing network configuration scans to determine, for example, the patching levels of the target entity's network components. Further, there may be less information available than desired about the target entity's infrastructure. Merging or absorbing an outside infrastructure may introduce new risks to the acquiring enterprise or compound existing risks. Thus, effective new techniques for discovering network attack paths and successfully projecting their likelihood and timing are desirable.