Damages resulting from cyber-attack campaigns, like the 2009 Aurora attacks against the networks of hundreds of companies, including Google and RSA, the 2010 Stuxnet attack designed to damage Supervisory Control and Data Acquisition (SCADA) facilities, and the 2011 Sony PlayStation attacks leading to the loss of millions of records of payment information, demonstrate the growing severity of the impact of cyber-attacks on network assets and industrial processes, as well as on economic and financial positions. The immediate sources of damage to assets may include, for example, data deletion, data corruption, data theft, release of protected data to the public, goodwill and reputational loss, system downtime loss, equipment loss, immediate revenue and subsequent financial loss, business continuity interruption, the internal costs of detection, investigation of suspected breaches, containment of breaches, and recovery of systems, and ex post facto responses, including the costs of legal ramifications such as class action lawsuits or other litigation, among others. Subsequent damages can range from loss of intellectual property (IP) through data theft to downtime of SCADA systems or other control systems, which may lead to losses of product manufacturing, delivery of critical services, and casualties, including human injury or loss of life. Damage to and/or the compromising of logical controllers and/or data systems (e.g., on vehicles, energy infrastructure, pipelines, and nuclear reactors) can, among other things, disable safety alerts and cause equipment to operate outside of its standard operating range, resulting in damage to property and persons.
An organization's assets residing on computer networks have become more difficult to protect as assets and networks have grown in size and complexity. Businesses, governments, and other organizations have expanded computer network access internally across a growing number of fixed and mobile computers and devices authorized for employee access, as well as access externally to public and private cloud environments, and trusted customers/clients, vendors and suppliers. The growth of these access points greatly increases the exposure of organizational assets to potential compromise and loss.
At the same time, network security teams are confronted by a number of challenges, including the large number of channels into an organization (Wi-Fi, USB flash drives, mobile devices, VoIP and the like), the size and diversity of the infrastructure requiring protection, the number and diversity of applications (including plug-ins), and the overwhelming amount of network traffic to monitor and scan—each evolving, sometimes dramatically, in complexity over time. Control systems, such as SCADA systems, that drive manufacturing, critical energy, transportation, and other operational systems, which were once isolated and analog in nature, are now migrating to digital systems and are progressively connected via the Internet for on-line licensing, performance tracking, patching and software updating. As a result, the exposure to attack through network pathways continues to increase.
Adding to the complexity, cyber tools that target assets have become more sophisticated, attackers' tactics and techniques more advanced, and sophisticated commodity malware more readily available in illicit markets to a global set of attackers. The networks they target extend across different devices and site locations globally, and competing security products in the marketplace in many cases have not kept pace with existing and emerging malware threats, and in many cases have opened additional vulnerabilities for attackers by their very operation. There is an expanding array of attacker entry points and capabilities that range from placing insiders intentionally in organizations for physical access, to targeting the supply chain of software and hardware, to false website mirroring, to social engineering against employees in an organization, to mapping out an organization's network and connected assets via external reconnaissance techniques, to other new and evolving methods. Using this increasing range of entry points to access systems, attackers can eventually enter and propagate across a target organization's network subnets at different security levels, obtain local and domain access to systems, maneuver to gain further access through privilege escalation, and then take on the identity of valid users and administrators inside the organization so as to access and damage targeted assets throughout the network.
Furthermore, many security products today suffer from large false alarm rates and ultimately do not forecast where attackers are headed in their attack sequence. During the Target attacks in December 2013 that led to the theft of 40 million credit and debit cards and personal data on another 70 million customers, it was reported (e.g., in Computer World, Mar. 14, 2014) that many alerts were generated from various security layers and products; however, the false alarm rate of the individual security products was high enough that the alarms were essentially ignored. In addition, critical security control mechanisms that could have denied attackers access along likely pathways in a timely manner, so as to prevent the attackers' further progression within the system, were not properly utilized. Finally, intrusion detection systems (IDS) that do integrate security alert data and traffic from different products in order to improve situational awareness typically do not integrate stochastic asset loss forecasting into their methods, and therefore cannot account for uncertainties when correlating attacker pathways in their alerting calculations so as to further reduce false alarm rates.