Models Show Cyber Attack Probabilities
A team at the U.S. Army Research Laboratory has created four generalized linear models to predict the number of cyber intrusions a company or government will experience on its network. To design the models, the team used empirical data about successful cyber intrusions committed against a number of different organizations obtained from a cyber defense services provider that defended the organizations’ networks.
Researchers examined the security incident reports from 41 organizations and determined a correlation between the number of successful intrusions and observed features of an organization. The reports contained detailed information about malicious activities and computer security policy violations; DNS traffic collected with specialized and open source software; and other data sources that describe a selected subset of features of each organization's network topology and cyber footprint.
Deciding which of the initially conjectured variables should be included in the study brought rather surprising findings. "Several of the predictor variables that were recommended to the researchers by subject matter experts turned out to be lacking in influence or even misleading," says Dr. Nandi O. Leslie, research team member at the laboratory's Network Security Branch.
"For example, SMEs felt that the extent to which an organization is visible on the Internet, as measured for example by the number of records found related to that organization on the popular Google Scholar, would be a significant predictor of intrusion frequency. However, it turned out that such visibility alone is not a useful predictor of successful intrusions," Leslie relates.
Not surprising was the role an organization’s users play in a large number of cyber intrusions. Researchers found the number of violations of internal cybersecurity policies is a strong predictor of the number of intrusions.
"This finding is rather intuitive. Indeed, if users such as employees of the organization lack the discipline or knowledge to comply with organizational cyber hygiene policies, and if the organization is unable or unwilling to enforce its own policies, it is easy to expect that the organization's cyber defenses are poor, leading to more frequent intrusions," he states.
Cyber intrusion prediction models can improve the fundamental understanding of cyber situational awareness and ways to monitor, quantify and manage cyber risk. In addition, they may offer clues about how to enhance the security posture and perhaps the design and operation of an organization's computing systems and networks, the research team says.