Cyber Effects Prediction presented at BlackHatDC 2010

by Shane Powell


Summary: Public sector organizations must begin to understand the extent to which cyber attacks may affect their ability to conduct mission essential operations, a concern that was once the sole domain of military planners. Various information security regulations and standards aid organizations with configuring information systems securely. Common processes are used to assess system vulnerabilities and assign risk. However, vulnerability and risk assessments can easily mislead system owners into a false sense of security. While vulnerabilities can be patched and risks may be mitigated, the end result is inevitable: someone must accept responsibility should their organization fall prey to cyber attack through exposures that remain.
The approach to Cyber Effects Prediction proposed in this paper harnesses traditional and emerging analytic methods to provide a deep understanding of the actual security state of an organization's information system. Cyber Effects Prediction harnesses detailed knowledge of an organization's information system configurations, business operations, continuity of operations planning, and external relationships. From this information, it can be determined how information systems will likely be attacked, allowing for prediction of the cascading effects that result from a successful cyber attack.
Knowledge derived from Cyber Effects Prediction allows for:
Understanding System Security Baseline Configurations
Assigning System Criticality According to Organizational Mission
Understanding Internal, External, or Hybrid Organizational Exposures to Cyber Attack
Understanding the Reach of Cyber Attack Vectors Crossing Organizational Exposures
Identifying Primary (Direct) Cyber Effects Affecting Systems
Predicting Secondary (Internally Cascading) Cyber Effects Affecting Distributed Services
Postulating Tertiary (Externally Cascading) Cyber Effects Affecting Operations and Mission
Demonstrating System Vulnerabilities through Targeted Penetration Testing
Identifying and Prioritizing Remediation Actions
Allocating Resources Efficiently in Support of Remediation Actions
Calculating Residual Risk Either Qualitatively or, More Importantly, Quantitatively
The methodology described focuses on applying Cyber Effects Prediction to the defense of information systems.