Quantitative penetration testing with item response theory

Existing penetration testing approaches assess the vulnerability of a system by determining whether certain attack paths are possible in practice. Thus, penetration testing has so far been used as a qualitative research method. To enable quantitative approaches to security risk management, including decision support based on the cost-effectiveness of countermeasures, one needs quantitative measures of the feasibility of an attack. Also, when physical or social attack steps are involved, the binary view on whether a vulnerability is present or not is insufficient, and one needs some viability metric. When penetration tests are performed anyway, it is very easy for the testers to keep track of, for example, the time they spend on each attack step. Therefore, this paper proposes the concept of quantitative penetration testing to determine the difficulty rather than the possibility of attacks based on such measurements. We do this by step-wise updates of expected time and probability of success for all steps in an attack scenario. In addition, we show how the skill of the testers can be included to improve the accuracy of the metrics, based on the framework of item response theory (Elo ratings). We prove the feasibility of the approach by means of simulations, and discuss application possibilities.
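The Elo-style bookkeeping the abstract describes, as an added example that is not the paper's own code: tester skill and attack-step difficulty are updated after every recorded attempt, the time spent per step is averaged into an expected time, and the per-step success probabilities are combined over a linear attack path. The logistic model, the K-factor, the initial ratings and the sample log are all assumptions made for this illustration, not values taken from the paper.

```python
# Elo-style difficulty/skill estimation from penetration-test step outcomes.
# Assumed: standard Elo logistic model and K-factor; constructed sample data.

K_FACTOR = 32          # assumed update rate, not a value from the paper
INITIAL_RATING = 1500  # assumed prior for unknown testers and attack steps


def p_success(skill, difficulty):
    """Logistic (Elo) probability that a tester of this skill completes a step."""
    return 1.0 / (1.0 + 10 ** ((difficulty - skill) / 400.0))


def rate_outcome(skill, difficulty, succeeded, k=K_FACTOR):
    """One Elo update: the tester gains exactly what the step loses."""
    delta = k * ((1.0 if succeeded else 0.0) - p_success(skill, difficulty))
    return skill + delta, difficulty - delta


def run_observations(observations):
    """Replay (tester, step, succeeded, minutes) records in order.

    Returns tester skills, step difficulties and the mean observed time per
    step (mean over all attempts, successful or not; an assumed estimator)."""
    skills, difficulties, durations = {}, {}, {}
    for tester, step, succeeded, minutes in observations:
        s = skills.get(tester, INITIAL_RATING)
        d = difficulties.get(step, INITIAL_RATING)
        skills[tester], difficulties[step] = rate_outcome(s, d, succeeded)
        durations.setdefault(step, []).append(minutes)
    expected_time = {step: sum(t) / len(t) for step, t in durations.items()}
    return skills, difficulties, expected_time


def scenario_success(difficulties, path, attacker_skill):
    """Probability that an attacker of the given skill completes every step of
    a linear attack path, assuming step outcomes are independent."""
    p = 1.0
    for step in path:
        p *= p_success(attacker_skill, difficulties[step])
    return p


# Constructed sample test log (not real data): each tester attempts a physical
# or social step and records whether it worked and the minutes spent.
SAMPLE_LOG = [
    ("alice", "tailgate", True, 15),
    ("alice", "badge_clone", False, 90),
    ("bob", "tailgate", True, 10),
]

if __name__ == "__main__":
    skills, difficulties, times = run_observations(SAMPLE_LOG)
    print(skills, difficulties, times)
    print(scenario_success(difficulties, ["tailgate", "badge_clone"], 1500))
```

Because every update moves skill and difficulty by the same amount in opposite directions, the sum of all ratings is conserved, which is a quick sanity check when replaying a real test log.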
