Control Effectiveness: a Capture-the-Flag Study

As cybersecurity breaches continue to increase in number and cost, and the demand for cyber-insurance rises, the ability to reason accurately about an organisation’s residual risk is of paramount importance. Security controls are integral to risk practice and decision-making: organisations deploy controls in order to reduce their risk exposure, and cyber-insurance companies provide coverage to these organisations based on their cybersecurity posture. Therefore, in order to reason about an organisation’s residual risk, it is critical to possess an accurate understanding of the controls organisations have in place and of the influence that these controls have on the likelihood that an organisation will be harmed by a cyber-incident. Supporting evidence for the effectiveness of controls, however, is often lacking. With the aim of enriching internal threat data, in this article we explore a practical exercise in the form of a capture-the-flag (CTF) study. We experimented with a set of security controls and invited four professional penetration testers to solve the challenges. The results indicate that CTFs are a viable path for enriching threat intelligence and examining security controls, enabling us to begin to theorise about the relative effectiveness of certain risk controls in the face of threats, and to provide some recommendations for strengthening cybersecurity posture.
