Assessing Attack Impact on Business Processes by Interconnecting Attack Graphs and Entity Dependency Graphs

Cyber-defense and cyber-resilience techniques sometimes fail in defeating cyber-attacks. One of the primary causes is the ineffectiveness of business process impact assessment in the enterprise network. In this paper, we propose a new business process impact assessment method, which measures the impact of an attack towards a business-process-support enterprise network and produces a numerical score for this impact. The key idea is that all attacks are performed by exploiting vulnerabilities in the enterprise network. So the impact scores for business processes are the function result of the severity of the vulnerabilities and the relations between vulnerabilities and business processes. This paper conducts a case study systematically and the result shows the effectiveness of our method.

[1]  Lingyu Wang,et al.  Measuring Network Security Using Bayesian Network-Based Attack Graphs , 2008, 2008 32nd Annual IEEE International Computer Software and Applications Conference.

[2]  Gabriel Jakobson,et al.  Mission cyber security situation assessment using impact dependency graphs , 2011, 14th International Conference on Information Fusion.

[3]  Cynthia A. Phillips,et al.  A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[4]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[5]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[6]  Xiaoyan Sun,et al.  Towards Actionable Mission Impact Assessment in the Context of Cloud Computing , 2017, DBSec.

[7]  Xiaoyan Sun,et al.  Who Touched My Mission: Towards Probabilistic Mission Impact Assessment , 2015, SafeConfig@CCS.

[8]  Indrajit Ray,et al.  Dynamic Security Risk Management Using Bayesian Attack Graphs , 2012, IEEE Transactions on Dependable and Secure Computing.

[9]  Ben Walters,et al.  QUIRC: A Quantitative Impact and Risk Assessment Framework for Cloud Security , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[10]  Xu Chen,et al.  Automating Network Application Dependency Discovery: Experiences, Limitations, and New Solutions , 2008, OSDI.

[11]  Xiaoyan Sun,et al.  Gaining Big Picture Awareness through an Interconnected Cross-Layer Situation Knowledge Reference Model , 2012, 2012 International Conference on Cyber Security.

[12]  Sushil Jajodia,et al.  Measuring network security using dynamic bayesian network , 2008, QoP '08.

[13]  Xinming Ou,et al.  A scalable approach to attack graph generation , 2006, CCS '06.

[14]  Tin Yu Wu,et al.  Multilayered Impact Evaluation Model for Attacking Missions , 2016, IEEE Systems Journal.

[15]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[16]  Indrajit Ray,et al.  Using Attack Trees to Identify Malicious Attacks from Authorized Insiders , 2005, ESORICS.

[17]  Indrajit Ray,et al.  Optimal security hardening using multi-objective optimization on attack tree models of networks , 2007, CCS '07.

[18]  Sushil Jajodia,et al.  Efficient minimum-cost network hardening via exploit dependency graphs , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..