A group of security researchers have created what they claim is the first framework to score the agility of defenders and cyber-attackers. The framework could enable future attacks to be quantified and scored to show whether the defenders are succeeding.
"Cyber agility isn't just about patching a security hole, it's about understanding what happens over time. Sometimes when you protect one vulnerability, you expose yourself to 10 others," said computer science alumnus Jose Mireles, who co-developed the framework. "In car crashes, we understand how to test for safety using the rules of physics. It is much harder to quantify cyber-security because scientists have yet to figure out what are the rules of cyber-security.
"Having formal metrics and measurement to understand the attacks that occur will benefit a wide range of cyber-professionals. A picture or graph in this case is really worth more than 1,000 words. Using our framework, security professionals will recognise if they're getting beaten or doing a good job against an attacker."
The team of researchers used a honeypot to capture malicious traffic and then analysed the patterns that emerged as attackers and defenders developed new techniques and adapted to each other. The result is an adaptive, responsive and agile pattern, or ‘evolution generation’.
"The proposed framework is generic and applicable to transform any relevant, quantitative, and/or conventional static security metrics (eg, false positives and false negatives) into dynamic metrics to capture the dynamics of system behaviours," said the researchers in their paper, published in the cyber-security journal IEEE Transactions on Information Forensics and Security.
Felix Rosbach, product manager at comforte AG, told SC Media UK: "With more sophisticated attackers and methods, breaches have practically become unavoidable. While traditional security only protects you from known attack methods, organisations struggle to find the right way to be future proof. More and more organisations are focusing on protecting data itself and properly handling incident responses instead of trying to prevent breaches in the first place.
"Especially for cyber-security leaders, it is important to visualise and monitor their success. A good framework not only makes the progress of an organisation comparable to their peers, it also enables security departments to communicate to their board and substantiate their strategy in a better way.
"But even with a good framework, you still have to come to the right conclusions, invest in the right solutions and prioritise. While every organisation has its own vulnerabilities, architecture and mix of solutions, this will remain a complex and difficult playground for security professionals."
Boris Cipot, senior security engineer at Synopsys, also commented, pointing out to SC Media UK that just recognising the behavioural elements of an attack would be a useful achievement:
"To effectively fight off attacks, one has to first recognise the attack itself. In many breaches, those were recognised too late in the process or even after the breach occurred, therefore such technology makes a lot of sense as they can follow and evaluate the attacks based on the behaviour rather than just the attack signatures. The signatures (for example malware files or data packages) can change easily, but the behaviour can be something more generally recognisable and therefore easier to track or predict."