Security Risk Analysis of Multi-Stage Attacks based on Data Criticality

Abstract

In recent years, it has become more challenging for organizations to assess the security risks of their assets properly, as more vulnerabilities are discovered, exploited, and weaponized. Further, attackers usually use complex multi-stage attack strategies to compromise a system and achieve their goals by exploiting several vulnerabilities. The number of affected assets and the strategy used to create the compromises by the threat actor will often dictate the costs and damages to the organization. When performing risk analysis, in addition to existing vulnerabilities, it is important, but often neglected, to consider the criticality of the data residing in the vulnerable asset. However, graphical threat modeling techniques often do not offer suitable tools for this type of analysis. In this paper, we propose a class of security risk metrics to estimate the cost of an attack that considers the criticality of data in addition to the dependencies among vulnerabilities. Our metrics are based on graphical modeling techniques in which we incorporate data criticality. We applied our approach to a real-life case study and obtained promising results.