Measuring Return on Attack: Combining Exploit Market Data with Attack Trees (CEMDAT)

Abstract

Information security economics asks "is this secure enough?" rather than the traditional question of "is this secure?" Applying this insight to systems with software vulnerabilities, defenders can think in terms of the cost to the attacker: a system is secure enough when the Return on Attack deters rational attackers. But this requires reasoning about the cost of exploiting a given system. The emergence of public vulnerability markets and brokers (e.g. Zerodium) provides information that could parameterize such a model. Existing approaches do not consider how a given vulnerability relies on other capabilities. For example, some vulnerabilities require local network access, whereas others can be exploited remotely. The former vulnerability would likely be cheaper, and the price differential implies that local network access has a specific economic value (in this case, the difference in price between the two vulnerabilities), but there is currently no formal way of reasoning about these intuitions.
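As an added illustration that is not part of the grant abstract, the following Python encodes a constructed attack tree whose leaves carry hypothetical exploit prices, computes the cheapest attacker plan (OR nodes take the minimum, AND nodes sum their children), derives the implied value of "local network access" as the price differential the abstract describes, and checks whether the resulting Return on Attack falls below a deterrence threshold. All node names, prices and the threshold are assumptions, not broker quotes or figures from the proposal.

```python
from dataclasses import dataclass, field

@dataclass
class Node:  # attack-tree node; leaves carry the attacker's cost, e.g. an exploit's market price
    name: str
    kind: str = "leaf"   # "leaf", "or" (any child suffices) or "and" (every child is needed)
    cost: float = 0.0    # only meaningful for leaves
    children: list = field(default_factory=list)

def cheapest_plan(node):
    """Return (total cost, leaf names) of the cheapest way to satisfy this node.
    A rational attacker takes the minimum over OR branches and pays for every AND branch."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    plans = [cheapest_plan(c) for c in node.children]
    if node.kind == "or":
        return min(plans, key=lambda p: p[0])
    return sum(p[0] for p in plans), [leaf for p in plans for leaf in p[1]]

def implied_capability_value(remote_price, local_price):
    """The abstract's intuition: if a remote exploit costs more than an otherwise equivalent
    local one, the difference is the market's implicit price for local network access."""
    return remote_price - local_price

def return_on_attack(expected_gain, attack_cost):
    """Gain per unit of attacker cost; a rational attacker is deterred when this is too low."""
    return expected_gain / attack_cost

def secure_enough(expected_gain, tree, min_roa):
    """Secure enough in the abstract's sense: the cheapest attack yields less than the required return."""
    cost, _ = cheapest_plan(tree)
    return return_on_attack(expected_gain, cost) < min_roa

# Constructed tree with hypothetical prices in USD (illustrative only).
SERVER_TAKEOVER = Node("take over server", "or", children=[
    Node("remote code execution exploit", cost=200_000),
    Node("local attack path", "and", children=[
        Node("local privilege escalation exploit", cost=50_000),
        Node("obtain local network access", "or", children=[
            Node("phish an employee", cost=5_000),
            Node("buy VPN credentials", cost=20_000),
        ]),
    ]),
])

if __name__ == "__main__":
    cost, leaves = cheapest_plan(SERVER_TAKEOVER)
    print(f"cheapest attack: {leaves} at ${cost:,.0f}")                      # local path, $55,000
    print(f"implied value of local access: ${implied_capability_value(200_000, 50_000):,.0f}")  # $150,000
    print("deterred at $300k gain, RoA >= 10 required?", secure_enough(300_000, SERVER_TAKEOVER, 10))  # True
```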

Document Details

Document Type
DoD Grant Award
Publication Date
Jan 21, 2022
Source ID
FA86552117015XX0

Entities

People

  • Daniel C. Woods

Organizations

  • Air Force Office of Scientific Research
  • United States Air Force
  • University of Innsbruck

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Industrial Economics
  • Systems Analysis and Design