Reliability of exploits and consequences for decision support


  1. Dondo, M.
  2. Risto, J.
  3. Sawilla, R.
Corporate Authors
Defence Research and Development Canada, Ottawa Research Centre, Ottawa ON (CAN);NATO Communications and Information Agency, The Hague (Netherlands)
Limited public information is available about the actual likelihood of success that attackers will have when attempting to exploit a particular vulnerability. The metrics that are available are therefore used to meet the demand for this type of information but that usage does not lead to an accurate threat picture. The exploitability of specific vulnerabilities depends upon the network environment and the attacker of concern, thus there is no reason to expect that metric information that does not include these attributes in its scope will lead to a correct mitigation prioritization, even if that metric information is correct within its scope. However, insufficient threat information, or an incomplete understanding of the scope of particular metrics, leaves network defenders to use the metrics they have for purposes outside of their scope, and that can cause network defenders to prioritize mitigations inappropriately. In this paper we model the largest class of attackers – a basic attacker who uses the widely available Metasploit Framework (MSF) penetration testing tool with its dictionary of exploits. We show that there is only a moderate relationship between the popular Common Vulnerability Scoring System (CVSS) exploitability metric, which provides an indication of the exploitability of a vulnerability, and the success of an attacker in our attacker model. In environments where resources are constrained so that vulnerability mitigation must be prioritized, this work demon
Computer Network Defence; Vulnerability exploitation
Report Number
DRDC-RDDC-2015-N061 — External Literature
Date of publication
24 Aug 2015
Number of Pages
Electronic Document (PDF)
