Reliability of exploits and consequences for decision support

PDF

Authors
  1. Dondo, M.
  2. Risto, J.
  3. Sawilla, R.
Corporate Authors
Defence Research and Development Canada, Ottawa Research Centre, Ottawa ON (CAN);NATO Communications and Information Agency, The Hague (Netherlands)
Abstract
Limited public information is available about the actual likelihood of success that attackers will have when attempting to exploit a particular vulnerability. The metrics that are available are therefore used to meet the demand for this type of information but that usage does not lead to an accurate threat picture. The exploitability of specific vulnerabilities depends upon the network environment and the attacker of concern, thus there is no reason to expect that metric information that does not include these attributes in its scope will lead to a correct mitigation prioritization, even if that metric information is correct within its scope. However, insufficient threat information, or an incomplete understanding of the scope of particular metrics, leaves network defenders to use the metrics they have for purposes outside of their scope, and that can cause network defenders to prioritize mitigations inappropriately. In this paper we model the largest class of attackers – a basic attacker who uses the widely available Metasploit Framework (MSF) penetration testing tool with its dictionary of exploits. We show that there is only a moderate relationship between the popular Common Vulnerability Scoring System (CVSS) exploitability metric, which provides an indication of the exploitability of a vulnerability, and the success of an attacker in our attacker model. In environments where resources are constrained so that vulnerability mitigation must be prioritized, this work demon
Keywords
Computer Network Defence Vulnerability exploitation
Report Number
DRDC-RDDC-2015-N061 — External Literature
Date of publication
24 Aug 2015
Number of Pages
16
DSTKIM No
CA040893
CANDIS No
801970
Format(s):
Electronic Document(PDF)

Permanent link

Document 1 of 1

Date modified: