Challenges in building a risk and resilience reasoning system

There are three major challenges in building a comprehensive reasoning-based system. The first is the precise semantic analysis of attack techniques, such as those described in MITRE ATT&CK. These are described for human understanding and are not suitable for reasoning systems. The solution is relatively simple to understand but difficult to implement: the techniques need to be rewritten with consistent and precise basic concepts (that is, an appropriate semantic model). Only then can a reasoning system be built. 

Take for example MITRE ATT&CK technique T1210, “Exploitation of Remote Services.” One of the accepted methods is to use a CVE that allows a remote service to be invoked. Therefore, it is necessary to enter into the reasoning system the ways to check the existence of the CVE on a system (Security Content Automation Protocol or  SCAP can help) and to classify the vulnerabilities according to the ability to enable the activation of a remote service. For example, a prerequisite for finding a CVE is the ability to connect to that computer via the network—that is, having physical and logical connectivity that allows the vulnerability to be activated. These two facts are a start that enables reasoning regarding the use of the T1210 technique: “Find a system with the vulnerability that has connectivity that allows the exploitation of the CVE.”

The second challenge is to create a language (ontology) that connects concepts from different attack domains—such as permissions, vulnerabilities, and configurations—and to create the semantic graph. There are some detailed ontologies that explain the relationship between various cyber concepts such as the UCO of the University of Maryland or MITRE D3F3ND.

The third challenge is collecting relevant information from the organization’s systems. This can be done by interfacing with existing systems and translating the information into the common language or by a dedicated scanner.

With these challenges met, the system essentially becomes a digital cyber twin of the organization. It has all the information it needs to simulate millions of cyber attacks, thus identifying which specific attack scenarios represent exposures to the organization and calculating the risk from those exposures. Digital twinning technology is already being used in many industrial applications such as engineering design, building maintenance, and operations management. The time is right for it to be applied to cybersecurity, enabling teams to determine the courses of action that will mitigate attacks, reduce risk, and build cyber resilience.

The end game

Organizations are struggling to answer basic questions regarding their cyber risk exposure. These include organization-wide questions such as: What is our risk of being breached? What will the cost consequences be of a breach? What assets are most at risk? What steps do I need to take to lower my risk of being breached? How much should I spend on security? There are also operational questions regarding cyber exposure: What will be the risk impact to the business if we migrate a specific application to the cloud? If we implement two factor authentication? If we change our firewall controls?

Reasoning systems are showing great promise toward providing organizations with answers to both strategic and operational questions. Along with machine learning systems, reasoning systems will have an increasing use in cyber defense—especially in the world of risk analysis and management. They will provide IT and security teams with the tools and information they need to manage and control risks, better allocate security spending, and narrow the attack defense gap.