CISO Guide to Game Theoretic Model for Security Investment with Penetration Testing | Lucideus Research

Introduction 
Penetration testing is a security practice performed to identify existing vulnerabilities and find out which exploits are possible through them. It is an efficient way to quantify the risk associated with a particular computer system. The process consists of finding out the weaknesses and the strengths of the given computer system, and thereby defining what an attacker can achieve when she comes in contact with that system.

In this blog, we describe the idea presented in the research article titled “Optimal Information Security Investment with Penetration Testing”, along with our take on it. The article describes the ways in which penetration testing can be added to the realm of information security investment. It has been observed that pentesting increases the per-dollar efficiency of the investment.

Model
The entire scenario is modelled as a game between an attacker and a defender. The game consists of two players: an attacker and a defender. The defender operates a computer system with underlying value ‘a’ that yields a return of ‘r’ per period. In general there are multiple attackers in the environment, but to avoid complexity they are all treated as one entity. Let there be ‘n’ components in the defender’s computer system that are at risk of being exploited. It is assumed that a vulnerable component can be successfully protected by investing in its protection.

An attacker will attack if and only if the benefit she gets from exploiting a vulnerability is greater than the cost of doing so. The defender has to decide how much to invest in protecting the existing vulnerabilities. But there is a high level of uncertainty about which vulnerabilities are the weakest links, since the attacker will always go for the weakest ones only. Based on expert opinion, his own judgement or threat-prioritisation models, the defender orders the vulnerabilities by their expected cost of attack. Since none of these techniques determines the attacker’s cost perfectly, there is a gap between the true cost to the attacker and the cost perceived by the defender. This uncertainty is denoted by σ. In case of certainty σ = 0, whereas in case of uncertainty it is equal to 1. A higher value of σ depicts a greater mismatch between the attacker’s actual cost of attack and the cost of attack perceived by the defender, which is to say that the two players’ sets of weakest links differ to a greater extent.

Each time the attacker attacks, she loots a fraction ‘z’ of the total valuation ‘a’ of the asset. The distortion in the system is smaller if the order of attack is predicted properly, which is to say that the order of the expected costs of attack matches the order of the true costs of attack. Let there be some reservation cost of attack for the attacker. Vulnerabilities whose cost lies above this will not be attacked, as the cost of the attack would exceed the benefit derived from it. A secure state is defined as the condition under which no attack is observed. So the secure state is reached when all the vulnerabilities lying below the reservation cost are protected. It is assumed that the set of weakest links does not change over the finite time horizon.


Steps of the Game:
Notations:
k: number of possible threats, i.e. vulnerabilities whose expected cost lies below the attacker’s reservation cost
t = 0: initial round with proactive defense
t = 1,...,tmax: reactive rounds
c: cost of pentesting
p: probability that the pentest will succeed
x_i: true cost of attacking vulnerability i
a: value of the defender’s asset
z: fraction of the asset looted by the attacker per attack


The interaction is modelled as a sequential game in which the players move in turn. The defender moves first and chooses his action, after which it is observed whether the attacker attacks or not. If she does not attack, the secure state is reached. The game is a dynamic, finite-horizon, player-versus-nature game. Its steps are described below:


(t = 0): This is the initial round in which the defender decides to protect against a number ‘k’ of possible threats. He has to choose how many of the possible threats he wants to protect by investing in information security. The cost of protection is taken to be 1 per protected threat per round.


(t = 1,...,tmax): in each of these reactive rounds the following four steps are iterated:

The defender decides whether to commission a pentest or not, at positive cost ‘c’.

As mentioned above, the probability that the pentest succeeds is p > 0. If it succeeds, it reveals the next weakest link together with its true cost. Defending this revealed weak link increases the defender’s cost by 1 for this and all subsequent rounds.

An attack occurs when at least one of the true costs is below the revenue the attacker would earn, i.e. x_i ≤ z·a. If there is no attack, no weakest link is left and the secure state is reached.

If an attack occurs, the defender has to decide whether to heal the exploited link. If he decides to heal it, he incurs a cost of 1 for all subsequent rounds.

Terminal Nodes:

T0 : This represents a situation where the game terminates. This solution is reached when the situation is indefensible and the defender decides to bear the loss due to attacks, and drops the idea of investing in the protection of the possible threats.

T1 : This denotes the solution corresponding to the secure state. The defender wants to reach this node as soon as possible.

T2 : A case in which the system is found to be indefensible after some rounds of pentesting and attacks. The defender will always prefer T0 over T2 because in T2 he incurs the cost of pentesting and of healing threats before reaching the same outcome as in T0.

Figure 2 represents the extensive form of the entire scenario under consideration. An extensive form game presents each stage of the game as nodes together with the possible strategies the player can choose. The defender starts from the node ‘S’ and has to decide how many possible threats he wants to protect as a proactive defense strategy. One branch, with security investment in k threats, is shown in the figure. The dotted branches ending with an asterisk are the decisions not to go for a pentest given that at least one pentest was performed in an earlier round.

Once he is done with the proactive defense, the reactive defense zone starts, in which the four steps are repeated in every time period until one of the terminal nodes is reached. In t = 1 he has two choices: commission a pentest or not.

Situation 1 (pentest not commissioned):
If he does not go for a pentest and no attack takes place, he reaches the secure state T1 and the game terminates there.
If he does not go for a pentest and an attack happens, he is again left with two actions: whether to heal the weakest link exploited in the attack or not. If he decides not to protect the exploited vulnerability, the game reaches the indefensible situation T2. In the other case, when he decides to protect it, the t = 1 period ends and t = 2 starts. In t = 2 all the steps are repeated.

Situation 2 (pentest is commissioned):
When the pentest is commissioned, nature comes into play. The pentest succeeds with probability p > 0, so there are two cases: the pentest succeeds or it fails. When the pentest fails, either the attacker attacks or she does not, giving two situations:

If no attack takes place, the defender reaches the secure state T1 and the game terminates there.

If an attack happens, he is again left with two actions: whether to heal the weakest link exploited in the attack or not. If he decides not to protect the exploited one, the game reaches the indefensible situation T2. In the other case, when he decides to protect it, the t = 1 period ends and t = 2 starts. In t = 2, all the steps are repeated.

If the pentest succeeds, the same two situations described above follow.

After analysing all the above sequences and the corresponding payoffs, the solution of the game is that once the defender starts pentesting, he keeps doing so until the secure state is reached.
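To make the reactive rounds concrete, here is a small Python simulation of the game as described above. It is our own illustration, not code from the paper or from Lucideus, and it assumes a few things the article leaves open: true attack costs are drawn uniformly from [0, 1], the defender’s perceived cost is the true cost plus a σ-scaled error, a successful pentest reveals the weakest unprotected link below the reservation cost, and the defender always heals after an attack (the strategy the solution of the game prescribes).

```python
import random

def simulate(true_cost, perceived, k, a, z, c, p, pentest, tmax, rng=None):
    """One play of the game. Returns (defender's total cost, secure state reached?)."""
    rng = rng or random.Random(0)
    threshold = z * a                      # attacker attacks link i only if x_i <= z*a
    # t = 0: proactive defense of the k links the defender *perceives* as weakest
    order = sorted(range(len(true_cost)), key=lambda i: perceived[i])
    protected = set(order[:k])

    def unprotected_weak():               # links still open to profitable attack
        return [i for i in range(len(true_cost))
                if i not in protected and true_cost[i] <= threshold]

    total = 0.0
    for _ in range(1, tmax + 1):          # reactive rounds t = 1..tmax
        total += len(protected)           # cost 1 per protected link per round
        if pentest:
            total += c                    # step 1: commission a pentest at cost c
            weak = unprotected_weak()
            if weak and rng.random() < p: # step 2: nature decides whether it succeeds
                protected.add(min(weak, key=lambda i: true_cost[i]))
                total += 1                # the revealed link costs 1 from this round on
        weak = unprotected_weak()         # step 3: does an attack occur?
        if not weak:
            return total, True            # terminal node T1: secure state
        total += z * a                    # the attacker loots a fraction z of the asset
        protected.add(min(weak, key=lambda i: true_cost[i]))  # step 4: heal it
    return total, False                   # horizon exhausted before reaching T1

def expected_cost(n, sigma, k, a, z, c, p, pentest, tmax, trials=2000, seed=1):
    """Average defender cost over random instances; sigma scales the estimation error."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        true_cost = [rng.random() for _ in range(n)]            # constructed sample
        perceived = [x + sigma * rng.uniform(-0.5, 0.5) for x in true_cost]
        total += simulate(true_cost, perceived, k, a, z, c, p, pentest, tmax, rng)[0]
    return total / trials

if __name__ == "__main__":
    for sigma in (0.0, 0.5, 1.0):
        npt = expected_cost(10, sigma, 3, 1.0, 0.5, 0.25, 0.8, False, 20)
        pt = expected_cost(10, sigma, 3, 1.0, 0.5, 0.25, 0.8, True, 20)
        print(f"sigma={sigma}: E[cost] without pentest={npt:.2f}, with pentest={pt:.2f}")
```

Comparing the two averages for increasing σ shows how the value of the pentest grows with the defender’s uncertainty about the order of the weakest links.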

Return on Penetration Testing:
The normalised return on security investment can be defined as follows:

Where ALE is the annual loss expectation for three cases: ALE_0 is the baseline case where no security investment is made, ALE_NPT is the case when security investment is made excluding any investment in pentesting, and ALE_PT is the loss expectation with security investment and pentesting. A higher value of ROSI_NPT reflects a higher efficiency of the security investment.
The efficiency of the investment in pentesting can be judged by computing the Return on Penetration Testing (ROPT), given by the following formula:
ROPT = ROSI_PT − ROSI_NPT
Where the corresponding values of ROSI are calculated using ALE_PT and ALE_NPT in equation (1). As described before, ROSI denotes the efficiency of each dollar spent on preventing loss, whereas ROPT denotes the dollar amount of additionally prevented losses per dollar invested in pentesting.

Conclusion:
Proactive and reactive defense are the two types of strategies generally employed. But the efficiency of each type depends on various factors, such as the uncertainty about the order of the weakest links. Pentesting serves as a very effective tool for gathering information about the possible threats. If the right amount is invested in pentesting, the return per unit invested will be higher. This way, proactive defense can be complemented by reactive defense through proper optimisation, as depicted in this blog.


References:
1. Böhme, R., Félegyházi, M.: Optimal Information Security Investment with Penetration Testing. In: Decision and Game Theory for Security, 1st International Conference (GameSec 2010), pp. 21–37 (2010)
2. Böhme, R., Moore, T.W.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security (WEIS), University College, London, UK (2009)
3. Böhme, R., Moore, T.W.: The iterated weakest link. IEEE Security & Privacy 8(1), 53–55 (2010)
4. Panjwani, S., Tan, S., Jarrin, K.M., Cukier, M.: An experimental evaluation to determine if port scans are precursors to an attack. In: Proc. of Int’l. Conf. on Dependable Systems and Networks (DSN 2005), Yokohama, Japan (2005)
5. Gordon, L.A., Loeb, M.P., Lucyshyn, W.: Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22(6) (2003)
6. Gal-Or, E., Ghose, A.: The economic incentives for sharing security information. Information Systems Research 16(2), 186–208 (2005)
7. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5(4), 438–457 (2002)
8. Cavusoglu, H., Mishra, B., Raghunathan, S.: The value of intrusion detection systems in information technology security architecture. Information Systems Research 16(1), 28–46 (2005)
9. Barth, A., Rubinstein, B., Sundararajan, M., Mitchell, J., Song, D., Bartlett, P.L.: A learning-based approach to reactive security. In: Radu, S. (ed.) FC 2010. LNCS, vol. 6052, pp. 192–206. Springer, Heidelberg (2010)
10. Ogut, H., Cavusoglu, H., Raghunathan, S.: Intrusion detection policies for IT security breaches. INFORMS Journal on Computing 20(1), 112–123 (2008)
11. Geer, D., Harthorne, J.: Penetration testing: A duet. In: Proc. of the 18th Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV, USA (2002)
12. Arkin, B., Stender, S., McGraw, G.: Software penetration testing. IEEE Security & Privacy 3(1), 84–87 (2005)
13. Richardson, R.: CSI Computer Crime and Security Survey. Computer Security Institute (2007)
14. Miura-Ko, R.A., Bambos, N.: SecureRank: A risk-based vulnerability management scheme for computing infrastructures. In: IEEE International Conference on Communications (Proc. of ICC), pp. 1455–1460 (2007)
15. Böhme, R., Nowey, T.: Economic security metrics. In: Eusgeld, I., Freiling, F.C., Reussner, R. (eds.) Dependability Metrics. LNCS, vol. 4909, pp. 176–187. Springer, Heidelberg (2008)
16. Purser, S.A.: Improving the ROI of the security management process. Computers & Security 23, 542–546 (2004)
17. Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: Spamalytics: An empirical analysis of spam marketing conversion. In: Conference on Computer and Communications Security (Proc. of ACM CCS), Alexandria, Virginia, pp. 3–14 (2008)
18. Su, X.: An overview of economic approaches to information security management. Technical Report TR-CTIT-06-30, University of Twente (2006)