Quantitative penetration testing with item response theory

Report (2013)
Department
Engineering, Systems and Services (TPM) (TU Delft)
Copyright: Stoelinga, M.I.A.
More Info
expand_more

Published Date

04-11-2013

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Source:

TREsPASS: Technology-supported Risk Estimation By Predictive Assessement Of Socio-technical Security

Faculty

Technology, Policy and Management

Department

Engineering, Systems and Services

Abstract

Existing penetration testing approaches assess the vulnerability of a system by determining whether certain attack paths are possible in practice. Therefore, penetration testing has thus far been used as a qualitative research method. To enable quantitative approaches to security risk management, including decision support based on the cost-effectiveness of countermeasures, one needs quantitative measures of the feasibility of an attack. Also, when physical or social attack steps are involved, the binary view on whether a vulnerability is present or not is insucient, and one needs some viability metric. When penetration tests are performed anyway, it is very easy for the testers to keep track of, for example, the time they spend on each attack step. Therefore, this paper proposes the concept of quantitative penetration testing to determine the diculty rather than the possibility of attacks. We do this by step-wise updates of expected time and probability of success for all steps in an attack scenario. Also, the skill of the testers can be included to improve the accuracy of the metrics, based on the framework of Item Response Theory (Elo ratings). We show the feasibility of the approach by means of simulations, and discuss application possibilities.

Files

303393.pdf
(pdf | 0.536 Mb)