A formal approach to automatically assess and manage ICT risk

2017

Abstract

Risk has to be assessed and managed with no historical data anytime we adopt a new technology or a system that differs widely from the previous ones. Usually, this problem is solved by exploiting personal experience, but the number of factors to be considered is so large that the output may not be objective and cannot be easily communicated. We propose a methodology that tackles the “risk with no data” problem by predicting the behavior of intelligent attackers against the system to be assessed. These attackers are intelligent and they minimize their efforts to control some predefined modules, their goal. The methodology defines and executes the computer models of the system and those of the attackers to discover which agents reach their goals and how. It handles randomness through a Monte Carlo method and returns a sample that it builds by collecting data in multiple executions. The target system is modeled as a set of interconnected modules. The operations that a module defines are invoked by the modules that own the corresponding privileges. The module vulnerabilities enable some attacks, e.g. an action that returns some privileges an agent is not entitled to. An attack succeeds with a probability that depends on both the agent and further system properties. The model of an attacker describes goals, legal privileges, available information on the system and how it selects attack chains. An attacker exploits attack chains because a single attack cannot reach a goal. A detailed modeling of chain selection influences the model accuracy. The methodology is supported by the Haruspex suite, a set of tools to automate risk assessment and management. The suite tools build the models of interest, execute these models to produce a sample and use it to assess the risk and discover the most effective security investment. Besides describing the framework and suite, we will present some assessments that have adopted and validated the suite.
4 Apr 2017
Italian
Baiardi, Fabrizio
Università degli Studi di Pisa
Files in this item:

Attivita_Pubblicazioni.pdf
open access
Type: Other attached material
Size: 102.19 kB
Format: Adobe PDF

Tesi_Tonelli.pdf
open access
Type: Other attached material
Size: 7.87 MB
Format: Adobe PDF

Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14242/133880
The NBN code of this thesis is URN:NBN:IT:UNIPI-133880