Introduction

Penetration testing is regarded as the gold-standard for understanding how well an organization can withstand sophisticated cyber-attacks. In a penetration test, a “red team” is hired to expose major flaws in the firm's security infrastructure. Recently, however, the market for exploit kits has continued to evolve and what was once a rather hard-to-penetrate and exclusive market—whose buyers were primarily western governments [95], has now become more accessible to a much wider population. In particular, 2015 saw the introduction of darknet markets specializing in zero-day exploit kits—exploits designed to leverage previously undiscovered vulnerabilities. These markets, which were discussed in Chapters 3–5, make exploits widely available to potential attackers. These exploit kits are difficult and time consuming to develop—and are often sold at premium prices. The cost associated with these sophisticated kits generally precludes penetration testers from simply obtaining such exploits, meaning an alternative approach is needed to understand what exploits an attacker will most likely purchase and how to defend against them. In this chapter, we introduce a data-driven security game framework to model an attacker and a defender of a specific system, providing system-specific policy recommendations to the defender. In addition to providing a formal framework and algorithms to develop strategies, we present experimental results from applying our framework, for various system configurations, on a subset of the real-world exploit data gathered from the system presented in Chapter 4. This game theoretic framework provides another example of rich cyber threat intelligence that can be derived from the darknet exploit data.

For this chapter, we surveyed 8 unique marketplaces and show some example exploit kits from the data set in Table 6.1. The widespread availability of zero-day exploits represents a potential game changer for penetration testers— specifically posing the following questions:

1. • What exploits will an attacker likely purchase if he targets my organization?

2. • What software used in the organization pose the biggest risk to new threats?

To address these challenging questions, we extend a data-driven security game framework, initially introduced in [90]. Given a system configuration (or a distribution of system configurations within an organization) we model an attacker who, given a budget, will purchase exploits to maximize his level of access to the target system. Likewise, a defender will look to adjust system configurations in an effort to minimize the effectiveness of an attacker while ensuring that necessary software dependencies are satisfied.