Just like your own organization may engage in Enterprise Risk Management - quantifying risks in order to prioritize and resource resolution - hackers also have a risk/reward calculus when planning and executing attacks. Hackers need to maximize successful attacks with the least time and effort possible.
The Unique BreachRisk™ Approach
BreachRisk™ Score describes what hackers believe about the viability, ease, and expected impact of a successful attack on a given organization. Every organization is different, and every hack can require a unique pathway to achieve.
BreachRisk™ Score allows you to communicate cyber risks for various purposes including your own Enterprise Risk Management (ERM) process. Quantification is made on a 10-point scale and considers hundreds to thousands of evidence points that have been carefully analyzed. BreachRisk™ a.i. analysis includes these activities:
discovering the attack surface, to learn where the target exists in cyberspace
eliminating false positives (issues that might theoretically be a security "vulnerability" but are not practical to exploit)
weighing the likelihood and impact of each pathway given the prevailing conditions of the target
preparing to conduct the attack using actual hacker tools and techniques, which eliminates further false positives
(for our direct-to-enterprise customers and service providers) safely conducting the attack just like a real attacker, to collect further evidence and test existing security controls
Scale and Risk Category
The 10-point scale ranges from 0.0 to 10.0 and is divided equally into 5 risk categories.
Lower scores are better. A higher score indicates a higher risk of an initial access breach.
BreachRisk™ is dedicated to describing the hacker's perspective on risk. Therefore, each risk category characterizes the way attackers will tend to think about the target organization. Hackers are typically considering the following factors:
Is the attack pathway viable? Viable means that many false positives have been eliminated, and there appears to be a technically feasible way to attempt the attack. These pathways are realistic based on modern hacking tools and techniques.
How easily can the attack be attempted (without being caught), and how likely is it to succeed? (Likelihood)
How much time will I need to achieve a successful breach using this pathway? (Likelihood)
Should the attack succeed, how much damage or control can I achieve in pursuit of my goals (e.g. ransom, extortion, theft, destruction)? (Impact)
| Range | Risk Category | Narrative | Notes |
|---|---|---|---|
| | Lowest | Hackers believe they have few to no viable attack pathways. Any pathways could take up to 1 year or longer to breach using modern hacking tools, with small to no impact. | Hackers will tend to avoid spending resources attacking these. Organizations that appear to have little to no presence in cyberspace tend to achieve this range. BreachRisk™ a.i. does not currently assign scores below 1.0. |
| | Low | Hackers believe some viable attack pathways exist, but the pathways could take up to 1 year or longer to breach using modern automated hacking tools, and are expected to have a small impact on the target. | Hackers will tend to avoid spending resources attacking these. Most organizations that prioritize security and have an effective and mature security process tend to achieve this range, because there is evidence observable by hackers that they are a "hard target." |
| | | Hackers believe that one or more viable pathways exist, but these pathways could be difficult to attempt, could take up to 6 months or longer to breach using modern automated hacking tools, and could have a wide range of possible impact on the target. | Hackers will consider spending some resources on these depending on the circumstances. Organizations that are assigned this range tend to include those with basic security processes and controls, and those that aren't focused on being ahead of attackers. |
| | High | Hackers believe that one or more viable attack pathways exist that are easy to exploit and expected to have a meaningful impact on the target. These pathways can typically be exploited within 3 months by a dedicated attacker with modern tools. | Hackers will likely be very attracted to these pathways. Organizations should address a High Risk score quickly, because this range is only assigned when there is strong evidence of unmitigated attack pathways - or when the organization has a sophisticated, well deployed honey pot that fools BreachRisk™ a.i. (very rare). |
| | Highest | Hackers believe that one or more viable attack pathways exist that are immediately exploitable and expected to have a significant impact on the target. These pathways can typically be exploited within days to weeks by a dedicated attacker with modern tools. | Hackers will likely be extremely attracted to these pathways. Organizations should address a Highest Risk score immediately, because this range is only assigned when there is strong evidence of unmitigated attack pathways of the most dangerous nature - or when the organization has a sophisticated, well deployed honey pot that fools BreachRisk™ a.i. (very rare). |
Note: in some applications (such as BreachRisk™ for Insurance), "Lowest Risk" and "Low Risk" are combined into the "Low Risk" category for brevity.
How BreachRisk™ Score Is Determined
BreachRisk™ Score is based on dynamic and practical risk management principles used by best-in-class organizations from the Pentagon to Wall Street. It is based on evidence and is strictly tied to how hackers think about attacking organizations.
Although some popular cyber risk equations include terms such as threat and vulnerability, even these can be mathematically simplified into this classic equation.
Risk = Likelihood x Impact
By using this classic risk equation, BreachRisk™ Score can be easily integrated into any ERM program.
BreachRisk™ Score is risk - from The Hacker's Perspective
BreachRisk™ Score answers the following question about what a skilled hacker believes to be true: "How easily can I gain an initial access breach to the target organization without being caught, and how much control or damage could I achieve if successful?"
Important: Although cybersecurity hygiene and compliance factors can indirectly influence the practical security posture of an organization, compliance and hygiene factors are not considered in BreachRisk™ Score because hackers ultimately don't care about them. Hackers care about practical exploitability.
Every attack pathway (threat) can be described by how likely it is to occur (likelihood) and the impact to the target if it were to occur (impact). Risk is the product of the two.
In the security industry, a vulnerability is a computer flaw that can allow an attacker to make a computer do something unexpected. These are usually cataloged in the National Vulnerability Database and assigned a CVE serial number. Many automated security tools and legacy approaches to risk management focus on these types of threats and fail to focus on practical exploitability.
Hackers don't just consider vulnerabilities when planning attacks. They consider 4 types of threats:
vulnerability-based threats (trick the computer - think zero-day attacks)
misconfiguration-based threats (computer was told to let attacker in - think a server left open by the research & development team)
credential-based threats (attacker uses passwords to make system believe they are a legitimate user - think dark web stolen passwords or weak passwords with no MFA in place)
social-based threats (attacker tricks a human into helping them achieve a goal - think spearphishing)
Danger Rating
Each threat found is assigned a Danger Rating based on its attack success likelihood and impact. This describes how easily an attacker could exploit the threat, and the nominal damage that could be done.
Hackers calculate the likelihood that any given threat vector will succeed, along with the impact they would expect. Danger Rating is the quantification of Impact x Likelihood based on available information, including any ongoing testing.
Danger Rating = [likelihood of attack success] x [impact upon success]
Impact is rated from 1.0 to 5.0. Likelihood is rated from 1.0 to 5.0. (We currently do not assign values less than 1.0.) Because Danger Rating is actually a mathematical vector with two components, the calculation is based on the hypotenuse of a triangle formed by likelihood and impact, i.e. Pythagorean theorem, and normalized to a 10-point scale where:
a maximum likelihood (5.0) and maximum impact (5.0) result in a Danger Rating of 10.0
a minimum likelihood (1.0) and minimum impact (1.0) result in a Danger Rating of 1.0
More precisely, Danger Rating is calculated using the following:
[Danger Rating]² = [likelihood rating]² + [impact rating]²
∴ [Danger Rating] = √([likelihood rating]² + [impact rating]²)
Danger Rating is normalized within a range from 1.0 - 10.0, rounded to the nearest 0.1.
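The following Python is an added worked example of the Danger Rating arithmetic described above; it is not BreachBits code. Two things in it are assumptions: the page only says the hypotenuse is "normalized" to 1.0 - 10.0, so this code maps it linearly between the two stated anchor points (1.0, 1.0) -> 1.0 and (5.0, 5.0) -> 10.0; and the product-based rating at the end is included purely as a contrast, to show why a vector magnitude treats a single maxed-out component differently from a plain Likelihood x Impact product.

```python
import math

# Bounds stated on the page: both components run 1.0..5.0 and the
# normalized Danger Rating runs 1.0..10.0.
RATING_MIN, RATING_MAX = 1.0, 5.0
DANGER_MIN, DANGER_MAX = 1.0, 10.0

# Hypotenuse at the two corners of the rating space: sqrt(2) and sqrt(50).
_HYP_MIN = math.hypot(RATING_MIN, RATING_MIN)
_HYP_MAX = math.hypot(RATING_MAX, RATING_MAX)


def _check(name: str, value: float) -> None:
    """Reject ratings outside 1.0..5.0; the page says values below 1.0 are never assigned."""
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} must be within {RATING_MIN}..{RATING_MAX}, got {value}")


def danger_rating(likelihood: float, impact: float) -> float:
    """Danger Rating for one threat vector.

    Step 1 (from the page): raw = sqrt(likelihood^2 + impact^2).
    Step 2 (assumption): map raw linearly so (1,1) -> 1.0 and (5,5) -> 10.0,
    then round to the nearest 0.1 as the page states.
    """
    _check("likelihood", likelihood)
    _check("impact", impact)
    raw = math.hypot(likelihood, impact)
    fraction = (raw - _HYP_MIN) / (_HYP_MAX - _HYP_MIN)
    return round(DANGER_MIN + fraction * (DANGER_MAX - DANGER_MIN), 1)


def product_rating(likelihood: float, impact: float) -> float:
    """Contrast only (not on the page): a plain Likelihood x Impact product
    scaled linearly onto the same 1.0..10.0 range."""
    _check("likelihood", likelihood)
    _check("impact", impact)
    raw = likelihood * impact
    fraction = (raw - RATING_MIN * RATING_MIN) / (RATING_MAX * RATING_MAX - RATING_MIN * RATING_MIN)
    return round(DANGER_MIN + fraction * (DANGER_MAX - DANGER_MIN), 1)


if __name__ == "__main__":
    for l, i in [(1, 1), (3, 3), (5, 5), (5, 1), (1, 5)]:
        print(f"L={l} I={i}: vector={danger_rating(l, i)} product={product_rating(l, i)}")
```

The corners reproduce the page's anchors (1.0 and 10.0), and the midpoint (3.0, 3.0) lands at 5.5. The contrast case is a vector with maximum likelihood but minimum impact: the hypotenuse form rates it 6.9, whereas the product form would rate it 2.5, which is why a trivially exploitable but low-impact pathway still stands out in the vector model.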
Danger Rating evolves as risk evolves and evidence is collected
Threat vectors are tracked across "assessment cycles" (or "scans"). Upon the first identification of a unique threat vector in a specific location, the likelihood rating and impact rating assigned are based on:
the context of the location, e.g. "does this appear to be an important server?"
whether tools and TTPs exist that would allow an attacker to practically exploit the threat
how easily the threat vector can be exploited by experienced hackers with proper tools
default values for the threat vector type
other factors in the judgement of our expert hackers on staff
Upon subsequent cycles/scans, if more evidence becomes available (especially results of BreachRisk™ active testing), likelihood rating and impact can adjust.
For our customers engaged in continuous BreachRisk™ testing, likelihood rating is evaluated for adjustment each cycle based on successful/unsuccessful penetration attempts.
Final Calculation
BreachRisk™ Score is simple and transparent. We take the attack pathway with the highest Danger Rating at each analysis cycle, and we consider these over a 60-90 day rolling average.
BreachRisk™ Score = 60-90 day average of [attack pathway with the highest Danger Rating]
This means that while addressing a threat will show immediately on the next score determination, score changes are gradual.
The frequency with which BreachRisk™ Score updates depends on the frequency of cycles, which is determined in part by the level of service.
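The rolling-average step above, as an added example that is not BreachBits code. It takes a constructed series of assessment cycles (two per month, with made-up Danger Ratings), keeps only the highest-rated pathway from each cycle, and averages those peaks over a trailing window. Two assumptions are built in, because the page does not specify them: a default 90-day window (the page says 60-90 days) with every cycle in the window weighted equally, and a window that includes the as-of date and excludes its start date.

```python
from datetime import date, timedelta

# Constructed sample: (cycle date, Danger Ratings of the pathways found in that
# cycle). The 8.7 pathway is fixed and verified gone from February onward.
SAMPLE_CYCLES = [
    (date(2024, 1, 1), [3.2, 6.9, 8.7]),
    (date(2024, 1, 15), [3.2, 6.9, 8.7]),
    (date(2024, 2, 1), [3.2, 6.9]),
    (date(2024, 2, 15), [3.2, 6.9]),
    (date(2024, 3, 1), [3.2, 6.9]),
    (date(2024, 3, 15), [3.2, 6.9]),
]


def highest_danger(ratings):
    """The per-cycle input to the score: the single most dangerous pathway."""
    return max(ratings)


def breachrisk_score(cycles, as_of, window_days=90):
    """Average of the per-cycle highest Danger Rating over the trailing window.

    Assumptions: window length defaults to 90 days, cycles are equally
    weighted, and the window is (as_of - window_days, as_of].
    Returns None when no cycle falls inside the window.
    """
    start = as_of - timedelta(days=window_days)
    peaks = [highest_danger(r) for d, r in cycles if start < d <= as_of and r]
    if not peaks:
        return None
    return round(sum(peaks) / len(peaks), 1)


def score_history(cycles, window_days=90):
    """Score as it would have been reported at each cycle date."""
    return [(d, breachrisk_score(cycles, d, window_days)) for d, _ in cycles]


if __name__ == "__main__":
    for d, s in score_history(SAMPLE_CYCLES):
        print(d, s)
    print("60-day window on 2024-03-15:", breachrisk_score(SAMPLE_CYCLES, date(2024, 3, 15), 60))
```

With the 90-day window the reported score runs 8.7, 8.7, 8.1, 7.8, 7.6, 7.5: the fix is visible at the very next cycle, but the 8.7 pathway keeps pulling the average up until it ages out of the window, which is the gradual behaviour the text describes. Shortening the window to 60 days drops the old peak entirely by mid-March and the score reads 6.9, the highest remaining pathway.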
What causes BreachRisk™ Score to go up or down?
BreachRisk™ a.i. keeps up with modern hacker threats and an organization's evolving attack surface. Organizations and hackers each have a part to play in factors that can affect BreachRisk™ Score over time.
The following activities by organizations can tend to affect BreachRisk™ Score:
Eliminating attack pathways identified by BreachRisk™
Changes in security controls (intentional or unintentional)
Adding infrastructure that includes new viable attack pathways
Changes in IT infrastructure that exposes or conceals viable attack pathways (intentional or unintentional)
Enabling active BreachRisk™ testing, which authorizes BreachBits to collect further evidence that increases the accuracy and confidence interval of Danger Ratings, and therefore of BreachRisk™ Score
The following activities by hackers can tend to affect BreachRisk™ Score:
Hackers develop new techniques
Hackers develop new tools
Hackers develop zero-day exploits that are then identified by the security community
BreachRisk™ active testing activity collects evidence supporting a conclusion that a threat vector cannot be breached with a given attack permutation
BreachRisk™ active testing activity is able to prove that a threat vector can be breached with a given attack permutation
Will active testing make my BreachRisk™ Score worse?
It depends. Historically, the answer is, "No."
Testing will improve the accuracy of your score based on the fact that more evidence is collected, and this could result in BreachRisk™ Score going up or down.
BreachBits does not offer customers an option to "pay to get a better score."
We do offer customers an option to "pay to test your defenses," thereby obtaining more evidence that proves you deserve a more favorable score. However, that same testing can also prove you deserve a less favorable score.
At all times, we show all customers the factors that would prevent attacks from succeeding. This gives all organizations clear guidance on how to achieve a favorable score.
In practice, we see BreachRisk™ Score improving because customers engage in find, fix, verify practices. They constantly improve, which tends to result in BreachRisk™ Score improving in the long run. Also, when hackers get better (see previous section), customers with active testing enabled won't see BreachRisk™ Scores rise as sharply since those new vectors are being quickly identified and tested by BreachRisk™ a.i., collecting proof of security controls already in place.
Active BreachRisk™ testing can provide BreachBits the evidence needed to reduce BreachRisk™ Score (when attack attempts fail), or to increase BreachRisk™ Score (when attack attempts succeed).
When BreachRisk™ a.i. successfully achieves a breach, the BreachRisk™ Score tends to increase in the short term. However, because the customer is notified, the security flaw is quickly corrected by the customer and the threat vector is tested again; upon a successful find, fix, verify cycle this results in an overall improvement (i.e. a lower BreachRisk™ Score) after a cycle or two.
This transparency during both passive scanning and active testing - evidence-based conclusions with no option to "pay to get a better score" - is why BreachBits is equally trusted by policyholders, brokers, and insurers to be a fair and accurate intermediary.
BreachRisk™ Score vs Overall Security Posture
Since 2020, we've noticed patterns in organizations. While BreachRisk™ Score does not directly measure or calculate based on the following factors, interviews with organizations reveal apparent correlations. Organizations with lower (more favorable) BreachRisk™ Scores tend to have/involve the following factors:
Little to no presence in cyberspace (attackers have nowhere to attack)
Sustained, effective patching practices (attackers can't exploit new vulnerabilities quickly enough)
Proper, best-practice IT configurations (attackers can't find doors that have been "left open")
Sustained, best-practice password practices including difficulty requirements, periodic change requirements, activity monitoring, and multi-factor authentication (attackers can't use the dark web or password crackers to easily guess, steal, or crack passwords, or when they do they are stopped by another control)
Properly configured email servers with modern security configurations (attackers can't easily impersonate employees or deliver attacks via email)
Sustained, effective attack surface management (attackers can't find pathways on systems that are unnecessarily being exposed to the public internet)
ERM practices that allow the organization to identify, resource, and verify fixing practical, high risk attack pathways (attackers are being outmaneuvered by defenders and can't find viable attack pathways long enough to exploit them without being caught)
