Efficient attack countermeasure selection accounting for recovery and action costs
This addresses cost optimization in cybersecurity for networked systems, though it is incremental as it builds on existing cost-impact analysis methods.
The paper tackles the problem of selecting cost-effective cyber defense actions by modeling both attack impacts and recovery costs, finding that allowing some attacks to continue while focusing on service recovery can be more efficient than containment alone.
The losses arising from a system being hit by cyber attacks can be staggeringly high, but defending against such attacks can also be costly. This work proposes an attack countermeasure selection approach based on cost impact analysis that takes into account the impacts of actions by both the attacker and the defender. We consider a networked system providing services whose provision depends on other components in the network. We model the costs and losses to service availability from compromises and defensive actions to the components, and show that while containment of the attack can be an effective defensive strategy, it can be more cost-efficient to allow parts of the attack to continue further whilst focusing on recovering services to a functional state. Based on this insight, we build a countermeasure selection method that chooses the most cost-effective action based on its impact on expected losses and costs over a given time horizon. Our method is evaluated using simulations in synthetic graphs representing network dependencies and vulnerabilities, and found to perform well in comparison to alternatives.