Intro: Computer network defense has models that describe attacks, and incidents composed of multiple attacks, after the fact. However, we lack an evidence-based model of the likelihood and intensity of attacks and incidents. Purpose: We propose a model of global capability advancement, the adversarial capability chain (ACC), to fill this need. The model enables cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it. Method: The model is based on four historical studies of adversarial capabilities: the capability to exploit Windows XP, to exploit the Android API, to exploit Apache, and to administer compromised industrial control systems. Result: We propose the ACC with five phases: Discovery, Validation, Escalation, Democratization, and Ubiquity. We use the four case studies as examples of how the ACC can be applied and used to predict attack likelihood and intensity.
Jonathan Spring is a researcher and analyst at the CERT program at Carnegie Mellon University. He is the co-author of an information security textbook, “Introduction to Information Security: A Strategic-Based Approach,” and also serves as an adjunct professor at the University of Pittsburgh’s School of Information Sciences and as an ICANN research fellow. Publication list available from: url.sei.cmu.edu/jspring.