Software Engineering Institute

Computer network defense has models for attacks and incidents comprised of multiple attacks after the fact. However, we lack an evidence-based model of the likelihood and intensity of attacks and incidents. We propose a model of global capability advancement, the adversarial capability chain (ACC), to fit this need. The model enables cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it.  The model is based on four historical studies of adversarial capabilities: the capability to exploit Windows XP, to exploit the Android API, to exploit Apache, and to administer compromised industrial control systems. We propose the ACC with five phases: Discovery, Validation, Escalation, Democratization, and Ubiquity. We use the four case studies as examples as to how the ACC can be applied and used to predict attack likelihood and intensity.