Bespoke Event Catalog

Once we have all the data needed for the simulation consolidated, and after the consolidation step, we build a catalog of events to test likely attacks against the company. This event catalog is later used in a Monte Carlo simulation, in which we simulate cyber events, and for each event, we calculate the cost to the business.

‍

Types of Event Catalogs

‍

Cyber events can be divided into three groups - systemic events, targeted events, and attritional events. Since the modeling approach for the three types is different, Kovrr distinguishes between them in the model and creates a separate event catalog for each type.

‍

Systemic Events

‍

Systemic events represent attacks that are wide-reaching and are likely to affect a high number of companies in a particular region or industry sector. These events often have a high viral transmission between companies and an element of automation. That is to say, they are not targeting a specific company’s defenses but casting a wide net.

‍

Kovrr's Modeling Approach

‍

Kovrr produces a systemic event catalog of events that apply to all companies, and is updated regularly throughout the year. This catalog is presented to the modeled business to test the impact of each of these events as part of the Monte-Carlo modeling.

‍

Targeted Events

‍

Targeted events cover events where a specific company is a target, and typically an adversary would be able to try multiple approaches to achieve an objective. This type of attack often uses more sophisticated methods to achieve the intended attack and is more challenging to defend against.

‍

Kovrr's Modeling Approach

‍

Kovrr builds a catalog of events based on the specific profile of the company being modeled. The number of events modeled in each simulation year is set by the event frequency, which is adjusted based on the size, location, industry, technology profile, and security profile. Both the frequency of events and their details and parameterization are custom for a company, and based on its characteristics

‍

Attritional Events

‍

Attritional events are all the small cyber events that cause loss or disruption but are small in scale.

‍

Kovrr's Modeling Approach

‍

The attritional events are modeled in aggregate, with a single value selected from a statistical distribution. This attritional amount is calculated for each ‘simulation year’ as the total of all small events.

‍

Event Composition

‍

Each of the events in the catalogs is described using several parameters, some of which are shown in the results dashboard, and others are used internally as part of the cost calculations. These parameters include:

‍

• Technologies and services impacted are modeled based on the profile of the company
• Business impact CIA(E): Using the CIA(E) framework, the impact of each specific event in terms of the confidentiality, integrity and availability and extortion of data and services within the business is mapped.
• Impact Parameters are used to quantify the CIA(E) impact in terms of the duration of an outage, percentage of productivity/income affected or the number of data records impacted.
• Descriptors outline the way in which the incident unfolded, highlighting the initial attack vector and the likely cause/attacker, type of payload, lateral movement vectors, etc.
• Affected asset groups: which asset groups were affected by the event according to the simulated propagation of the event within the organization.

Examples of Event Descriptions

‍

Once the event catalogs are created, they are used in a Monte Carlo simulation, in which we simulate possible outcomes for the following year and for each year we simulate cyber events, and for each event, we calculate the cost to the business.

‍