From the Outside In

Predicting internal security incidents with external network data


Abstract

It goes without saying that the Internet is far from secure. As the number of Internet-connected devices increases, so does the number of cyberattacks we have to deal with. Numerous industry reports reveal significant year-over-year increases in software vulnerabilities. These issues plague enterprises of all sizes, in both the public and private sector. In light of these findings, it becomes imperative for businesses, regardless of size, to prioritize cybersecurity and re-evaluate their current defense mechanisms against this evolving threat landscape, which has emphasized the importance of proactive approaches to managing and mitigating cybersecurity risk. Organizations can take a great many steps to achieve this, but mostly choose security measures that revolve around compliance requirements and standardized methodologies and frameworks to improve their overall security posture. However, it remains unclear to what extent such investments have their desired effect. This is mainly because security is a latent property that cannot be measured directly. Alternative approaches have recently emerged that aim to measure security more directly. Instead of relying on self-reported data, internal or otherwise, firms gather externally accessible data and train a classifier on it, enabling it to predict, with a certain level of accuracy, which organizations are likely to experience (large-scale) breaches. Still, it is not clear how metrics derived purely from external measurements compare to the security level derived from internal measurements of an organization's network. This reveals the necessity of taking the internal state of networks into account when observing external security signals, instead of relying exclusively on externally observable or publicly reported data breaches. This dissertation studies the feasibility of security incident prediction and risk estimation. It examines how external network scan data can be leveraged to infer information about the internal security state of an organization's network. Thus, we aim to answer the following research question: How can internal security incidents be predicted by leveraging external network signals?