H-Predictive Platform (PAR) merges digital twins and adversary simulation to anticipate attacks and manage risk in an ICT infrastructure, through a continuous, whole-lifecycle process of assessment and remediation.
The H-PAR (Predict, Assess, Remediate) platform proactively manages cyber risk throughout the life of an infrastructure, from design to operation. The platform uses digital twins, one for the infrastructure and one for each threat actor, to simulate adversary attacks without generating noise on the target infrastructure, and to support security by design. An attacker twin describes the attack surface the actor can reach, its goals, how it selects attacks and how it handles their failures; it can profile worms, insiders and outsiders. The infrastructure twin is an intelligent inventory with the information needed to compute attack paths, i.e. the escalations an attacker implements to reach a goal. The inventory describes the infrastructure modules, their connections, their vulnerabilities and the attacks those vulnerabilities enable; the infrastructure may include both OT and IT modules.

H-PAR then uses a Monte Carlo adversary simulation engine that applies AI techniques to run many twin-based simulations of the adversary attacks, so as to cover stochastic factors such as the success or failure of each attack. To discover attack paths accurately, H-PAR runs more than one hundred thousand simulations; this number of simulations is practical only with the digital-twin methodology, which automates the assessment and remediation process to a degree a manual assessment cannot match. The platform prevents an attacker from reaching a goal by interrupting every path the engine discovers, i.e. by deploying a countermeasure for at least one attack in each path. H-PAR selects countermeasures from an owner-defined catalog and minimizes their number or their cost by exploiting shared countermeasures as much as possible, i.e. countermeasures that target vulnerabilities enabling attacks in several distinct paths.
Data from real user/customer assessments confirm that the number of countermeasures needed to stop attackers is usually a small percentage of the total vulnerabilities affecting the infrastructure before the H-PAR process starts. This strongly reduces the effort and time needed to implement the remediations, and hence the cost and the feasibility of minimizing cyber risk throughout the infrastructure's life. This matters because a 2019 worldwide survey of the main complaints of cyber/IT specialists and managers reported an average mean time of about 75 days to patch a known vulnerability, and identified this delay, together with poor automation and lack of integration among cyber tools, as the cause of 80% of fatal breaches.

More in detail, H-PAR validates the countermeasures to deploy by iterating a procedure that simulates the attacks, selects countermeasures, updates the infrastructure twin to model their deployment and then repeats the simulations. Each iteration thus discovers how an adaptive attacker reacts to the deployed countermeasures by implementing distinct paths, and the procedure continues until the re-simulated attacker finds no path to its goals. Furthermore, H-PAR can anticipate the impact of suspected or unknown vulnerabilities by including them in the infrastructure twin before simulating the attacks. A distinctive advantage of H-PAR is that it can also stop paths that exploit suspected vulnerabilities, or vulnerabilities for which no countermeasure exists: since a path is interrupted by countering any one of its attacks, H-PAR deploys countermeasures for attacks that appear in the path before or after those with no known countermeasure.
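As an added illustration, not H-PAR's own code or algorithm, the following Python models the Predict/Assess/Remediate loop described above on a constructed toy inventory: seven attacks between IT modules and one OT module (PLC), each enabled by a vulnerability with an assumed success probability, an assumed countermeasure catalog with costs in which one vulnerability (V5) has no countermeasure, and two attacker twins (an outsider starting from the internet, an insider starting from the application server). Monte Carlo runs discover the attack paths, a minimum-cost hitting set picks countermeasures that interrupt every path, the twin is updated to model deployment, and the attacker is re-simulated until no stoppable path remains. All module names, vulnerability ids, probabilities and costs are invented for the example.

```python
import itertools
import random

# Constructed toy infrastructure twin (not a real inventory): each attack is
# (source module, target module, vulnerability id, success probability).
ATTACKS = [
    ("internet", "web", "V1", 0.9),
    ("internet", "vpn", "V2", 0.5),
    ("web", "app", "V3", 0.7),
    ("vpn", "app", "V3", 0.7),
    ("app", "db", "V4", 0.8),
    ("app", "plc", "V5", 0.6),   # OT module reached from the IT segment
    ("web", "db", "V6", 0.2),
]
# Constructed countermeasure catalog: vulnerability -> deployment cost.
# None means no countermeasure is known for that vulnerability.
CATALOG = {"V1": 3, "V2": 2, "V3": 4, "V4": 5, "V5": None, "V6": 2}
GOALS = {"db", "plc"}


def simulate_once(attacks, start, goals, rng):
    """One Monte Carlo run of an attacker twin that tries every attack
    available from a compromised module; each attempt succeeds with the
    attack's probability. Returns the attack paths (tuples of vulnerability
    ids) that reached a goal in this run."""
    reached = {start: ()}          # module -> vulnerabilities used to reach it
    frontier = [start]
    paths = set()
    while frontier:
        src = frontier.pop()
        for s, t, vuln, p in attacks:
            if s != src or t in reached or rng.random() >= p:
                continue
            reached[t] = reached[src] + (vuln,)
            if t in goals:
                paths.add(reached[t])
            else:
                frontier.append(t)
    return paths


def discover_paths(attacks, start, goals, runs=2000, seed=1):
    """Predict step: aggregate many runs into path -> number of runs in
    which the attacker completed it (stochastic success covered by volume)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(runs):
        for path in simulate_once(attacks, start, goals, rng):
            counts[path] = counts.get(path, 0) + 1
    return counts


def select_countermeasures(paths, catalog):
    """Assess step: choose the cheapest set of countermeasures that hits
    every path (brute force; the catalog is small). Smaller sets win ties,
    so shared countermeasures are preferred. Paths made only of
    vulnerabilities without a countermeasure are returned as unstoppable."""
    patchable = sorted(v for v, cost in catalog.items() if cost is not None)
    stoppable = [p for p in paths if any(v in patchable for v in p)]
    unstoppable = [p for p in paths if p not in stoppable]
    best, best_cost = None, None
    for k in range(len(patchable) + 1):
        for combo in itertools.combinations(patchable, k):
            if all(any(v in combo for v in p) for p in stoppable):
                cost = sum(catalog[v] for v in combo)
                if best is None or cost < best_cost:
                    best, best_cost = set(combo), cost
    return best, best_cost, unstoppable


def deploy(attacks, countermeasures):
    """Remediate step: update the twin so attacks enabled by a countered
    vulnerability are no longer available to the attacker."""
    return [a for a in attacks if a[2] not in countermeasures]


def par_loop(attacks, catalog, start, goals, max_rounds=5):
    """Predict -> Assess -> Remediate -> re-simulate until the attacker
    finds no stoppable path. Returns the deployed countermeasures, their
    total cost and the residual paths that no catalog entry can interrupt."""
    deployed, total = set(), 0
    for _ in range(max_rounds):
        paths = discover_paths(attacks, start, goals)
        chosen, cost, unstoppable = select_countermeasures(paths, catalog)
        if not chosen:
            return deployed, total, sorted(unstoppable)
        deployed |= chosen
        total += cost
        attacks = deploy(attacks, chosen)
    return deployed, total, sorted(discover_paths(attacks, start, goals))


if __name__ == "__main__":
    print(par_loop(ATTACKS, CATALOG, "internet", GOALS))  # outsider twin
    print(par_loop(ATTACKS, CATALOG, "app", GOALS))       # insider twin
```

For the outsider, the simulations discover five paths (three of them sharing V3, two of them passing through the uncounterable V5), yet two countermeasures (V1 and V2, the two entry attacks) interrupt all of them at a cost of 5, and the re-simulation confirms no path survives; the V5 paths are stopped by countering the attack that precedes V5, as the text describes. For the insider, V4 is countered and the loop reports the path made only of V5 as residual, which is the case a practitioner needs to see flagged rather than silently dropped. Note that the whole result is only as good as the twin: a missing connection, an unrecorded vulnerability or a wrong success probability in the inventory changes which paths exist and therefore which countermeasures are selected, so validating the inventory is part of the assessment.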