From Theory to Practice: Building a Cyber Attack Path Model

Introduction

While KPMG’s 2020 cyber risk quantification paper presented interesting concepts, it left me asking “but how do we actually implement this?” I took their core attack path concept and built a working Monte Carlo simulation that hopefully anyone can use and understand. I focused on three interlinked components:

1. Threat Quantification (Contact Rate × Learning)

Rather than abstract threat levels, I model:

  • Annual attack attempts (base rate of 190)
  • Learning effect multiplier (2x) capturing attacker improvement

This gives us ~380 effective attacks per year to feed into our path calculations.

2. Attack Path Success Rate

I built Boolean logic into five key stages:

  • Initial Compromise: MAX(phishing, watering hole, USB) ≈ 10%
  • Malware Deployment: AND(deploy, command & control) ≈ 13%
  • Lateral Movement: MAX(exploit, discover, connect) ≈ 20%
  • Evasion: MAX(response, logging, detection) ≈ 40%
  • Action: AND(compromise, ransomware) ≈ 70%

The use of MAX for OR nodes and multiplication for AND nodes lets us model real attack paths while keeping calculations manageable.

3. Foundation Controls

A 1.2x multiplier representing how basic security controls enhance overall effectiveness. This ties individual control assessments to systemic improvement.

Making It Real

I implemented this as a Monte Carlo simulation using:

  • Parameters capturing base capabilities
  • Assessments providing realistic ranges
  • Expressions handling Boolean logic

The results (37%) closely match KPMG’s predicted 33% likelihood while providing equal insight into contributing factors.
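A minimal sketch of this kind of simulation, added here as an example; it is not the author's model and is not tuned to reproduce the 37% figure. Assumptions: the leaf ranges are constructed so their modes land near the stage values listed above, leaves are sampled from triangular distributions, the five stages are multiplied together, attempts are independent, and the foundation multiplier is left out because the post does not say where it enters the calculation.

```python
import random
from math import prod

ATTEMPTS, LEARNING = 190, 2.0   # base rate and learning multiplier from the post

# Constructed (low, mode, high) leaf ranges; modes chosen to land near the post's
# stage values. These are illustrative, not the author's assessment inputs.
STAGES = {
    "initial_compromise": ("OR",  {"phishing": (0.05, 0.10, 0.15),
                                   "watering_hole": (0.01, 0.04, 0.08),
                                   "usb": (0.00, 0.02, 0.05)}),
    "malware_deployment": ("AND", {"deploy": (0.25, 0.36, 0.45),
                                   "c2": (0.25, 0.36, 0.45)}),
    "lateral_movement":   ("OR",  {"exploit": (0.10, 0.20, 0.30),
                                   "discover": (0.05, 0.10, 0.15),
                                   "connect": (0.05, 0.10, 0.15)}),
    "evasion":            ("OR",  {"response": (0.30, 0.40, 0.50),
                                   "logging": (0.10, 0.20, 0.30),
                                   "detection": (0.10, 0.25, 0.35)}),
    "action":             ("AND", {"compromise": (0.75, 0.84, 0.92),
                                   "ransomware": (0.75, 0.84, 0.92)}),
}

def modes():
    """Point estimate: every leaf at its most likely value."""
    return {s: {leaf: r[1] for leaf, r in leaves.items()} for s, (_, leaves) in STAGES.items()}

def path_success(values):
    """OR stage = MAX of leaves, AND stage = product; stages are then multiplied."""
    return prod(max(v.values()) if STAGES[s][0] == "OR" else prod(v.values())
                for s, v in values.items())

def annual_likelihood(p_attempt):
    """P(at least one success per year), assuming independent attempts."""
    return 1.0 - (1.0 - p_attempt) ** (ATTEMPTS * LEARNING)

def simulate(trials=10_000, seed=1):
    """Sample each leaf from its triangular range; return sorted annual likelihoods."""
    rng = random.Random(seed)
    out = []
    for _ in range(trials):
        draw = {s: {leaf: rng.triangular(lo, hi, mode) for leaf, (lo, mode, hi) in leaves.items()}
                for s, (_, leaves) in STAGES.items()}
        out.append(annual_likelihood(path_success(draw)))
    return sorted(out)

if __name__ == "__main__":
    runs = simulate()
    print(f"point estimate: {annual_likelihood(path_success(modes())):.1%}")
    print(f"p5 / median / p95: {runs[500]:.1%} / {runs[5000]:.1%} / {runs[9500]:.1%}")
```

Setting a non-maximum leaf of an OR stage to zero leaves `path_success` unchanged, while halving any AND leaf halves it, which is why the gate type decides which control assessments move the result.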

When Theory Meets Reality

Key lessons from this implementation:

  1. Assessment honesty matters more than mathematical precision
  2. AND/OR logic drastically affects which controls matter most
  3. Foundation multipliers capture often-overlooked basics
  4. Monte Carlo helps understand probability ranges, not just point estimates

Next Steps

This model demonstrates what’s possible with:

  • Clear attack path definition
  • Boolean probability logic
  • Foundation control effects
  • Practical assessment ranges

The challenge now is tuning it for specific environments while maintaining its simplicity and usability.
