Next: Bibliography
Up: Raffael_Marty_GCIA
Previous: Graphing Event Data
Contents
Severity Analysis
The severity of an attack measures how much harm the attack can do to the organization. Not all attacks have the same impact: several factors determine how badly an attack can affect the targeted machine. The formula defining the severity is the following:
The single elements making up the severity are:
- Criticality: How critical is the target system to the organization? This factor has to be viewed from a business perspective: the more important the target is for the business, the higher the value. 5 indicates a very critical system.
- Lethality: How likely is it that the attack will do harm to the target machine? This factor can be used to reduce the impact of false positives generated by an IDS. Assume for example that an attack targets port 80, and that the port is not open on the target machine. If the IDS still generates an alarm for this attack, a low lethality reduces the importance of the event. 5 indicates that an attacker could gain root access to the entire network and the attack is therefore very lethal.
- System Countermeasures: What countermeasures are in place on the target system? A patched, up-to-date system with extra hardening performed gets a high number (5). A system which is missing patches or runs an older operating system gets a lower number.
- Network Countermeasures: What network countermeasures are deployed? Is there a firewall on the attack path? Is an IPS in place? Are there multiple access paths to the target system, and do they all employ the same security standards? Again, a 5 indicates good countermeasures.
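An added example (not code from the paper) that scores a few constructed IDS alerts with the four factors above and applies the port 80 false-positive rule from the lethality description. The formula is assumed to be the standard SANS/GIAC one, Severity = (Criticality + Lethality) - (System Countermeasures + Network Countermeasures), because the paper's own formula did not survive on this page; the alert names and ratings are constructed.

```python
# Added example, not from the original paper. The formula is assumed to be the
# standard SANS/GIAC one: (Criticality + Lethality) - (System CM + Network CM).

SCALE = range(1, 6)  # every factor is rated 1 (low) to 5 (high)

def check_scale(name, value):
    if value not in SCALE:
        raise ValueError(f"{name} must be 1..5, got {value}")
    return value

def severity(criticality, lethality, system_cm, network_cm):
    """Severity under the assumed SANS formula; possible range is -8..+8."""
    c = check_scale("criticality", criticality)
    l = check_scale("lethality", lethality)
    s = check_scale("system countermeasures", system_cm)
    n = check_scale("network countermeasures", network_cm)
    return (c + l) - (s + n)

def effective_lethality(rated_lethality, target_port_open):
    """False-positive rule from the text: an attack aimed at a port that is not
    listening on the target cannot do what its signature claims, so lethality
    drops to the minimum rating instead of the signature's rated value."""
    return rated_lethality if target_port_open else 1

def rank_alerts(alerts):
    """alerts: dicts with name, criticality, lethality, system_cm, network_cm,
    target_port_open. Returns (severity, name) pairs, most severe first."""
    scored = []
    for a in alerts:
        leth = effective_lethality(a["lethality"], a["target_port_open"])
        sev = severity(a["criticality"], leth, a["system_cm"], a["network_cm"])
        scored.append((sev, a["name"]))
    return sorted(scored, key=lambda t: (-t[0], t[1]))

# Constructed sample alerts (illustrative ratings, not real data)
ALERTS = [
    dict(name="web exploit vs closed port 80 on file server", criticality=4,
         lethality=5, system_cm=2, network_cm=2, target_port_open=False),
    dict(name="web exploit vs open port 80 on public web server", criticality=5,
         lethality=5, system_cm=3, network_cm=2, target_port_open=True),
    dict(name="port scan vs hardened, firewalled workstation", criticality=2,
         lethality=2, system_cm=5, network_cm=5, target_port_open=True),
]

if __name__ == "__main__":
    for sev, name in rank_alerts(ALERTS):
        print(f"{sev:+d}  {name}")
```

Note that the closed-port alert keeps its high signature lethality rating but drops from +5 to +1 once the rule is applied, which is the false-positive damping the text describes.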
Raffy
2004-12-20