The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Internal Report discusses ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Interagency Report 7788, # pages (August 2011)

SECURITY RISK ANALYSIS OF ENTERPRISE NETWORKS USING PROBABILISTIC ATTACK GRAPHS

Acknowledgements

The authors Anoop Singhal and Xinming Ou would like to thank their colleagues who reviewed drafts of this document and contributed to its development. A special note of thanks goes to Peter Mell, Harold Booth, Ron Boisvert, Ramaswamy Chandramouli, and Kevin Stine of NIST for serving as reviewers for this document. The authors also acknowledge Elizabeth Lennon for her technical editing and administrative support.
Executive Summary

Today's information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities. To more accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks.

Audience

This document is intended for three primary audiences:

Federal agencies seeking information on how to use probabilistic attack graphs for security risk analysi...
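The executive summary describes propagating attack likelihoods through an attack graph and then using the resulting metric for mitigation analysis. The following is an added illustration of that idea, written for this page; it is not code from the NIST report and does not reproduce the report's own propagation algorithm. It assumes a small acyclic AND/OR graph (exploits are AND nodes whose preconditions must all hold, derived conditions are OR nodes reachable through any enabling exploit), independent exploit success probabilities, and a constructed three-host topology with assumed per-exploit probabilities; all node names and numbers are made up for the example.

```python
"""Toy probabilistic attack graph: propagate per-exploit success likelihoods
through AND/OR nodes to a cumulative compromise probability, then compare
mitigation options by rerunning the analysis with one condition removed.

All node names, probabilities and the topology below are constructed for
this example; they are not taken from the NIST report.
"""
from functools import lru_cache
from typing import Dict, List, Tuple

# Node kinds:
#   "fact":    leaf condition; probability given directly (1.0 = attacker already has it)
#   "exploit": AND node; succeeds only if ALL preconditions hold, times its own probability
#   "derived": OR node; holds if ANY of the exploits that yield it succeeds
Graph = Dict[str, Tuple[str, float, List[str]]]


def build_example_graph() -> Graph:
    """Constructed scenario: attacker on the internet -> web server -> database."""
    return {
        "attacker_on_internet": ("fact", 1.0, []),
        "web_server_vuln": ("fact", 1.0, []),
        "db_service_vuln": ("fact", 1.0, []),
        "weak_db_credentials": ("fact", 1.0, []),
        # Exploit success probabilities are assumed values (in practice they
        # might be derived from a scoring system such as CVSS).
        "exploit_web": ("exploit", 0.8, ["attacker_on_internet", "web_server_vuln"]),
        "exec_on_web": ("derived", 1.0, ["exploit_web"]),
        "exploit_db_service": ("exploit", 0.5, ["exec_on_web", "db_service_vuln"]),
        "guess_db_credentials": ("exploit", 0.6, ["exec_on_web", "weak_db_credentials"]),
        "access_db": ("derived", 1.0, ["exploit_db_service", "guess_db_credentials"]),
    }


def attack_likelihood(graph: Graph, target: str) -> float:
    """Cumulative probability that `target` becomes reachable.

    Assumes the graph is acyclic and exploit outcomes are independent
    (a simplification: shared preconditions make OR branches correlated).
    """

    @lru_cache(maxsize=None)
    def prob(node: str) -> float:
        kind, p, deps = graph[node]
        if kind == "fact":
            return p
        if kind == "exploit":  # AND: product of preconditions times own success rate
            result = p
            for d in deps:
                result *= prob(d)
            return result
        if kind == "derived":  # OR: 1 - probability that every enabling exploit fails
            fail = 1.0
            for d in deps:
                fail *= 1.0 - prob(d)
            return 1.0 - fail
        raise ValueError(f"unknown node kind {kind!r} for {node}")

    return prob(target)


def mitigation_analysis(graph: Graph, target: str, candidates: List[str]) -> Dict[str, float]:
    """Residual likelihood of `target` after neutralising each candidate condition
    on its own (e.g. patching a vulnerability sets that precondition to 0)."""
    results: Dict[str, float] = {}
    for fix in candidates:
        patched = dict(graph)
        kind, _, deps = patched[fix]
        patched[fix] = (kind, 0.0, deps)
        results[fix] = attack_likelihood(patched, target)
    return results


if __name__ == "__main__":
    g = build_example_graph()
    print("P(access_db) baseline:", round(attack_likelihood(g, "access_db"), 3))
    for fix, residual in mitigation_analysis(
        g, "access_db", ["web_server_vuln", "db_service_vuln", "weak_db_credentials"]
    ).items():
        print(f"  fix {fix:<22} -> residual P(access_db) = {residual:.3f}")
```

Running the script ranks the three candidate fixes by how much each lowers the probability of reaching the database: patching the web server removes the only entry point and drives the metric to zero, while either database-side fix closes just one of the two OR branches and leaves the other open. That ordering, rather than the raw vulnerability count, is the kind of signal the summary refers to when it speaks of using the metric for risk mitigation.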