{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:19:43Z","timestamp":1754158783273,"version":"3.41.2"},"reference-count":25,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2017,3,13]],"date-time":"2017-03-13T00:00:00Z","timestamp":1489363200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,3,13]]},"abstract":"\nPurpose<\/jats:title>\nIt is often argued that the increased automation and availability of offensive cyber tools has decreased the skill and knowledge required by attackers. Some say that all it takes to succeed with an attack is to follow some instructions and push some buttons. This paper aims to tests this idea empirically through live exploits and vulnerable machines in a cyber range.<\/jats:p>\n<\/jats:sec>\n\nDesign\/methodology\/approach<\/jats:title>\nThe experiment involved 204 vulnerable machines in a cyber range. Exploits were chosen based on the results of automated vulnerability scanning. Each exploit was executed following a set of carefully planned actions that enabled reliable tests. A total of 1,223 exploitation attempts were performed.<\/jats:p>\n<\/jats:sec>\n\nFindings<\/jats:title>\nA mere eight exploitation attempts succeeded. All these involved the same exploit module (ms08_067_netapi). It is concluded that server-side attacks still are too complicated for novices who lack the skill or knowledge to tune their attacks.<\/jats:p>\n<\/jats:sec>\n\nOriginality\/value<\/jats:title>\nThis paper presents the largest conducted test of exploit effectiveness to date. It also presents a sound method for reliable tests of exploit effectiveness (or system vulnerability).<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-08-2016-0069","type":"journal-article","created":{"date-parts":[[2017,3,1]],"date-time":"2017-03-01T08:28:36Z","timestamp":1488356916000},"page":"47-61","source":"Crossref","is-referenced-by-count":6,"title":["So long, and thanks for only using readily available scripts"],"prefix":"10.1108","volume":"25","author":[{"given":"Hannes","family":"Holm","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Teodor","family":"Sommestad","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"first-page":"17","article-title":"A preliminary analysis of vulnerability scores for attacks in wild: the ekits and sym datasets","year":"2012","key":"key2020120810525728700_ref001"},{"first-page":"165","article-title":"Quantitative assessment of risk reduction with cybercrime black market monitoring","year":"2013","key":"key2020120810525728700_ref002"},{"key":"key2020120810525728700_ref003","unstructured":"Balenson, D., Tinnel, L. and Benzel, T. (2015), \u201cCybersecurity experimentation of the future (CEF): catalyzing a new generation of experimental cybersecurity research\u201d, SRI International, Technical Report, available at: www.cyberexperimentation.org\/report\/"},{"key":"key2020120810525728700_ref004","unstructured":"Beardsley, T. (2013), \u201cMetasploit reliability ranking system\u201d, Github, available at: https:\/\/github.com\/rapid7\/metasploit-framework\/wiki\/Exploit-Ranking (accessed 9 June 2016)."},{"issue":"8","key":"key2020120810525728700_ref005","doi-asserted-by":"crossref","first-page":"719","DOI":"10.1016\/j.cose.2011.08.004","article-title":"The cyber threat landscape: challenges and future research directions","volume":"30","year":"2011","journal-title":"Computers & Security"},{"key":"key2020120810525728700_ref006","unstructured":"Dondo, M., Risto, J. and Sawilla, R. (2015), \u201cReliability of exploits and consequences for decision support\u201d, Technical Report, Defence Research and Development Canada, pp. 1-16, available at: http:\/\/pubs.drdc-rddc.gc.ca\/BASIS\/pcandid\/www\/engpub\/DDW?W%3DSYSNUM=801970"},{"key":"key2020120810525728700_ref007","doi-asserted-by":"crossref","unstructured":"Dumitras, T. and Shou, D. (2011), \u201cToward a standard benchmark for computer security research: the Worldwide Intelligence Network Environment (WINE)\u201d, Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Salzburg, pp. 89-96, available at: http:\/\/dl.acm.org\/citation.cfm?id=1978683 (accessed 10 April 2011).","DOI":"10.1145\/1978672.1978683"},{"first-page":"57","article-title":"Visualization is better! a comparative evaluation","year":"2009","key":"key2020120810525728700_ref008"},{"first-page":"81","article-title":"An updated taxonomy for characterizing hackers according to their threat properties","year":"2012","key":"key2020120810525728700_ref009"},{"key":"key2020120810525728700_ref010","unstructured":"Holm, H. (2012), \u201cPerformance of automated network vulnerability scanning at remediating security issues\u201d, Computers & Security, available at: www.sciencedirect.com\/science\/article\/pii\/S0167404811001696 (accessed 21 November 2012)."},{"volume-title":"SVED: Scanning, Vulnerabilities, Exploits and Detection","year":"2016","key":"key2020120810525728700_ref013"},{"issue":"6","key":"key2020120810525728700_ref014","article-title":"Empirical analysis of system-level vulnerability metrics through actual attacks","volume":"9","year":"2012","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"issue":"6","key":"key2020120810525728700_ref012","doi-asserted-by":"crossref","first-page":"626","DOI":"10.1109\/TDSC.2014.2382574","article-title":"P CySeMoL: predictive, probabilistic cyber security modeling language","volume":"12","year":"2015","journal-title":"Dependable and Secure Computing, IEEE Transactions on"},{"issue":"4","key":"key2020120810525728700_ref011","article-title":"A quantitative evaluation of vulnerability scanning","volume":"19","year":"2011","journal-title":"Information Management & Computer Security"},{"volume-title":"Threat Landscape and Good Practice Guide for Internet Infrastructure","year":"2015","key":"key2020120810525728700_ref015"},{"issue":"3","key":"key2020120810525728700_ref016","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1109\/MITP.2009.46","article-title":"Cyberattacks: why, what, who, and how","volume":"11","year":"2009","journal-title":"IT Professional Magazine"},{"key":"key2020120810525728700_ref017","unstructured":"McQueen, M., Boyer, W.F., Flynn, M.A. and Beitel, G.A. (2006), \u201cTime-to-compromise model for cyber risk reduction estimation\u201d, Quality of Protection, available at: www.springerlink.com\/index\/JP46737M7466870N.pdf (accessed 23 June 2010)."},{"issue":"8","key":"key2020120810525728700_ref018","doi-asserted-by":"crossref","first-page":"1098","DOI":"10.1109\/TC.2008.42","article-title":"Testing a collaborative DDoS defense in a red Team\/Blue team exercise","volume":"57","year":"2008","journal-title":"IEEE Transactions on Computers"},{"first-page":"1","article-title":"The effects of vulnerability disclosure policy on the diffusion of security attacks","year":"2012","key":"key2020120810525728700_ref019"},{"issue":"1","key":"key2020120810525728700_ref020","doi-asserted-by":"crossref","first-page":"43","DOI":"10.2307\/41410405","article-title":"Are markets for vulnerabilities effective?","volume":"36","year":"2012","journal-title":"MIS Quarterly"},{"key":"key2020120810525728700_ref021","unstructured":"Robinson, N. (2016), \u201cNATO: changing gear on cyber defence\u201d, NATO, available at: www.nato.int\/docu\/review\/2016\/Also-in-2016\/cyber-defense-nato-security-role\/EN\/ (accessed 15 June 2016)."},{"issue":"2","key":"key2020120810525728700_ref022","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1016\/j.diin.2006.03.001","article-title":"A two-dimensional circumplex approach to the development of a hacker taxonomy","volume":"3","year":"2006","journal-title":"Digital investigation"},{"key":"key2020120810525728700_ref023","doi-asserted-by":"crossref","unstructured":"Simmonds, A., Sandilands, P. and van Ekert, L. (2004), \u201cAn ontology for network security attacks\u201d, Lecture Notes in Computer Science, pp. 317-323, available at: www.springerlink.com\/index\/1LQ24LD9UDHX9G8Q.pdf","DOI":"10.1007\/978-3-540-30176-9_41"},{"first-page":"7.1","article-title":"Experimentation on operational cyber security in CRATE","year":"2015","key":"key2020120810525728700_ref024"},{"issue":"5","key":"key2020120810525728700_ref025","doi-asserted-by":"crossref","first-page":"516","DOI":"10.1108\/ICS-06-2014-0036","article-title":"An empirical test of the accuracy of an attack graph analysis tool","volume":"23","year":"2015","journal-title":"Information and Computer Security"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-08-2016-0069\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-08-2016-0069\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:07Z","timestamp":1753406587000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/1\/47-61\/109739"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3,13]]},"references-count":25,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,3,13]]}},"alternative-id":["10.1108\/ICS-08-2016-0069"],"URL":"https:\/\/doi.org\/10.1108\/ics-08-2016-0069","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,3,13]]}}}