Presentation is loading. Please wait.

Presentation is loading. Please wait.

Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server.

Similar presentations


Presentation on theme: "Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server."— Presentation transcript:

1 Example One Internet is allowed to access the web server through HTTP protocol and port CVE was identified on web server

2 Exploit pre-condition Exploit post-condition

3 Pre- and Post-conditions can be used in constructing an attack graph webServer is network-accessible to an attacker The web service is running The vulnerability exists This attack is possible The consequence is that webServer is compromised

4 This process is completely automated attackerLocated(internet). hacl( internet, webServer, httpProtocol, httpPort ). hacl( H, H, _, _). networkServiceInfo( webServer, httpd, httpProtocol, httpPort, apache ). vulExists( webServer, cve_apache, httpd ). vulProperty( cve_apache, remoteExploit, privEscalation ). What are your threats? Firewall/netw ork analyzer Vulnerability scanner NVD

5 But you do need a knowledge base execCode(H, Perm) :- vulExists(H, VulID, Software, remoteExploit, privEscalation), networkServiceInfo(H, Software, Protocol, Port, Perm), netAccess(H, Protocol, Port) The knowledge is completely independent of any site-specific settings.

6 Combining attack graphs and CVSS Attack graph presents a qualitative view of security problems – It shows what attacks are possible, but does not tell you how bad the problem is. – It captures the interactions among all attack possibilities in your system. CVSS provides a quantitative property of individual vulnerabilities – It tells you how bad an individual vulnerability could be. – But it does not tell you how bad it may be in your system.

7 Our Approach Use CVSS to produce a component metric --- a numeric measure on the conditional probability of success of an attack step. Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. the component metric means Pr[c2 = T|c1 = T] This measure does not consider any attacker behavior

8 High => 0.2 Medium=> 0.6 Low => 0.9 High => 0.2 Medium=> 0.6 Low => 0.9

9 Our Approach Aggregate the probabilities over the attack-graph structure to provide a cumulative metric --- the probability of attacker success in your system. Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.

10 Calculation of the cumulative metrics c1 c2 Pr[c2|c1]=0.2 Pr[c2]=? Pr[c1]=? Pr[c1]=1 Pr[c2]=0.2 Pr[execCode(webServer, apache)]=0.2

11 Example Two CVE was identified on web server Internet is allowed to access the web server through HTTP protocol and port Web server is allowed to access the MySQL database service on the dbase server CVE was identified on db server

12 Exploit pre-condition Exploit post-condition Medium=> 0.6

13 1:execCode(dbServer,root) 2:remote exploit of a server program 3:netAccess(dbServer,dbProtocol,dbPort) 4:multi-hop access 5:hacl(webServer,dbServer,dbProtocol,dbPort) 6:execCode(webServer,apache) 7:remote exploit of a server program 8:netAccess(webServer,httpProtocol,httpPort) 9:direct network access 10:hacl(internet,webServer,httpProtocol,httpPort) 11:attackerLocated(internet) 12:networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache) 13:vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation) 14:networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root) 15:vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation) x0.6=0.12

14 Example Three Internet is allowed to access the web server through HTTP protocol and port Web server is allowed to access the MySQL database service on the db server User workstations are allowed to access anywhere CVE was identified on web server CVE was identified on db server CVE was identified on user workstations

15 Exploit pre-condition Exploit post-condition Low=> 0.9

16 Possible attack paths

17

18 6:execCode(webServer,apache) 11:execCode(workStation,normalAccount) 12:remote exploit of a client program 13:hasAccount(secretary,workStation,norma lAccount) 14:canAccessMaliciousInput(workStation,se cretary,internetExplorer) 15:Browsing a malicious website 17:hacl(workStation,internet,httpProtocol,htt pPort) 21:Browsing a compromised website 24:isUserMachine(workStation) 25:isWebBrowser(internetExplorer) 26:inCompetent(secretary) 27:vulExists(workStation,cve_IE,internetExplorer, remoteExploit,privEscalation) 30:attackerLocated(internet) 34:hacl(workStation,dbServer,dbProtocol,dbPort)

19

20 Challenge How to calculate probabilities in an attack graph with shared dependencies and cycles. – Bayesian Network Frigault, et al., 2008, does not allow cycles – Assuming independence among attack paths Wang, et al., 2008 – Customized data-flow algorithm with dynamic programming Homer, et al., 2009

21 Result execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 Before: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2

22 Prioritization Given three hardening options: – Patching the web server – Patching the db server – Patching the workstation Which one would you patch first?

23 Suppose we patch the web server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After: execCode(dbServer,root): 0.43 execCode(webServer,apache): 0 execCode(workStation,normalAccount): 0.72

24 Now let’s patch the db server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After: execCode(dbServer,root): 0 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

25 What if we block network access from Group 2 to Internal? Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

26 Optimizing Security Hardening Let Pr[execCode(dbServer,root)]=p 1 Pr[execCode(webServer,apache)]=p 2 Pr[execCode(workStation,normalAccount)]=p 3 If C 1,C 2,C 3 are the “cost” for the compromise of these three hosts respectively. Then your expected loss will be LE=C 1 *p 1 +C 2 *p 2 +C 3 *p 3 All the hardening measures H 1,H 2,…H n have costs as well. If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?

27 Challenges Scalability of metric calculation – Heavily depends on the connectivity of attack graphs – Exponential in the worst case Imprecise input problem – How sensitive is the outcome to the input component metrics? – Approximation algorithms to trade precision for scalability? Optimization techniques

28 Summary Quantitative security risk metrics are important in making sensible decisions in security hardening – People are already doing it in an ad-hoc way without any scientific basis – We want to transform it from a “black art” to a science

29 If you cannot measure it, you cannot improve it. ---Lord Kelvin


Download ppt "Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server."

Similar presentations


Ads by Google