1 A PRM‐based Approach to Assessment of Network Security Fredrik Löf, Johan Stomberg, Teodor Sommestad, Mathias Ekstedt Royal Institute of Technology Jonas Hallberg, Johan Bengtsson Swedish Defence Research Agency
2 Agenda
o Aim, Scope and Requirements
o Related works – Attack Graphs
o The Probabilistic Relational Model (PRM) approach in general
o The example from the paper
3 The control system is complex
o Advanced functionality
o Interconnected
o Heterogeneous third-party components
Actually, I don’t even know everything I have out there… Is my control system secure enough?
4 Vulnerabilities are potentially everywhere
And how does all of this relate? How do vulnerabilities propagate?
5 Poor decision support for cyber security
Plenty of reference material:
o NIST SP 800-82, NERC CIP, ISO 27004, ISA-SP99, material from US-CERT, SCADA Procurement Language, CORAS, OCTAVE, CRAMM…, books, articles…
o Vulnerability databases, Wikipedia…
But, how do they relate? Overlap. Different focus. Blank spots? Consequences. Priorities.
No holistic scope that helps the decision maker see the consequences of decisions.
Should I spend my budget on a staff training program, logging functionality, or new firewalls?
6 Requirements from the decision-maker
Relevant predictions of security risk of solutions
o Holistic scope of the assessment
o High enough precision of assessment: at least order different solution alternatives
o The likelihood of security breaches/incidents (could be seen as part of the definition of ”risk”)
Minimize work for the decision-maker
o Low cost to perform analyses/assessments
  Practical availability of data needed for the analyses (I know I use DNP3, perhaps that it is encrypted, definitely not the encryption algorithm/strength)
  Reusability of analysis data (I can’t afford to start from scratch every time security is to be reviewed/considered)
  Compatible with other types of analyses (security is one out of many properties…)
o Theory should not need to be known in detail to the decision-maker (I know what I have, not exactly how security works; compare to users of CAD programs)
Support is needed now! Decisions are taken today no matter if relevant topics are researched or not…
7 Requirements
Minimize work for industrial analyst/decision-maker
o Low modeling cost
  Reusability of information
  Compatible with other types of analyses
  Data that is available and known to the analyst (impossible for the analyst to give the encryption strength, because they don't know)
o Theory should not need to be known in detail to the analyst (compare to users of CAD programs)
o Support is needed now! Decisions are taken today no matter if we have researched
Make correct predictions
o All-encompassing theory: we are not only focusing on exploits
o High enough precision
  Problem with subjectivity
  Problem with simplifications – we simplify all the potential states in a computer and its software, but so do most attack graph approaches
  Problem with false negatives / 0-day (volatile theory)
  Compare different alternatives – poor data on the world will always be present, so the theory does not need to be more precise than that…
– Relevant predictions, useful to the analyst
o Attack graphs only say whether something is possible, not how difficult it is or how likely it is that something happens
8 Related works
There are more than 100 articles describing methods that try to quantify security (Verendel, 2009):
o They do not always quantify things that are relevant to the decision maker – FIND EXAMPLE
o While there are many methods, few of these have been validated to measure security
So there is plenty of related work; the most commonly used methods appear to be
o Qualitative modeling approaches, e.g. I-star, Secure Tropos, misuse cases, attack trees etc.
o Risk assessment methods, e.g. CORAS, CRAMM, ISRAM
These fail because they do not separate concerns.
Attack graphs provide a clear separation between what the decision maker should do and what can be captured in formalism.
9 Attack graphs (our fundament)
Picture from: Heberlein et al., A Taxonomy for Comparing Attack-Graph Approaches. Retrieved from http://www.netsq.com/Documents/AttackGraphPaper.pdf.
[Figure: attack graph; labels: The network’s state, The attacker’s identity/identities, Condition/state]
10 Applying attack graphs
[Figure: Theory + System model → State X reachable?]
Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.
11 Identity: For all hosts, what access level does the adversary own?
Network: For all hosts, what vulnerable services are running? (what ports are open)
o Is there a physical connection between host X and host Y?
o Can service Z on host Y be called from host X?
o What paths does the IDS monitor?
[Figure: matrix of hosts (Host 1 … Host N) against services (Service 1 … Service N) marking whether each service is accessible; columns labelled Attack steps and Conditions]
12 [Same slide as 11, with an example attack step added to the figure: Host → Malicious code attack → Admin level request]
13 Others that suggest probabilistic attack graphs
o Sheyner, O., Scenario graphs and attack graphs, PhD thesis, Carnegie Mellon University, 2004.
o Liu, Y., & Hong, M., Network vulnerability assessment using Bayesian networks. In Proceedings of Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security (pp. 61-71). Orlando, Florida, USA, 2005.
o Frigault, M., & Wang, L., Measuring network security using Bayesian network-based attack graphs. In Proceedings of the 3rd IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA’08), 2008.
o Frigault, M., Wang, L., Singhal, A., & Jajodia, S., Measuring network security using dynamic Bayesian network. In Proceedings of the 4th ACM Workshop on Quality of Protection, 2008.
o Homer, J., Manhattan, K., Ou, X., Schmidt, D., A Sound and Practical Approach to Quantifying Security Risk in Enterprise Networks. Kansas State University, 2010. http://people.cis.ksu.edu/~xou/publications/tr_homer_0809.pdf
14 [Figure: Theory + System model → P(State X reachable)]
Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.
PRMs (Probabilistic relational models)
o General conditional probabilities
o Also includes humans, processes etc
o Manual
15 Probabilistic attack/defense graphs - theory
Conditional probability table for "Use unknown connection" given "Asset inventory":

                              Asset inventory
Use unknown connection        True      False
  True                        0.02      0.08
  False                       0.98      0.92

16 Probabilistic attack/defense graphs - data
[Figure: instantiated attack/defense graph with edges marked Possible / Impossible]
17 Connecting attack/defense graphs and modeling languages More formally… Probabilistic Relational Models (http://dags.stanford.edu/PRMs/)
18 But, where do the conditional probabilities come from?
Existing knowledge
o Documented knowledge (literature / articles / reports / vulnerability DBs / …); typically detailed knowledge that needs to be abstracted
o Experts
Not yet elicited knowledge
o Experiments
o Observations
o Case studies
Our principal strategy is not to discover new theory but to combine existing theory into a consistent, more holistic model
o Sure, we know too little…
o But, many practitioners also use too little of what we already know…

                              Asset inventory
Use unknown connection        True      False
  True                        0.02      0.08
  False                       0.98      0.92
19 The example: a PRM for Network Security
Conditional probability table for Firewall.BypassSpoofCountermeasure given its two parent attributes:

Firewall.MaliciousCodeAttack          T      T      F      F
Firewall.ExploitRemoteAccess          T      F      T      F
Firewall.BypassSpoofCountermeasure
  T                                   1      1      1      0.05
  F                                   0      0      0      0.95
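As an added illustration (not code from the paper or the slides), the two conditional probability tables above can be evaluated directly: the block marginalises over the parent attack steps and orders candidate countermeasures by the resulting probability that the spoof countermeasure is bypassed, which is the "at least order different solution alternatives" requirement from slide 6. The prior probabilities of the parent steps and the two named alternatives are constructed assumptions, not values from the paper.

```python
from itertools import product

# CPTs transcribed from the slides. Each CPT names its parent attributes and
# gives P(child = True) for every combination of parent truth values.

# Slide 15: P(Use unknown connection = True | Asset inventory)
CPT_USE_UNKNOWN_CONNECTION = {
    "parents": ("AssetInventory",),
    "p_true": {(True,): 0.02, (False,): 0.08},
}

# Slide 19: P(Firewall.BypassSpoofCountermeasure = True | parents)
CPT_BYPASS_SPOOF = {
    "parents": ("Firewall.MaliciousCodeAttack", "Firewall.ExploitRemoteAccess"),
    "p_true": {(True, True): 1.0, (True, False): 1.0,
               (False, True): 1.0, (False, False): 0.05},
}


def marginal_true(cpt, parent_priors):
    """P(child = True), summed over all parent states. Parents are treated as
    independent, each with the given P(parent = True)."""
    parents = cpt["parents"]
    total = 0.0
    for values in product((True, False), repeat=len(parents)):
        weight = 1.0
        for name, value in zip(parents, values):
            p = parent_priors[name]
            weight *= p if value else 1.0 - p
        total += weight * cpt["p_true"][values]
    return total


def rank_alternatives(cpt, alternatives):
    """Order named alternatives (each a dict of parent priors) by the resulting
    P(child = True), lowest first."""
    scored = [(name, marginal_true(cpt, priors)) for name, priors in alternatives.items()]
    return sorted(scored, key=lambda item: item[1])


# Constructed example priors (hypothetical, not from the paper): a baseline and
# two candidate countermeasures that each lower one parent attack step.
BASELINE = {"Firewall.MaliciousCodeAttack": 0.3, "Firewall.ExploitRemoteAccess": 0.2}
ALTERNATIVES = {
    "baseline": BASELINE,
    "harden remote access": {**BASELINE, "Firewall.ExploitRemoteAccess": 0.05},
    "content filtering": {**BASELINE, "Firewall.MaliciousCodeAttack": 0.1},
}

if __name__ == "__main__":
    for name, p in rank_alternatives(CPT_BYPASS_SPOOF, ALTERNATIVES):
        print(f"{name:22s} P(BypassSpoofCountermeasure) = {p:.3f}")
```

Because the slide-19 table makes the bypass certain whenever either parent step succeeds, the only term the countermeasures can change is the 0.05 residual weighted by the probability that both parents fail.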
20 Indication of quality of the theory
Classes and attributes, with the sources for the qualitative and quantitative parts of the theory and the assessed uncertainty (marks given as on the slide):

Class                    Attribute                           Qualitative          Quantitative   Uncertainty
Firewall                 Bypass Packet Filtering             [10,13,17,18]        **             H
Firewall                 Spoof Attack                        [10,13,19]           *              L
Firewall                 Bypass Spoof Countermeasure         [10,13,19,11]        **             H
Firewall                 Reconnaissance Attack               [9,15,20,16,21]      **             L
Firewall                 Bypass Content Filtering            [10,17,19]           **             H
Firewall                 Malicious Code Attack               [18,19,22,17]        [23,24]        H
Firewall                 Exploit Remote Access               [10,18]              *              L
Authentication Service   Bypass Authentication Mechanism     [17,22,19,25]        *              L
Authentication Service   False Certificate Attack            [17,11]              **             H
…
21 Combined Endeavor 07
NATO + Partners, yearly exercise
22 PRM‐based security risk assessment in summary
o Holistic
o Probabilistic/indicative
o System architecture model-based