290 likes | 317 Views
Combining attack graphs and CVSS provides a qualitative and quantitative approach to understanding system vulnerabilities and threat levels. Our method calculates success probabilities of attacks, considering component metrics and cumulative metrics in the attack graph structure. Explore our approach to assess threats systematically.
E N D
Example One CVE-2006-3747 was identified on web server • Internet is allowed to access the web server through HTTP protocol and port
Exploit post-condition Exploit pre-condition Exploit post-condition
Pre- and Post-conditions can be used in constructing an attack graph The vulnerability exists webServer is network-accessible to an attacker The web service is running This attack is possible The consequence is that webServer is compromised
This process is completely automated What are your threats? attackerLocated(internet). hacl( internet, webServer, httpProtocol, httpPort ). hacl( H, H, _, _). networkServiceInfo( webServer, httpd, httpProtocol, httpPort, apache ). vulExists( webServer, cve_apache, httpd ). vulProperty( cve_apache, remoteExploit, privEscalation ). Firewall/network analyzer Vulnerability scanner NVD
But you do need a knowledge base execCode(H, Perm) :- vulExists(H, VulID, Software, remoteExploit, privEscalation), networkServiceInfo(H, Software, Protocol, Port, Perm), netAccess(H, Protocol, Port) The knowledge is completely independent of any site-specific settings.
Combining attack graphs and CVSS • Attack graph presents a qualitativeview of security problems • It shows what attacks are possible, but does not tell you how bad the problem is. • It captures the interactions among all attack possibilities in your system. • CVSS provides a quantitativeproperty of individual vulnerabilities • It tells you how bad an individual vulnerability could be. • But it does not tell you how bad it may be in your system.
Our Approach • Use CVSS to produce a component metric--- a numeric measure on the conditional probability of success of an attack step. Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. the component metric means Pr[c2 = T|c1 = T] This measure does not consider any attacker behavior
High => 0.2 Medium=> 0.6 Low => 0.9
Our Approach • Aggregate the probabilities over the attack-graph structure to provide a cumulative metric--- the probability of attacker success in your system. Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.
Calculation of the cumulative metrics c1 c2 Pr[c1]=? Pr[c1]=1 Pr[c2]=? Pr[c2]=0.2 Pr[c2|c1]=0.2 Pr[execCode(webServer, apache)]=0.2
Example Two CVE-2006-3747 was identified on web server • Internet is allowed to access the web server through HTTP protocol and port • Web server is allowed to access the MySQL database service on the dbase server CVE-2009-2446 was identified on db server
Exploit pre-condition Exploit post-condition Medium=> 0.6
0.2x0.6=0.12 1:execCode(dbServer,root) 2:remote exploit of a server program 3:netAccess(dbServer,dbProtocol,dbPort) 4:multi-hop access 5:hacl(webServer,dbServer,dbProtocol,dbPort) 6:execCode(webServer,apache) 7:remote exploit of a server program 8:netAccess(webServer,httpProtocol,httpPort) 9:direct network access 10:hacl(internet,webServer,httpProtocol,httpPort) 11:attackerLocated(internet) 12:networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache) 13:vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation) 14:networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root) 15:vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation) 0.2
Example Three CVE-2006-3747 was identified on web server CVE-2009-2446 was identified on db server • Internet is allowed to access the web server through HTTP protocol and port • Web server is allowed to access the MySQL database service on the db server • User workstations are allowed to access anywhere CVE-2009-1918 was identified on user workstations
Exploit pre-condition Exploit post-condition Low=> 0.9
6:execCode(webServer,apache) 11:execCode(workStation,normalAccount) 12:remote exploit of a client program 13:hasAccount(secretary,workStation,normalAccount) 14:canAccessMaliciousInput(workStation,secretary,internetExplorer) 15:Browsing a malicious website 17:hacl(workStation,internet,httpProtocol,httpPort) 21:Browsing a compromised website 24:isUserMachine(workStation) 25:isWebBrowser(internetExplorer) 26:inCompetent(secretary) 27:vulExists(workStation,cve_IE,internetExplorer,remoteExploit,privEscalation) 30:attackerLocated(internet) 34:hacl(workStation,dbServer,dbProtocol,dbPort)
Challenge • How to calculate probabilities in an attack graph with shared dependencies and cycles. • Bayesian Network • Frigault, et al., 2008, does not allow cycles • Assuming independence among attack paths • Wang, et al., 2008 • Customized data-flow algorithm with dynamic programming • Homer, et al., 2009
Result execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 Before:execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2
Prioritization • Given three hardening options: • Patching the web server • Patching the db server • Patching the workstation • Which one would you patch first?
Suppose we patch the web server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After:execCode(dbServer,root): 0.43 execCode(webServer,apache): 0 execCode(workStation,normalAccount): 0.72
Now let’s patch the db server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After:execCode(dbServer,root): 0 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
What if we block network access from Group 2 to Internal? Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After:execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
Optimizing Security Hardening Let Pr[execCode(dbServer,root)]=p1 Pr[execCode(webServer,apache)]=p2 Pr[execCode(workStation,normalAccount)]=p3 If C1,C2,C3 are the “cost” for the compromise of these three hosts respectively. Then your expected loss will be LE=C1*p1+C2*p2+C3*p3 All the hardening measures H1,H2,…Hn have costs as well. If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?
Challenges • Scalability of metric calculation • Heavily depends on the connectivity of attack graphs • Exponential in the worst case • Imprecise input problem • How sensitive is the outcome to the input component metrics? • Approximation algorithms to trade precision for scalability? • Optimization techniques
Summary • Quantitative security risk metrics are important in making sensible decisions in security hardening • People are already doing it in an ad-hoc way without any scientific basis • We want to transform it from a “black art” to a science
If you cannot measure it, you cannot improve it. ---Lord Kelvin