1 / 29

Example One

Example One. CVE-2006-3747 was identified on web server. Internet is allowed to access the web server through HTTP protocol and port. Exploit post-condition. Exploit pre-condition. Exploit post-condition. Pre- and Post-conditions can be used in constructing an attack graph.

cutter
Download Presentation

Example One

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Example One CVE-2006-3747 was identified on web server • Internet is allowed to access the web server through HTTP protocol and port

  2. Exploit post-condition Exploit pre-condition Exploit post-condition

  3. Pre- and Post-conditions can be used in constructing an attack graph The vulnerability exists webServer is network-accessible to an attacker The web service is running This attack is possible The consequence is that webServer is compromised

  4. This process is completely automated What are your threats? attackerLocated(internet). hacl( internet, webServer, httpProtocol, httpPort ). hacl( H, H, _, _). networkServiceInfo( webServer, httpd, httpProtocol, httpPort, apache ). vulExists( webServer, cve_apache, httpd ). vulProperty( cve_apache, remoteExploit, privEscalation ). Firewall/network analyzer Vulnerability scanner NVD

  5. But you do need a knowledge base execCode(H, Perm) :- vulExists(H, VulID, Software, remoteExploit, privEscalation), networkServiceInfo(H, Software, Protocol, Port, Perm), netAccess(H, Protocol, Port) The knowledge is completely independent of any site-specific settings.

  6. Combining attack graphs and CVSS • Attack graph presents a qualitativeview of security problems • It shows what attacks are possible, but does not tell you how bad the problem is. • It captures the interactions among all attack possibilities in your system. • CVSS provides a quantitativeproperty of individual vulnerabilities • It tells you how bad an individual vulnerability could be. • But it does not tell you how bad it may be in your system.

  7. Our Approach • Use CVSS to produce a component metric--- a numeric measure on the conditional probability of success of an attack step. Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. the component metric means Pr[c2 = T|c1 = T] This measure does not consider any attacker behavior

  8. High => 0.2 Medium=> 0.6 Low => 0.9

  9. Our Approach • Aggregate the probabilities over the attack-graph structure to provide a cumulative metric--- the probability of attacker success in your system. Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.

  10. Calculation of the cumulative metrics c1 c2 Pr[c1]=? Pr[c1]=1 Pr[c2]=? Pr[c2]=0.2 Pr[c2|c1]=0.2 Pr[execCode(webServer, apache)]=0.2

  11. Example Two CVE-2006-3747 was identified on web server • Internet is allowed to access the web server through HTTP protocol and port • Web server is allowed to access the MySQL database service on the dbase server CVE-2009-2446 was identified on db server

  12. Exploit pre-condition Exploit post-condition Medium=> 0.6

  13. 0.2x0.6=0.12 1:execCode(dbServer,root) 2:remote exploit of a server program 3:netAccess(dbServer,dbProtocol,dbPort) 4:multi-hop access 5:hacl(webServer,dbServer,dbProtocol,dbPort) 6:execCode(webServer,apache) 7:remote exploit of a server program 8:netAccess(webServer,httpProtocol,httpPort) 9:direct network access 10:hacl(internet,webServer,httpProtocol,httpPort) 11:attackerLocated(internet) 12:networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache) 13:vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation) 14:networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root) 15:vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation) 0.2

  14. Example Three CVE-2006-3747 was identified on web server CVE-2009-2446 was identified on db server • Internet is allowed to access the web server through HTTP protocol and port • Web server is allowed to access the MySQL database service on the db server • User workstations are allowed to access anywhere CVE-2009-1918 was identified on user workstations

  15. Exploit pre-condition Exploit post-condition Low=> 0.9

  16. Possible attack paths

  17. 6:execCode(webServer,apache) 11:execCode(workStation,normalAccount) 12:remote exploit of a client program 13:hasAccount(secretary,workStation,normalAccount) 14:canAccessMaliciousInput(workStation,secretary,internetExplorer) 15:Browsing a malicious website 17:hacl(workStation,internet,httpProtocol,httpPort) 21:Browsing a compromised website 24:isUserMachine(workStation) 25:isWebBrowser(internetExplorer) 26:inCompetent(secretary) 27:vulExists(workStation,cve_IE,internetExplorer,remoteExploit,privEscalation) 30:attackerLocated(internet) 34:hacl(workStation,dbServer,dbProtocol,dbPort)

  18. Challenge • How to calculate probabilities in an attack graph with shared dependencies and cycles. • Bayesian Network • Frigault, et al., 2008, does not allow cycles • Assuming independence among attack paths • Wang, et al., 2008 • Customized data-flow algorithm with dynamic programming • Homer, et al., 2009

  19. Result execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 Before:execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2

  20. Prioritization • Given three hardening options: • Patching the web server • Patching the db server • Patching the workstation • Which one would you patch first?

  21. Suppose we patch the web server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After:execCode(dbServer,root): 0.43 execCode(webServer,apache): 0 execCode(workStation,normalAccount): 0.72

  22. Now let’s patch the db server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After:execCode(dbServer,root): 0 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

  23. What if we block network access from Group 2 to Internal? Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After:execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

  24. Optimizing Security Hardening Let Pr[execCode(dbServer,root)]=p1 Pr[execCode(webServer,apache)]=p2 Pr[execCode(workStation,normalAccount)]=p3 If C1,C2,C3 are the “cost” for the compromise of these three hosts respectively. Then your expected loss will be LE=C1*p1+C2*p2+C3*p3 All the hardening measures H1,H2,…Hn have costs as well. If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?

  25. Challenges • Scalability of metric calculation • Heavily depends on the connectivity of attack graphs • Exponential in the worst case • Imprecise input problem • How sensitive is the outcome to the input component metrics? • Approximation algorithms to trade precision for scalability? • Optimization techniques

  26. Summary • Quantitative security risk metrics are important in making sensible decisions in security hardening • People are already doing it in an ad-hoc way without any scientific basis • We want to transform it from a “black art” to a science

  27. If you cannot measure it, you cannot improve it. ---Lord Kelvin

More Related