What is the scenario? An enterprise and its IT system.
What are the players? The attacker and the defender.
What is the game? Diffusion of reserved information, interruption of service, loss of data.
Agenda: 1. Defence trees + indexes; 2. Strategic games; 3. Three novel indicators; 4. ……
Risk Management process
• Risk Assessment: identification of the assets, the threats and vulnerabilities, and the countermeasures.
• Risk Analysis: determination of the acceptable risk threshold.
• Risk Mitigation: prioritize, evaluate and implement the recommended countermeasures.
Tools used here: defence trees (assessment) and economic indexes (analysis).
Defence tree
Defence trees are an extension of attack trees [Schneier00].
• Attack tree:
  • the root is an asset of an IT system;
  • the paths from the root to the leaves are the ways to attack the root;
  • the non-leaf nodes can be and-nodes or or-nodes.
• Defence tree: an attack tree plus a set of countermeasures.
An enterprise server is used to store information about customers… An attacker wants to steal this server…
An example: (1) Steal the server
• Attack paths (labelled a1 and a2 on the slide): Break down the door, then Go out unobserved; Have the keys, then Go out unobserved.
• Countermeasures: c1 Install a video surveillance equipment; c2 Install a security door; c3 Assume a security guard; c4 Install a safety lock.
On the "Steal the server" defence tree above, estimate the cost of investment:
• the annual loss produced by an attack;
• the effectiveness of a countermeasure in mitigating the risks;
• the cost of a countermeasure.
Economic index: SLE
The Single Loss Exposure (SLE) represents a measure of an enterprise's loss from a single threat event and can be computed by using the following formula, where:
• the Asset Value (AV) is the cost of creation, development, support, replacement and ownership values of an asset;
• the Exposure Factor (EF) represents a measure of the magnitude of loss or impact on the value of an asset arising from a threat event.
Economic index: ALE
The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an enterprise that can be ascribed to a threat and can be computed by using the following formula, where:
• the Annualized Rate of Occurrence (ARO) is a number that represents the estimated number of annual occurrences of a threat.
Economic index: ROI
The Return on Investment (ROI) indicator can be computed by using the following formula, where:
• RM is the risk mitigated by a countermeasure and represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from exploiting a vulnerability;
• CSI is the cost of security investment that an enterprise must face for implementing a given countermeasure.
Economic index: ROI, worked on the "Steal the server" tree
Legend: AV Asset Value; EF Exposure Factor; SLE Single Loss Exposure; ARO Annualized Rate of Occurrence; ALE Annualized Loss Expectancy; RM Risk Mitigated; CSI Cost of Security Investment.
• AV=100.000 € and ARO=0,10 for both attack paths.
• One attack path: EF=90%, SLE=90.000 €, ALE=9.000 €; the other: EF=93%, SLE=93.000 €, ALE=9.300 €.
• RM=10%, CSI=3.000 €: ROI=-0,70 (ALE=9.000 €) and ROI=-0,69 (ALE=9.300 €).
• RM=20%, CSI=300 €: ROI=5,20 (ALE=9.300 €).
• RM=70%, CSI=1.500 €: ROI=3,20 (ALE=9.000 €).
• RM=50%, CSI=12.000 €: ROI=-0,62 (ALE=9.000 €) and ROI=-0,61 (ALE=9.300 €).
On the same "Steal the server" defence tree, estimate the cost of the attack:
• the expected gain from the successful attack on the target;
• the cost sustained by the attacker to succeed;
• the additional cost brought by a possible countermeasure.
Economic index: ROA
Return On Attack (ROA) measures the gain that an attacker expects from a successful attack over the losses that he sustains due to the adoption of security measures by his target, where:
• GI is the expected gain from the successful attack on the specified target;
• cost_a is the cost sustained by the attacker to succeed;
• cost_ac is the additional cost brought by the countermeasure c adopted by the defender to mitigate the attack a.
Economic index: ROA, worked on the "Steal the server" tree
Legend: GI expected gain from the attack; RM Risk Mitigated; cost_a cost of the attack; cost_ac additional cost produced by a countermeasure.
• GI=30.000 € for both attack paths; cost_a=4.000 € for one path and 4.200 € for the other.
• cost_ac=1.000 €: ROA=6 (cost_a=4.000 €) and ROA=5,77 (cost_a=4.200 €).
• cost_ac=2.000 €: ROA=5,00 (cost_a=4.000 €).
• cost_ac=1.500 €: ROA=5,45 (cost_a=4.000 €) and ROA=5,26 (cost_a=4.200 €).
• cost_ac=200 €: ROA=6,82 (cost_a=4.200 €).
Evaluation: ROI (defender) and ROA (attacker) per countermeasure on the "Steal the server" tree
• c1 Install a video surveillance equipment: ROI=3.20, ROA=0.50
• c2 Install a security door: ROI=-0.70, ROA=4.40 and ROI=-0.69, ROA=4.19 (one per attack path)
• c4 Install a safety lock: ROI=5.20, ROA=4.45
• c3 Assume a security guard: ROI=-0.63, ROA=1.73 and ROI=-0.61, ROA=1.63 (one per attack path)
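The four indexes computed on the slides' "Steal the server" figures, as an added example that is not code from the slides or the paper. SLE = AV·EF and ALE = SLE·ARO are the standard definitions; ROI = (ALE·RM - CSI)/CSI and ROA = GI/(cost_a + cost_ac) are assumptions, being the forms that reproduce the slides' worked values (the formula images did not survive extraction), and the a1/a2 labels and the countermeasure pairing follow the evaluation slide's ordering, which is also an assumption.

```python
def sle(av, ef):
    """Single Loss Exposure: asset value scaled by the exposure factor."""
    return av * ef

def ale(av, ef, aro):
    """Annualized Loss Expectancy: one event's loss times its yearly rate."""
    return sle(av, ef) * aro

def roi(ale_value, rm, csi):
    """Return On Investment (assumed form): yearly loss avoided net of the
    countermeasure's cost, relative to that cost; < 0 means it costs more than it saves."""
    return (ale_value * rm - csi) / csi

def roa(gi, cost_a, cost_ac):
    """Return On Attack (assumed form): attacker's gain over the attack's total
    cost, where the countermeasure adds cost_ac on top of the attacker's own cost_a."""
    return gi / (cost_a + cost_ac)

# "Steal the server" values read off the slides (amounts in EUR). Which attack
# path carries EF=90% and which EF=93% is not recoverable: a1/a2 assumed here.
AV, ARO, GI = 100_000, 0.10, 30_000
ATTACKS = {"a1": (0.90, 4_000), "a2": (0.93, 4_200)}   # id: (EF, cost_a)
COUNTERMEASURES = {                                      # id: (label, RM, CSI)
    "c1": ("install a video surveillance equipment", 0.70, 1_500),
    "c2": ("install a security door", 0.10, 3_000),
    "c3": ("assume a security guard", 0.50, 12_000),
    "c4": ("install a safety lock", 0.20, 300),
}
# countermeasure/attack pairing as read from the evaluation slide's ordering
PAIRS = [("c1", "a1"), ("c2", "a1"), ("c3", "a1"),
         ("c2", "a2"), ("c3", "a2"), ("c4", "a2")]

def defender_table():
    """ROI of every (countermeasure, attack) pair, rounded as on the slides."""
    table = {}
    for c, a in PAIRS:
        ef, _ = ATTACKS[a]
        _, rm, csi = COUNTERMEASURES[c]
        table[(c, a)] = round(roi(ale(AV, ef, ARO), rm, csi), 2)
    return table

def attacker_table(extra_costs):
    """ROA of each attack path for each additional cost a countermeasure imposes."""
    return {(a, ac): round(roa(GI, ATTACKS[a][1], ac), 2)
            for a in ATTACKS for ac in extra_costs}

def worth_deploying():
    """Countermeasures whose ROI is positive against at least one attack."""
    return sorted({c for (c, _), v in defender_table().items() if v > 0})
```

Only the video surveillance and the safety lock pay for themselves; the guard and the security door cost more per year than the loss they avoid, which is what the negative ROI on the slides expresses.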
Future Works: attack graphs
The "Steal the server" example recast as an attack graph: attacks a1 and a2 (Break down the door / Have the keys, then Go out unobserved) and countermeasures c1 Install a video surveillance equipment, c2 Install a security door, c3 Assume a security guard, c4 Install a safety lock.
Future Works: journal version?
Old ROI vs. new version of ROI:
• 1 attack, 1 countermeasure;
• 1 attack, n countermeasures, where f is f_C = max(c) or f_C = sum(c) and ∑_{c∈C} RM_c ≤ 1;
• m attacks, 1 countermeasure, where g is g_A = sum(a) and g_A ≤ AV;
• m attacks, n countermeasures.
Old ROA vs. new version of ROA: the same four cases, with f_C = max(c) or f_C = sum(c) and ∑_{c∈C} RM_c ≤ 1 for 1 attack and n countermeasures, and g_A = sum(a) for m attacks and 1 countermeasure.
Future Works: min set cover
Attacks a1, a2, a3 and countermeasures c1, c2, c3, c4 form a covering problem (which minimal set of countermeasures covers every attack?); when two countermeasures c1 and c2 cover the same attack, their combined risk mitigation lies in the interval RM = [max(c1, c2), min(1, c1 + c2)].
Future Works: intervals
Intervals to represent the possible values of the exposure factor (EF) and risk mitigated (RM), e.g. 20%-40%, 20%-40%, 30%-80%.
I have to redefine all the formulas, now taking the intervals into account! E.g. if x < EF < y, then with AV I get that SLE is also an interval! And therefore ALE too, and ROI too.
Paper: Defense trees for economic evaluation of security investments. S. Bistarelli, F. Fioravanti, P. Pamela. In: 1st International Conference on Availability, Reliability and Security (ARES 2006), Vienna, Austria, April 20-22, 2006.
Strategic game
We consider a strategic game:
• 2 players: the defender and the attacker of a system;
• Sd: the set of the defender's strategies (the countermeasures);
• Sa: the set of the attacker's strategies (the vulnerabilities);
• ROI and ROA: payoff functions for the defender and the attacker.
Strategic game: an example
• Sa = {a1, a2}
• Sd = {c1, c2, c3}
• payoff: ud(ci, aj) and ua(ci, aj)
(Payoff pairs shown on the slide, whose table layout did not survive extraction: Ud=1 Ua=1; Ud=0 Ua=2; Ud=1 Ua=2; Ud=1 Ua=0.)
Nash equilibrium
The combination of strategies (s1*, s2*) with s1* ∈ S1 and s2* ∈ S2 is a Nash Equilibrium if and only if, for each player i, the action si* is the best response to the other player's action.
This game admits two different Nash Equilibria: the pairs of strategies {c1, a1} and {c3, a2}.
Dip. Scienze, 2 September 2014
Mixed strategy: an example
What if a player does not know the behaviour of the other player? Mixed strategies.
(Diagram labels as extracted: pa1, pa2, 1, pc1, ½, pc2, ½, pc3.)
Our game: selection of a single countermeasure/attack, on the "Steal the server" tree (attacks a1, a2; countermeasures c1 Install a video surveillance equipment, c2 Install a security door, c3 Assume a security guard, c4 Install a safety lock).
The set of strategies for the defender and the attacker is composed of single actions.
Our game: selection of a single countermeasure/attack. There is one Nash Equilibrium with mixed strategies (probabilities on the slide: 31/52 and 21/52 for one player, 205/769 and 564/769 for the other).
Our game: selection of a set of countermeasures/attacks, on the same "Steal the server" tree. Each player can play any set of countermeasures/attacks together.
Our game: selection of a set of countermeasures/attacks. There is one Nash Equilibrium with mixed strategies (probabilities on the slide: 5/21 and 16/21 for one player, 39/55 and 16/55 for the other).
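Pure and mixed Nash equilibria of a defender/attacker game of the shape defined above, as an added example (not code from the slides or the paper). The payoff matrix is constructed (Sd = {c1, c2, c3}, Sa = {a1, a2}, chosen so that the pure equilibria are {c1, a1} and {c3, a2} as the slides state; it is not the slides' ROI/ROA values), and the mixed-equilibrium search is limited to supports of two actions per player, the shape of the mixed equilibria the slides report.

```python
from fractions import Fraction
from itertools import combinations

DEF, ATT = ["c1", "c2", "c3"], ["a1", "a2"]
# Constructed payoffs (not the slides' values): UD[i][j] / UA[i][j] are the
# defender's and attacker's payoffs when the defender plays DEF[i] and the
# attacker ATT[j]. Chosen so the pure equilibria are (c1, a1) and (c3, a2).
UD = [[1, 0], [0, 0], [0, 1]]
UA = [[1, 0], [2, 2], [0, 1]]

def pure_equilibria(ud=UD, ua=UA):
    """Profiles where each player's action is a best response to the other's."""
    found = []
    for i, j in ((i, j) for i in range(len(ud)) for j in range(len(ud[0]))):
        best_def = max(ud[r][j] for r in range(len(ud)))
        best_att = max(ua[i][c] for c in range(len(ud[0])))
        if ud[i][j] == best_def and ua[i][j] == best_att:
            found.append((DEF[i], ATT[j]))
    return found

def mixed_equilibria_2x2(ud=UD, ua=UA):
    """Equilibria where each player mixes over exactly two actions: the
    defender's mix makes the attacker indifferent between his two actions and
    vice versa, and neither player gains by deviating to an action outside the
    support. Exact arithmetic so the probabilities come out as fractions."""
    rows, cols, found = range(len(ud)), range(len(ud[0])), []
    for i, k in combinations(rows, 2):
        for j, l in combinations(cols, 2):
            # p = Pr[defender plays i]; q = Pr[attacker plays j]
            den_p = (ua[i][j] - ua[i][l]) - (ua[k][j] - ua[k][l])
            den_q = (ud[i][j] - ud[k][j]) - (ud[i][l] - ud[k][l])
            if den_p == 0 or den_q == 0:
                continue
            p = Fraction(ua[k][l] - ua[k][j], den_p)
            q = Fraction(ud[k][l] - ud[i][l], den_q)
            if not (0 < p < 1 and 0 < q < 1):
                continue
            def_mix, att_mix = {i: p, k: 1 - p}, {j: q, l: 1 - q}
            # expected payoff of every pure action against the opponent's mix
            def_val = [sum(att_mix[c] * ud[r][c] for c in att_mix) for r in rows]
            att_val = [sum(def_mix[r] * ua[r][c] for r in def_mix) for c in cols]
            if def_val[i] >= max(def_val) and att_val[j] >= max(att_val):
                found.append(({DEF[r]: pr for r, pr in def_mix.items()},
                              {ATT[c]: pc for c, pc in att_mix.items()}))
    return found
```

With ROI and ROA as payoffs the same two functions apply unchanged; only the matrices change.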
Future Works: consider games with 1 attacker and n-1 defenders; cooperation among attackers; types of attackers (Bayesian games); dynamic games, repeated games.
Paper: Strategic game on defense trees. S. Bistarelli, M. Dall'Aglio, P. Pamela. In: 4th International Workshop on Formal Aspects in Security and Trust (FAST2006), Hamilton, ON, Canada, August 26-27, 2006.
Three novel indicators: • Critical time • Retaliation • Collusion
Critical time
Critical time
The Exposure Factor during Critical Time (EF_CT) expresses the influence that the criticality of a specific time instance plays on the EF as follows, CTF being the Critical Time Factor that expresses the percentage of criticality of a specific time instance. Boundary cases:
• if CTF=0, then EF_CT = EF
• if CTF=1, then EF_CT = 1
• if EF=0, then EF_CT = CTF
• if EF=1, then EF_CT = 1
Critical time: the indicators
• Annualized Rate of Occurrence, ARO_CT, is the rate of occurrence of an attack at a specific CTF per year.
• Single Loss Exposure, SLE_CT, is the cost of a single attack at a specific CTF.
• Annualized Loss Expectancy, ALE_CT, is the cost per year of an attack at a specific CTF.
• Return On Investment, ROI_CT, is the economic return of an enterprise's investment against an attack mounted at a specific CTF.
Critical time: an example
Retaliation
Retaliation
The Exposure Factor under Retaliation (EF_R) expresses the influence that the chance of retaliating an attack to an asset plays on the EF as follows, RF being the Retaliation Factor that expresses the percentage of retaliation that can be performed. Boundary cases:
• if RF=0, then EF_R = EF
• if RF=1, then EF_R = 0
• if EF=0, then EF_R = 0
• if EF=1, then EF_R = 1-RF
Retaliation: the indicators
• Annualized Rate of Occurrence, ARO_R, is the rate of occurrence per year of an attack that can be retaliated.
• Single Loss Exposure, SLE_R, is the cost of a single attack that can be retaliated.
• Annualized Loss Expectancy, ALE_R, is the cost per year of an attack that can be retaliated.
• Return On Investment, ROI_R, is the economic return of an enterprise's investment against an attack that can be retaliated.
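The critical-time and retaliation adjustments of EF, and the ROI_CT / ROI_R chain built on them, as an added example that is not code from the slides or the paper. The slides' formula images are missing, so the two closed forms are assumptions chosen to satisfy the four boundary cases each slide lists (the check verifies exactly those cases), the ROI chain reuses the base SLE/ALE/ROI definitions, and keeping ARO unchanged under both adjustments is a further assumption.

```python
def ef_critical_time(ef, ctf):
    """EF_CT: exposure raised by the criticality of the time instant. Assumed
    form 1 - (1-EF)(1-CTF): the loss occurs if either factor applies."""
    return 1 - (1 - ef) * (1 - ctf)

def ef_retaliation(ef, rf):
    """EF_R: exposure reduced by the chance of retaliating the attack. Assumed
    form EF * (1-RF): only the non-retaliated share of the loss remains."""
    return ef * (1 - rf)

def boundary_cases_hold(samples=(0.0, 0.25, 0.6, 0.9, 1.0)):
    """Verify the slides' four boundary cases for each indicator on every sample."""
    for x in samples:
        ct_ok = (ef_critical_time(x, 0) == x and ef_critical_time(x, 1) == 1
                 and ef_critical_time(0, x) == x and ef_critical_time(1, x) == 1)
        r_ok = (ef_retaliation(x, 0) == x and ef_retaliation(x, 1) == 0
                and ef_retaliation(0, x) == 0 and ef_retaliation(1, x) == 1 - x)
        if not (ct_ok and r_ok):
            return False
    return True

def roi_chain(av, ef_adj, aro_adj, rm, csi):
    """ROI_CT / ROI_R: the base chain SLE = AV*EF, ALE = SLE*ARO,
    ROI = (ALE*RM - CSI)/CSI with the adjusted EF and rate plugged in."""
    return (av * ef_adj * aro_adj * rm - csi) / csi

def steal_the_server(ctf, rf, av=100_000, ef=0.90, aro=0.10, rm=0.70, csi=1_500):
    """Base ROI, ROI at a critical time and ROI under retaliation, on the
    slides' figures (AV=100.000 EUR, EF=90%, ARO=0.10, RM=70%, CSI=1.500 EUR);
    ARO is kept unchanged, i.e. ARO_CT = ARO_R = ARO (assumption)."""
    base = roi_chain(av, ef, aro, rm, csi)
    at_ct = roi_chain(av, ef_critical_time(ef, ctf), aro, rm, csi)
    under_r = roi_chain(av, ef_retaliation(ef, rf), aro, rm, csi)
    return round(base, 2), round(at_ct, 2), round(under_r, 2)
```

A critical time raises the exposure and therefore the return on the same countermeasure, while the chance of retaliation lowers both; the boundary check is what makes a candidate formula acceptable against the slides' definitions.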
Retaliation: an example
Collusion