Example One •Internet is allowed to access the web server through HTTP protocol and port CVE-2006- 3747 was identified on web server
Dec 14, 2015
Example One
•Internet is allowed to access the web server through HTTP protocol and port
CVE-2006-3747 was identified on
web server
CVE-2006-3747 was identified on
web server
Exploit pre-conditionExploit pre-condition
Exploit post-conditionExploit post-condition
Exploit post-conditionExploit post-condition
Pre- and Post-conditions can be used in constructing an attack graph
webServer is network-accessible
to an attacker
webServer is network-accessible
to an attacker
The web service is running
The web service is running
The vulnerability exists
The vulnerability exists
This attack is possible
This attack is possible
The consequence is that webServer is compromised
The consequence is that webServer is compromised
This process is completely automated
attackerLocated(internet).
hacl( internet, webServer, httpProtocol, httpPort ).hacl( H, H, _, _).
networkServiceInfo( webServer, httpd, httpProtocol, httpPort, apache ).vulExists( webServer, cve_apache, httpd ).
vulProperty( cve_apache, remoteExploit, privEscalation ).
What are your threats?
What are your threats?
Firewall/network analyzer
Firewall/network analyzer
Vulnerability scanner
Vulnerability scanner
NVDNVD
But you do need a knowledge base
execCode(H, Perm) :-vulExists(H, VulID, Software, remoteExploit,
privEscalation),networkServiceInfo(H, Software, Protocol, Port, Perm),netAccess(H, Protocol, Port)
The knowledge is completely independent of any site-specific
settings.
Combining attack graphs and CVSS
• Attack graph presents a qualitative view of security problems– It shows what attacks are possible, but does not tell you
how bad the problem is.– It captures the interactions among all attack possibilities
in your system.
• CVSS provides a quantitative property of individual vulnerabilities– It tells you how bad an individual vulnerability could be.– But it does not tell you how bad it may be in your
system.
Our Approach
• Use CVSS to produce a component metric --- a numeric measure on the conditional probability of success of an attack step.
Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. the component metric means
Pr[c2 = T|c1 = T] This measure does not
consider any attacker behavior
Our Approach
• Aggregate the probabilities over the attack-graph structure to provide a cumulative metric --- the probability of attacker success in your system.
Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.
Calculation of the cumulative metrics
c1c2
Pr[c2|c1]=0.2Pr[c2]=?Pr[c1]=?Pr[c1]=1
Pr[c2]=0.2
Pr[execCode(webServer, apache)]=0.2
Example TwoCVE-2006-3747
was identified on web server
CVE-2006-3747 was identified on
web server
•Internet is allowed to access the web server through HTTP protocol and port•Web server is allowed to access the MySQL database service on the dbase server
CVE-2009-2446 was identified on
db server
CVE-2009-2446 was identified on
db server
Exploit pre-conditionExploit pre-condition Exploit post-conditionExploit post-condition
Medium=> 0.6Medium=> 0.6
1:execCode(dbServer,root)2:remote exploit of a server program3:netAccess(dbServer,dbProtocol,dbPort)4:multi-hop access5:hacl(webServer,dbServer,dbProtocol,dbPort)6:execCode(webServer,apache)7:remote exploit of a server program8:netAccess(webServer,httpProtocol,httpPort)9:direct network access10:hacl(internet,webServer,httpProtocol,httpPort)11:attackerLocated(internet)12:networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache)13:vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation)14:networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root)15:vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation)
0.2
0.2x0.6=0.12
Example Three
•Internet is allowed to access the web server through HTTP protocol and port•Web server is allowed to access the MySQL database service on the db server•User workstations are allowed to access anywhere
CVE-2006-3747 was identified on
web server
CVE-2006-3747 was identified on
web server
CVE-2009-2446 was identified on
db server
CVE-2009-2446 was identified on
db server
CVE-2009-1918 was identified on user workstations
CVE-2009-1918 was identified on user workstations
Exploit pre-conditionExploit pre-condition Exploit post-conditionExploit post-condition
Low=> 0.9Low=> 0.9
6:execCode(webServer,apache)
11:execCode(workStation,normalAccount)
12:remote exploit of a client program
13:hasAccount(secretary,workStation,normalAccount)
14:canAccessMaliciousInput(workStation,secretary,internetExplorer)
15:Browsing a malicious website
17:hacl(workStation,internet,httpProtocol,httpPort)
21:Browsing a compromised website
24:isUserMachine(workStation)
25:isWebBrowser(internetExplorer)
26:inCompetent(secretary)
27:vulExists(workStation,cve_IE,internetExplorer,remoteExploit,privEscalation)
30:attackerLocated(internet)
34:hacl(workStation,dbServer,dbProtocol,dbPort)
Challenge
• How to calculate probabilities in an attack graph with shared dependencies and cycles.– Bayesian Network
• Frigault, et al., 2008, does not allow cycles
– Assuming independence among attack paths• Wang, et al., 2008
– Customized data-flow algorithm with dynamic programming
• Homer, et al., 2009
Result
execCode(dbServer,root): 0.47execCode(webServer,apache): 0.2execCode(workStation,normalAccount): 0.74
Before: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2
Prioritization
• Given three hardening options:– Patching the web server– Patching the db server– Patching the workstation
• Which one would you patch first?
Suppose we patch the web server
Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
After: execCode(dbServer,root): 0.43 execCode(webServer,apache): 0 execCode(workStation,normalAccount): 0.72
Now let’s patch the db server
Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
After: execCode(dbServer,root): 0 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
What if we block network access from Group 2 to Internal?
Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
After: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74
Optimizing Security Hardening
Let Pr[execCode(dbServer,root)]=p1
Pr[execCode(webServer,apache)]=p2
Pr[execCode(workStation,normalAccount)]=p3
If C1,C2,C3 are the “cost” for the compromise of these three hosts respectively. Then your expected loss will be
LE=C1*p1+C2*p2+C3*p3
All the hardening measures H1,H2,…Hn have costs as well.
If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?
Challenges
• Scalability of metric calculation– Heavily depends on the connectivity of attack graphs– Exponential in the worst case
• Imprecise input problem– How sensitive is the outcome to the input component
metrics?– Approximation algorithms to trade precision for
scalability?
• Optimization techniques
Summary
• Quantitative security risk metrics are important in making sensible decisions in security hardening– People are already doing it in an ad-hoc way
without any scientific basis– We want to transform it from a “black art” to a
science