Metrics Suite for Network Attack Graphs

Page 1: Metrics Suite for Network Attack Graphs

65th Meeting of IFIP Working Group 10.4 On Dependable Computing and Fault Tolerance

Sorrento, Italy, January 23-27, 2014

Steven Noel

Center for Secure Information Systems

George Mason University

csis.gmu.edu


Page 2: Metrics Suite for Network Attack Graphs

Motivation

• Impact of combined topology, policy, and vulnerabilities on security posture
  – Attack graphs show multi-step vulnerability paths through networks
  – But they lack quantitative scores that capture overall security state at a point in time
• Show metric trends over time
• Compare security across organizations
• Complementary dimensions of network security
• Funded by DHS BAA 11-02 (12 months)

1 1/23/2014 65th IFIP Working Group 10.4 Meeting

Page 3: Metrics Suite for Network Attack Graphs

Motivating Example


Attack Graph Before Remediation

Page 4: Metrics Suite for Network Attack Graphs

Top CVSS Vulnerabilities


CVSS > 7

Remediated Attack Graph

Page 5: Metrics Suite for Network Attack Graphs

Top Exposed Vulnerabilities


Top 3 Exposed

Remediated Attack Graph

Page 6: Metrics Suite for Network Attack Graphs

Attack Graph Metrics

[Architecture diagram] Network Topology, Firewall Rules and Host Vulnerabilities → Attack Graph Analysis → Metrics Engine → Metrics Dashboard

Host vulnerability inputs (scanner output): Nessus, Retina, nCircle, Core Impact, Foundscan, Qualys, SAINT, nmap

Firewall rule inputs (device configurations): Cisco ASA, Cisco IOS, Juniper JUNOS, Juniper ScreenOS, Fortinet, McAfee FE

Outputs: XML, CSV, Graphical

Page 7: Metrics Suite for Network Attack Graphs


Cauldron Attack Graph

Page 8: Metrics Suite for Network Attack Graphs

Common Vulnerability Scoring System (CVSS)

CVSS Base Metric
  – Exploitability: Access Vector, Access Complexity, Authentication
  – Impact: Confidentiality, Integrity, Availability

Page 9: Metrics Suite for Network Attack Graphs

Attack Graph Metrics Families

• Victimization: Individual vulnerabilities and exposed services each have elements of risk. We score the entire network across individual vulnerability victimization dimensions.

• Size: The size of the attack graph (vectors and exposed machines) is a prime indication of risk. The larger the graph, the more ways you can be compromised.

• Containment: Networks are generally administered in pieces (subnets, domains, etc.). Risk mitigation should aim to reduce attacks across such boundaries, to contain attacks.

• Topology: The connectivity, cycles, and depth of the attack graph indicate how graph relationships enable network penetration.

Page 10: Metrics Suite for Network Attack Graphs

Metrics Hierarchy

Overall (network score)
  – Victimization (metrics family): Existence, Exploitability, Impact (individual metrics)
  – Size: Vectors, Machines
  – Containment: Vectors, Machines, Vuln Types
  – Topology: Connectivity, Cycles, Depth

Page 11: Metrics Suite for Network Attack Graphs

Metrics Scaling

A raw metric $x$ lies in $[x_{\min}, x_{\max}]$. It is shifted, normalized, then stretched onto the 0 to 10 score scale (0 = Best, 10 = Worst):

$f_1(x) = x - x_{\min}$

$f_2(x) = \dfrac{x - x_{\min}}{x_{\max} - x_{\min}}$

$f_3(x) = 10\,\dfrac{x - x_{\min}}{x_{\max} - x_{\min}}, \quad x \in [x_{\min}, x_{\max}]$

[Plot: $f_3(x)$ rising from 0 (Best) at $x_{\min}$ to 10 (Worst) at $x_{\max}$]

Page 12: Metrics Suite for Network Attack Graphs

Metrics Scaling (Reversal)

When a larger raw value means a more secure network, the normalized value is reversed before stretching, so the final score still reads 0 = Best, 10 = Worst:

$f_1(x) = x - x_{\min}$

$f_2(x) = \dfrac{x - x_{\min}}{x_{\max} - x_{\min}}$

$f_3(x) = \dfrac{x - x_{\min}}{x_{\max} - x_{\min}} - 1$

$f_4(x) = 1 - \dfrac{x - x_{\min}}{x_{\max} - x_{\min}}$

$f_5(x) = 10\left(1 - \dfrac{x - x_{\min}}{x_{\max} - x_{\min}}\right), \quad x \in [x_{\min}, x_{\max}]$

[Plot: $f_5(x)$ falling from 10 (Worst) at $x_{\min}$ to 0 (Best) at $x_{\max}$]

Page 13: Metrics Suite for Network Attack Graphs

Combining Metrics

Two individual scores $s_1, s_2$ with weights $w_1, w_2$, where $0 \le s_1, s_2 \le 10$ and $0 \le w_1, w_2 \le 1$. The weighted scores form the vector $(w_1 s_1,\; w_2 s_2)$; the largest possible such vector is $(10 w_1,\; 10 w_2)$, of length $\sqrt{(10 w_1)^2 + (10 w_2)^2}$. The combined score is the length of the weighted-score vector relative to the largest possible, stretched back to the 0 to 10 scale:

$S = 10\,\dfrac{\sqrt{(w_1 s_1)^2 + (w_2 s_2)^2}}{\sqrt{(10 w_1)^2 + (10 w_2)^2}} = \sqrt{\dfrac{(w_1 s_1)^2 + (w_2 s_2)^2}{w_1^2 + w_2^2}}, \quad 0 \le S \le 10$

Page 14: Metrics Suite for Network Attack Graphs

Combining Metrics

For individual score $s_i$ with weight $w_i$, $0 \le s_i \le 10$ and $0 \le w_i \le 1$.

In general, for $n$ scores, the combined score is

$S = \sqrt{\dfrac{\sum_{i=1}^{n} (w_i s_i)^2}{\sum_{i=1}^{n} w_i^2}}, \quad 0 \le S \le 10$
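As an added example (not code from the slides or from the Cauldron tool), the scaling $f(x) = 10\,(x - x_{\min})/(x_{\max} - x_{\min})$, its reversal $10\,(1 - (x - x_{\min})/(x_{\max} - x_{\min}))$, and the weighted combination $S = \sqrt{\sum (w_i s_i)^2 / \sum w_i^2}$ in Python, rolled up the hierarchy from individual metrics to family scores to an overall score. The sample scores, weights and family names are constructed.

```python
"""Scaling raw attack-graph metrics onto the 0-10 scale and combining weighted scores."""
from __future__ import annotations
import math
from typing import Sequence


def scale(x: float, x_min: float, x_max: float, reverse: bool = False) -> float:
    """Map raw metric x in [x_min, x_max] onto the score scale, 0 = best, 10 = worst.

    reverse=False: f(x) = 10 (x - x_min) / (x_max - x_min), for metrics where a
    larger raw value is worse (e.g. more attack vectors).
    reverse=True:  f(x) = 10 (1 - (x - x_min) / (x_max - x_min)), for metrics
    where a larger raw value is better (e.g. a deeper attack graph), so that
    the worst raw value still lands on 10.
    """
    if x_max <= x_min:
        raise ValueError("x_max must exceed x_min")
    if not x_min <= x <= x_max:
        raise ValueError(f"x={x} outside [{x_min}, {x_max}]")
    unit = (x - x_min) / (x_max - x_min)        # normalized to [0, 1]
    return 10.0 * (1.0 - unit) if reverse else 10.0 * unit


def combine(scores: Sequence[float], weights: Sequence[float]) -> float:
    """S = sqrt(sum (w_i s_i)^2 / sum w_i^2), each s_i in [0, 10], w_i in [0, 1].

    This is the length of the weighted-score vector (w_1 s_1, ..., w_n s_n)
    divided by the length of the largest possible one (10 w_1, ..., 10 w_n),
    stretched back to 0-10: S is 10 only when every weighted score is 10,
    and a single score passes through unchanged whatever its weight.
    """
    if not scores or len(scores) != len(weights):
        raise ValueError("need exactly one weight per score")
    for s, w in zip(scores, weights):
        if not 0.0 <= s <= 10.0:
            raise ValueError(f"score {s} outside [0, 10]")
        if not 0.0 <= w <= 1.0:
            raise ValueError(f"weight {w} outside [0, 1]")
    denominator = sum(w * w for w in weights)
    if denominator == 0.0:
        raise ValueError("at least one weight must be non-zero")
    numerator = sum((w * s) ** 2 for s, w in zip(scores, weights))
    return math.sqrt(numerator / denominator)


def network_score(families: dict[str, tuple[Sequence[float], Sequence[float]]],
                  family_weights: dict[str, float]) -> tuple[dict[str, float], float]:
    """Roll scores up the hierarchy: individual metrics -> family -> overall."""
    family_scores = {name: combine(s, w) for name, (s, w) in families.items()}
    names = list(family_scores)
    overall = combine([family_scores[n] for n in names],
                      [family_weights[n] for n in names])
    return family_scores, overall


if __name__ == "__main__":
    # Constructed values; not the slides' data.
    print(scale(3, 0, 12), scale(3, 0, 12, reverse=True))      # 2.5 7.5
    families = {
        "victimization": ([4.0, 8.0, 6.0], [1.0, 1.0, 0.5]),
        "size": ([2.0, 5.0], [1.0, 1.0]),
        "containment": ([7.0], [1.0]),
    }
    print(network_score(families, {"victimization": 1.0, "size": 0.5, "containment": 1.0}))
```

The range checks matter in practice: a raw value outside the calibrated $[x_{\min}, x_{\max}]$ (for instance after the network grows) would otherwise silently produce a score outside 0 to 10 and skew every combined score above it in the hierarchy.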

Page 15: Metrics Suite for Network Attack Graphs

Metrics Hierarchy (repeats the hierarchy slide, Page 10)

Page 16: Metrics Suite for Network Attack Graphs

Metrics Family: Victimization

• Existence – relative number of ports that are vulnerable. With $v = \sum_{i=1}^{n} v_i$ vulnerable ports and $s = \sum_{i=1}^{n} s_i$ exposed ports over the $n$ machines:

$\text{Existence} = 10\,\dfrac{v}{s}$

• Exploitability – average CVSS Exploitability over the set $U$ of vulnerabilities, $e_u$ being the exploitability sub-score of vulnerability $u$:

$\text{Exploitability} = \dfrac{\sum_{u \in U} e_u}{|U|}$

• Impact – average CVSS Impact, $m_u$ being the impact sub-score of vulnerability $u$:

$\text{Impact} = \dfrac{\sum_{u \in U} m_u}{|U|}$
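As an added example (not code from the slides or from Cauldron), the three Victimization metrics in Python. The CVSS v2 Exploitability and Impact sub-scores are computed from the base-metric vector using the standard v2 equations ($20 \cdot AV \cdot AC \cdot Au$ and $10.41\,(1 - (1-C)(1-I)(1-A))$); the machines, ports and vulnerability vectors are constructed, and the first vector is the worked example from the CVSS v2 guide.

```python
"""Victimization family: Existence, Exploitability, Impact.

CVSS v2 Exploitability and Impact sub-scores are computed from the base-metric
vector (Access Vector, Access Complexity, Authentication; Confidentiality,
Integrity, Availability) using the standard v2 equations.
The machines and vulnerabilities at the bottom are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List

# CVSS v2 base-metric weights (CVSS v2 guide, section 3.2.1).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: local, adjacent, network
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity: high, medium, low
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: multiple, single, none
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # C/I/A impact: none, partial, complete


def parse_cvss2(vector: str) -> Dict[str, str]:
    """Split 'AV:N/AC:L/Au:N/C:N/I:N/A:C' (parentheses optional) into a map."""
    parts = dict(p.split(":", 1) for p in vector.strip("()").split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - parts.keys()
    if missing:
        raise ValueError(f"CVSS v2 vector {vector!r} lacks {sorted(missing)}")
    return parts


def cvss2_exploitability(vector: str) -> float:
    """Exploitability sub-score = 20 * AV * AC * Au (0..10)."""
    m = parse_cvss2(vector)
    return 20.0 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]


def cvss2_impact(vector: str) -> float:
    """Impact sub-score = 10.41 * (1 - (1 - C)(1 - I)(1 - A)) (0..10)."""
    m = parse_cvss2(vector)
    return 10.41 * (1.0 - (1.0 - _CIA[m["C"]]) * (1.0 - _CIA[m["I"]]) * (1.0 - _CIA[m["A"]]))


@dataclass
class Machine:
    name: str
    ports: int                                   # exposed services on the machine
    vulns: Dict[int, List[str]] = field(default_factory=dict)  # port -> CVSS v2 vectors


def _all_vectors(machines: List[Machine]) -> List[str]:
    """The vulnerability set U, as CVSS vectors, over the whole network."""
    return [v for m in machines for vs in m.vulns.values() for v in vs]


def existence(machines: List[Machine]) -> float:
    """Existence = 10 * (vulnerable ports) / (exposed ports)."""
    s = sum(m.ports for m in machines)
    v = sum(len(m.vulns) for m in machines)      # ports carrying >= 1 vulnerability
    return 10.0 * v / s if s else 0.0


def exploitability(machines: List[Machine]) -> float:
    """Mean CVSS Exploitability over U."""
    u = _all_vectors(machines)
    return sum(cvss2_exploitability(x) for x in u) / len(u) if u else 0.0


def impact(machines: List[Machine]) -> float:
    """Mean CVSS Impact over U."""
    u = _all_vectors(machines)
    return sum(cvss2_impact(x) for x in u) / len(u) if u else 0.0


# Constructed sample network; the first vector is the CVSS v2 guide's worked
# example (remote, unauthenticated, complete availability impact).
SAMPLE = [
    Machine("web", ports=3, vulns={80: ["AV:N/AC:L/Au:N/C:N/I:N/A:C"]}),
    Machine("db", ports=2, vulns={3306: ["AV:N/AC:M/Au:S/C:P/I:P/A:P"]}),
    Machine("fileserver", ports=3),
]

if __name__ == "__main__":
    print(f"existence={existence(SAMPLE):.2f} exploitability={exploitability(SAMPLE):.2f} "
          f"impact={impact(SAMPLE):.2f}")
```

Note that Existence counts ports, not vulnerabilities: a port with three findings and a port with one both count once, which is why `len(m.vulns)` (number of vulnerable ports) is used rather than the length of the flattened vulnerability list.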

Page 17: Metrics Suite for Network Attack Graphs

Metrics Hierarchy (repeats the hierarchy slide, Page 10)

Page 18: Metrics Suite for Network Attack Graphs

Size Family
Vectors Metric

Let the network have $d$ domains, domain $i$ containing $m_i$ machines, and $m$ machines in all, machine $i$ exposing $s_i$ services.

Within domain (implicit vectors): every machine in a domain can reach every vulnerability on the other $m_i - 1$ machines of that domain, so with $v_{i,j}$ vulnerabilities on machine $j$ of domain $i$ the implicit vectors number $(m_i - 1)\sum_{j=1}^{m_i} v_{i,j}$.

Across domains: explicit vectors $v_{i,j}$ from domain $i$ to domain $j$, $i \ne j$, as enumerated in the attack graph.

Attack vectors: $v_a = \sum_{i=1}^{d} (m_i - 1)\sum_{j=1}^{m_i} v_{i,j} + \sum_{i=1}^{d}\sum_{j \ne i} v_{i,j}$

Total possible attack vectors: $v_p = (m - 1)\sum_{i=1}^{m} s_i$

$\text{Size Vectors} = 10\,\dfrac{v_a}{v_p}$

Page 19: Metrics Suite for Network Attack Graphs

Size Family
Machines Metric

Vulnerable machines: $r = \sum_{i=1}^{d} r_i$

Non-vulnerable machines: $m = \sum_{j=1}^{d} m_j$

$\text{Size Machines} = 10\,\dfrac{r}{r + m}$

Page 20: Metrics Suite for Network Attack Graphs

Metrics Hierarchy (repeats the hierarchy slide, Page 10)

Page 21: Metrics Suite for Network Attack Graphs

Containment Family
Vectors Metric

With the same implicit within-domain vectors $(m_i - 1)\sum_{j=1}^{m_i} v_{i,j}$, explicit across-domain vectors $v_{i,j}$ ($i \ne j$), and attack vectors $v_a = \sum_{i=1}^{d} (m_i - 1)\sum_{j=1}^{m_i} v_{i,j} + \sum_{i=1}^{d}\sum_{j \ne i} v_{i,j}$ as for the Size family:

Attack vectors across domains: $v_c = \sum_{i=1}^{d}\sum_{j \ne i} v_{i,j}$

$\text{Containment Vectors} = 10\,\dfrac{v_c}{v_a}$

Page 22: Metrics Suite for Network Attack Graphs

Containment Family
Machines Metric

For domain $i$ with machine set $M_i$, let $V(m)$ be the set of machines that attack machine $m$ (the sources of its incoming attack vectors).

Victims within domain only: $m_w = \sum_{i=1}^{d} \bigl|\{\, m \in M_i : V(m) \subseteq M_i \,\}\bigr|$

Victims across domains: $m_a = \sum_{i=1}^{d} \bigl|\{\, m \in M_i : V(m) \not\subseteq M_i \,\}\bigr|$

$\text{Containment Machines} = 10\,\dfrac{m_a}{m_a + m_w}$

Page 23: Metrics Suite for Network Attack Graphs

Containment Family
Vulnerability Types Metric

With $T(m)$ the set of vulnerability types on machine $m$ and $V(m)$ its attackers as before:

Vulnerability types within domain only: $t_w = \sum_{i=1}^{d} \bigl|\{\, t \in T(m) : m \in M_i,\; V(m) \subseteq M_i \,\}\bigr|$

Vulnerability types across domains: $t_a = \sum_{i=1}^{d} \bigl|\{\, t \in T(m) : m \in M_i,\; V(m) \not\subseteq M_i \,\}\bigr|$

$\text{Containment Vuln Types} = 10\,\dfrac{t_a}{t_a + t_w}$
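As an added example (not code from the slides or from Cauldron), the Size family (Vectors, Machines) and the Containment family (Vectors, Machines, Vulnerability Types) computed in Python on one constructed network. The model is an assumption that follows the slides' distinction between implicit within-domain vectors and explicit across-domain vectors: inside a protection domain every machine is taken to reach every vulnerability on every other machine, while vectors that cross a boundary are listed explicitly, the way an attack-graph engine would emit them. Domain names, machine names, service counts and the placeholder vulnerability types `vt1`..`vt3` are all constructed.

```python
"""Size and Containment metric families on a constructed network.

Model assumed here: inside a domain every machine can reach every vulnerability
on every other machine (implicit vectors); vectors that cross a domain boundary
are enumerated explicitly. A machine's attackers V(m) are therefore the rest of
its domain plus the sources of the explicit vectors aimed at it.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Vector:
    src: str    # attacking machine
    dst: str    # victim machine
    vuln: str   # vulnerability type exploited on dst


@dataclass
class Network:
    domains: Dict[str, List[str]]    # domain -> machines
    services: Dict[str, int]         # machine -> exposed services (ports)
    vulns: Dict[str, List[str]]      # machine -> vulnerability types present
    cross: List[Vector]              # explicit vectors across domains

    def validate(self) -> None:
        """Reject vectors that stay inside a domain or cite a vuln the victim lacks."""
        dom = {x: d for d, members in self.domains.items() for x in members}
        for v in self.cross:
            if dom[v.src] == dom[v.dst]:
                raise ValueError(f"{v} does not cross a domain boundary")
            if v.vuln not in self.vulns.get(v.dst, []):
                raise ValueError(f"{v.dst} does not carry {v.vuln}")


def attack_vectors(net: Network) -> Tuple[int, int]:
    """(implicit within-domain vectors, explicit across-domain vectors)."""
    within = 0
    for members in net.domains.values():
        within += (len(members) - 1) * sum(len(net.vulns.get(x, [])) for x in members)
    return within, len(net.cross)


def size_vectors(net: Network) -> float:
    """10 * v_a / v_p, with v_p = (m - 1) * sum(s_i) the possible vectors."""
    within, across = attack_vectors(net)
    m = sum(len(members) for members in net.domains.values())
    v_p = (m - 1) * sum(net.services.values())
    return 10.0 * (within + across) / v_p


def size_machines(net: Network) -> float:
    """10 * r / (r + m): vulnerable machines over all machines."""
    machines = [x for members in net.domains.values() for x in members]
    r = sum(1 for x in machines if net.vulns.get(x))
    return 10.0 * r / len(machines)


def containment_vectors(net: Network) -> float:
    """10 * v_c / v_a: share of attack vectors that cross a domain boundary."""
    within, across = attack_vectors(net)
    return 10.0 * across / (within + across) if within + across else 0.0


def _victims(net: Network) -> Tuple[Set[str], Set[str]]:
    """Vulnerable machines attacked from another domain, and those attacked
    only from inside their own domain."""
    across = {v.dst for v in net.cross}
    within: Set[str] = set()
    for members in net.domains.values():
        if len(members) < 2:
            continue            # nobody else in the domain to attack from
        within |= {x for x in members if net.vulns.get(x)} - across
    return across, within


def containment_machines(net: Network) -> float:
    """10 * m_a / (m_a + m_w)."""
    across, within = _victims(net)
    m_a, m_w = len(across), len(within)
    return 10.0 * m_a / (m_a + m_w) if m_a + m_w else 0.0


def containment_vuln_types(net: Network) -> float:
    """10 * t_a / (t_a + t_w): per domain, distinct types on each victim group."""
    across, within = _victims(net)
    t_a = t_w = 0
    for members in net.domains.values():
        t_a += len({t for x in members if x in across for t in net.vulns.get(x, [])})
        t_w += len({t for x in members if x in within for t in net.vulns.get(x, [])})
    return 10.0 * t_a / (t_a + t_w) if t_a + t_w else 0.0


# Constructed sample: vt1..vt3 are placeholder vulnerability types.
SAMPLE = Network(
    domains={"dmz": ["web", "mail"], "inside": ["db", "fileserver", "wks"]},
    services={"web": 3, "mail": 2, "db": 2, "fileserver": 3, "wks": 4},
    vulns={"web": ["vt1"], "mail": ["vt2"], "db": ["vt3"], "wks": ["vt1", "vt2"]},
    cross=[Vector("web", "db", "vt3"), Vector("mail", "wks", "vt1")],
)

if __name__ == "__main__":
    SAMPLE.validate()
    for metric in (size_vectors, size_machines, containment_vectors,
                   containment_machines, containment_vuln_types):
        print(f"{metric.__name__:24s} {metric(SAMPLE):.2f}")
```

On the sample, blocking the two cross-domain vectors at the firewall would drive Containment Vectors and Containment Machines to 0 while leaving Size Machines unchanged, which is the kind of separation between families the hierarchy is meant to expose.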

Page 24: Metrics Suite for Network Attack Graphs

Metrics Hierarchy (repeats the hierarchy slide, Page 10)

Page 25: Metrics Suite for Network Attack Graphs

Attack Graph Connectivity

Motivation: better to have the attack graph as disconnected parts than as a connected whole.

[Figure: One Component (Less Secure) → Two Components → Three Components (More Secure)]

Page 26: Metrics Suite for Network Attack Graphs

Topology Family
Connectivity Metric

With $c$ connected components among $n$ machines ($n = 11$ in the example graphs):

$\text{Metric} = 10\left(1 - \dfrac{c - 1}{n - 1}\right)$

1 component: $10\left(1 - \dfrac{1 - 1}{11 - 1}\right) = 10$

4 components: $10\left(1 - \dfrac{4 - 1}{11 - 1}\right) = 7$

5 components: $10\left(1 - \dfrac{5 - 1}{11 - 1}\right) = 6$

Page 27: Metrics Suite for Network Attack Graphs

Attack Graph Cycles

Motivation: for a connected attack graph, better to avoid cycles among subgraphs.

[Figure: cycles among subgraphs (Less Secure) → no cycles (More Secure)]

Page 28: Metrics Suite for Network Attack Graphs

Topology Family
Cycles Metric

Same formula, with $c$ now counting components after each cycle (a set of machines that can all reach one another) is collapsed into a single component, $n = 11$:

4 components: $10\left(1 - \dfrac{4 - 1}{11 - 1}\right) = 7$

5 components: $10\left(1 - \dfrac{5 - 1}{11 - 1}\right) = 6$

10 components: $10\left(1 - \dfrac{10 - 1}{11 - 1}\right) = 1$

Page 29: Metrics Suite for Network Attack Graphs

Attack Graph Depth

Motivation: better to have the attack graph deeper than shallower.

[Figure: One Step Deep (Less Secure) → 2 Steps Deep → 3 Steps Deep (More Secure)]

Page 30: Metrics Suite for Network Attack Graphs

Topology Family
Depth Metric

[Figure: three example graphs with their depth scores: shortest path 3/8; shortest path 4/8; two components with shortest paths 2/3 and 1/5]
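As an added example (not code from the slides or from Cauldron), the Topology family in Python: the component formula $10\,(1 - (c-1)/(n-1))$, which reproduces the slides' values 10, 7, 6 and 1 for 1, 4, 5 and 10 components among 11 machines, applied once with components counted ignoring edge direction (Connectivity) and once with strongly connected components (Cycles), plus the shortest attack path from an entry machine, reported as the raw step count the Depth slides compare. The 11-machine attack graph, its machine names and the entry point are constructed.

```python
"""Topology family: Connectivity and Cycles, plus raw attack depth.

Both metrics use 10 * (1 - (c - 1) / (n - 1)) for c components among n
machines: one component scores 10 (worst), n isolated machines score 0.
Connectivity ignores edge direction; Cycles counts strongly connected
components, so machines that can all reach one another collapse into one.
The attack graph below is constructed for this example.
"""
from __future__ import annotations
from collections import deque
from typing import Dict, Iterable, List, Set

Graph = Dict[str, Set[str]]   # machine -> machines it has an attack vector to


def normalize(g: Graph) -> Graph:
    """Give every machine a key, even one that only appears as a victim."""
    full: Graph = {v: set(outs) for v, outs in g.items()}
    for outs in g.values():
        for b in outs:
            full.setdefault(b, set())
    return full


def _count_components(adj: Graph, starts: Iterable[str]) -> int:
    """Number of DFS trees grown over `adj` from `starts`, taken in order."""
    seen: Set[str] = set()
    count = 0
    for start in starts:
        if start in seen:
            continue
        count += 1
        stack = [start]
        while stack:
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                stack.extend(adj[v] - seen)
    return count


def weak_components(g: Graph) -> int:
    """Connected components with edge direction ignored."""
    g = normalize(g)
    undirected: Graph = {v: set(outs) for v, outs in g.items()}
    for a, outs in g.items():
        for b in outs:
            undirected[b].add(a)
    return _count_components(undirected, undirected)


def strong_components(g: Graph) -> int:
    """Strongly connected components (Kosaraju: finish order, then reversed DFS)."""
    g = normalize(g)
    rev: Graph = {v: set() for v in g}
    for a, outs in g.items():
        for b in outs:
            rev[b].add(a)
    order: List[str] = []
    seen: Set[str] = set()
    for root in g:                      # pass 1: iterative DFS, record finish order
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(g[root]))]
        while stack:
            node, it = stack[-1]
            for nxt in it:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append((nxt, iter(g[nxt])))
                    break
            else:
                stack.pop()
                order.append(node)
    return _count_components(rev, reversed(order))   # pass 2 on the reversed graph


def component_metric(components: int, machines: int) -> float:
    """10 * (1 - (c - 1)/(n - 1)); gives the slides' 10, 7, 6 and 1 for n = 11."""
    if machines < 2:
        return 0.0
    return 10.0 * (1.0 - (components - 1) / (machines - 1))


def connectivity(g: Graph) -> float:
    return component_metric(weak_components(g), len(normalize(g)))


def cycles(g: Graph) -> float:
    return component_metric(strong_components(g), len(normalize(g)))


def attack_depth(g: Graph, entry: str) -> Dict[str, int]:
    """Shortest attack path, in steps, from the entry machine to each reachable victim."""
    g = normalize(g)
    dist = {entry: 0}
    queue = deque([entry])
    while queue:
        v = queue.popleft()
        for nxt in g[v]:
            if nxt not in dist:
                dist[nxt] = dist[v] + 1
                queue.append(nxt)
    return dist


# Constructed 11-machine attack graph: a DMZ chain with a web<->app cycle,
# an HR pair that can attack each other, a lab pair, and two isolated hosts.
SAMPLE: Graph = {
    "attacker": {"web", "mail"}, "web": {"app"}, "mail": {"app"},
    "app": {"db", "web"}, "db": set(),
    "hr1": {"hr2"}, "hr2": {"hr1"},
    "lab1": {"lab2"}, "lab2": set(),
    "iso1": set(), "iso2": set(),
}

if __name__ == "__main__":
    print(weak_components(SAMPLE), connectivity(SAMPLE))     # 5 components -> 6.0
    print(strong_components(SAMPLE), cycles(SAMPLE))         # 9 components -> 2.0
    print(max(attack_depth(SAMPLE, "attacker").values()))    # deepest victim: 3 steps
```

The two component counts move differently under hardening: removing the `app -> web` vector leaves Connectivity unchanged (the DMZ is still one weakly connected piece) but breaks the cycle, raising the strongly connected component count and lowering the Cycles score.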

Page 31: Metrics Suite for Network Attack Graphs

Metrics Dashboard


Page 32: Metrics Suite for Network Attack Graphs

Family-Level Metrics


Page 33: Metrics Suite for Network Attack Graphs

Temporal Zoom


Page 34: Metrics Suite for Network Attack Graphs

Trend Summary


Page 35: Metrics Suite for Network Attack Graphs

Example Network Topology


Page 36: Metrics Suite for Network Attack Graphs

Attack Graph – No Hardening


Page 37: Metrics Suite for Network Attack Graphs


Block Partners to Inside

Page 38: Metrics Suite for Network Attack Graphs


Block Partner 4 to DMZ

Page 39: Metrics Suite for Network Attack Graphs


Block DMZ to Inside 3

Page 40: Metrics Suite for Network Attack Graphs


Patch Host Vulnerabilities

Page 41: Metrics Suite for Network Attack Graphs


Page 42: Metrics Suite for Network Attack Graphs


Page 43: Metrics Suite for Network Attack Graphs


Page 44: Metrics Suite for Network Attack Graphs


Page 45: Metrics Suite for Network Attack Graphs


Page 46: Metrics Suite for Network Attack Graphs

Contact

Steven Noel
The MITRE Corporation, McLean, Virginia
http://csis.gmu.edu/noel/
[email protected]