Page 1

Structured Intrusion Scenario Analysis

Course 95-750: Security Architecture and Analysis

Andrew Moore
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
(412) 268-5465
[email protected]

5 December 2000

Page 2

SNA (Survivable Network Analysis) Process

STEP 1: SYSTEM DEFINITION
• Mission, requirements, environment, and risks definition
• Architecture definition and elicitation

STEP 2: ESSENTIAL CAPABILITY DEFINITION
• Essential service/asset selection/scenarios
• Essential component identification

STEP 3: COMPROMISABLE CAPABILITY DEFINITION
• Intrusion selection/scenarios
• Compromisable component identification

STEP 4: SURVIVABILITY ANALYSIS
• Softspot component (essential & compromisable) identification
• Resistance, recognition, and recovery analysis
• Survivability Map development

Page 3

Broad Goals of Research

• Develop systematic methods
• Manage complexity
• Integrate risk analysis techniques
• Facilitate populating the survivability map
• Determine utility of automation
• Improve repeatability of results

Identify, document, and demonstrate techniques that lessen SNA's dependence on experience and security expertise.

Page 4

Overview of Talk

• Attack Trees Introduction
• Enterprise-Level Example
• Reusing Patterns of Attack
• Attack Tree Refinement
• Conclusions

Focus: improving intrusion scenario analysis (step 3 of the SNA process)

Page 5

Attack Tree Introduction

Page 6

Attack Trees

• Provide a "formal, methodical way of describing the security of systems, based on varying attacks" (Schneier)

• Decompose the attacker's goal
  – AND decomposition describes a time-ordered sequence of sub-goals, all of which must be achieved (graphical form in the original figure; textual form):

        Goal G0
        AND G1
            G2

  – OR decomposition describes alternative sub-goals, any one of which suffices (textual form):

        Goal G0
        OR  G1
            G2

• Organize intrusion scenarios: a scenario is one complete way of reaching the root, obtained by taking every child of an AND node and exactly one child of each OR node, so the tree enumerates the scenarios it implies.

  [Figure: an example tree over goals G0 to G9 and the scenario list it implies, e.g. (G3, G5, G6), (G4, G5, G6), (G4, G5), (G8, G9)]

Page 7

Opening a Safe*

The figure marks each node P = Possible or I = Impossible (key: OR nodes have unjoined branches, AND nodes are marked AND). In textual form the tree is:

Goal: Open Safe
OR  1. Pick Lock
    2. Learn Combo
       OR 1. Find Written Combo
          2. Get Combo From Target
             OR 1. Threaten
                2. Blackmail
                3. Eavesdrop
                   AND 1. Listen to Conversation
                       2. Get Target to State Combo
                4. Bribe
    3. Cut Open Safe
    4. Install Improperly

The P/I value of an interior node follows from its children: an AND node is possible only if every sub-goal is possible, an OR node is possible if any alternative is.

* Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000

Page 8

Special Equipment Required?*

The same safe tree, with each leaf attack marked SE = Special Equipment or NSE = No Special Equipment. An AND sequence needs special equipment if any of its steps does; an OR node can avoid it if any alternative can, which is what lets one ask for the cheapest attack that needs no special equipment.

* Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000

Page 9

Cost of Attack?*

The same safe tree, with each node annotated with the estimated cost of the attack (values in the figure range from $10K to $100K). The cost of an AND node is the sum of its sub-goals' costs; the cost of an OR node is that of its cheapest alternative, so the root's value is the cost of the cheapest attack.

* Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
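The three questions of pages 7 to 9 (possible?, special equipment?, cost?) are all the same operation: a leaf attribute propagated to the root by an AND rule and an OR rule. The following is an added example, not code from the slides or from CERT; it encodes the safe tree above and answers Schneier's questions, including the cheapest possible attack that needs no special equipment. Leaf values are transcribed from Schneier's figure; the extraction loses which label sits on which node, so the assignment is the editor's reading, and the `Node`, `evaluate` and `cheapest` names are the editor's.

```python
"""Attribute propagation over the safe attack tree (pages 7-9).

Added example, not from the slides. Leaf values follow Schneier's figure as
read by the editor: possible/impossible, special equipment, cost in $K.
"""
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    op: str = "LEAF"                       # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    possible: Optional[bool] = None        # leaf attributes; interior nodes derive theirs
    cost: Optional[int] = None             # $K
    special_equipment: Optional[bool] = None


def leaf(name, possible, cost, special_equipment):
    return Node(name, "LEAF", [], possible, cost, special_equipment)


SAFE = Node("Open Safe", "OR", [
    leaf("Pick Lock", False, 30, True),
    Node("Learn Combo", "OR", [
        leaf("Find Written Combo", False, 75, False),
        Node("Get Combo From Target", "OR", [
            leaf("Threaten", False, 60, False),
            leaf("Blackmail", False, 100, False),
            Node("Eavesdrop", "AND", [
                leaf("Listen to Conversation", True, 20, True),
                leaf("Get Target to State Combo", False, 40, False),
            ]),
            leaf("Bribe", True, 20, False),
        ]),
    ]),
    leaf("Cut Open Safe", True, 10, True),
    leaf("Install Improperly", False, 100, False),
])


def find(node, name):
    """Return the node called `name` anywhere under `node`, or None."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def evaluate(node, leaf_value, and_combine, or_combine):
    """Generic propagation: leaves supply a value, AND/OR nodes combine their children's."""
    if node.op == "LEAF":
        return leaf_value(node)
    values = [evaluate(c, leaf_value, and_combine, or_combine) for c in node.children]
    return and_combine(values) if node.op == "AND" else or_combine(values)


def possible(node):
    # AND: every sub-goal must be possible; OR: one alternative suffices
    return evaluate(node, lambda n: n.possible, all, any)


def needs_special_equipment(node):
    # AND: any step needing equipment taints the sequence; OR: only if every alternative does
    return evaluate(node, lambda n: n.special_equipment, any, all)


def cheapest(node, admissible=lambda n: True):
    """(cost, leaves) of the cheapest attack built only from admissible leaves.

    AND sums its children's costs, OR takes the minimum; (inf, []) means no
    admissible attack exists below this node.
    """
    if node.op == "LEAF":
        return (node.cost, [node.name]) if admissible(node) else (math.inf, [])
    results = [cheapest(c, admissible) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)
    return (total, [n for r in results for n in r[1]]) if total < math.inf else (math.inf, [])


if __name__ == "__main__":
    print("Possible at all:", possible(SAFE))
    print("Cheapest attack:", cheapest(SAFE))
    print("Cheapest possible attack without special equipment:",
          cheapest(SAFE, lambda n: n.possible and not n.special_equipment))
```

The `admissible` filter is the point: cutting the safe open is the cheapest attack on paper, but it needs special equipment, and once the possible/impossible and equipment marks are combined the answer becomes bribery at $20K. Eavesdrop is unaffordable in either view because one of its AND steps is impossible.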

Page 10

Enterprise-Level Example

Page 11

ACME, Inc. Enterprise Structure

[Figure: ACME HQ inside a Fenced Perimeter with a Guard at the Front Gate, Parking, and a Dumpster; Network Services comprising the ACME Firewall and the ACME Web Server, reached over the Backbone by Remote Dial-up Users and Internet Users]

Page 12

High-Level Attack Tree for ACME, Inc.

Attacker Goal: Steal ACME proprietary secrets
OR 1. Physically scavenge discarded items from ACME
      OR 1. Inspect dumpster contents on-site
         2. Inspect refuse after removal from site
   2. Monitor emanations (e.g., electromagnetic, visual) from ACME machines
      AND 1. Survey physical perimeter to determine optimal monitoring position
          2. Acquire necessary monitoring equipment
          3. Set up monitoring site
          4. Monitor emanations from site
   3. Recruit help of trusted ACME insider
      OR 1. Plant spy as trusted insider
         2. Use existing trusted insider
   4. Physically access ACME networks or machines
      OR 1. Get physical, on-site access to Intranet
         2. Get physical access to external machines
   5. Attack ACME Intranet using its connections with Internet
      OR 1. Monitor communications over Internet for leakage
         2. Get trusted process to send sensitive information to attacker over Internet
         3. Gain privileged access to ACME Web Server
   6. Attack ACME Intranet using its connections with PTN (public telephone network, i.e. the dial-up users)
      OR 1. Monitor communications over PTN for leakage of sensitive information
         2. Gain privileged access to machines on Intranet connected via PTN

Page 13

Web Server Attack Refinement

Goal 5.3. Gain privileged access to ACME Web Server
AND 1. Identify ACME domain name
    2. Identify ACME firewall IP address
       OR 1. Interrogate Domain Name Server
          2. Scan for firewall identification
          3. Trace route through firewall to web server
    3. Determine ACME firewall access control
       OR 1. Search for specific default listening ports
          2. Scan ports broadly for any listening port
    4. Identify ACME web server operating system and type
       OR 1. Scan OS services' banners for OS identification
          2. Probe TCP/IP stack for OS characteristic information
    5. Exploit ACME Web Server vulnerabilities
       OR 1. Access sensitive shared intranet resources directly
          2. Access sensitive data from protected account on Web Server

Implied Intrusion Scenarios (one alternative from each OR sub-goal, listed in AND order; 3 × 2 × 2 × 2 = 24 in all):

(1, 2.1, 3.1, 4.1, 5.1)  (1, 2.2, 3.1, 4.1, 5.1)  (1, 2.3, 3.1, 4.1, 5.1)
(1, 2.1, 3.2, 4.1, 5.1)  (1, 2.2, 3.2, 4.1, 5.1)  (1, 2.3, 3.2, 4.1, 5.1)
(1, 2.1, 3.1, 4.2, 5.1)  (1, 2.2, 3.1, 4.2, 5.1)  (1, 2.3, 3.1, 4.2, 5.1)
(1, 2.1, 3.2, 4.2, 5.1)  (1, 2.2, 3.2, 4.2, 5.1)  (1, 2.3, 3.2, 4.2, 5.1)
. . .

Page 14

Populating the Survivability Map

• Ask the resist, recognize, recover questions at attack tree nodes
  – Resist: blocking a branch eliminates every scenario that traverses it
  – Recognize: detecting the actions at a node helps recognize the intrusion in progress
  – Recover: once an intrusion is detected, the steps that let the mission continue

• Prioritize branches (Threat × Vulnerability × Impact)

[The high-level attack tree for ACME, Inc. from page 12 is repeated here (goals 1 to 5, then "...") as the object of these questions.]
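Both the scenario list of page 13 and the resist question of page 14 are mechanical once the tree is a data structure: enumerate the scenarios, then re-enumerate with a node removed to see how many disappear. This is an added example, not code from the slides or from CERT; it encodes goal 5.3 from page 13, reproduces its scenario list in the slide's order, and answers "what does blocking this node eliminate?" for a leaf and for a whole sub-goal. The `Node`, `scenarios`, `blocking_eliminates` and `traversing` names are the editor's.

```python
"""Intrusion scenarios implied by an attack tree, and what resisting a node removes.

Added example, not from the slides. The tree is goal 5.3 (page 13).
"""
import itertools
from dataclasses import dataclass, field


@dataclass
class Node:
    label: str                              # outline number, e.g. "2.1"
    title: str
    op: str = "LEAF"                        # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


GOAL_5_3 = Node("5.3", "Gain privileged access to ACME Web Server", "AND", [
    Node("1", "Identify ACME domain name"),
    Node("2", "Identify ACME firewall IP address", "OR", [
        Node("2.1", "Interrogate Domain Name Server"),
        Node("2.2", "Scan for firewall identification"),
        Node("2.3", "Trace route through firewall to web server"),
    ]),
    Node("3", "Determine ACME firewall access control", "OR", [
        Node("3.1", "Search for specific default listening ports"),
        Node("3.2", "Scan ports broadly for any listening port"),
    ]),
    Node("4", "Identify ACME web server operating system and type", "OR", [
        Node("4.1", "Scan OS services' banners for OS identification"),
        Node("4.2", "Probe TCP/IP stack for OS characteristic information"),
    ]),
    Node("5", "Exploit ACME Web Server vulnerabilities", "OR", [
        Node("5.1", "Access sensitive shared intranet resources directly"),
        Node("5.2", "Access sensitive data from protected account on Web Server"),
    ]),
])


def scenarios(node, blocked=frozenset()):
    """Every scenario the tree implies, as a tuple of leaf labels in AND order.

    A label in `blocked` is treated as resisted: that node (or whole sub-goal)
    can no longer be achieved, so it contributes no scenarios.
    """
    if node.label in blocked:
        return []
    if node.op == "LEAF":
        return [(node.label,)]
    parts = [scenarios(c, blocked) for c in node.children]
    if node.op == "OR":                     # any one alternative
        return [s for part in parts for s in part]
    # AND: one scenario per combination, earliest sub-goal varying fastest (the
    # order the slide lists them in); an unachievable sub-goal empties the product
    return [tuple(step for piece in reversed(combo) for step in piece)
            for combo in itertools.product(*reversed(parts))]


def blocking_eliminates(tree, *labels):
    """Resist question: how many scenarios disappear if these nodes are blocked?"""
    return len(scenarios(tree)) - len(scenarios(tree, frozenset(labels)))


def traversing(tree, label):
    """Recognize question: the scenarios in which detecting this node's action matters."""
    return [s for s in scenarios(tree) if label in s]


if __name__ == "__main__":
    for s in scenarios(GOAL_5_3)[:4]:
        print(s)
    print(len(scenarios(GOAL_5_3)), "scenarios in all")
    print("blocking 2.1 eliminates", blocking_eliminates(GOAL_5_3, "2.1"))
    print("blocking sub-goal 1 eliminates", blocking_eliminates(GOAL_5_3, "1"))
```

Blocking one alternative under an OR node (2.1, say, by refusing zone transfers and limiting what the DNS advertises) removes only the scenarios through it; blocking any child of the root AND removes all 24, which is why the single-alternative sub-goal 1 is the tree's softest spot for resistance and the best place for recognition.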

Page 15

Reusing Patterns of Attack

Page 16

Reuse via Attack Patterns

attack pattern - an abstract description of a specific attack, containing
  – attacker goal
  – precondition for use
  – attack tree segment
  – postcondition

attack profile - a collection of related attack patterns, containing
  – common reference model
  – variation points that permit instantiation/extension
  – set of attack patterns
  – glossary

Page 17

Buffer Overflow Attack

Buffer Overflow Attack Pattern:
Goal: Exploit buffer overflow vulnerability to perform malicious function
PreCondition: Attacker can execute certain programs on the target system
Attack:
AND 1. Identify program on the target system susceptible to buffer overflow vulnerability
    2. Identify code that will perform malicious function when it executes with the program's privilege
    3. Construct input value that will force code to be in the program's address space
    4. Execute program in way that makes it jump to address where code resides
PostCondition: The target system performs malicious function

[Figure: the program invocation (execution) stack before and after the attack. Before: the activation record holds the program code's return pointer, local variables, and a buffer, with arrows marking the direction of stack growth and of buffer growth. After overflowing the program buffer with malicious input: the buffer and the values beyond it are overwritten with malicious code, and the return pointer is modified to point at that code.]

Page 18

Internet-Based Enclave Attack Profile

Reference Model:
[Figure: an Attacker on the Internet; a Firewall between the Internet and the Intranet; a User and a System inside The Org Enclave. The capitalized names Org, Firewall, System are the profile's variation points.]

Attack Patterns:
Buffer Overflow Attack Pattern:
Goal: Exploit buffer overflow vulnerability to perform malicious function
PreCondition: Attacker can execute certain programs on System
Attack:
AND 1. Identify program on System susceptible to buffer overflow vulnerability
    2. Identify code that will perform malicious function when it executes with the program's privilege
    3. Construct input value that will force code to be in the program's address space
    4. Execute program in way that makes it jump to address where code resides
PostCondition: System performs malicious function
…

Glossary:
buffer overflow vulnerability – a flaw in a program that, when executed with excessively long input values, causes the input to overflow into another portion of the execution stack. ...

Page 19

Attack Tree Refinement

Page 20

Attack Tree Refinement Process

Input: Enterprise - Mission - Threats - Architecture

[Flowchart; its decision points and actions, with the notes attached to them:]

Decisions:
• Attack tree refined sufficiently to construct survivability map? (yes: use attack tree to construct survivability map; Done?)
• Search Attack Pattern Library; Keep Searching? (consider attack profiles whose reference model represents the enterprise architecture)
• Applicable? (is there a node of the tree that is an instance of the pattern's goal?)
• Acceptable? (is the attack tree more representative of likely attacks? if not, Undo Pattern Application)

Actions:
• Extend attack tree manually
• Instantiate and Apply Pattern (instantiate the pattern based on the enterprise architecture and the goal node; incorporate the pattern tree at that node)
• Undo Pattern Application
• Use attack tree to construct survivability map

Page 21

Aligning Attack Profile to Architecture

• Requires instantiating variation points
  – ACME for Org, ACME Firewall for Firewall, ...
  – Instantiated attack patterns can then be used to refine the enterprise-specific attack tree

[Figure: the profile's reference model (Attacker, Internet, Firewall, Intranet, User and System inside The Org Enclave) mapped onto the ACME enterprise structure of page 11 (ACME HQ, Fenced Perimeter, Guard at Front Gate, Parking, Dumpster, Network Services, ACME Firewall, ACME Web Server, Remote Dial-up Users, Internet Users, Backbone)]

Page 22

Instantiation and Application

Buffer Overflow Attack Pattern: (instantiated for ACME)
Goal: Exploit buffer overflow vulnerability to access privileged account
PreCondition: Attacker can execute certain programs on ACME Web Server
Attack:
AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
    2. Identify code that would provide access to privileged account when executed with the program's privilege
    3. Construct input value that will force code to be in the program's address space
    4. Execute program in way that makes it jump to address at which code resides
PostCondition: Attacker can access privileged account

Applied at sub-goal 1 of node 5.3.5.2 of the ACME tree:

5.3.5.2 Access sensitive data from privileged account on ACME Web Server
AND 1. Get access to privileged account on ACME Web Server
       AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
           2. Identify code that would provide access to privileged account when executed with the program's privilege
           3. Construct input value that will force code to be in the program's address space
           4. Execute program in way that makes it jump to address where code resides
    2. Scan files for sensitive data

Page 23

Applying Attack Patterns

Notation: the Enterprise Attack Tree has a node GJ with children GK ... GK+n; the Attack Pattern has goal GR with sub-goals GS ... GS+m. Instantiation (i) yields iGR with sub-goals iGS ... iGS+m; Differentiation (d) yields dGJ. Each case reads: Enterprise Attack Tree + Attack Pattern = Resulting Attack Tree.

Leaf Node Application (iGR achieves GK+i):
  The leaf GK+i is refined by the instantiated pattern; it now decomposes into iGS ... iGS+m.

Non-Leaf Node Application to OR Decomposition (iGR achieves GJ):
  iGR is added under GJ as one more alternative beside GK ... GK+n.

Non-Leaf Node Application to AND Decomposition (iGR achieves GJ; dGJ achieves GJ):
  GJ becomes an OR over the differentiated node dGJ, which keeps the original AND decomposition GK ... GK+n, and iGR with its sub-goals iGS ... iGS+m.

Page 24

Unexpected Operator Attack Pattern

Unexpected Operator Attack Pattern:
Goal: Exploit unexpected operator vulnerability to perform malicious function
PreCondition: Attacker can execute certain programs on System
Attack:
AND 1. Identify program on System susceptible to unexpected operator vulnerability
    2. Identify (unexpected) operator that permits composing system calls
    3. Identify system call that would perform malicious function when executed with program's privilege
    4. Construct unexpected input by composing legal input value with system call using the unexpected operator
    5. Execute program on System with unexpected input
PostCondition: System performs malicious function

    program p (fname : string) =
        ...
        cmd = append ("Open ", fname)
        execute (cmd)
        ...

expected call:  p("data.txt")
malicious call: p("data.txt ; rm -rf *")
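The pseudocode above is the classic command-injection shape: the operator `;` is "unexpected" only to the program, not to the shell that finally interprets `cmd`. The following is an added example, not code from the slides or from CERT, that makes the vulnerable program runnable beside two hardened forms and a validation check. The stand-in program is `echo` and the injected command only prints a marker, so running it is harmless; it assumes a POSIX shell at /bin/sh, and the `p_vulnerable`, `p_hardened`, `p_quoted` and `has_unexpected_operator` names are the editor's.

```python
"""The unexpected-operator vulnerability of page 24, runnable (added example).

p(fname) appends a user-supplied file name to a command string and hands it to
a shell, so ';' composes a second command. Stand-in program: echo. Assumes a
POSIX /bin/sh.
"""
import shlex
import subprocess


def p_vulnerable(fname):
    """cmd = append("echo ", fname); execute(cmd) through the shell: the operator is interpreted."""
    cmd = "echo " + fname
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def p_hardened(fname):
    """Pass the name as one argv element and start no shell: there is no operator to exploit."""
    return subprocess.run(["echo", fname], capture_output=True, text=True).stdout


def p_quoted(fname):
    """If a shell really is needed, quote the value so the shell sees it as a single word."""
    return subprocess.run("echo " + shlex.quote(fname), shell=True,
                          capture_output=True, text=True).stdout


# Operators a POSIX shell uses to compose or redirect commands (pattern step 2).
SHELL_OPERATORS = (";", "|", "&", "`", "$(", "\n", ">", "<")


def has_unexpected_operator(value):
    """Validation/detection check: does the input carry an operator that composes commands?"""
    return any(op in value for op in SHELL_OPERATORS)


if __name__ == "__main__":
    legal, malicious = "data.txt", "data.txt ; echo INJECTED"
    print("expected call, vulnerable:", repr(p_vulnerable(legal)))
    print("malicious call, vulnerable:", repr(p_vulnerable(malicious)))   # second command ran
    print("malicious call, hardened: ", repr(p_hardened(malicious)))     # literal file name
    print("malicious call, quoted:   ", repr(p_quoted(malicious)))
    print("flagged by check:", has_unexpected_operator(malicious))
```

Of the two fixes, the argv form is the one to prefer: quoting is only as good as the quoting function's knowledge of the shell, whereas not starting a shell removes the whole class. The operator check belongs in the survivability map's "recognize" column, as a log-worthy event rather than the sole defence.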

Page 25

Instantiating Unexpected Operator Attack Pattern

Unexpected Operator Attack Pattern: (instantiated for ACME)
Goal: Exploit unexpected operator vulnerability to access privileged account
PreCondition: Attacker can execute certain programs on ACME Web Server
Attack:
AND 1. Identify program on ACME Web Server susceptible to unexpected operator vulnerability
    2. Identify (unexpected) operator that permits composing system calls
    3. Identify system call that would provide access to privileged account when executed with program's privilege
    4. Construct unexpected input by composing legal input value with system call using the unexpected operator
    5. Execute program on ACME Web Server with unexpected input
PostCondition: Attacker can access privileged account

Page 26

Application at a Non-Leaf Node

Before (point of application: sub-goal 1, an AND decomposition):

5.3.5.2 Access sensitive data from privileged account on ACME Web Server
AND 1. Get access to privileged account on ACME Web Server
       AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
           2. Identify code that would provide access to privileged account when executed with program's privilege
           3. Construct input value that will force code to be in the program's address space
           4. Execute program in way that makes it jump to address where code resides
    2. Scan files for sensitive data

Apply Unexpected Operator Attack Pattern

After (the existing AND is differentiated into alternative 1, and the instantiated pattern becomes alternative 2):

5.3.5.2 Access sensitive data from privileged account on ACME Web Server
AND 1. Get access to privileged account on ACME Web Server
       OR 1. Exploit buffer overflow vulnerability to get access to privileged account
             AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
                 2. Identify code that would provide access to privileged account when executed with program's privilege
                 3. Construct input value that will force code to be in the program's address space
                 4. Execute program in way that makes it jump to address where code resides
          2. Exploit unexpected operator vulnerability to get access to privileged account
             AND 1. Identify program on ACME Web Server susceptible to unexpected operator vulnerability
                 2. Identify (unexpected) operator that permits composing system calls
                 3. Identify system call that would provide access to privileged account when executed with program's privilege
                 4. Construct unexpected input by composing legal input value with system call using the unexpected operator
                 5. Execute program on ACME Web Server with unexpected input
    2. Scan files for sensitive data
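Pages 22 to 26 describe one procedure: bind the profile's variation points, then splice the instantiated tree segment in at a goal node using the leaf, OR and AND rules of page 23. The following is an added example, not code from the slides or from CERT, that carries that procedure through for the Unexpected Operator pattern and reproduces the "after" tree above. Variation points are written as `{System}`; the `{Function}` point is the editor's addition to capture the goal rewording on pages 22 and 25 ("perform malicious function" to "access privileged account"), and the `Node`, `Pattern`, `instantiate`, `apply_pattern` and `render` names are the editor's.

```python
"""Instantiating an attack pattern and applying it at a node (pages 22-26).

Added example, not from the slides. Variation points appear as {Name}.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    title: str
    op: str = "LEAF"                        # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


@dataclass
class Pattern:
    goal: str
    precondition: str
    attack: Node                            # attack tree segment whose root is the goal
    postcondition: str


UNEXPECTED_OPERATOR = Pattern(
    goal="Exploit unexpected operator vulnerability to {Function}",
    precondition="Attacker can execute certain programs on {System}",
    attack=Node("Exploit unexpected operator vulnerability to {Function}", "AND", [
        Node("Identify program on {System} susceptible to unexpected operator vulnerability"),
        Node("Identify (unexpected) operator that permits composing system calls"),
        Node("Identify system call that would {Function} when executed with program's privilege"),
        Node("Construct unexpected input by composing legal input value with system call "
             "using the unexpected operator"),
        Node("Execute program on {System} with unexpected input"),
    ]),
    postcondition="Attacker can {Function}",
)

ACME_BINDINGS = {"System": "ACME Web Server", "Function": "access privileged account"}


def instantiate(item, bindings):
    """Substitute every {VariationPoint}; an unbound point raises KeyError instead of leaking."""
    def sub(text):
        return re.sub(r"\{(\w+)\}", lambda m: bindings[m.group(1)], text)
    if isinstance(item, str):
        return sub(item)
    return Node(sub(item.title), item.op, [instantiate(c, bindings) for c in item.children])


def apply_pattern(node, pattern, bindings, differentiated_title=None):
    """Incorporate the instantiated segment iGR at `node` (in place) and return the node.

    Leaf:         the leaf takes over iGR's decomposition.
    OR non-leaf:  iGR becomes one more alternative.
    AND non-leaf: the existing AND is differentiated into dGJ; the node becomes OR(dGJ, iGR).
    """
    igr = instantiate(pattern.attack, bindings)
    if node.op == "LEAF":
        node.op, node.children = igr.op, list(igr.children)
    elif node.op == "OR":
        node.children.append(igr)
    else:
        dgj = Node(differentiated_title or node.title, "AND", node.children)
        node.op, node.children = "OR", [dgj, igr]
    return node


def acme_5_3_5_2_before():
    """Goal 5.3.5.2 after the buffer overflow pattern was applied (page 22)."""
    return Node("5.3.5.2 Access sensitive data from privileged account on ACME Web Server", "AND", [
        Node("Get access to privileged account on ACME Web Server", "AND", [
            Node("Identify program on ACME Web Server susceptible to buffer overflow vulnerability"),
            Node("Identify code that would provide access to privileged account when executed "
                 "with program's privilege"),
            Node("Construct input value that will force code to be in the program's address space"),
            Node("Execute program in way that makes it jump to address where code resides"),
        ]),
        Node("Scan files for sensitive data"),
    ])


def acme_5_3_5_2_after():
    """Page 26: apply the instantiated pattern at sub-goal 1, an AND decomposition."""
    root = acme_5_3_5_2_before()
    apply_pattern(root.children[0], UNEXPECTED_OPERATOR, ACME_BINDINGS,
                  "Exploit buffer overflow vulnerability to get access to privileged account")
    return root


def render(node, depth=0):
    """Outline in the slides' textual style: 'AND 1. ...' then numbered siblings."""
    lines = ["    " * depth + node.title]
    for i, child in enumerate(node.children, 1):
        tag = f"{node.op} " if i == 1 else "    "
        sub = render(child, depth + 1)
        sub[0] = "    " * (depth + 1) + f"{tag}{i}. " + sub[0].strip()
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    print("\n".join(render(acme_5_3_5_2_after())))
```

The AND case is the one worth a second look: appending the pattern's steps to an existing AND would have required both exploits for one privileged login, which is wrong, so the original sequence is first given its own differentiated name and the two become alternatives. The KeyError on an unbound point is deliberate; a pattern applied with a variation point still reading "{Firewall}" would silently describe no real system.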

Page 27

Auxiliary Attack Patterns

Access Control Discovery Attack Pattern:
Goal: Identify Firewall access controls
PreCondition: 1. Attacker knows Firewall IP address
Attack:
OR 1. Search for specific default listening ports
   2. Scan ports broadly for any listening ports
   3. Scan ports stealthily for listening ports
      OR 1. Randomize target of scan
         2. Randomize source of scan
         3. Scan without touching target host
PostCondition: Attacker knows Firewall access controls

IP Address Discovery Attack Pattern:
Goal: Identify Org's Firewall IP address
PreCondition: 1. Attacker knows Org's domain name
Attack:
OR 1. Interrogate Domain Name Server
   2. Trace route through Firewall to Org's web server
   3. Scan for Firewall IP address
PostCondition: Attacker knows Firewall IP address

The postcondition of IP Address Discovery is the precondition of Access Control Discovery, so the two patterns chain; instantiated for ACME they are the sub-goals 2 and 3 of goal 5.3 (page 13), with the stealthy-scan alternative as a refinement.

Page 28

Conclusions

Page 29

What We Can Do

• Generate enterprise-specific attack trees
• Organize SNA intrusion scenarios
• Help populate the enterprise survivability map
• Reuse previously developed attack patterns
• Classify attack patterns to promote discovery/instantiation

Page 30

Future Work

• Validate practicality/scalability of approach
• Develop/refine broad range of attack profiles
• Assess particular attacker's ability to traverse attack tree
• Prioritize branches based on enterprise mission/vulnerability
• Formalize model of attack tree refinement/analysis
• Determine role of automation

Measure of Success:
Will we use this approach in our next full-scale SNA application?