Attack Simulations for Defense
Assessing the security of ICT systems, from small embedded systems to defense IT infrastructures, is difficult. To identify vulnerabilities, one must understand a vast range of security-relevant features of the system, and then consider all potential attacks.
This presents a number of challenges. First, it is difficult to know what information about the system to collect: which properties of the system are actually security-relevant? Second, it is often hard to actually collect that information. Third, it is difficult and often time-consuming to analyze the collected information to find all exploitable security weaknesses. Fourth, even if all security weaknesses are identified, the complex task of understanding how single weaknesses can be combined or depend on one another still remains.
To support these challenging tasks, we have proposed the use of attack simulations based on system architecture models. In this scheme, a digital model of the system is subjected to simulated cyber attacks to identify the greatest weaknesses. Conceptually, this can be considered a virtual thought experiment replicating many parallel penetration tests.
The attack simulations considered here are based on attack graphs representing the dependencies between the steps that may be performed by the attacker. For instance, an attacker might (i) compromise a host, (ii) find stored credentials, and (iii) use the credentials to compromise a second host. The simulation results then map out which attacks are possible, the sequences of steps required to conduct them, and how much time is required to succeed.
The Meta Attack Language (MAL) will be employed to perform the aforementioned attack simulations. MAL is a language for creating domain-specific modeling languages. These specific languages, in turn, have two primary abilities. The first is to describe the systems and environments under assessment. The second is to use those descriptions to automatically assemble the attack graphs used in the attack simulations. With such an attack simulation tool, the security assessor no longer has to decide which security-relevant information to collect (the modeling language defines it) and, especially, is relieved of the time-consuming analyses. The assessor can therefore focus on gathering the system information the modeling language requires and running the simulations.
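The two-host scenario (i) to (iii) above, with the OR/AND step dependencies and time-to-compromise (TTC) values that attack-graph simulations reason about, as an added Python example that is not part of this page and is not MAL or its toolchain: the `AttackGraph` class, the step names, and the hour-valued TTCs are constructed for illustration. It also shows the defender's reading of the result: with no stored credentials to harvest, the second host becomes unreachable.

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    ttc: float                  # expected local effort, in hours (assumed unit)
    kind: str = "or"            # "or": any parent suffices; "and": all parents needed
    parents: set = field(default_factory=set)

class AttackGraph:
    def __init__(self):
        self.steps = {}

    def add(self, name, ttc=0.0, kind="or"):
        self.steps[name] = Step(ttc, kind)

    def edge(self, src, dst):
        self.steps[dst].parents.add(src)

    def simulate(self, entry):
        """Expected time at which each step becomes reachable from `entry`.
        OR steps take the earliest parent, AND steps the latest; unreached steps are absent."""
        reached, changed = {entry: self.steps[entry].ttc}, True
        while changed:              # relax until no expected time improves
            changed = False
            for name, s in self.steps.items():
                times = [reached[p] for p in s.parents if p in reached]
                if not times or (s.kind == "and" and len(times) < len(s.parents)):
                    continue
                t = (max(times) if s.kind == "and" else min(times)) + s.ttc
                if t < reached.get(name, float("inf")):
                    reached[name], changed = t, True
        return reached

def lateral_movement(credentials_stored=True):
    """Constructed two-host scenario from the text; TTC values are illustrative."""
    g = AttackGraph()
    g.add("host1.compromise", ttc=8)
    g.add("host1.findCredentials", ttc=2)
    g.add("host2.connect", ttc=1)
    g.add("host2.authenticate", ttc=0.5, kind="and")  # needs network path AND credentials
    g.add("host2.compromise")
    g.edge("host1.compromise", "host2.connect")
    g.edge("host2.connect", "host2.authenticate")
    g.edge("host1.findCredentials", "host2.authenticate")
    g.edge("host2.authenticate", "host2.compromise")
    if credentials_stored:      # the weakness a defender could remove
        g.edge("host1.compromise", "host1.findCredentials")
    return g.simulate("host1.compromise")
```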