ICT systems have become an integral part of business and life. At the same time, these systems have become extremely complex, often hosting thousands of software applications, databases, operating systems, servers, processes, data stores, and more. In these complex systems-of-systems lie numerous vulnerabilities waiting to be exploited by potential threat actors. Examples include power grids being shut down, cars being taken over, and financial institutions being hit by server-side and denial-of-service attacks.
In individual organizations, many stakeholders are interested in managing the IT landscape and its security. For some stakeholders a system overview is enough, while others require details. This is mirrored in commonly employed tools, e.g. Visio and PowerPoint for C-level management and vulnerability scanners for network administrators. These solutions tend to focus either on providing a holistic view of the system without any connection to the actual details, or on a small part of the system, thus neglecting the bigger picture. Hence, there is a need for holistic approaches that also consider technological details. However, most available approaches are driven by manual labor and require a high level of expertise, which in information security is both expensive and hard to come by.
This project focuses on attacker-centric threat modeling and attack simulation techniques for automated threat identification and quantification based on network and system modeling. Instead of relying on human expertise to analyze a model, decide whether it is secure or not, and locate the key flaws in the architecture, this approach performs the analysis automatically. That is, the security expertise is built into the model. The analysis produces probability distributions over the Time To Compromise (TTC) for each asset in the system.
The proposed approach thus addresses both technical component-level vulnerabilities and structural (architectural / system-level) vulnerabilities.
In general terms a vulnerability is a weakness that allows a malicious actor to decrease a system’s confidentiality, integrity and/or availability.
A component vulnerability is a weakness in one single entity of a system. This can for instance be a software vulnerability, a non-security-aware person, or a poorly configured firewall. Tools such as vulnerability scanners typically find known component vulnerabilities.
A structural vulnerability is a weakness in a system composed of a set of component vulnerabilities that together create a critical path for an attack, or a weakness that arises from poor system architecture. An example is a non-security-aware person working in a critical part of a system, not patching the software when needed, and at high risk of giving away critical information in a phishing attack.
Studies have shown that attackers do not always exploit the most critical known vulnerability when breaking into a system, but rather a combination of less critical vulnerabilities. Since most organizations do not have the time, money or competence to fix all their known vulnerabilities, there is a need to prioritize, both where to start and in what order to proceed. Relying solely on a criticality score, or looking at each vulnerability in isolation, is therefore not a good strategy.
Also, today's systems are becoming extremely large, with thousands of components all dependent on each other in a complex network. No person or team can oversee and handle such a system-of-systems without proper support. There are often parts that are neglected, missed or forgotten, and a single connection between two components that is not supposed to be there can compromise the whole system. A holistic view of the system is therefore important in order to find structural vulnerabilities. As soon as you simplify the system, you risk missing architectural misconfigurations or bad design, and thereby structural vulnerabilities.
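The following is an added, self-contained example (not the project's own tool or modeling language) of the kind of computation the text describes: a small probabilistic attack graph whose steps carry an assumed exponential Time To Compromise, a Monte Carlo propagation that yields a TTC distribution per asset, and a ranking of single mitigations by how much time they buy. The model, step names and TTC parameters are constructed for illustration. It contrasts one critical but hard-to-reach flaw with a chain of individually minor weaknesses (phishable employee, unpatched internal application, over-permissive firewall rule, reusable credentials), which is the structural vulnerability the text warns about.

```python
import heapq
import random
from dataclasses import dataclass, field

# Constructed toy attack-graph model; class, step names and parameters are
# assumptions made for this example, not part of the project described above.


@dataclass
class Step:
    name: str
    mean_ttc: float                 # expected days an attacker needs once the step is reachable
    kind: str = "or"                # "or": any parent suffices; "and": every parent is required
    parents: list = field(default_factory=list)


def sample_run(graph, entry, rng):
    """One Monte Carlo run: draw a local effort for every step (exponential with the given
    mean), then propagate earliest compromise times from the entry point with Dijkstra.
    OR steps start when their first parent falls, AND steps when their last parent falls."""
    local = {n: rng.expovariate(1.0 / s.mean_ttc) if s.mean_ttc > 0 else 0.0
             for n, s in graph.items()}
    children = {n: [] for n in graph}
    for n, s in graph.items():
        for p in s.parents:
            children[p].append(n)
    done, heap = {}, [(0.0, entry)]
    while heap:
        t, n = heapq.heappop(heap)
        if n in done:
            continue                # stale heap entry; this step was already finalised
        done[n] = t
        for c in children[n]:
            s = graph[c]
            if s.kind == "or":
                heapq.heappush(heap, (t + local[c], c))
            elif all(p in done for p in s.parents):
                heapq.heappush(heap, (max(done[p] for p in s.parents) + local[c], c))
    return done                     # step -> compromise time; unreached steps are absent


def simulate(graph, entry, runs=4000, seed=7):
    """Per-step TTC statistics over many runs: reach probability and 5/50/95 percentiles."""
    rng = random.Random(seed)
    samples = {n: [] for n in graph}
    for _ in range(runs):
        for n, t in sample_run(graph, entry, rng).items():
            samples[n].append(t)
    out = {}
    for n, xs in samples.items():
        xs.sort()
        q = lambda p: xs[min(len(xs) - 1, int(p * len(xs)))]
        out[n] = ({"p_reach": len(xs) / runs, "p05": q(0.05), "median": q(0.5), "p95": q(0.95)}
                  if xs else {"p_reach": 0.0})
    return out


def mitigate(graph, name):
    """Copy of the model with attack step `name` removed (patched, retrained, reconfigured).
    OR steps merely lose one option; an AND step that needed it becomes unreachable."""
    new = {}
    for n, s in graph.items():
        if n == name:
            continue
        parents = [] if (s.kind == "and" and name in s.parents) else [p for p in s.parents if p != name]
        new[n] = Step(n, s.mean_ttc, s.kind, parents)
    return new


def rank_mitigations(graph, entry, target):
    """Which single fix buys the most time? Re-simulate once per removed step and sort by
    the resulting median TTC of the target (an unreachable target counts as infinite)."""
    rows = []
    for n in graph:
        if n in (entry, target):
            continue
        r = simulate(mitigate(graph, n), entry)[target]
        rows.append((n, r.get("median", float("inf"))))
    return sorted(rows, key=lambda row: -row[1])


# Constructed model: a critical remote flaw on the database host (hard to reach, mean 60
# days) versus a chain of minor weaknesses that together form a critical path.
MODEL = {
    "Internet":            Step("Internet", 0.0),
    "ExploitDBRemote":     Step("ExploitDBRemote", 60.0, parents=["Internet"]),
    "PhishEmployee":       Step("PhishEmployee", 4.0, parents=["Internet"]),
    "HarvestCredentials":  Step("HarvestCredentials", 2.0, parents=["PhishEmployee"]),
    "ExploitUnpatchedApp": Step("ExploitUnpatchedApp", 3.0, parents=["PhishEmployee"]),
    "FirewallMisconfig":   Step("FirewallMisconfig", 1.0, parents=["ExploitUnpatchedApp"]),
    "DBReachWithCreds":    Step("DBReachWithCreds", 0.5, "and", ["FirewallMisconfig", "HarvestCredentials"]),
    "CustomerDB":          Step("CustomerDB", 0.5, parents=["ExploitDBRemote", "DBReachWithCreds"]),
}

if __name__ == "__main__":
    for step, r in simulate(MODEL, "Internet").items():
        print(f"{step:20s} {r}")
    for step, med in rank_mitigations(MODEL, "Internet", "CustomerDB"):
        print(f"remove {step:20s} -> median TTC(CustomerDB) = {med:.1f} days")
```

Running it shows the structural point: the database's median TTC is driven by the chain of minor steps, not by the 60-day critical flaw, and removing any step on the chain (for example the phishable employee) pushes the median up far more than removing the critical remote exploit does. The exponential TTC assumption and the OR/AND propagation are simplifications chosen for the example; the published approach cited below uses richer distributions and a far larger modeling vocabulary.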
Pontus Johnson, Alexandre Vernotte, Dan Gorton, Mathias Ekstedt, and Robert Lagerström, "Quantitative Information Security Risk Estimation using Probabilistic Attack Graphs," in Proc. of the 4th International Workshop on Risk Assessment and Risk-driven Quality Assurance (RISK), in conjunction with the 28th International Conference on Testing Software and Systems (ICTSS), Oct. 2016.
Pontus Johnson, Alexandre Vernotte, Mathias Ekstedt, and Robert Lagerström, "pwnPr3d: an Attack Graph Driven Probabilistic Threat Modeling Approach," in Proc. of the International Conference on Availability, Reliability and Security (ARES), Sept. 2016.
Alexandre Vernotte, Pontus Johnson, Mathias Ekstedt, and Robert Lagerström, "In-Depth Modeling of the UNIX Operating System for Architectural Cyber Security Analysis," in Proc. of the 9th International Workshop on Vocabularies, Ontologies and Rules for the Enterprise, co-located with the 21st IEEE International EDOC Conference, 2017.