
Systematic Network Vulnerability Analysis based on Attack Graphs

Roland Rieke
Fraunhofer-Institut Sichere Telekooperation
Rheinstrasse 75, D-64295 Darmstadt, Germany
E-Mail: rieke@sit.fraunhofer.de
http://private.sit.fraunhofer.de/˜rol
http://www.sit.fraunhofer.de/meta

CELTIC Information Day 2004

Roland Rieke Network Vulnerability Analysis based on Attack Graphs


Challenge: Protect Critical Information Infrastructures

Process to guide the systematic protection


1 identify the organization’s critical infrastructures
2 determine the threats against those infrastructures
3 analyse the vulnerabilities of threatened infrastructures
4 assess the risks of degradation/loss of a critical infrastructure
5 apply countermeasures where risk is unacceptable

Objective of proposed Project


support this analytical process
develop tool based methods for a systematic evaluation
assist with finally determining exactly what really needs
protection & which strategy and means to apply


Example Scenario

[Figure: an attacker at a "telework" host reaches the Enterprise Network over the Internet. Hosts shown: portal, nix_host, db_server, ms_host. A Vulnerability DB annotates the hosts with CVE/CAN identifiers (among them CAN_2003_0620, CAN_2003_0693, CAN_2003_0694, CVE_1999_0035, CAN_2002_0649, CAN_2002_1262, CAN_2003_0715). IDS_type1 detects CAN_2003_0693_ssh_exploit & rsh_login; IDS_type2 detects CAN_2002_0649_sql_exploit. Legend: CVE/CAN = common vulnerabilities and exposures; IDS = intrusion detection system.]


Approach: Attack Graph Computation & Analysis

Exploits (from the vulnerability data)
- Identifier
- Preconditions
- Impact

Attacker
- select Exploit
- select Source + Target
- apply Exploit

Enterprise Network (state components)
- Hosts (Products, Services)
- Topology (Firewalls)
- Intrusion Detection Systems

[Figure: attack graph. Starting from the initial state, each applied exploit (or a counteraction or service) is a state transition; the nodes M-1, M-2, M-3, M-4, M-8, M-9 are the possible global states reached.]


Attack Graph Analysis: Questions

Survivability
- Can a client get answers from a DB-server when the network is under attack?

Check security properties
- What security goals can be broken by a combination of exploits?

Quick check "am I affected"
- Am I affected by a newly found vulnerability?

Intrusion detection
- What attacks are detected?
- What are the effects of changes to intrusion detection systems?

Cost/Benefit analysis
- Find the least cost attack breaking a given security property?

Abstraction
- How much impact can an attacker produce given a set of exploits?
- What does the attack graph look like when only attacks that affect mission critical resources are shown?

[Figure: attack graph with states M-1, M-2, M-3, M-4, M-8, M-9]
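As an added example (not the prototype tool from this talk), the following Python sketch computes the attack graph described on the Approach slide by exploring the global states reachable from the attacker's initial state, then answers three of the questions above: the least cost attack breaking a security property, whether that attack is detected, and the effect of changing the IDS placement. The reachability topology, exploit costs and IDS coverage are constructed assumptions; host names, CVE/CAN identifiers and IDS types come from the scenario figure.

```python
import heapq
from itertools import count, product

# Constructed model: which host can open connections to which, and which
# vulnerability each host carries (host names and CVE/CAN ids as in the figure).
REACH = {"telework": {"portal"}, "portal": {"nix_host", "ms_host"},
         "nix_host": {"db_server"}, "ms_host": {"db_server"}}
VULN = {"portal": {"CAN_2003_0693"}, "nix_host": {"CAN_2003_0694"},
        "ms_host": {"CAN_2002_1262"}, "db_server": {"CAN_2002_0649"}}
# exploit -> (needed vulnerability on target, assumed cost, detecting IDS or None)
EXPLOITS = {"CAN_2003_0693_ssh_exploit": ("CAN_2003_0693", 2, "IDS_type1"),
            "CAN_2003_0694_exploit": ("CAN_2003_0694", 3, None),
            "CAN_2002_1262_exploit": ("CAN_2002_1262", 1, None),
            "CAN_2002_0649_sql_exploit": ("CAN_2002_0649", 2, "IDS_type2")}

def transitions(state, ids_deployed):
    """Enabled moves from a global state (the set of attacker-controlled hosts):
    precondition = attacker holds src, src reaches dst, dst has the vulnerability;
    impact = attacker also holds dst. Yields (label, next_state, cost, detected)."""
    for (ex, (vuln, cost, ids)), src in product(EXPLOITS.items(), state):
        for dst in REACH.get(src, set()) - state:
            if vuln in VULN.get(dst, set()):
                yield (ex, src, dst), state | {dst}, cost, ids in ids_deployed

def attack_graph(initial, ids_deployed=()):
    """Explore every global state reachable from the initial state."""
    graph, todo = {}, [frozenset(initial)]
    while todo:
        s = todo.pop()
        if s not in graph:
            graph[s] = list(transitions(s, ids_deployed))
            todo += [nxt for _, nxt, _, _ in graph[s]]
    return graph

def least_cost_attack(graph, initial, violated, stealth=False):
    """Dijkstra: cheapest exploit sequence to a state violating the security
    property, as (cost, labels), or None; stealth=True skips detected moves."""
    pq, seen, tick = [(0, 0, frozenset(initial), [])], set(), count(1)
    while pq:
        cost, _, s, path = heapq.heappop(pq)
        if violated(s):
            return cost, path
        if s in seen:
            continue
        seen.add(s)
        for label, nxt, c, detected in graph[s]:
            if not (stealth and detected):
                heapq.heappush(pq, (cost + c, next(tick), nxt, path + [label]))
    return None
```

With no IDS deployed the cheapest path to db_server costs 5 and goes through ms_host; deploying either IDS type removes every undetected path to db_server, but only IDS_type1 also covers the path to nix_host.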


Scope of proposed Project

Develop Methodology & Tool support


1 specification of critical network infrastructures
2 specification of known threats against network
3 analyse the vulnerabilities & verify security properties
4 cost-benefit analysis using risk assessments
5 survivability & countermeasure evaluation

Current Status
some research work on methodology and prototype tool done
presentation at Eicar Conference (May 2004)
(industrial) partners needed for potential CELTIC consortium
proposed work could be part of CELTIC Security Laboratory
