A Holistic Approach to Evaluate Cyber Threatstids.c4i.gmu.edu/papers/STIDSPresentations/STIDS... · Step #5.1: Assemble the P matrix Semantic Technology for Intelligence, Defense,

A HOLISTIC APPROACH TO EVALUATE CYBER THREAT

Márcio Conte Monteiro (ICEA)Thalysson Sarmento (ICEA)Alexandre Barreto (ICEA)Paulo Costa (GMU)

Agenda

11/15/2016Semantic Technology for Intelligence, Defense, and Security (STIDS 2016)

2

¨ Motivation¨ Background¨ The Proposed Metric¨ Results¨ Final Remarks

Bottom Line Up Front!


3

¨ Several vulnerability databases and standards are currently available for infrastructure security assessment

¨ Focus is on specificities, mostly failing to provide support holistic analyses

¨ We address this gap by proposing an ontology-supported holistic approach for evaluating infrastructure security that leverages:¤ Current security standards and databases¤ Human factors to build a broader and interconnected view

Common Vulnerabilities and Exposures


4

¨ CVE is a standard for cataloging vulnerabilities of

computer systems (ITU-T standard)

¨ The de facto standard to report and communicate

software vulnerabilities between organizations and

entities

¨ Heavily used by automatic security assessment tools

(e.g., Nessus and OpenVAS)

CVE Attributes


5

¨ CVE identifier¨ Vulnerability type (e.g., buffer overflow)¨ Vendor¨ List of vulnerable products¨ Attack type (e.g., remote)¨ Impact (e.g., code execution, DoS, information

disclosure)

Case in Point


6

Although those standards are very efficient in cataloging and prioritizing software

vulnerabilities, system administrators are usually interested in knowing how vulnerable their

network is a whole, not only that of individual hosts.

Common Vulnerability Scoring System


7

¨ CVSS is a framework for further describing software vulnerabilities,

as well as providing quantification assessment

¨ Built on top of CVS

¨ Scores the vulnerabilities with respect to their severity, impact and

exploitation capacity

¨ One of the most important CVSS databases is hosted and managed

by the National Vulnerability Database (NVD), which provides the

scores for most known vulnerabilities.

CVSS Metric Groups


8

¨ Base: represents the intrinsic qualities of vulnerabilities

¨ Temporal: reflects the features that changes over time

¨ Environmental: represents features that are unique to the user’s environment

CVSS Attributes


9

¨ Attack vector¨ Attack complexity¨ Privileges required¨ User interaction¨ Scope¨ Confidentiality impact¨ Integrity impact¨ Availability impact

• Impact Score

• Exploitability Score

Human Factors


10

¨ Play an important role in whole security

¨ Users can be used as attack vectors

¨ We propose to rate users in a CVSS-like fashion:¤ Impact score¤ Exploitability score

The Proposed Metric

11/15/2016

11

Semantic Technology for Intelligence, Defense, and Security (STIDS 2016)


12

WHAT (Activity)WHY (Goal and Desire Effect)HOW (Resource and Guidance)WHO (Performer)WHERE (Location)WHEN (Timestamp and Event)

Sample Network


13

Step #1: Complete Inventory


14

¨ Obtain a complete and detailed asset inventory of your target network

Step #1: Complete Inventory


15

¨ (1): Apache/2.4.7 (Ubuntu)¨ (2): pfSense 2.3.2-p1 RELEASE¨ (3): Cisco Nexus 7700 Sup. 2E¨ (4-6): Win. 7 Home Basic (SP1)¨ (7): Internet¨ (8): Employee #1¨ (9): Employee #2¨ (10): System administrator

Step #2: Communications


16

¨ Map the communication between assets, including the users.



17

MATRIX AUTOMATICALLY BUILT VIA A SPARQL QUERY AGAINST THE ONTOLOGY



18



19

¨ There are different approaches for building such

graph and defining the underlying metrics

¨ Ontologies and Semantic Techniques can be used

to refine the interdependencies between the nodes,

assets, and users.

Step #3: Vulnerabilities Assessment


20

¨ Obtain CVE and CVSS for all hosts¨ Estimate users’ “CVSS-like” metric (not discussed in

this work)

Step #3: Vulnerabilities Assessment


21

¨ Example for a host¨ CVE #1:

¤ CVSS: “CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H”

¨ CVE #2: ...

Version 3.0

Attack vector: network

Attack complexity:

low

Privileges required:

low

User Interaction: required

Scope: changed

Confidentiality Impact: low

Integrity Impact:

low

Availability impact: high

Step #4: Calculating Scores


22

¨ Based on CVSS, calculate the impact score and

exploitability score.

¨ For hosts and system, use the standard metric

¨ For users, it must be defined (not discussed in this

work).

Step #4: Calculating Scores


23

CVE

CVSS

Impact ScoreExploitability

Score

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

5.3 2.3

CVE-2014-0160

Step #5: Computing the proposed metric


24

¨ Step 5.1: Assemble the P matrix

¨ Step 5.2: Compute the convex hull

¨ Step 5.3: Compute the area of the convex hull

Step #5.1: Assemble the P matrix


25

¨ Organize all scores (from all assets) in matrix form:

Impact Score Exploitability Score

Vulnerability #1

Vulnerability #N

Lower boundaries

Steps #5.2 and #5.3: Convex Hull


26

¨ Quickhull algorithm: computes the convex hull of a finite set of points in the plane using divide and conquer approach.

Highly Insecure Network


27

Convex Hull

Area

More Secure Network


28

Convex Hull

Area

Final Remarks


29

¨ Presented an ontology-based approach for

analyzing the vulnerability of a network

¨ Multiple-criteria analysis

¨ Admits modeling of human factors in CVSS-like

metric

Thanks for your Attention

30

Documents

A Holistic Approach to Evaluate Cyber Threatstids.c4i.gmu.edu/papers/STIDSPresentations/STIDS... · Step #5.1: Assemble the P matrix Semantic Technology for Intelligence, Defense,