A PRM‐based Approach to Assessment of Network Security. Fredrik Löf, Johan Stomberg, Teodor Sommestad, Mathias Ekstedt Royal Institute of Technology Jonas Hallberg, Johan Bengtsson Swedish Defence Research Agency. Agenda. Aim, Scope and Requirements Related works – Attack Graphs - PowerPoint PPT Presentation
1
A PRM-based Approach to Assessment of Network Security
Fredrik Löf, Johan Stomberg, Teodor Sommestad, Mathias Ekstedt, Royal Institute of Technology
Jonas Hallberg, Johan Bengtsson, Swedish Defence Research Agency
2
Agenda
• Aim, Scope and Requirements
• Related works – Attack Graphs
• The Probabilistic Relational Model (PRM) approach in general
• The example from the paper
3
The control system is complex
• Advanced functionality
• Interconnected
• Heterogeneous third-party components
Actually, I don’t even know everything I have out there…
Is my control system secure enough?
4
Vulnerabilities are potentially everywhere
[Figure: control system architecture. Geographically distributed process with RTU / PLC units and automation systems for substations; communication networks and communication equipment (front-end); SCADA LAN with SCADA server (online/standby), workstations for operators, application servers and advanced workstations; DMZ LAN with webserver / historic; office LAN; firewalls between the zones; ICCP to other control centers; modem access for system vendors; Internet / WAN.]
And how does all of this relate? How do vulnerabilities propagate?
5
Poor decision support for cyber security
• Plenty of reference material:
  o NIST SP 800-82, NERC CIP, ISO 27004, ISA-SP99, material from US-CERT, SCADA Procurement Language, CORAS, OCTAVE, CRAMM…, books, articles… Vulnerability databases, Wikipedia…
• But, how do they relate? Overlap. Different focus.
• Blank spots? Consequences. Priorities. No holistic scope that helps the decision maker see consequences of decisions
Should I spend my budget on a staff training program, logging functionality, or new firewalls?
6
Requirements from the decision-maker
• Relevant predictions of security risk of solutions
  o Holistic scope of the assessment
  o High enough precision of assessment
    • At least order different solution alternatives
  o The likelihood of security breaches/incidents (could be seen as part of the definition of ”risk”)
• Minimize work for the decision-maker
  o Low cost to perform analyses/assessments
    • Practical availability of data needed for the analyses (I know I use DNP3, perhaps that it is encrypted, definitely not the encryption algorithm/strength)
    • Reusability of analysis data (I can’t afford to start from scratch every time security is to be reviewed/considered)
    • Compatible to other types of analyses (security is one out of many properties…)
  o Theory should not need to be known in detail to decision-maker (I know what I have, not exactly how security works (compare to users of CAD programs))
• Support is needed now! Decisions are taken today no matter if relevant topics are researched or not…
9
Attack graphs (our fundament)
Picture from: Heberlein et al., A Taxonomy for Comparing Attack-Graph Approaches. Retrieved from http://www.netsq.com/Documents/AttackGraphPaper.pdf.
The network’s state
The attacker’s identity/identities
Condition/state
10
Applying attack graphs
Theory
System model
State X reachable?
Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.
11
• Identity: For all hosts, what access level does the adversary own?
• Network:
  • For all hosts, what vulnerable services are running? (what ports are open)
  • Is there a physical connection between host X and host Y?
  • Can service Z on host Y be called from host X?
  • What paths does the IDS monitor?

ServiceAccessible?   Service 1   . . .   Service N
Host 1               1                   0
...
Host N               0                   1

Attack steps / Conditions
12
Host
Malicious code attack
Admin level request
13
Others that suggest probabilistic attack graphs
• Sheyner, O., Scenario graphs and attack graphs, PhD thesis, Carnegie Mellon University, 2004
• Liu, Y., & Hong, M., Network vulnerability assessment using Bayesian networks. In Proceedings of Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security (pp. 61-71). Orlando, Florida, USA, 2005.
• M. Frigault and L. Wang. Measuring network security using Bayesian network-based attack graphs. In Proceedings of the 3rd IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA’08), 2008.
• M. Frigault, L. Wang, A. Singhal, and S. Jajodia. Measuring network security using dynamic Bayesian network. In Proceedings of the 4th ACM workshop on Quality of protection, 2008.
• Homer, J., Manhattan, K., Ou, X., Schmidt, D., A Sound and Practical Approach to Quantifying Security Risk in Enterprise Networks. Kansas State University, 2010 http://people.cis.ksu.edu/~xou/publications/tr_homer_0809.pdf.
14
Theory
System model
P(State X reachable)
Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.
PRMs (Probabilistic relational models)
General conditional probabilities
Also includes humans, processes etc
Manual
15
Probabilistic attack/defense graphs - theory

                          Asset inventory
Use unknown connection    True    False
True                      0.02    0.08
False                     0.98    0.92
16
Probabilistic attack/defense graphs - data
Possible
Impossible
Possible
Impossible
17
Connecting attack/defense graphs and modeling languages
More formally… Probabilistic Relational Models (http://dags.stanford.edu/PRMs/)
18
But, where do the conditional probabilities come from?
• Existing knowledge
  o Documented knowledge (Literature / articles / reports / vulnerability DBs / …)
    • Typically detailed knowledge that needs to be abstracted
  o Experts
• Not yet elicited knowledge
  o Experiments
  o Observations
  o Case studies
• Our principal strategy is not to discover new theory but to combine existing theory into a consistent, more holistic model
  o Sure, we know too little…
  o But, many practitioners also use too little of what we already know…

                          Asset inventory
Use unknown connection    True    False
True                      0.02    0.08
False                     0.98    0.92
19
The example: a PRM for Network Security
Firewall.MaliciousCodeAttack              T      T      F      F
Firewall.ExploitRemoteAccess              T      F      T      F
Firewall.BypassSpoofCountermeasure = T    1      1      1      0.05
Firewall.BypassSpoofCountermeasure = F    0      0      0      0.95
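How the conditional probability tables on these slides turn into an assessment figure, as an added example that is not part of the original presentation: the two CPTs are copied from the slides, while the firewall instance names, the prior probabilities of the parent attack steps and the assumption that the parents are independent are constructed for illustration.

```python
from itertools import product

# From the slide: P(BypassSpoofCountermeasure=T | MaliciousCodeAttack, ExploitRemoteAccess)
BYPASS_SPOOF_CPT = {
    (True, True): 1.0,
    (True, False): 1.0,
    (False, True): 1.0,
    (False, False): 0.05,
}
# From the slides: P(UseUnknownConnection=T | AssetInventory)
UNKNOWN_CONN_CPT = {(True,): 0.02, (False,): 0.08}


def p_child_true(cpt, parent_probs):
    """Marginal P(child=T), enumerating every combination of parent states.

    parent_probs holds P(parent=T) for each parent; the parents are
    assumed independent (an assumption of this example, not of the paper).
    """
    total = 0.0
    for states in product([True, False], repeat=len(parent_probs)):
        weight = 1.0
        for state, p in zip(states, parent_probs):
            weight *= p if state else 1.0 - p
        total += weight * cpt[states]
    return total


def assess(firewalls):
    """PRM idea: one class-level CPT is reused for every Firewall instance."""
    return {
        name: p_child_true(BYPASS_SPOOF_CPT, (f["malicious_code"], f["remote_access"]))
        for name, f in firewalls.items()
    }


# Constructed architecture model: two Firewall objects with assumed parent priors.
FIREWALLS = {
    "dmz_fw": {"malicious_code": 0.20, "remote_access": 0.10},
    "scada_fw": {"malicious_code": 0.05, "remote_access": 0.00},
}

if __name__ == "__main__":
    for name, p in assess(FIREWALLS).items():
        print(f"{name}: P(BypassSpoofCountermeasure) = {p:.4f}")
    # Defense side: how certainty about the asset inventory changes the estimate.
    for p_inventory in (1.0, 0.5, 0.0):
        p = p_child_true(UNKNOWN_CONN_CPT, (p_inventory,))
        print(f"P(AssetInventory)={p_inventory}: P(UseUnknownConnection) = {p:.3f}")
```
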
20
Indication of quality of the theory
Classes and attributes              Qualitative         Quantitative   Uncertainty
Firewall Class
  Bypass Packet Filtering           [10,13,17,18]       **             H
  Spoof Attack                      [10,13,19]          *              L
  Bypass Spoof Countermeasure       [10,13,19,11]       **             H
  Reconnaissance Attack             [9,15,20,16,21]     **             L
  Bypass Content Filtering          [10,17,19]          **             H
  Malicious Code Attack             [18,19,22,17]       [23,24]        H
  Exploit Remote Access             [10,18]             *              L
Authentication Service Class
  Bypass Authentication mechanism   [17,22,19,25]       *              L
  False Certificate Attack          [17,11]             **             H
…
21
Combined Endeavor 07
• NATO + Partners, yearly exercise
22
PRM-based security risk assessment in summary
• Holistic
• Probabilistic/indicative
• System architecture model-based