A PRM-based Approach to Assessment of Network Security (Fredrik Löf, Johan Stomberg, Teodor Sommestad, Mathias Ekstedt, Royal Institute of Technology; Jonas Hallberg, Johan Bengtsson, Swedish Defence Research Agency)


Page 1: A PRM‐based Approach to Assessment of Network Security

A PRM-based Approach to Assessment of Network Security

Fredrik Löf, Johan Stomberg, Teodor Sommestad, Mathias Ekstedt
Royal Institute of Technology

Jonas Hallberg, Johan Bengtsson
Swedish Defence Research Agency

Page 2: A PRM‐based Approach to Assessment of Network Security

Agenda

• Aim, Scope and Requirements
• Related works – Attack Graphs
• The Probabilistic Relational Model (PRM) approach in general
• The example from the paper

Page 3: A PRM‐based Approach to Assessment of Network Security

The control system is complex
• Advanced functionality
• Interconnected
• Heterogeneous third-party components

"Actually, I don't even know everything I have out there…"

Is my control system secure enough?

Page 4: A PRM‐based Approach to Assessment of Network Security

Vulnerabilities are potentially everywhere

[Figure: reference SCADA architecture. Geographically distributed process with RTU/PLC units and automation systems for substations; communication networks (modems, WAN, Internet) and communication equipment (front-end); SCADA LAN with SCADA server (online/standby), application servers, operator workstations and advanced workstations; DMZ LAN with web server and historian; office LAN; ICCP link to other control centers; system vendors; firewalls between the zones.]

And how does all of this relate? How do vulnerabilities propagate?

Page 5: A PRM‐based Approach to Assessment of Network Security

Poor decision support for cyber security
• Plenty of reference material:
  o NIST SP 800-82, NERC CIP, ISO 27004, ISA-SP99, material from US-CERT, SCADA Procurement Language, CORAS, OCTAVE, CRAMM…, books, articles… Vulnerability databases, Wikipedia…
• But, how do they relate? Overlap. Different focus.
• Blank spots? Consequences. Priorities. No holistic scope that helps the decision maker see the consequences of decisions.

Should I spend my budget on a staff training program, logging functionality, or new firewalls?

Page 6: A PRM‐based Approach to Assessment of Network Security

Requirements from the decision-maker
• Relevant predictions of the security risk of solutions
  o Holistic scope of the assessment
  o High enough precision of assessment
    • At least order the different solution alternatives
  o The likelihood of security breaches/incidents (could be seen as part of the definition of "risk")
• Minimize work for the decision-maker
  o Low cost to perform analyses/assessments
    • Practical availability of the data needed for the analyses (I know I use DNP3, perhaps that it is encrypted, definitely not the encryption algorithm/strength)
    • Reusability of analysis data (I can't afford to start from scratch every time security is to be reviewed/considered)
    • Compatible with other types of analyses (security is one out of many properties…)
  o The theory should not need to be known in detail by the decision-maker (I know what I have, not exactly how security works; compare to users of CAD programs)
• Support is needed now! Decisions are taken today no matter whether the relevant topics are researched or not…

Page 7: A PRM‐based Approach to Assessment of Network Security

Attack graphs (our foundation)

[Figure: an attack graph; labelled elements: the network's state, the attacker's identity/identities, condition/state.]

Picture from: Heberlein et al., A Taxonomy for Comparing Attack-Graph Approaches. Retrieved from http://www.netsq.com/Documents/AttackGraphPaper.pdf

Page 8: A PRM‐based Approach to Assessment of Network Security

Applying attack graphs

[Figure: Theory + System model → "State X reachable?"]

Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.

Page 9: A PRM‐based Approach to Assessment of Network Security

• Identity: for all hosts, what access level does the adversary own?
• Network:
  • For all hosts, what vulnerable services are running? (what ports are open)
  • Is there a physical connection between host X and host Y?
  • Can service Z on host Y be called from host X?
  • What paths does the IDS monitor?

Service accessible?

          Service 1 … Service N
Host 1    1   0 …
…
Host N    0   1

Attack steps / Conditions

Page 10: A PRM‐based Approach to Assessment of Network Security

(Build of the previous slide, adding one attack step to the graph.)

[Figure: Host → Malicious code attack → Admin level request]
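The questions on the two preceding slides (which access level the adversary holds on each host, which vulnerable services run where, which service can be called from which host, which paths the IDS monitors) are exactly the inputs a deterministic attack-graph reachability check consumes. The Python below is an added example, not code from the slides or the paper: the hosts, services, accessibility matrix, vulnerability flags and IDS-monitored links are a constructed toy network in the spirit of the SCADA picture earlier in the deck. It answers the "State X reachable?" question by breadth-first search over (host, access level) states, records the attack steps on the way, and marks steps that cross an IDS-monitored link, so a decision alternative (here: patching one service) can be re-evaluated.

```python
"""Attack-graph reachability over a host/service model (added example, toy data)."""
from collections import deque

# Access levels the adversary can hold on a host, ordered by privilege.
LEVELS = {"none": 0, "user": 1, "admin": 2}

# --- Constructed sample network (hypothetical names, not from the paper) ---
# service -> (host it runs on, access level an exploit of it grants)
SERVICES = {
    "http@dmz_web": ("dmz_web", "user"),
    "rdp@scada_srv": ("scada_srv", "user"),
    "ssh@scada_srv": ("scada_srv", "admin"),
    "dnp3@rtu1": ("rtu1", "admin"),
}
# "Service accessible?" matrix: from which host can which service be called.
ACCESSIBLE = {
    "office_ws": {"http@dmz_web"},
    "dmz_web": {"rdp@scada_srv"},
    "scada_srv": {"ssh@scada_srv", "dnp3@rtu1"},
    "rtu1": set(),
}
# Services with a remotely exploitable vulnerability (the rest are assumed patched).
VULNERABLE = {"http@dmz_web", "rdp@scada_srv", "dnp3@rtu1"}
# Hosts where a local privilege escalation user -> admin is assumed possible.
LOCAL_ESCALATION = {"scada_srv"}
# (source host, destination host) pairs whose traffic the IDS monitors.
IDS_MONITORED = {("dmz_web", "scada_srv")}


def attack_paths(services, accessible, vulnerable, escalation, initial, monitored=frozenset()):
    """Breadth-first search over (host, level) states.

    `initial` maps host -> access level the adversary starts with.
    Returns a dict reached (host, level) -> list of attack steps leading there
    (the shortest sequence found, since BFS expands states in step order).
    """
    paths = {(h, lvl): [] for h, lvl in initial.items()}
    queue = deque(paths)
    while queue:
        host, level = queue.popleft()
        steps = paths[(host, level)]
        # Attack step: local privilege escalation on the current host.
        if level == "user" and host in escalation:
            nxt = (host, "admin")
            if nxt not in paths:
                paths[nxt] = steps + [f"escalate user->admin on {host}"]
                queue.append(nxt)
        # Attack step: exploit a vulnerable service that is callable from here.
        for svc in sorted(accessible.get(host, ())):
            if svc not in vulnerable:
                continue  # reachable but patched: precondition not satisfied
            target, gained = services[svc]
            nxt = (target, gained)
            if nxt not in paths:
                tag = " [IDS-monitored]" if (host, target) in monitored else ""
                paths[nxt] = steps + [f"from {host} exploit {svc} -> {gained} on {target}{tag}"]
                queue.append(nxt)
    return paths


def state_reachable(paths, host, level):
    """'State X reachable?': does the adversary get at least `level` on `host`?"""
    return any(h == host and LEVELS[lv] >= LEVELS[level] for h, lv in paths)


def detectable(paths, host, level):
    """True if every found path to (host, >= level) crosses an IDS-monitored link."""
    routes = [s for (h, lv), s in paths.items() if h == host and LEVELS[lv] >= LEVELS[level]]
    return bool(routes) and all(any("[IDS-monitored]" in step for step in route) for route in routes)


if __name__ == "__main__":
    start = {"office_ws": "user"}  # assumed foothold: a compromised office workstation
    paths = attack_paths(SERVICES, ACCESSIBLE, VULNERABLE, LOCAL_ESCALATION, start, IDS_MONITORED)
    for step in paths[("rtu1", "admin")]:
        print(step)
    print("rtu1 admin reachable:", state_reachable(paths, "rtu1", "admin"))
    # Decision alternative: patch RDP on the SCADA server and re-evaluate.
    patched = attack_paths(SERVICES, ACCESSIBLE, VULNERABLE - {"rdp@scada_srv"},
                           LOCAL_ESCALATION, start, IDS_MONITORED)
    print("rtu1 admin reachable after patching rdp:", state_reachable(patched, "rtu1", "admin"))
```

The model is deliberately boolean: a service is either exploitable or not, and a state is either reachable or not. That is the "State X reachable?" form of attack graphs; the probabilistic form the deck moves on to replaces each boolean precondition with a conditional probability.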

Page 11: A PRM‐based Approach to Assessment of Network Security

Others that suggest probabilistic attack graphs
• Sheyner, O., Scenario graphs and attack graphs, PhD thesis, Carnegie Mellon University, 2004.
• Liu, Y., & Hong, M., Network vulnerability assessment using Bayesian networks. In Proceedings of Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security (pp. 61-71). Orlando, Florida, USA, 2005.
• Frigault, M., & Wang, L., Measuring network security using Bayesian network-based attack graphs. In Proceedings of the 3rd IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA'08), 2008.
• Frigault, M., Wang, L., Singhal, A., & Jajodia, S., Measuring network security using dynamic Bayesian network. In Proceedings of the 4th ACM Workshop on Quality of Protection, 2008.
• Homer, J., Ou, X., & Schmidt, D., A Sound and Practical Approach to Quantifying Security Risk in Enterprise Networks. Kansas State University, 2010. http://people.cis.ksu.edu/~xou/publications/tr_homer_0809.pdf

Page 12: A PRM‐based Approach to Assessment of Network Security

[Figure: Theory + System model → "P(State X reachable)". Annotations: PRMs (probabilistic relational models); general conditional probabilities; also includes humans, processes etc.; manual.]

Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.

Page 13: A PRM‐based Approach to Assessment of Network Security

Probabilistic attack/defense graphs - theory

Conditional probability table, P(Use unknown connection | Asset inventory):

                            Asset inventory
Use unknown connection      True     False
  True                      0.02     0.08
  False                     0.98     0.92

Page 14: A PRM‐based Approach to Assessment of Network Security

Probabilistic attack/defense graphs - data

[Figure: attack/defense graph; node states labelled Possible / Impossible.]

Page 15: A PRM‐based Approach to Assessment of Network Security

Connecting attack/defense graphs and modeling languages

More formally… Probabilistic Relational Models (http://dags.stanford.edu/PRMs/)

Page 16: A PRM‐based Approach to Assessment of Network Security

But, where do the conditional probabilities come from?
• Existing knowledge
  o Documented knowledge (literature / articles / reports / vulnerability DBs / …)
    • Typically detailed knowledge that needs to be abstracted
  o Experts
• Not yet elicited knowledge
  o Experiments
  o Observations
  o Case studies
• Our principal strategy is not to discover new theory but to combine existing theory into a consistent, more holistic model
  o Sure, we know too little…
  o But, many practitioners also use too little of what we already know…

                            Asset inventory
Use unknown connection      True     False
  True                      0.02     0.08
  False                     0.98     0.92

Page 17: A PRM‐based Approach to Assessment of Network Security

The example: a PRM for Network Security

Conditional probability table for Firewall.BypassSpoofCountermeasure given Firewall.MaliciousCodeAttack and Firewall.ExploitRemoteAccess:

Firewall.MaliciousCodeAttack          T      T      F      F
Firewall.ExploitRemoteAccess          T      F      T      F
Firewall.BypassSpoofCountermeasure
  T                                   1      1      1      0.05
  F                                   0      0      0      0.95
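The two conditional probability tables in the deck, P(Use unknown connection | Asset inventory) from the theory slides and P(Firewall.BypassSpoofCountermeasure | Firewall.MaliciousCodeAttack, Firewall.ExploitRemoteAccess) above, are the class-level building blocks that a PRM instantiates into a Bayesian network for a concrete system model. The Python below is an added example, not the authors' tool: it encodes exactly those two tables, adds assumed prior probabilities for the parent attributes (the deck gives none, so 0.5 / 0.3 / 0.2 are placeholders), and answers queries by exact enumeration: the marginal P(bypass), the effect of ruling one attack out (evidence ExploitRemoteAccess = False, e.g. because remote access is disabled), and the diagnostic posterior P(MaliciousCodeAttack | bypass observed).

```python
"""Tiny Bayesian network over the deck's two CPTs (added example; priors are assumed)."""
import itertools


class BayesNet:
    """Boolean Bayesian network with exact inference by enumeration."""

    def __init__(self):
        self.nodes = {}   # name -> (parents, cpt); cpt maps parent-value tuple -> P(node=True)
        self.order = []   # insertion order; parents must be added before children

    def add(self, name, parents, cpt):
        for p in parents:
            if p not in self.nodes:
                raise ValueError(f"parent {p} must be added before {name}")
        self.nodes[name] = (tuple(parents), cpt)
        self.order.append(name)

    def local_prob(self, name, value, assignment):
        parents, cpt = self.nodes[name]
        p_true = cpt[tuple(assignment[p] for p in parents)]
        return p_true if value else 1.0 - p_true

    def joint(self, assignment):
        """P(full assignment) = product of each node's CPT entry."""
        prob = 1.0
        for name in self.order:
            prob *= self.local_prob(name, assignment[name], assignment)
        return prob

    def query(self, target, evidence=None):
        """P(target = True | evidence), summing out every other variable.

        Exponential in the number of hidden variables, which is fine for the
        handful of attributes in this example (real tools use variable
        elimination or junction trees).
        """
        evidence = dict(evidence or {})
        hidden = [n for n in self.order if n != target and n not in evidence]
        p_true = p_all = 0.0
        for values in itertools.product((True, False), repeat=len(hidden)):
            assignment = dict(evidence)
            assignment.update(zip(hidden, values))
            for t in (True, False):
                assignment[target] = t
                p = self.joint(assignment)
                p_all += p
                if t:
                    p_true += p
        if p_all == 0.0:
            raise ValueError("evidence has zero probability under the model")
        return p_true / p_all


def build_network(p_asset_inventory, p_malicious_code, p_exploit_remote):
    """Instantiate the deck's two CPTs; the three prior probabilities are assumed inputs."""
    bn = BayesNet()
    # P(Use unknown connection | Asset inventory), from the theory slides.
    bn.add("AssetInventory", [], {(): p_asset_inventory})
    bn.add("UseUnknownConnection", ["AssetInventory"], {(True,): 0.02, (False,): 0.08})
    # P(BypassSpoofCountermeasure | MaliciousCodeAttack, ExploitRemoteAccess), from the example slide.
    bn.add("Firewall.MaliciousCodeAttack", [], {(): p_malicious_code})
    bn.add("Firewall.ExploitRemoteAccess", [], {(): p_exploit_remote})
    bn.add(
        "Firewall.BypassSpoofCountermeasure",
        ["Firewall.MaliciousCodeAttack", "Firewall.ExploitRemoteAccess"],
        {(True, True): 1.0, (True, False): 1.0, (False, True): 1.0, (False, False): 0.05},
    )
    return bn


def assess(p_asset_inventory=0.5, p_malicious_code=0.3, p_exploit_remote=0.2):
    """Return the queries a decision-maker would ask of this small model."""
    bn = build_network(p_asset_inventory, p_malicious_code, p_exploit_remote)
    bypass, mca, era = ("Firewall.BypassSpoofCountermeasure",
                        "Firewall.MaliciousCodeAttack", "Firewall.ExploitRemoteAccess")
    return {
        "P(UseUnknownConnection)": bn.query("UseUnknownConnection"),
        "P(UseUnknownConnection | AssetInventory=T)": bn.query("UseUnknownConnection", {"AssetInventory": True}),
        "P(Bypass)": bn.query(bypass),
        "P(Bypass | ExploitRemoteAccess=F)": bn.query(bypass, {era: False}),
        "P(MaliciousCodeAttack | Bypass=T)": bn.query(mca, {bypass: True}),
    }


if __name__ == "__main__":
    for question, prob in assess().items():
        print(f"{question:45s} {prob:.3f}")
```

With the placeholder priors the marginal P(Bypass) is 1 - 0.7 * 0.8 * 0.95 = 0.468, and disabling remote access lowers it to 0.3 + 0.7 * 0.05 = 0.335; that is the kind of "order the solution alternatives" comparison the requirements slide asks for, and the numbers are only as good as the CPT entries and priors fed in.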

Page 18: A PRM‐based Approach to Assessment of Network Security

Indication of quality of the theory

Classes and attributes                 Qualitative        Quantitative   Uncertainty
Firewall class
  Bypass Packet Filtering              [10,13,17,18]      **             H
  Spoof Attack                         [10,13,19]         *              L
  Bypass Spoof Countermeasure          [10,13,19,11]      **             H
  Reconnaissance Attack                [9,15,20,16,21]    **             L
  Bypass Content Filtering             [10,17,19]         **             H
  Malicious Code Attack                [18,19,22,17]      [23,24]        H
  Exploit Remote Access                [10,18]            *              L
Authentication Service class
  Bypass Authentication Mechanism      [17,22,19,25]      *              L
  False Certificate Attack             [17,11]            **             H
…

Page 19: A PRM‐based Approach to Assessment of Network Security

Combined Endeavor 07
• NATO + Partners, yearly exercise

Page 20: A PRM‐based Approach to Assessment of Network Security

PRM-based security risk assessment in summary
• Holistic
• Probabilistic/indicative
• System architecture model-based