Example One

•Internet is allowed to access the web server through HTTP protocol and port

CVE-2006-3747 was identified on

web server

CVE-2006-3747 was identified on

web server

Exploit pre-conditionExploit pre-condition

Exploit post-conditionExploit post-condition

Exploit post-conditionExploit post-condition

Pre- and Post-conditions can be used in constructing an attack graph

webServer is network-accessible

to an attacker

webServer is network-accessible

to an attacker

The web service is running

The web service is running

The vulnerability exists

The vulnerability exists

This attack is possible

This attack is possible

The consequence is that webServer is compromised

The consequence is that webServer is compromised

This process is completely automated

attackerLocated(internet).

hacl( internet, webServer, httpProtocol, httpPort ).hacl( H, H, _, _).

networkServiceInfo( webServer, httpd, httpProtocol, httpPort, apache ).vulExists( webServer, cve_apache, httpd ).

vulProperty( cve_apache, remoteExploit, privEscalation ).

What are your threats?

What are your threats?

Firewall/network analyzer

Firewall/network analyzer

Vulnerability scanner

Vulnerability scanner

NVDNVD

But you do need a knowledge base

execCode(H, Perm) :-vulExists(H, VulID, Software, remoteExploit,

privEscalation),networkServiceInfo(H, Software, Protocol, Port, Perm),netAccess(H, Protocol, Port)

The knowledge is completely independent of any site-specific

settings.

Combining attack graphs and CVSS

• Attack graph presents a qualitative view of security problems– It shows what attacks are possible, but does not tell you

how bad the problem is.– It captures the interactions among all attack possibilities

in your system.

• CVSS provides a quantitative property of individual vulnerabilities– It tells you how bad an individual vulnerability could be.– But it does not tell you how bad it may be in your

system.

Our Approach

• Use CVSS to produce a component metric --- a numeric measure on the conditional probability of success of an attack step.

Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. the component metric means

Pr[c2 = T|c1 = T] This measure does not

consider any attacker behavior

High => 0.2Medium=> 0.6Low => 0.9

High => 0.2Medium=> 0.6Low => 0.9

Our Approach

• Aggregate the probabilities over the attack-graph structure to provide a cumulative metric --- the probability of attacker success in your system.

Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.

Calculation of the cumulative metrics

c1c2

Pr[c2|c1]=0.2Pr[c2]=?Pr[c1]=?Pr[c1]=1

Pr[c2]=0.2

Pr[execCode(webServer, apache)]=0.2

Example TwoCVE-2006-3747

was identified on web server

CVE-2006-3747 was identified on

web server

•Internet is allowed to access the web server through HTTP protocol and port•Web server is allowed to access the MySQL database service on the dbase server

CVE-2009-2446 was identified on

db server

CVE-2009-2446 was identified on

db server

Exploit pre-conditionExploit pre-condition Exploit post-conditionExploit post-condition

Medium=> 0.6Medium=> 0.6

1:execCode(dbServer,root)2:remote exploit of a server program3:netAccess(dbServer,dbProtocol,dbPort)4:multi-hop access5:hacl(webServer,dbServer,dbProtocol,dbPort)6:execCode(webServer,apache)7:remote exploit of a server program8:netAccess(webServer,httpProtocol,httpPort)9:direct network access10:hacl(internet,webServer,httpProtocol,httpPort)11:attackerLocated(internet)12:networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache)13:vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation)14:networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root)15:vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation)

0.2

0.2x0.6=0.12

Example Three

•Internet is allowed to access the web server through HTTP protocol and port•Web server is allowed to access the MySQL database service on the db server•User workstations are allowed to access anywhere

CVE-2006-3747 was identified on

web server

CVE-2006-3747 was identified on

web server

CVE-2009-2446 was identified on

db server

CVE-2009-2446 was identified on

db server

CVE-2009-1918 was identified on user workstations

CVE-2009-1918 was identified on user workstations

Exploit pre-conditionExploit pre-condition Exploit post-conditionExploit post-condition

Low=> 0.9Low=> 0.9

Possible attack paths

6:execCode(webServer,apache)

11:execCode(workStation,normalAccount)

12:remote exploit of a client program

13:hasAccount(secretary,workStation,normalAccount)

14:canAccessMaliciousInput(workStation,secretary,internetExplorer)

15:Browsing a malicious website

17:hacl(workStation,internet,httpProtocol,httpPort)

21:Browsing a compromised website

24:isUserMachine(workStation)

25:isWebBrowser(internetExplorer)

26:inCompetent(secretary)

27:vulExists(workStation,cve_IE,internetExplorer,remoteExploit,privEscalation)

30:attackerLocated(internet)

34:hacl(workStation,dbServer,dbProtocol,dbPort)

Challenge

• How to calculate probabilities in an attack graph with shared dependencies and cycles.– Bayesian Network

• Frigault, et al., 2008, does not allow cycles

– Assuming independence among attack paths• Wang, et al., 2008

– Customized data-flow algorithm with dynamic programming

• Homer, et al., 2009

Result

execCode(dbServer,root): 0.47execCode(webServer,apache): 0.2execCode(workStation,normalAccount): 0.74

Before: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2

Prioritization

• Given three hardening options:– Patching the web server– Patching the db server– Patching the workstation

• Which one would you patch first?

Suppose we patch the web server

Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

After: execCode(dbServer,root): 0.43 execCode(webServer,apache): 0 execCode(workStation,normalAccount): 0.72

Now let’s patch the db server

Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

After: execCode(dbServer,root): 0 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

What if we block network access from Group 2 to Internal?

Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

After: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

Optimizing Security Hardening

Let Pr[execCode(dbServer,root)]=p1

Pr[execCode(webServer,apache)]=p2

Pr[execCode(workStation,normalAccount)]=p3

If C1,C2,C3 are the “cost” for the compromise of these three hosts respectively. Then your expected loss will be

LE=C1*p1+C2*p2+C3*p3

All the hardening measures H1,H2,…Hn have costs as well.

If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?

Challenges

• Scalability of metric calculation– Heavily depends on the connectivity of attack graphs– Exponential in the worst case

• Imprecise input problem– How sensitive is the outcome to the input component

metrics?– Approximation algorithms to trade precision for

scalability?

• Optimization techniques

Summary

• Quantitative security risk metrics are important in making sensible decisions in security hardening– People are already doing it in an ad-hoc way

without any scientific basis– We want to transform it from a “black art” to a

science

If you cannot measure it, you cannot improve it. ---Lord Kelvin