User tGuide

GMU Proprietary CAULDRON User Guide

1

COMBINATORIAL ANALYSIS UTILIZING LOGICAL DEPENDENCIES

RESIDING ON NETWORKS (CAULDRON)

CAULDRON USER GUIDE

BY

CENTER FOR SECURE INFORMATION SYSTEMS

LAST MODIFIED JULY 28, 2008

The Center for Secure Information Systems Research I Building, 4th Floor

George Mason University Fairfax, VA 22030-4444


2

TABLE OF CONTENTS

1. INTRODUCTION 5

2. CAULDRON MODELING CONCEPTS 5

2.1 Vulnerability Scans ............................................................................................7

2.2 Firewall Data ......................................................................................................8

3. CAULDRON GUI 9

4. IMPORTING SCAN DATA 10

4.1 Subnets and Firewalls ......................................................................................10

4.2 Importing Nessus Data ....................................................................................11

4.3 Importing FoundScan Data ............................................................................15

4.4 Importing Symantec Discovery Data .............................................................18

4.5 Importing Firewall Rules ................................................................................18

5. CAULDRON ANALYSIS 20

5.1 Running CAULDRON.....................................................................................20

5.1.1 Input and Output Files .......................................................................................22

5.1.2 Start and Goal Machines ....................................................................................22

5.1.3 Direct Attack Paths ............................................................................................25

5.1.4 Cycles through Start and Goal ...........................................................................27

5.1.5 Applying Mitigation Solutions ..........................................................................31

5.1.6 Finalizing CAULDRON Scenario .....................................................................34

5.2 Visualizing CAULDRON Results ...................................................................35

5.2.1 Visualization Overview .....................................................................................35

5.2.2 Viewing the Attack Graph .................................................................................36

5.2.3 The Exploit Table ..............................................................................................43

5.2.4 Toolbar Functions ..............................................................................................45

5.3 Network Hardening Recommendations .........................................................50


3

TABLE OF FIGURES

Figure 1. Nessus Connectivity ............................................................................. 6

Figure 2. Connectivity Graph from Nessus Scan Data ......................................... 6

Figure 3. Nessus Scans for Two Subnets ............................................................ 7

Figure 4. Nessus Scans for Three Subnets ......................................................... 8

Figure 5. Initial view of CAULDRON GUI ............................................................. 9

Figure 6. Vulnerability Scan Sample Network .................................................... 11

Figure 7. Vulnerability Scanner Import Tool using Nessus ................................ 12

Figure 8. Select ScanResults Directory Dialog for Nessus ................................ 13

Figure 9. After Selecting a ScanResults Directory for Nessus ........................... 14

Figure 10. Vulnerability Scanner Import Tool for FoundScan ............................ 15

Figure 11. Select ScanResults Directory Dialog for FoundScan ........................ 16

Figure 12. After Selecting a ScanResults Directory for FoundScan ................... 17

Figure 13. Enabling Import of Firewall Rule Data............................................... 19

Figure 14. Creating CAULDRON scenario ......................................................... 20

Figure 15. Property Dialog ................................................................................. 21

Figure 16. CAULDRON Scenario Panel ............................................................ 22

Figure 17. Unconstrained (Any) Start and Goal Machine ................................... 24

Figure 18. Selecting a Start Machine ................................................................. 24

Figure 19. Selecting a Goal Machine ................................................................. 25

Figure 20. Direct Attack Paths Checkbox .......................................................... 25

Figure 21. Attack Graph with Indirect Attacks .................................................... 26

Figure 22. Attack Graph with Direct Attacks Only .............................................. 27

Figure 23. Attack Graph with No Cycles Containing Start or Goal ..................... 28

Figure 24. Allowing Cycles Back into Start Machine .......................................... 28

Figure 25. Attack Graph Allowing Cycles through Start ..................................... 29

Figure 26. Allowing Cycles Away from Goal Machine ........................................ 29

Figure 27. Attack Graph Allowing Cycles through Goal ..................................... 30

Figure 28. Allowing Cycles through Start and Goal............................................ 30

Figure 29. Attack Graph Allowing Cycles through Start and Goal ...................... 31

Figure 30. No Mitigation Solutions Applied ........................................................ 32

Figure 31. Applying Known Vulnerability Mitigation Solutions ............................ 32

Figure 32. List of Vulnerability Mitigation Solutions ............................................ 32

Figure 33. Details for Vulnerability Mitigation ..................................................... 33

Figure 34. Applying Unknown Vulnerability Mitigation Solutions ........................ 33

Figure 35. Before Starting CAULDRON Scenario .............................................. 34

Figure 36. Major Components of Attack Graph Visualization ............................. 35

Figure 37. A Sample Attack Graph View ............................................................ 38

Figure 38. Exploits in the Graph View ................................................................ 39

Figure 39. Exploit Table ..................................................................................... 45

Figure 40. Toolbar Functions ............................................................................. 46

Figure 41. Print Options ..................................................................................... 47


4

Figure 42. The Magnify Zoom Tool .................................................................... 48

Figure 43. Graph Rearrangement via Hierarchical Layout ................................. 50

Figure 44. Network Hardening Button ................................................................ 51

Figure 45. Attack Graph for Network Hardening Recommendations ................. 51

Figure 46. List of Hardening Recommendations ................................................ 51

Figure 47. Recommended Hardening between a Pair of Protection Domains ... 52

Figure 48. Exploit Details for a Hardening Recommendation ............................ 52


5

1. INTRODUCTION

Researchers at George Mason University’s Center for Secure Information Systems

(CSIS) have extended traditional vulnerability analysis through the Combinatorial

Analysis Utilizing Logical Dependencies Residing on Networks (CAULDRON) tool.

CAULDRON searches for sequences of interdependent vulnerabilities distributed among

the various network machines. The result is the discovery of attack paths within the

network with respect to pre-defined attack goals. This provides insight into the hardening

measures needed for eliminating the attack paths. It also supports inexpensive “what-if”

analysis, alleviating the need to build actual test networks for penetration testing and

vulnerability analysis.

In CAULDRON, network modeling captures the configuration of the network under

analysis. The network model can be populated either manually or from network scans.

CAULDRON also relies on exploit modeling, in which attacker exploits are modeled in

terms of their preconditions and postconditions.

CAULDRON automatically explores the total security ramifications of vulnerabilities

accessible to an attacker. The approach follows actual attack patterns, in which a series

of exploits incrementally diminishes network security. The attack paths discovered in

CAULDRON show the exact steps that attackers can take to reach their goals, giving a

full picture of network vulnerability. Such complete analysis promotes the development

of well-informed security policies. Moreover, the analysis is performed off-line, leaving

operational networks undisturbed.

The next section gives an overview of network attack modeling with the CAULDRON

tool. Section 3 describes the operation of the CAULDRON user interface. Section 4

shows how to create input models for CAULDRON. Section 5 describes the details of

CAULDRON network attack graph analysis.

2. CAULDRON MODELING CONCEPTS

CAULDRON requires vulnerability connections between machines in a network. A

vulnerability connection consists of the existence of vulnerability on a machine and the

fact that another machine can connect to that vulnerability (services) over the network.

The CAULDRON Graphical User Interface (GUI) provides mechanisms for building a

network description and loading network scans into CAULDRON for execution.

A vulnerability scanner such as Nessus provides a list of vulnerabilities for each machine,

with the implication that those vulnerabilities are reachable over the network from the

scanning machine. This concept is illustrated in Figure 1.


6

Scan Machine

Server 1

Vulnerability 11003:DDI_IIS_Compromised

Server 2

Server 3

Vulnerability 11092:apache_win32_dir_trav

Vulnerability 10951cachefsd_overflow

Figure 1. Nessus Connectivity

Multiple scans from points in the network allow CAULDRON to build a comprehensive

model of connections to vulnerable services. CAULDRON includes the capability for

merging these multiple scan results into a single network model, e.g., the one shown in

Figure 2. CAULDRON can also import firewall data directly (for the Sidewinder

firewall), and add any additional connections to vulnerable services.

Server 1Vulnerability 11003:

DDI_IIS_Compromised

Server 2

Server 3:



Vulnerability 10951:cachefsd_overflow

Figure 2. Connectivity Graph from Nessus Scan Data

When you run a network scan (e.g., with Nessus), you specify what targets to scan. To

give CAULDRON a complete view of the entire network, your scanner must be

configured to scan all relevant parts of the network to be included in the analysis.


7

Common practice is to scan a target once, from a scanner that has unrestricted access

(e.g., not blocked by firewalls) to the targets. But that does not capture the network as

seen by a potential attacker.

2.1 Vulnerability Scans

To capture the network model for CAULDRON scans should be done from each subnet,

and configured to scan all machines within the subnet and all machines in neighboring

subnets. The idea is to capture the visibility of all machines to all other machines across

all subnets. One scan per subnet, correctly configured, provides adequate detail for

CAULDRON. In other words, if multiple subnets will be included in the analysis, the

scans need to include not only intra-subnet, but also inter-subnet.

As an example, Figure 3 shows two subnets connected by a firewall. For this network,

perform these Nessus scans:

1. Scan 10.10.1.1-254 and 10.10.2.1-254 from machine 10.10.1.1

2. Scan 10.10.1.1-254 and 10.10.2.1-254 from machine 10.10.2.1

CAULDRON can then merge the resulting Nessus XML files, and build a network model

that includes connectivity (to vulnerable services) among all machines. Each of the items

(1) and (2) above represent a single Nessus scan (with multiple targets), resulting in a

single Nessus XML file per scan. We recommend naming the resulting XML files

according to subnet, e.g., subnet_10_10_1.xml for scan item (1) and subnet_10_10_2.xml

for scan item (2) above.

Figure 3. Nessus Scans for Two Subnets


8

Figure 4 shows a similar example, this time with three subnets connected by firewalls.

For this network, one would perform these Nessus scans:

1. Scan 10.10.1.1-254, 10.10.2.1-254, and 10.10.3.1-254 from machine 10.10.1.1



Figure 4. Nessus Scans for Three Subnets

Again, CAULDRON will merge the three resulting Nessus XML files. As before, each

of the items (1), (2), and (3) above represent a single Nessus scan (with multiple targets),

resulting in a single Nessus XML file per scan, with corresponding filenames

subnet_10_10_1.xml, subnet_10_10_2.xml, and subnet_10_10_3.xml.

IP addresses in a set of XML files for a network must be unique, e.g., 10.10.1.1 must not

appear in two different subnets as different machines. In particular, care must be taken if

one changes the IP addresses in the Nessus XML files, e.g., to provide anonymity.

CAULDRON can handle arbitrary identifiers for machines, but the identifiers must

remain unique.

2.2 Firewall Data

CAULDRON also has the capability for importing firewall data directly. In this case, any

connections to vulnerable services in the firewall data will be added to any vulnerable

connections created from vulnerability scans to remote subnets (as described in

Section 2.1). CAULDRON currently supports the Sidewinder firewall.

You could rely entirely on firewall data for capturing vulnerable connectivity across

subnets. In this case, you would scan locally in individual subnets, and use the scan

results for detecting vulnerable services on hosts in each local subnet. The firewall data


9

would then determine connections to vulnerable services across subnets. Or, you could

scan locally and remotely, as described in Section 2.1, and use firewall data to discover

any additional vulnerable connectivity, e.g., for modeling host-specific firewall rules.

3. CAULDRON GUI

The Graphical User Interface (GUI) provides the ability to define and run CAULDRON

scenarios. Figure 5 shows the initial view of the CAULDRON GUI.

Figure 5. Initial view of CAULDRON GUI

The general design of the GUI is to treat everything, including a CAULDRON scenario

itself, as a document backed by a file. The Window menu permits different layout

options for viewer windows in the GUI panel.

When a file is opened, the GUI determines the file type and opens it in the appropriate

viewer. Files changed by a viewer will have a ‘*’ next to their name (in their

corresponding tab) to indicate that the file requires saving. In a viewer, you can ignore

changes and revert to the saved disk file by either selecting “File>Revert To

Saved” or pressing the button in the tool bar.

For a given scenario, CAULDRON generates a graph of all possible attacks.

CAULDRON also provides sophisticated capabilities for visualizing attack graphs, with

high-level overview and detail drilldown.


10

4. IMPORTING SCAN DATA

Vulnerability scanners are the most efficient way to capture vulnerabilities in an existing

network. This section describes the CAULDRON capability for importing scanner

results for building input network models.

CAULDRON uses the output of scans through firewalls from/to various subnets to model

the effects of firewall filtering. It merges the information in the scan files, and creates a

file of network connectivity to vulnerable services. The resulting file serves as an input

model of initial network conditions for CAULDRON attack graph analysis. Section 4.1

describes this in more detail.

CAULDRON can import scans from these tools:

• Nessus (Section 4.2)

• FoundScan (Section 4.3)

• Symantec Discovery (Section 4.4)

• Sidewinder (Section 4.5)

4.1 Subnets and Firewalls

When you run a vulnerability scanner, you specify what machines and subnets to scan.

To build a comprehensive view of the entire network, configure the scanners to scan all

machines within a subnet and all machines in neighboring subnets. The idea is to capture

the visibility of all machines within subnets and across subnets. One scan from each

subnet, correctly configured, provides sufficient information for CAULDRON.

For example, Figure 6 shows two subnets connected by a firewall. For this network, you

would perform these scans:

• Scan 10.10.1.0/24 and 10.10.10.0/24 from machine 10.10.1.1

• Scan 10.10.1.0/24 and 10.10.10.0/24 from machine 10.10.2.1

The IP addresses must be unique, e.g., 10.10.1.1 must not appear in two different subnets

as different machines.


11

10.10.2.2

10.10.2.1

10.10.2.3

10.10.1.2

10.10.1.1

10.10.1.3

Firewall

Figure 6. Vulnerability Scan Sample Network

CAULDRON uses subnet masks for creating connections to vulnerable services based on

subnets. It creates connections for each vulnerability detected by the scanning machine.

Then, each machine within the scanning machine’s subnet (per the subnet mask) is

connected to those vulnerable services. The default subnet mask is 255.255.255.0 (CIDR

24), i.e., 256 hosts per subnet.

4.2 Importing Nessus Data

To load Nessus output files into CAULDRON, begin by placing all the Nessus output

XML files in a single directory, isolated from all other files. CAULDRON supports

XML only as the Nessus format for import. Other formats generated by the Nessus

client (e.g., HTML) are not supported.

To use the scanner import tool to import the output of the Nessus vulnerability scanner,

begin by creating a new CAULDRON scenario, i.e., File>New>Scenario. Launch

the scanner import tool via “Tools>Import Nessus Scans” from the menu bar. A

new dialog box appears (Figure 7).


12

Figure 7. Vulnerability Scanner Import Tool using Nessus

Inform the tool about you Nessus scan file directory by pressing the “Select dir

w/ScanResults” button (see Figure 7). This launches the directory selection dialog

box in Figure 8. A set of sample Nessus scans is in the samples\nessus_win

directory of CAULDRON.


13

Figure 8. Select ScanResults Directory Dialog for Nessus

From Figure 8, select the directory then press the “Select ScanResults

directory” button. After the dialog closes, the new directory will appear in the text

area next to the “Select dir w/ScanResults” button, as shown in Figure 9.

Also, the list of files appears in the “Input Files” table.


14

Figure 9. After Selecting a ScanResults Directory for Nessus

In Figure 9, the subnet mask and scanning machine IP address are editable within the

“Input Files” table. Thus, for example, if the scanning machine is not a valid IP

address, you can update the cell. Or, you could edit the subnet mask to change the

number of subnets (and corresponding IP address ranges). When editing a table cell,

make sure to press ‘Enter’ before leaving the cell. A message indicating the cell entry

change will appear in the Status text area.

In Figure 9, note that the files are named according to the machine from which the scan

was done. By using this convention when saving a scan result, you can immediately use

that machine (IP address) in the Scan Machine field.

Next, set the output file. The output file will be created containing a merge of all Nessus

scan data into a CAULDRON network model. The “Set Output File” button

opens another file-choosing dialog to select an output file location and name. Do not

save the results in the same directory as the vulnerability scanner output files.

Press the OK button to start the import. The Status text area contains the status of the

import.

Upon completion, the dialog box closes and the resulting CAULDRON network

description is placed in the input files list for the CAULDRON configuration. You are

now ready for running this scenario, as described in Section 5.


15

4.3 Importing FoundScan Data

To load FoundScan output files into CAULDRON, begin by placing all the FoundScan

output XML files in a single directory, isolated from all other files. CAULDRON

supports XML only as the FoundScan format for import. Other formats generated by

FoundScan are not supported.

To use the scanner import tool to import the output of the FoundScan vulnerability

scanner, begin by creating a new CAULDRON scenario, i.e., File>New>Scenario.

Launch the scanner import tool via “Tools>Import FoundScan Scans” from the

menu bar. A new dialog box appears (Figure 10).

Figure 10. Vulnerability Scanner Import Tool for FoundScan

Inform the tool about you FoundScan scan file directory by pressing the “Select dir

w/ScanResults” button (see Figure 10). This launches the directory selection dialog

box in Figure 11. A set of sample FoundScan scans is in the samples\foundscan

directory of CAULDRON.


16

Figure 11. Select ScanResults Directory Dialog for FoundScan

From Figure 11, select the directory then press the “Select ScanResults

directory” button. After the dialog closes, the new directory will appear in the text

area next to the “Select dir w/ScanResults” button, as shown in Figure 12.

Also, the list of files appears in the “Input Files” table.


17

Figure 12. After Selecting a ScanResults Directory for FoundScan

In Figure 12, the subnet mask and scanning machine IP address are editable within the

“Input Files” table. Thus, for example, if the scanning machine is not a valid IP

address, you can update the cell. Or, you could edit the subnet mask to change the

number of subnets (and corresponding IP address ranges). When editing a table cell,

make sure to press ‘Enter’ before leaving the cell. A message indicating the cell entry

change will appear in the Status text area.

In Figure 12, note that the files are named according to the machine from which the scan

was done. By using this convention when saving a scan result, you can immediately use

that machine (IP address) in the Scan Machine field.

Next, set the output file. The output file will be created containing a merge of all

FoundScan scan data into a CAULDRON network model. The “Set Output File”

button opens another file-choosing dialog to select an output file location and name. Do

not save the results in the same directory as the vulnerability scanner output files.

Press the OK button to start the import. The Status text area contains the status of the

import.

Upon completion, the dialog box closes and the resulting CAULDRON network

description is placed in the input files list for the CAULDRON configuration. You are

now ready for running this scenario, as described in Section 5.


18

4.4 Importing Symantec Discovery Data

CAULDRON has the capability for importing scan data from Symantec Discovery. This

involves a custom export tool developed by Symantec, not a regular part of the Discovery

product. Once you have this Symantec Discovery add-on, you can use it to create scan

output for CAULDRON import. Contact CSIS for details.

4.5 Importing Firewall Rules

CAULDRON has the capability for importing data from the Sidewinder firewall. To

enable this data import, check the “Apply Firewall Rules” checkbox during the

Nessus import, as shown in Figure 13. When CAULDRON processes firewall rules, and

connections to vulnerable services will be added to any such connections created from

vulnerability scans to remote subnets.

For example, you could run your Nessus scans against host in local subnets only, and rely

on firewall rule data for defining vulnerable connections across subnets. Or, you could

target local as well as remote hosts in your scans, and augment those scan results with

any additional vulnerable connections contained in the firewall data.

The firewall rule file is defined in the file lib/tva.properties. In this file, the

property SIDEWINDER_RULESET_FILE defines the particular filename containing

Sidewinder firewall export data. All firewall export data must be included in this file,

i.e., this is the only source of Sidewinder firewall data used by CAULDRON.


19

Figure 13. Enabling Import of Firewall Rule Data


20

5. CAULDRON ANALYSIS

This section describes the various attack graph analysis capabilities available in

CAULDRON.

5.1 Running CAULDRON

A CAULDRON scenario is configured via a file that maintains the input network

connectivity files, the analysis output file, the attacker machine, and the attack goal

machine. If desired, CAULDRON will constrain the attack graph according to the given

start and goal.

To create a new CAULDRON scenario, select File>New>CAULDRON Scenario

from the menu bar, as shown in Figure 14.

Figure 14. Creating CAULDRON scenario

You can change the CAULDRON configuration (scenario) name using

File>Properties or the property button on the button bar, as shown in Figure

15.


21

Figure 15. Property Dialog

Figure 16 shows the resulting CAULDRON scenario panel. The tab name ‘New

Scenario’ will remain unchanged until the scenario is saved as a file.


22

Figure 16. CAULDRON Scenario Panel

5.1.1 Input and Output Files

The CAULDRON configuration viewer supports multiple input files. The connectivity

data from the input files is combined into one comprehensive model of network

connectivity via vulnerabilities.

To add an input file, select the Add File button the input files sub panel (Figure 16).

A file-choosing dialog will appear to allow selection of input files. Be sure to select only

those files applicable to CAULDRON. When a file is added, the machine identifiers in

the files are added to the lists for selecting goals and attacker machines.

A file from the input files list can be removed by selecting it and then clicking the

Remove Button in Figure 16. Removing a file may also remove knowledge of certain

machines, e.g., for attack start and goal.

The output file will contain the results of a CAULDRON analysis engine execution, i.e.,

the attack graph. In the GUI, the output XML file is set via a file-choosing dialog by

selecting the “Set File” button in Figure 16. The resulting XML is a dump of the full

graph, e.g., for post-analysis or debugging.

5.1.2 Start and Goal Machines

If desired, you can constrain CAULDRON attack graphs based on an assumed attacker

starting machine and/or attacker goal machine. A starting machine represents the initial


23

starting point in the network for a simulated attacker. A goal machine represents the end

state of the attack, in which that machine is compromised.

All 4 possible combinations of constrained/unconstrained start/goal are possible:

• Start and goal unconstrained (any): All possible paths are computed,

independent of any particular start and goal. This might be a good option

to start with, to see the full scope of attacks. Unconstrained graphs show

all possible attacks, from all possible starting and ending machines. This

may include cycles that are possible for the attacker. It is important to

include all paths (even cycles) when considering network defense. For

example, an exploit that is part of a cycle may also be part of a separate

path of attack, and removing it would give a false sense of security, i.e.,

that there is no need to protect against it.

• Start constrained, goal unconstrained (any): Start at a particular machine,

and find all possible paths from there. This shows the total extent of

network compromise from a particular attack threat source. As for

unconstrained graphs, this may include cycles (even cycles involving the

start), which are important when considering network defense.

• Start unconstrained (any), goal constrained: Find all possible paths

leading to a particular machine. This shows the total extent of attacker

reachability to a particular network host (e.g., critical server). As for

unconstrained graphs, this may include cycles (even cycles involving the

goal), which are important when considering network defense.

• Start and goal constrained: Find all possible paths that start from a

particular machine and end at (another) particular machine. This shows

the total extent of network compromise from a particular threat source,

which leads to compromise of a particular host (e.g., critical server). As

for unconstrained graphs, this may include cycles (even cycles involving

the start and/or goal), which are important when considering network

defense.

By default (i.e., if not specified in the scenario configuration file), CAULDRON

computes an unconstrained attack graph, i.e., no particular start and goal machines are

applied. This is shown in Figure 17, in which both the start and goal are initially “any” in

the CAULDRON scenario panel.


24

Figure 17. Unconstrained (Any) Start and Goal Machine

5.1.2.1 Attack Start

In CAULDRON, an attack machine represents the initial starting point in the network for

a simulated attacker. The attack graph is then generated with this as a starting point,

showing all possible paths leading from this point.

To define a starting machine, select a machine user interface dropdown box as shown in

Figure 18. This dropdown box lists all machines in the CAULDRON network model.

Once a start machine is selected, CAULDRON will use it as the starting point of the

attack.

Figure 18. Selecting a Start Machine

5.1.2.2 Attack Goal

A CAULDRON attack goal represents then end state of the attack. The resulting attack

graph will contain all possible paths to the goal (independent of the starting point).

To define a goal machine, select a machine user interface dropdown box as shown in

Figure 19. This dropdown box lists all machines in the CAULDRON network model.

Once a goal machine is selected, CAULDRON will use it as end point of the attack.


25

Figure 19. Selecting a Goal Machine

5.1.3 Direct Attack Paths

By default, CAULDRON finds all possible attack paths through a network (with the

exception of cycles away from goal and cycles into start, as described in Section 5.1.4).

Optionally, you can limit the analysis to direct paths only, i.e., the most direct path from

start to goal. This option is enabled by checking the Direct Attack Paths box, as

in Figure 20.

Figure 20. Direct Attack Paths Checkbox

In particular, if you specify a start machine and enable direct paths, CAULDRON will

find all paths from the start, via the most direct possible paths. Similarly, if you specify a

goal machine and enable direct paths, CAULDRON will find all paths to the goal, via the

most direct possible paths. Or, if you enable direct paths and specify both a start and goal

machine, CAULDRON will find all direct paths from start to goal.

As an example of direct paths in CAULDRON, Figure 21 shows an attack graph for the

default behavior, i.e., all paths. In this case, the start machine is 1.1.52.244 and the goal

machine is 1.1.219.100. There are indirect attacks, e.g., from 1.1.4.176 to 1.1.219.100

via 1.1.105.244, including a cycle back into 1.1.4.176.


26

Figure 21. Attack Graph with Indirect Attacks

Figure 22 shows the attack graph for the same scenario as Figure 23, with direct paths

enabled. In particular, the graph now includes only direct paths from start (1.1.52.244) to

goal (1.1.219.100). The indirect attack via 1.1.105.244 is excluded from the graph.


27

Figure 22. Attack Graph with Direct Attacks Only

5.1.4 Cycles through Start and Goal

By default, CAULDRON avoids attacks away from the goal (protection domain), under

the assumption that once the goal is reached, no further attacks are needed. Similarly,

attacks back into the start (protection domain) are avoided by default, under the

assumption that the attacker need not attack back where he started. Such attacks (away

from goal or into start) necessarily involve cycles through start or goal.

You can relax the default behavior and specify that CAULDRON include any such cycles

through the start and/or goal. As an example, Figure 23 shows an attack graph with the

default behavior (avoiding attacks away from goal and back into start), with start machine

1.1.4.176 and goal machine 1.1.219.100.


28

Figure 23. Attack Graph with No Cycles Containing Start or Goal

To specify that CAULDRON include attack cycles through the start, check the Cycles

Containing Start box, as shown in Figure 24.

Figure 24. Allowing Cycles Back into Start Machine

The resulting attack graph is shown in Figure 25. There is now an attack (7 exploits)

back into the start domain, i.e., from 1.1.4.176 to 1.1.105.244.


29

Figure 25. Attack Graph Allowing Cycles through Start

To specify that CAULDRON include attack cycles away from the goal, check the

Cycles Containing Goal box, as shown in Figure 26.

Figure 26. Allowing Cycles Away from Goal Machine

The resulting attack graph is shown in Figure 27. There is now an attack (7 exploits)

away from the goal domain, i.e., from 1.1.219.10 to 1.1.105.244.


30

Figure 27. Attack Graph Allowing Cycles through Goal

To specify that CAULDRON include attack cycles through both start and goal, check

boxes Cycles Containing Start and Cycles Containing Goal, as shown

in Figure 28.

Figure 28. Allowing Cycles through Start and Goal

The resulting attack graph is shown in Figure 29. There are now attacks (7 exploits) into

the start domain (1.1.4.176 to 1.1.105.244) and away from the goal domain (1.1.219.10 to

1.1.105.244).


31

Figure 29. Attack Graph Allowing Cycles through Start and Goal

5.1.5 Applying Mitigation Solutions

CAULDRON has the ability to model mitigation solutions for network vulnerabilities. It

first reports all vulnerabilities across the network (over all hosts), categorized by (1)

vulnerabilities with known mitigation solutions, and (2) vulnerabilities with no known

mitigation solutions. It then allows you to review these two lists, and to accept or reject

each recommended solution.

The mitigation solutions are approaches for addressing vulnerabilities, such as upgrading

to new versions of software, applying manufacturer patches, changing server

configuration settings, removing vulnerable server scripts, running anti-virus tools to

remove backdoors, etc.

If you select mitigation solutions, these will automatically be applied to the CAULDRON

attack graph. In particular, if there are vulnerabilities with known solutions (and you

accept each solution), then those vulnerabilities will be removed across the network, for

all machines that have them. If there are vulnerabilities with no known solutions (and

you accept that fact for each vulnerability), then those vulnerabilities will be included

across the network, for all machines that have them.


32

For example, in an extreme case where there are known mitigation solutions for every

vulnerability in the network, the resulting attack graph would be empty (no attack paths).

Or in the other extreme, where no vulnerability in the network has a known mitigation

solution, the resulting attack graph would be unchanged.

By default, CAULDRON will apply no mitigation solutions. This is shown in Figure 30,

in which the effects of both known (Mitigated) solutions and unknown

(Non Mitigated) solutions are ignored, i.e., both categories are unchecked.

Figure 30. No Mitigation Solutions Applied

5.1.5.1 Known Mitigation Solutions

To review vulnerabilities with known mitigation solutions, and apply them to the

CAULDRON model, check the Mitigated checkbox, as shown in Figure 31.

Figure 31. Applying Known Vulnerability Mitigation Solutions

CAULDRON will then display the list of network vulnerabilities with known mitigation

solutions, as shown in Figure 32. Navigate the list by clicking on a vulnerability to select

it.

Figure 32. List of Vulnerability Mitigation Solutions


33

For a selected vulnerability, CAULDRON then gives the detailed information about it, as

shown in Figure 33. This includes the numMachines field, which is the total number

of machines in the network that have the vulnerability.

Figure 33. Details for Vulnerability Mitigation

After you have reviewed a vulnerability with a known mitigation solution, you can either

accept or reject the solution. To accept the solution, simply leave the vulnerability

unaltered. To reject the solution, delete the vulnerability by selecting it in the left panel

and clicking the node delete button (trash can icon for Node).

Once you have finished reviewing the vulnerabilities with known mitigation solutions,

click the save file button (diskette icon). This will commit the selected vulnerabilities to

the CAULDRON input model and close the vulnerability list. For each accepted

(unaltered) solution, the vulnerability will be excluded in the model, i.e., assumed that it

has been mitigated. For each rejected (removed) solution, the vulnerability will be

included in the model, i.e., assumed that no mitigation has been applied.

5.1.5.2 Unknown Mitigation Solutions

To review vulnerabilities that have no known mitigation solutions, and apply them to the

CAULDRON model, check the check the Non Mitigated checkbox, as shown in

Figure 34.

Figure 34. Applying Unknown Vulnerability Mitigation Solutions

CAULDRON will then display the list of network vulnerabilities with no known

mitigation solutions. This list will display just as shown in Figure 32 and Figure 33. The


34

difference is that the list will be for vulnerabilities with no known mitigation solutions,

versus vulnerabilities with known mitigated solutions.

Once you have finished reviewing the vulnerabilities with no known mitigation solutions,

click the save file button (diskette icon). This will commit the selected vulnerabilities to

the CAULDRON input model and close the vulnerability list. For each accepted

(unaltered) unknown solution, the vulnerability will be included in the model, i.e.,

assumed that there is no mitigation for it. For each rejected (removed) solution, the

vulnerability will be excluded from the model, i.e., assumed that a mitigation has in fact

been applied.

5.1.6 Finalizing CAULDRON Scenario

Before executing the CAULDRON scenario, make sure that the input file(s), output file,

attacker, and goal configurations are completed in the configuration viewer, and that the

configuration file is saved. Also, if desired, make sure that the boxes for vulnerability

mitigation, direct attack paths, and cycles containing start or goal are checked. The

screen should look something like Figure 35.

Figure 35. Before Starting CAULDRON Scenario

When you have specified all the inputs, you are ready to generate an attack graph. Do

this by clicking the View Full button at the bottom of the panel. CAULDRON will

then begin generating an attack graph for this scenario.


35

When CAULDRON completes, the Status box gives the total analysis run time, then

displays “CAULDRON Run Finished”. It then opens a visualization of the resulting

attack graph. Section 5.2 describes the attack graph visualization capabilities.

If either the start machine, goal machine, or both are selected, then CAULDRON can

provide network hardening recommendations. This is described in Section 5.3.

5.2 Visualizing CAULDRON Results

The CAULDRON tool generates all attack paths, i.e., it generates all possible executable

exploits that lead to the specified attack goal, along with the precondition/postcondition

dependencies among the exploits. The output of CAULDRON analysis is a set of attack

paths organized as an attack graph. An attack graphs is made up of exploits and

conditions, and represents all the possible ways an attacker could reach a given network

goal.

CAULDRON visualization creates a user-friendly display of an attack graph, and allows

it to be manipulated in ways that support visual analysis.

5.2.1 Visualization Overview

Figure 36 shows the main components of CAULDRON attack graph visualization.

Toolbar

Fig. 1 - TVA Visualization Tool – Major Components

Overview

Pane

Tree View

Pane

Harden List

Pane

Graph View Pane

Exploit Table

Pane

Figure 36. Major Components of Attack Graph Visualization


36

In Figure 36, an attack graph is visible in the Graph View pane. The Overview pane

shows a reduced size image of the main view. The Exploit table lists Exploits associated

with a machine (in this case, machine v1.8) that has been selected in the Graph View.

Major components of attack graph visualization are as follows:

• Toolbar – Contains a suite of tools for manipulating the display and performing

image I/O. Resting the cursor on any one of these tools shows a brief tooltip

describing its function. Toolbar tools are listed and described in greater detail

below.

• Overview pane – shows a reduced size image of the Attack Graph, with the

section displayed by the Graph View highlighted as a grey rectangle. Clicking at

any point in the overview pane will center the larger Graph View in current scale

at the corresponding point. Nodes and edges selected in the Graph view will be

shown as selected in the Overview.

• Tree View pane – Displays the folder hierarchy (Protection Domains and

Machines) in Tree format corresponding to the current Graph view. Folders that

are open in the Graph view are open in the Tree view. Machines that are visible

in the Graph view are also visible in the Tree view. Nodes and edges selected in

the Graph view will be shown as selected in the Tree view; they can also be

selected from the tree view.

• Harden List Pane – This is a special pane for listing Machines and Exploits that

have been designated as “hardened” by the user. Hardening is discussed in

Section 5.2.2.4.2.

• Graph View pane – this is the primary viewing and functional area for Attack

Graph Visualization. It supports opening and closing of Protection Domains,

viewing and traversal of exploits, hardening and deletion of machines and

exploits, plus many other functions that are described in greater detail in

Section 5.2.2. It also allows manual movement and adjustment of graph objects

by the user to support visualization.

• Exploit Table pane – This pane contains a spreadsheet-style table for displaying

groups of exploits associated with a given Machine, Protection Domain, or

specific source/destination pair. For example, selecting a machine lists all

exploits either originating or terminating at that machine. For each exploit, a

number of fields of data are shown. For fields containing large amounts of text,

you can mouse-over the field to see the entire text content.

5.2.2 Viewing the Attack Graph

5.2.2.1 Machines and Protection Domains

Here are the capabilities for viewing machines and protection domains in CAULDRON:

• Individual machines are represented as machine icons and labeled with the

machine name. Machines are visible only if the Protection Domain node


37

containing them has been expanded. This is generally done by clicking the small

+/- icon in the upper left corner. There are two particular Machines that are

specially designated as the Initial and Goal machines. Machine icons look like

small computer terminals, and the screens of these icons are colored according to

the following convention: Blue – default, Green – Initial Machine, Red – Goal

Machine, Purple – Hardened Machine (see Section 5.2.2.4.2).

• Protection domains are represented as either Folder or Group nodes, which are

rectangular nodes that can contain machines or other folders. These nodes are

labeled with the name of the Protection Domain they represent. A Folder node is

closed – it displays none of the machines it contains, but has a ‘+’ button on the

upper left corner by means of which it can be expanded. Once it is expanded, it is

called a Group node and the underlying machines it contains are visible. A Group

node has a ‘-‘ sign in the upper left hand corner by which it may be closed,

usually to simplify the view and conserve space. NOTE: When an Attack Graph

is initially displayed, all its Protection Domains are displayed in closed form.

This allows for an initial display that is easy to understand, and which can be

expanded incrementally as desired. It also allows for near-realtime loading of

extremely large Attack Graphs.

• The tiny “machine-like” icons shown inside a closed protection domain are for

labeling purposes only, and do not necessarily correspond to the contents or

members of the protection domain, except for the purpose of identifying initial

(green) and goal (red) machines. That is, if the Initial node lies within a closed

Protection domain, one of the tiny machines in the label will display a green

screen; the others will be blue. Similarly, if the Initial node lies within a closed

Protection domain, one of the tiny machines in the label will display a red screen.

The attack graph in Figure 37 illustrates some of these capabilities. There are two

expanded protection domains (Groups) with names aSubDom and vSubDom1, and a

third “closed” protection domain (Folder) named vSubDom2.


38

Figure 37. A Sample Attack Graph View

A final note on label coloring: if the closed Protection Domain has been hardened, all the

screens of the label will be colored purple, except ones that are already colored green or

red. This is not illustrated in Figure 37.

5.2.2.2 Exploits

The display of exploits within the Graph View is governed by the following rules:

• Exploits are represented by arrows (edges) in the graph. Multiple exploits

connecting the same pair of nodes in the same direction are aggregated into a

single arrow; that is, there will be at most a single arrow in each direction

connecting any pair of nodes. When exploits are aggregated into a single arrow,

the number of individual exploits represented by the arrow appears as its label.

For example, in Figure 37, the arrow labeled ‘2’ represents two individual

exploits whose originating machine is the “attack” machine, and whose target

machine is machine v1.1. (The individual exploits represented by this arrow

will appear in the Exploit Table when the arrow is selected – see below.)

• Intra-domain exploits, that is, exploits originating and terminating within the same

protection domain, are not represented as arrows in the graph view. Intra-domain

exploits can be viewed by utilizing the Exploit Table display (see below). All

machine nodes within a protection domain that are involved only with intra-

domain exploits are aggregated into a single subfolder of the protection domain,

labeled Unconnected. The Unconnected folder label also indicates the number of

nodes it contains – for example, the Unconnected folder of protection domain


39

vSubDom1 in Figure 37 contains 17 machine nodes (and can be expanded to

display them).

• An exploit arrow will originate and terminate on machine nodes if and only if the

protection nodes containing the source and destination machines are both

expanded. Otherwise, the arrow will be shown connecting the protection domains

themselves. This helps to simplify the display. An Exploit arrow connecting two

protection domains in a single direction represents all exploits originating from

machines in the source domain that terminate at machines in the destination

protection domain, and is numbered accordingly.

The following example illustrates this behavior: In Figure 38(a), we see two closed

protection domains, and an exploit arrow representing three individual exploits

originating in the Internet domain and targeting the DMZ. In Figure 38(b), the DMZ

domain has been expanded, but the exploit arrow remains aggregated, and points to the

DMZ node rather than to its individual machines. It is only when both protection domains

are expanded, in Figure 38(c), that the exploits are shown connecting the actual source

and target machines. Note that the exploits targeting machine dmz_mail remain

aggregated, even at this level. To view these exploits individually it is necessary to use

the Exploit Table.

(a) (b) (c)

Figure 38. Exploits in the Graph View


40

5.2.2.3 Edit Mode functions in the Graph View

Edit Mode is the default operating mode inside the Graph View. It is denoted by the

cursor. Functions available within Edit Mode include the following:

• Selection – In Edit Mode, the cursor may be used to select (L-click) individual

machines, protection domains, and exploit arrows. When these items are selected,

exploits associated with them are listed in the Exploit Table (see below). Multiple

machines and Protection Domains can also be selected by clicking and dragging a

selection rectangle over them (multiple Exploit arrows cannot be selected in this

way – or any other).

• Deletion – Items selected in Edit Mode may be deleted by means of the delete

key. The same function is also available by R-clicking the selected items and

selecting “Remove (Delete)” from the Context menu (see below). Note that,

when machines and protection domains are deleted, the Exploits associated with

them are deleted also. If these Exploits are included in an aggregated Exploit (see

above), the count label for the aggregated Exploit arrow is reduced accordingly.

• Relocation – Machines, Protection Domains, and Exploits can all be relocated in

the Graph View using the Edit Mode cursor. For machines and PDs, this is

generally just a matter of clicking and dragging a object to a desired location. But

the exact result varies somewhat depending upon the object(s) selected.

o Protection Domains: A protection domain can be dragged in the view as-

is, whether open or closed. It will retain its shape and interior layout.

Exploit arrows originating or terminating within the Protection Domain

will automatically track its movement and do not need to be redrawn.

o Machines: A machine can be relocated (“dragged around”) within its

Protection Domain if it is visible – that is, if the PD is open (a Group

node). The enclosing PD node will automatically resize to accommodate

the relocated machine. Additionally, any exploit arrows attached to the

machine will automatically track its movement and will not need to be

redrawn. A similar situation holds for Unconnected machines (see above):

the Unconnected group node will automatically resize to enclose the

moved machine’s new location. Machines cannot be dragged outside their

enclosing nodes.

o Exploits: To “relocate” an exploit arrow, first select it. Then its endpoints

become highlighted and can be moved around using the cursor. These

endpoints must remain attached to their original nodes, but there are

usually numerous locations on the border of the node to which an arrow’s

endpoint can be relocated. In many cases this can improve readability of

the display.

o Multiple Selections: Multiple machines and protection domains can be

selected at one time, by clicking and dragging a rectangle over them.


41

Once this is done, the selection can be left-clicked and dragged within the

Graph View. Protection domains will relocate as-is, while isolated

selected machines will be relocated within their (unselected) protection

domains as described above. As before, exploit arrows will track relocated

objects wherever necessary.

• Resizing – Selected Protection Domains (and Unconnected nodes) can be resized

by clicking the small black square object handles that define the object’s

enclosing rectangle and dragging them in the usual manner. This applies to nodes

that are either open or closed. When open, the interior layout of machines will be

preserved: In particular, a parent node (PD or Unconnected group node) cannot

be reduced to a size smaller the interior layout of its machines.

5.2.2.4 Other Graph View Functions

5.2.2.4.1 Context Menu

A Context Menu displays whenever the right mouse button is clicked in the Graph View

pane. As suggested by the name, contents of the Context menu vary depending on where

the right-click occurs:

• When a white area of the display is right-clicked, the context menu displays four

items: Zoom, Close All Folders, View Parent, and Copy to Clipboard:

o Zoom: Selecting this displays a submenu containing the Zoom In, Zoom

Out, and Fit Content functions, one of which can then be selected. These

functions resize the display and are also available on the Toolbar; they are

described in Section 5.2.3.

o Close All Folders: Clicking this will cause all Protection Domains to be

closed, so that the machines they contain will be hidden. This is a handy

way to simplify the display. Note: if all protection domains are already

closed, this function is greyed-out in the Context menu (unavailable).

o View Parent: This menu item is always greyed out (unavailable), as is the

corresponding Toolbar icon (Section 5.2.3).

o Copy to Clipboard: This function also exists on the toolbar; it causes the

entire Attack Graph to become visible in the Graph View.

• When an Exploit arrow is right-clicked, its Context menu displays two functions:

Harden and Remove (Delete). The Harden function is discussed separately in this

section, while Remove (Delete) is basically equivalent to hitting the Delete key

with that Exploit selected; that is, all exploits represented by this arrow will be

removed from the Graph.

• When a Machine node is right-clicked, it is selected and the Context menu

contains three functions: Harden, Delete (Remove), and Traverse Exploits

(Alt+Left Click). Selecting Harden hardens the node (see next section), while


42

Remove (Delete) performs the same function as the Delete key: that is, the node

is deleted, along with its associated edges. The Traverse Exploits function gives

an animated view of the Attack Graph relative to the selected node, and is also

described in more detail later in this section.

• When an open Protection Domain is selected, available functions are the same as

for a machine node, and perform in much the same way. Additionally, the Close

Folder function is available, which closes the Protection Domain and hides the

Machines it contains. (This function can also be performed by clicking the ‘-‘

symbol in the upper left hand corner of the node.)

• When a closed Protection Domain node is right-clicked, the Context menu

displays the Harden, Delete (Remove), and Traverse Exploits (Alt+Left Click)

functions, which we have already seen. However, the Open Folder and Open

Folder Isolated functions are also displayed. Open Folder simply expands the

Domain to display the machines within it, but Open Folder Isolated displays the

contents of the domain in an isolated view mode, without the parent node or any

exploits. Even the Exploit Table remains blank when items in this view are

selected. To exit the Open Folder Isolated mode, double-click the Root folder in

the Tree View.

5.2.2.4.2 Hardening

Hardening is a function that allows the user to select items, and then view the graph as

though these items were no longer targets or originators of any exploits. When an item is

hardened, it is not necessarily deleted from the graph, but all exploits associated with that

item are removed. Additionally, hardened items are recorded in the Harden List, which is

the Visualization Tool pane located in the lower left corner.

Hardening is performed by right-clicking an item, then selecting Harden from the

Context menu. If an individual Machine is hardened, all exploits associated with that

machine disappear, and the name of the machine is appended to the Harden List.

Additionally, the screen color of the Machine icon is changed to purple to indicate its

new status.

If a Protection Domain is hardened, all exploits originating or terminating in that domain

disappear, and the names of all Machines in the Protection Domain (except Unconnected)

appear in the Harden List. (Note also that the Protection Domain name does not appear in

the list). The screens of all machines in the domain, if and when they are visible, are

colored purple. Likewise the screens of machines that make up the closed folder label for

that domain will be purple if the domain is closed.

Exploits can also be hardened, or rather groups of exploits represented by Exploit arrows

can be. When an Exploit group is hardened, all individual exploits in the group are

deleted, and the “names” of the individual exploits are added to the Harden list. The

listed Exploit names are actually a bit more informative than the Machine names which

appear here: they contain the Exploit name itself as well as the names of its source and

target Machines.


43

5.2.2.4.3 Traverse Exploits

Traverse Exploits is an option that can be selected from the Context menu for either a

Machine or closed Protection Domain. It displays a brief animation in which Exploit

arrows associated with the selected node are progressively colored red, beginning with

their source nodes and ending with their target nodes. That is, the red color grows along

the Exploit arrows in the direction of the attack, and once the target node is reached the

process is reversed and the color “retreats” back to its original node. This is a handy tool

for conceptualizing attack paths originating or terminating in a given area.

5.2.2.4.4 Miscellaneous Functions

Mouse Wheel Zooming: - Whenever the cursor is positioned in the Graph View, the

display can be “zoomed” in and out by rotating the mouse wheel in the appropriate

direction. Zooming in magnifies objects visible in the display, but reduces the overall

scope of view relative to the entire Attack Graph. Zooming out reduces the size of visible

objects, but increases the scope of the display. The central point of the display is always

preserved. Note that other zooming functions are available in both the Visualization

Toolbar, and in the Context menus.

Machine and Protection Domain tooltips: - Tooltips are visible when the cursor hovers

over either a Machine node or a closed Protection Domain node in the Graph View. In

the case of a Machine node, the tooltip shows the machine name and also the term

“Initial” or “Goal” where appropriate, if the Machine in question is one of those specific

nodes. In the case of a closed Protection Domain, the Tooltip displays the name and the

total number of Machines it contains (including any “Unconnected” machines). If either

the Initial or Goal machine is contained in the Protection Domain, that fact is also

indicated in the tooltip, along with the machine name.

5.2.3 The Exploit Table

The Exploit Table is an Excel-like spreadsheet table that provides the list of exploits and

associated details for a selected entity: a Machine, group of Machines, Protection

Domain, Exploit arrow, etc. This mechanism avoids layout overhead and visual

confusion associated with a nodal representation for Exploits. When an item or group of

items is selected, all Exploits associated with that item are listed in the table. A scroll bar

appears when this Exploit list is too long for the display, and the Exploit Table itself can

be resized by clicking and dragging its top edge.

For each listed Exploit, the Name, Source Machine, Target Machine, Preconditions and

Postconditions are listed in the table, as provided by the Attack Graph model. Clicking on

a column header causes the Exploit list to be sorted by that specific parameter; either

ascending or descending order can be chosen. Column headers may also be rearranged

and resized by clicking and dragging in the table header.


44

The Exploit Table is automatically populated when a machine, protection domain, or

edge is selected. Specific behavior is as follows:

• Select Single Machine – All exploits originating or terminating at a selected

Machine are displayed in the table. This includes all intra-domain exploits

associated with that Machine. Intra-domain exploits are listed differently in the

table: the machine name is in the “To” field (target machine), while the “From”

field (source machine) is blank. This makes intra-domain exploits in the list very

easy to identify.

• Select Protection Domain – All exploits originating or terminating at machines

inside the selected protection domain are displayed in the table, whether the

selected protection domain is open or closed. Actual source and target machine

names are listed. Intra-domain exploits are not displayed.

• Select Edge - All individual exploits represented by the edge are displayed. The

number of exploits in the display list will agree with the edge label. Actual source

and target machine names are listed, whether or not they are actually visible.

• Multiple Select – Multiple nodes and protection domains can be selected by

clicking the mouse and dragging a rectangle over the desired items. This will

NOT result in display of associated exploits; in fact, it usually results in clearing

the Exploit Table display.

Figure 39 shows a simple attack graph view in which a single machine dmz_mail has

been selected. The accompanying Exploit Table has been sorted on the “From” column in

descending order, so that intra-domain exploits associated with dmz_mail appear at the

bottom. There are four inter-domain (or “normal”) exploits associated with dmz_mail:

two originate from the outsideAttacker machine, and two originate with

dmz_mail itself and terminate at the srvr_mail machine. The srvr_mail machine

is not visible in the display – to see it, it is necessary to expand the ServerLAN

protection domain.


45

Figure 39. Exploit Table

5.2.4 Toolbar Functions

The Toolbar contains a number of tools that can be useful in visualizing and analyzing

attack graphs. Figure 40 shows the Toolbar and each of its tools, together with the

Tooltip description that can be obtained by hovering the mouse cursor over the tool. This

section also briefly describes the capabilities of each tool.


46

Navigation Mode (Ctrl+N)

Edit Mode (Ctrl+E)

Print (Ctrl+P)

Export (Ctrl+SHIFT+E)

Magnify Zoom (Ctrl+M)

Zoom Area (Ctrl+B)

View Parent (Page Up)

Hierarchical Layout

Zoom In (+)

Copy to Clipboard (Ctrl+C)

Zoom Out (-)

Fit Content (Alt+Enter)

Circular Layour

Orthogonal Layout

Organic Layout

Incremental Layout

Figure 40. Toolbar Functions

Edit Mode (Ctrl+E) – Edit Mode is the normal operating mode inside the Graph View. In

this mode, one can perform selection, deletion, resizing, and relocation operations on

Attack Graph objects that are displayed. Edit Mode functions and capabilities are

described in Section 5.2.2.3.

Navigation Mode (Ctrl+N) – Navigation Mode has most of the functionality of Edit

Mode, but with one significant difference: Left-clicking and dragging anywhere within

the Graph View will cause the entire display to be dragged/relocated along with the

mouse cursor. In Edit Mode, Left-clicking and dragging creates a selection rectangle used

to select multiple objects.

Print (Ctrl+P) – The print function allows the Attack Graph display to be printed in one

of several modes specified by the user. Prior to displaying the usual Microsoft priner

selection window, a small Print Options dialog appears (Figure 41) with the following

options:

• Print Area: Specifies the portion of the Graph View to be printed. Selecting

“Entire Graph” prints the whole Attack Graph, regardless of what is currently

visible in the Graph View. “Current View” will only print that portion of the

Attack Graph which is visible.

• Sheet(s) Across: Specifies how many print sheets are to be spanned by the

horizontal dimension of the printed image.

• Sheet(s) Down: Specifies how many print sheets are to be spanned by the vertical

dimension of the printed image.


47

Figure 41. Print Options

The Sheet(s) Across/Down options allow the printed image to be printed onto a

rectangular array of 8.5”x11” sheets, which can then be assembled to produce the full

size printed display.

Export (Ctrl+SHIFT+E) – This function brings up a file save dialog allowing the Graph

View image to by exported as a graphics file. Saved image is precisely the image

appearing in the Graph View display. User navigates to the desired folder location, and

also supplies a name for the image file. Formats are selected by clicking the dropdown

arrow next to the “Files of type” field in the save dialog and selecting one of the

supported graphics format options. Supported formats at this time are *.JPG, *.GIF, and

*.SVG.

Zoom In (+) – Clicking this icon in the Toolbar (or typing ‘+’) causes the Graph View to

“zoom in” by a fixed amount, that is, objects in the display will become larger and less of

the total image will be visible. Center point of the view remains the same. Note that at

any time the Graph View can be zoomed in or out using the mouse wheel.

Zoom Out (-) - Clicking this icon in the Toolbar (or typing ‘-’) causes the Graph View to

“zoom out” by a fixed amount, that is, objects in the display will become smaller and

more of the total image will be visible. Center point of the view remains the same. Note

that at any time the Graph View can be zoomed in or out using the mouse wheel.

Fit Content (Alt+Enter) – Clicking this icon in the Toolbar (or typing Alt+Enter) causes

the entire Attack Graph to become visible in the Graph View, regardless of current

magnification factor or what portion of the Attack Graph is currently displayed.

Zoom Area (Ctrl+B) - Clicking this icon in the Toolbar (or typing Alt+B) allows the user

to select a rectangular area of the current Graph View display for closer viewing. The

Cursor becomes a magnifying glass with a small plus sign, and this cursor is clicked and

dragged in the Graph View to create the magnification rectangle. When the left mouse

button is released the rectangle is expanded to fill the entire display.


48

Magnify Zoom (Ctrl+M) – Selecting the Magnify Zoom tool puts the cursor at the center

of a 2” diameter circle that functions as virtual magnifying glass when dragged around

the Graph View (Figure 42). The degree of magnification inside the circle can be

adjusted by rotating the mouse wheel. Additionally, most of the Edit Mode functions

remain active in this mode, for example, one can select, delete, resize and relocate graph

objects. One especially useful application occurs in very large, complicated graphs when

it is necessary to locate and click the open/close (+/-) button in the upper left corner of a

Protection Domain.

Figure 42. The Magnify Zoom Tool

You can exit Magnify Zoom mode by re-clicking the Magnify Zoom tool button, by re-

keying the Ctrl+M key sequence, or by typing the ESC key.

Layout tools: The remaining items in the Toolbar are Layout Tools – clicking a Layout

Tool will cause a reorganization or layout of visual elements of the Attack Graph view,

based on some underlying layout algorithm. Applying a new layout is frequently useful

for organizing a graph view that has become messy, or for viewing the graph in a new

way, But it is not generally possible to predict the precise effect that any given layout

algorithm will have. There are five layout tools in the toolbar, each named according to

the layout algorithm it employs:

• Hierarchical Layout

• Orthogonal Layout


49

• Circular Layout

• Organic Layout

• Incremental Layout

The first four of these tools implements what is known as a from-scratch layout

algorithm, meaning that node locations, edge routing, etc. are all completely recalculated

for the entire Attack Graph. The final algorithm is called Incremental – it can be viewed

as a layout algorithm that attempts to optimize the display based on recent changes. Try

this algorithm after moving a few Machines or Protection Domain elements around,

relocating Exploit endpoints, or deleting a few items. You are encouraged to experiment

with these layouts and find the ones best suited to your analytical style, or to make

particular graph patterns more explicit.

Note that an incremental layout algorithm similar (but not necessarily identical) to this

one is implicitly invoked whenever hierarchical changes occur to the display: in

particular, opening and closing Protection Domain or Unconnected Group/Folder nodes.

Additionally, it should be mentioned that when a new Attack Graph is loaded, the initial

layout algorithm is Hierarchical.

Figure 43(a) shows an attack graph with an initial layout. Figure 43(b) the same attack

graph, rearranged by applying the Hierarchical layout tool from the Toolbar. This gives

you an idea of what this might be expected to produce. Starting from a fixed initial

graph, it is a good idea to see what the individual layout tools will do; this can give a

good intuitive idea of expected effects for each of the available algorithms.


50

(a) (b)

Figure 43. Graph Rearrangement via Hierarchical Layout

5.3 Network Hardening Recommendations

CAULDRON makes recommendations for hardening the network, based on the attack

graph. These recommendations are generated as XML (e.g., for subsequent reporting),

and rendered in CAULDRON. Recommendations are also saved in an XML file, with

the filename postfix .hardened (based on the attack graph filename). To compute

network hardening recommendations, you must constrain the attack graph with specific

attack start and/or goal machines (as described in Section 5.1.2).

CAULDRON makes 3 kinds of recommendations:

1. Optimal (minimum-effort) hardening requires the minimum number of changes

(e.g., firewall rules) to the network, while preventing the attacker from reaching

the goal. This option requires both start and goal machines to be defined.

2. First-level hardening gives the network changes that stop the attack as soon as

possible, i.e., immediately after the attack start. This option requires the start

machine to be defined.

3. Last-level hardening gives the network changes that protect the goal from all

attack sources, i.e., immediately preceding the attack goal. This option requires

the goal machine to be defined.


51

Once you have defined the attack scenario, e.g., to the point that you would generate the

attack graph via View Full as described in Section 5.1.6, you are ready to compute

hardening recommendations. Just click the Network Hardening button, as shown in

Figure 44.

Figure 44. Network Hardening Button

As an example, consider the attack graph in Figure 45, which has starting machine

1.1.52.244 and goal machine 1.1.1.244.

Figure 45. Attack Graph for Network Hardening Recommendations

Figure 46 is a list of the CAULDRON recommendations, i.e., minimum-effort, first-

layer, and last-layer. With the minimum-effort recommendation selected, CAULDRON

shows there are a grand total 2 exploits as the minimum number of hardened (e.g.,

blocked) exploits to prevent the attack from reaching 1.1.1.244 from 1.1.52.244.

Figure 46. List of Hardening Recommendations


52

You can drill down to see the details of each hardening recommendation. In this

example, the minimum-effort solution is one exploit from 1.1.219.100 to 1.1.1.244

(highlighted in Figure 47), and one exploit from 1.1.105.244. Here, attackerDom and

victimDom under DomToDom are the specific attacker and victim domains

(respectively), and numExploits is the total number of exploits between those two

domains.

Figure 47. Recommended Hardening between a Pair of Protection Domains

Figure 48 shows the details for an individual exploit to be hardened.

Figure 48. Exploit Details for a Hardening Recommendation

Documents

User tGuide