Metrics Suite for Network Attack Graphs
TRANSCRIPT
65th Meeting of IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance
Sorrento, Italy, January 23-27, 2014
Steven Noel
Center for Secure Information Systems
George Mason University
csis.gmu.edu
Motivation
• Impact of combined topology, policy, and vulnerabilities on security posture
– Attack graphs show multi-step vulnerability paths through networks
– But they lack quantitative scores that capture overall security state at a point in time
• Show metric trends over time
• Compare security across organizations
• Complementary dimensions of network security
• Funded by DHS BAA 11-02 (12 months)
1 1/23/2014 65th IFIP Working Group 10.4 Meeting
Motivating Example
Attack Graph Before Remediation
Top CVSS Vulnerabilities (CVSS > 7): Remediated Attack Graph
Top Exposed Vulnerabilities (Top 3 Exposed): Remediated Attack Graph
Attack Graph Metrics
Inputs: Network Topology, Firewall Rules, Host Vulnerabilities
Pipeline: Attack Graph Analysis → Metrics Engine → Metrics Dashboard
Vulnerability scanners: Nessus, Retina, nCircle, Core Impact, Foundscan, Qualys, SAINT, nmap
Firewall and router configurations: Cisco ASA, Cisco IOS, Juniper JUNOS, Juniper ScreenOS, Fortinet, McAfee FE
Output formats: XML, CSV, Graphical
Cauldron Attack Graph
Common Vulnerability Scoring System (CVSS)
CVSS Base Metric
• Exploitability: Access Vector, Access Complexity, Authentication
• Impact: Confidentiality, Integrity, Availability
Attack Graph Metrics Families
• Victimization: Individual vulnerabilities and exposed services each have elements of risk. We score the entire network across individual vulnerability victimization dimensions.
• Size: The size of the attack graph (vectors and exposed machines) is a prime indication of risk. The larger the graph, the more ways you can be compromised.
• Containment: Networks are generally administered in pieces (subnets, domains, etc.). Risk mitigation should aim to reduce attacks across such boundaries, to contain attacks.
• Topology: The connectivity, cycles, and depth of the attack graph indicate how graph relationships enable network penetration.
Metrics Hierarchy
• Overall (Network Score)
– Victimization (Metrics Family): Existence, Exploitability, Impact (Individual Metrics)
– Size: Vectors, Machines
– Containment: Vectors, Machines, Vuln Types
– Topology: Connectivity, Cycles, Depth
Metrics Scaling
A raw metric value $x$, with $x_{\min} \le x \le x_{\max}$, is mapped onto the 0 (Best) to 10 (Worst) scale in three steps: shift so that $x_{\min}$ maps to 0, normalize to $[0, 1]$, then scale to $[0, 10]$:
$$f_1(x) = x - x_{\min}$$
$$f_2(x) = \frac{x - x_{\min}}{x_{\max} - x_{\min}}$$
$$f_3(x) = 10\,\frac{x - x_{\min}}{x_{\max} - x_{\min}}, \qquad x_{\min} \le x \le x_{\max}$$
Best = 0, Worst = 10.
Metrics Scaling (Reversal)
When a larger raw value means a more secure network, the same shift and normalization are applied, and the normalized value is then reversed, so that $x_{\min}$ maps to 10 (Worst) and $x_{\max}$ maps to 0 (Best):
$$f_1(x) = x - x_{\min}$$
$$f_2(x) = \frac{x - x_{\min}}{x_{\max} - x_{\min}}$$
$$f_3(x) = \frac{x - x_{\min}}{x_{\max} - x_{\min}} - 1$$
$$f_4(x) = 1 - \frac{x - x_{\min}}{x_{\max} - x_{\min}}$$
$$f_5(x) = 10\left(1 - \frac{x - x_{\min}}{x_{\max} - x_{\min}}\right), \qquad x_{\min} \le x \le x_{\max}$$
Worst = 10, Best = 0.
Combining Metrics
For two individual scores $s_1$ and $s_2$ (each on the 0 to 10 scale) with weights $w_1$ and $w_2$, the weighted scores are combined as a Euclidean norm, normalized by the largest possible value, which is reached when both scores are 10:
$$S = 10\,\frac{\sqrt{(w_1 s_1)^2 + (w_2 s_2)^2}}{\sqrt{(10\,w_1)^2 + (10\,w_2)^2}}$$
In general, for $n$ individual scores $s_i$ with weights $w_i$, the combined score is
$$S = \sqrt{\frac{\sum_{i=1}^{n} (w_i s_i)^2}{\sum_{i=1}^{n} w_i^2}}$$
so that $S = 10$ exactly when every $s_i = 10$.
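The scaling and the normalized weighted Euclidean combination above, carried up the metrics hierarchy from individual metrics to family scores to the overall network score, as an added example (my own code, not the slides' or the Cauldron tool's). The family weights and the sample scores are constructed; the slides give no weight values.

```python
import math

# The metrics hierarchy from the slides: family -> its individual metrics.
FAMILIES = {
    "Victimization": ["Existence", "Exploitability", "Impact"],
    "Size": ["Vectors", "Machines"],
    "Containment": ["Vectors", "Machines", "Vuln Types"],
    "Topology": ["Connectivity", "Cycles", "Depth"],
}

def scale(x, x_min, x_max, reverse=False):
    """Map raw value x in [x_min, x_max] onto 0..10.
    reverse=False: x_min -> 0 (best), x_max -> 10 (worst).
    reverse=True (larger raw value is more secure): x_max -> 0, x_min -> 10."""
    if x_max == x_min:
        return 0.0                          # degenerate range, nothing to scale
    f2 = (x - x_min) / (x_max - x_min)      # normalize to [0, 1]
    return 10.0 * (1.0 - f2 if reverse else f2)

def combine(scores, weights=None):
    """Normalized weighted Euclidean norm: S = sqrt(sum (w_i s_i)^2 / sum w_i^2).
    All scores at 10 give exactly 10; a single 10 among n equal-weight zeros
    gives 10/sqrt(n), so one bad metric is not averaged away."""
    if weights is None:
        weights = [1.0] * len(scores)
    num = sum((w * s) ** 2 for w, s in zip(weights, scores))
    den = sum(w ** 2 for w in weights)
    return math.sqrt(num / den)

def network_score(individual, family_weights=None):
    """Roll individual metrics up to family scores, then to the overall score.
    individual: {family: {metric: score}}; family_weights: {family: weight}
    (weights are constructed for this example; the slides give none)."""
    family_scores = {
        fam: combine([individual[fam][m] for m in metrics])
        for fam, metrics in FAMILIES.items()
    }
    weights = None
    if family_weights is not None:
        weights = [family_weights[fam] for fam in FAMILIES]
    overall = combine(list(family_scores.values()), weights)
    return overall, family_scores

# Constructed sample: a network whose only weakness is its Size family.
SAMPLE = {
    "Victimization": {"Existence": 0, "Exploitability": 0, "Impact": 0},
    "Size": {"Vectors": 10, "Machines": 10},
    "Containment": {"Vectors": 0, "Machines": 0, "Vuln Types": 0},
    "Topology": {"Connectivity": 0, "Cycles": 0, "Depth": 0},
}
```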
Metrics Family: Victimization
Let $U$ be the set of vulnerabilities in the attack graph, with CVSS exploitability sub-score $e(u_i)$ and impact sub-score $m(u_i)$ for each $u_i \in U$; let $v$ be the number of vulnerable ports and $s$ the total number of ports.
• Existence – relative number of ports that are vulnerable:
$$\mathrm{Existence} = 10\,\frac{v}{s}$$
• Exploitability – average CVSS Exploitability:
$$\mathrm{Exploitability} = \frac{1}{|U|}\sum_{u_i \in U} e(u_i)$$
• Impact – average CVSS Impact:
$$\mathrm{Impact} = \frac{1}{|U|}\sum_{u_i \in U} m(u_i)$$
Size Family
Vectors Metric
Let $d$ be the number of protection domains, $m_i$ the number of machines in domain $i$, $v_{i,j}$ the number of attack vectors from domain $i$ into domain $j$, $m$ the total number of machines, and $s_i$ the number of services (ports) on machine $i$.
Within a domain, vectors are implicit: each of the $v_{i,i}$ vulnerabilities in domain $i$ is reachable by the other $m_i - 1$ machines of that domain. Across domains, vectors $v_{i,j}$ ($i \ne j$) are explicit.
$$\text{Attack vectors:}\quad v_a = \sum_{i=1}^{d}\Big[(m_i - 1)\,v_{i,i} + \sum_{j \ne i} v_{i,j}\Big]$$
$$\text{Total possible attack vectors:}\quad v_p = (m - 1)\sum_{i=1}^{m} s_i$$
$$\text{Size Vectors} = 10\,\frac{v_a}{v_p}$$
Size Family
Machines Metric
Let $r_i$ be the number of vulnerable machines and $m_j$ the number of machines (vulnerable and non-vulnerable) in each of the $d$ domains:
$$r = \sum_{i=1}^{d} r_i \quad\text{(vulnerable machines)}, \qquad m = \sum_{j=1}^{d} m_j \quad\text{(all machines)}$$
$$\text{Size Machines} = 10\,\frac{r}{m}$$
Containment Family
Vectors Metric
With the same $d$, $m_i$ and $v_{i,j}$ as in the Size family (implicit vectors within a domain, explicit vectors across domains):
$$\text{Attack vectors:}\quad v_a = \sum_{i=1}^{d}\Big[(m_i - 1)\,v_{i,i} + \sum_{j \ne i} v_{i,j}\Big]$$
$$\text{Attack vectors across domains:}\quad v_c = \sum_{\substack{i,j=1\\ i \ne j}}^{d} v_{i,j}$$
$$\text{Containment Vectors} = 10\,\frac{v_c}{v_a}$$
Containment Family
Machines Metric
Let $M_i$ be the set of machines in domain $i$. Victim machines are counted by whether they are attacked only from within their own domain or also from across domains:
$$m_w = \sum_{i=1}^{d} \big|\{\, m \in M_i : m \text{ is a victim within domain } i \text{ only}\,\}\big|$$
$$m_a = \sum_{i=1}^{d} \big|\{\, m \in M_i : m \text{ is a victim}\,\}\big|$$
$$\text{Containment Machines} = 10\,\frac{m_a - m_w}{m_a}$$
Containment Family
Vulnerability Types Metric
Let $t(m)$ be the set of vulnerability types on machine $m \in M_i$. Exploited vulnerability types are counted by whether they are exploited only from within their own domain or also from across domains:
$$t_w = \sum_{i=1}^{d} \big|\{\, t \in t(m) : m \in M_i,\ t \text{ exploited within domain } i \text{ only}\,\}\big|$$
$$t_a = \sum_{i=1}^{d} \big|\{\, t \in t(m) : m \in M_i,\ t \text{ exploited}\,\}\big|$$
$$\text{Containment Vuln Types} = 10\,\frac{t_a - t_w}{t_a}$$
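The Size and Containment formulas of the two preceding families computed on a small constructed network, as an added example (my own code, not the slides' or Cauldron's). The network, its two protection domains and its explicit cross-domain vectors are constructed, and the reading of "victim" and "exploited type" is mine: a vulnerable machine counts as a within-domain victim once its domain has another machine, and an explicit vector names the machine and vulnerability type it reaches.

```python
# Constructed example network (not the slides'): machine -> (protection domain,
# number of services, vulnerability types present on the machine).
MACHINES = {
    "web":  ("dmz",    3, ["cve-A", "cve-B"]),
    "mail": ("dmz",    2, ["cve-C"]),
    "db":   ("inside", 2, ["cve-A"]),
    "file": ("inside", 4, []),
    "ws":   ("inside", 3, []),
}
# Explicit vectors across domains, as the firewall rules would permit them:
# (victim machine, vulnerability type reached). Constructed.
CROSS_VECTORS = [("db", "cve-A"), ("web", "cve-A")]

def ratio10(num, den):
    """10 * num/den, or 0 when the denominator is empty (no vectors, no victims)."""
    return 10.0 * num / den if den else 0.0

def size_and_containment(machines, cross_vectors):
    domains = {}
    for host, (dom, _, _) in machines.items():
        domains.setdefault(dom, []).append(host)
    m = len(machines)
    # Implicit vectors within domain i: each of the v_ii vulnerabilities there is
    # reachable by the other m_i - 1 machines of that domain.
    v_within = sum((len(hosts) - 1) * sum(len(machines[h][2]) for h in hosts)
                   for hosts in domains.values())
    v_c = len(cross_vectors)                                   # explicit, across domains
    v_a = v_within + v_c                                       # all attack vectors
    v_p = (m - 1) * sum(s for _, s, _ in machines.values())    # every machine vs every service
    r = sum(1 for _, _, vulns in machines.values() if vulns)   # vulnerable machines
    # Victims: vulnerable machines reachable within their domain (needs a second
    # machine there), and machines hit by an explicit cross-domain vector.
    within = {h for hosts in domains.values() if len(hosts) > 1
              for h in hosts if machines[h][2]}
    across = {h for h, _ in cross_vectors}
    m_a, m_w = len(within | across), len(within - across)
    types_within = {t for h in within for t in machines[h][2]}
    types_across = {t for _, t in cross_vectors}
    t_a, t_w = len(types_within | types_across), len(types_within - types_across)
    return {
        "Size Vectors": ratio10(v_a, v_p),
        "Size Machines": ratio10(r, m),
        "Containment Vectors": ratio10(v_c, v_a),
        "Containment Machines": ratio10(m_a - m_w, m_a),
        "Containment Vuln Types": ratio10(t_a - t_w, t_a),
    }
```

Dropping the two cross-domain vectors (an empty `cross_vectors` list) leaves the Size metrics nearly unchanged but sends all three Containment metrics to 0, which is the effect the family is designed to reward.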
Attack Graph Connectivity
One Component / Two Components / Three Components (Less Secure → More Secure)
Motivation: Better to have the attack graph as disconnected parts versus a connected whole
Topology Family
Connectivity Metric
Worked values for example graphs with c components, Metric = 10·(1 − (c − 1)/(11 − 1)):
1 component: Metric = 10·(1 − (1 − 1)/(11 − 1)) = 10
4 components: Metric = 10·(1 − (4 − 1)/(11 − 1)) = 7
5 components: Metric = 10·(1 − (5 − 1)/(11 − 1)) = 6
Attack Graph Cycles
Motivation: For a connected attack graph, better to avoid cycles among subgraphs (Less Secure → More Secure)
Topology Family
Cycles Metric
Worked values for example graphs with c components, Metric = 10·(1 − (c − 1)/(11 − 1)):
4 components: Metric = 10·(1 − (4 − 1)/(11 − 1)) = 7
5 components: Metric = 10·(1 − (5 − 1)/(11 − 1)) = 6
10 components: Metric = 10·(1 − (10 − 1)/(11 − 1)) = 1
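Counting the components behind the Connectivity and Cycles metrics on a constructed 11-machine attack graph, as an added example (my own code, not the slides' or Cauldron's). It assumes, as my reading of the worked values above, that Connectivity counts components with edge direction ignored, that Cycles counts strongly connected components (a cycle-free graph has one per machine), and that both are scored as 10·(1 − (c − 1)/(m − 1)) for c components among m machines.

```python
from collections import defaultdict

def connected_components(edges, nodes):
    """Components with edge direction ignored (Connectivity metric)."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, count = set(), 0
    for n in nodes:
        if n not in seen:
            count += 1
            stack = [n]
            while stack:                 # iterative DFS over the undirected view
                x = stack.pop()
                seen.add(x)
                stack.extend(adj[x] - seen)
    return count

def strongly_connected_components(edges, nodes):
    """Kosaraju: finishing order on the graph, then DFS on the reversed graph.
    Every directed cycle collapses into one component (Cycles metric)."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for a, b in edges:
        fwd[a].append(b)
        rev[b].append(a)
    seen, order = set(), []
    def dfs(x, adj, out):
        seen.add(x)
        for y in adj[x]:
            if y not in seen:
                dfs(y, adj, out)
        out.append(x)
    for n in nodes:
        if n not in seen:
            dfs(n, fwd, order)
    seen.clear()
    count = 0
    for n in reversed(order):
        if n not in seen:
            count += 1
            dfs(n, rev, [])
    return count

def topology_metric(components, machines):
    """10 * (1 - (c - 1)/(m - 1)): one component -> 10 (worst), all isolated -> 0."""
    return 10.0 * (1 - (components - 1) / (machines - 1)) if machines > 1 else 0.0

# Constructed 11-machine attack graph: chain h0 -> ... -> h10, plus a variant
# with a back edge h3 -> h0 that closes a cycle among h0..h3.
NODES = [f"h{i}" for i in range(11)]
CHAIN = [(f"h{i}", f"h{i + 1}") for i in range(10)]
CYCLIC = CHAIN + [("h3", "h0")]
```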
Attack Graph Depth
One Step Deep / 2 Steps Deep / 3 Steps Deep (Less Secure → More Secure)
Motivation: Better to have the attack graph deeper versus shallower
Topology Family
Depth Metric
Example panels, each with its Depth metric computed: Shortest path 3/8; Shortest path 4/8; Shortest paths 2/3 and 1/5
Metrics Dashboard
Family-Level Metrics
Temporal Zoom
Trend Summary
Example Network Topology
Attack Graph – No Hardening
Hardening steps applied to the example network:
– Block Partners to Inside
– Block Partner 4 to DMZ
– Block DMZ to Inside 3
– Patch Host Vulnerabilities
Contact
The MITRE Corporation, McLean, Virginia
Steven Noel http://csis.gmu.edu/noel/