Igor Kotenko, SPIIRAS, ivkote@comsec.spb.ru. Effectsplus Clustering Event, Amsterdam, July 4-5, 2011.
MASSIF Overview [MASSIF DoW]
Why we need to use attack models in SIEM systems
• Figure out possible sequences of attacks, and preemptively identify the security objectives that are most likely to be targeted by the attacker.
• Correlate sequences of alerts as they pertain to specific actions within an attack model.
• Identify appropriate sets of countermeasures, that is, actions taken by the system to subvert the ongoing sequence of attacker actions.
• Dynamically compute the impact of attacks and countermeasures: the former when they violate the normal security policy, the latter when they modify the system configuration so that it no longer complies with the default policy requirements. [Nizar Kheir, Hervé Debar, et al.]
State-of-the-art in analytical attack modelling
• Representing attack scenarios and malefactors [Schneier, 1999; Dawkins et al., 2002; Shepard et al., 2005; …]
• Specification of platforms, vulnerabilities, vulnerability scorings, attacks, weaknesses and configurations [NVD; OSVDB; CVE; CVSS; CPE; CCE; CWE; CAPEC; …]
• Attack graphs [Ortalo et al., 1999; Ritchey & Ammann, 2000; Sheyner et al., 2002; Rieke, 2004; Noel & Jajodia, 2005; Lippmann & Ingols, 2006; …]
• Security metrics [Mell et al., 2007; Jaquith, 2007; Herrmann, 2007; Jansen, 2009; …]
• Combining service dependency graphs with attack graphs [Kheir et al., 2009; Kheir et al., 2010; …]
• Representing zero-day attacks [Ingols et al., 2009; Wang et al., 2010; …]
• Modelling of responses/countermeasures [Kheir et al., 2010; …]
Range of Alternatives for attack modelling and simulation
[Figure: a spectrum of modelling and simulation alternatives. At one end, testbeds and packet-level "immersive" tools (CAIRN, Internet2, WAIL, PlanetLab, ModelNet, EmuLab, NS2, NS3, VINI, DETER, OMNeT++ INET Framework, SSF Net, J-Sim, DaSSF, PDNS, GTNetS, etc.): desirable realism and accuracy, but costly to build; suited to investigation of local interactions and local realization of defense mechanisms. At the other end, analytical models (e.g. epidemic models, attack graphs, etc.): significantly simplified assumptions; suited to investigation of global interactions and global realization of defense mechanisms.]
Approach Description
• The approach to attack analysis uses two groups of techniques:
  1. Analytical modelling based on generating multi-level (abstract and detailed) attack graphs and service dependencies;
  2. Fine-grained modelling and simulation based on dynamic imitation of attack and response actions, mixing analytical modelling with packet-based simulation.
• Analytical and fine-grained modelling and simulation are highly beneficial for a deep understanding of network attacks and a prerequisite for their prevention, detection, and mitigation.
• The approach consists in using a multi-level model of attack scenarios and service dependencies, together with attack modelling and simulation, to determine a family of security metrics, comprehensively evaluate responses, and generate attack and response impacts.
• An important issue is providing links with the Event and Information Collection Architecture, Event-driven Process Models, Decision support, reaction and countermeasures, and Integration, Repository and Visualisation.
Common approach to analytical attack modelling
– Generating the common attack graph based on current and possible vulnerabilities
– Determining the current malefactors' actions by correlating logs and alerts, and generating the attack (sub)graphs for possible sequences of malefactors' actions by modelling malefactors' behaviour
– Modelling possible responses (countermeasures)
– Calculating the security metrics (attack and response impacts)
– Providing the risk analysis procedures
– Links with the Event and Information Collection Architecture, Event-driven Process Models, Decision support, reaction and countermeasures, and Integration, Repository and Visualisation
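The steps above, carried through on a toy model as an added example (this is illustrative code written for this page, not MASSIF or AMSEC code): attack actions with preconditions and postconditions are derived from (hypothetical) vulnerability records, an attack graph is generated by breadth-first search from the malefactor's initial position, the skill level of the malefactor model filters which actions are available, alerts are correlated to the malefactor's current position to regenerate the subgraph from there, and a patch is modelled as a countermeasure. The hosts, action ids, skill levels and impact scores are all constructed; shortest attack trace and worst-case step impact stand in for the metrics.

```python
from collections import deque

# Constructed (hypothetical) network: host -> hosts it can open connections to
# after filtering. Not a real deployment.
REACH = {
    "internet": {"web"},
    "web": {"app"},
    "app": {"db"},
    "db": set(),
}

# Constructed attack actions, as they would be derived from vulnerability
# records in the security repository (ids and scores are hypothetical).
#   access: "remote" = exploitable over the network from any reachable host,
#           "local"  = needs an existing "user" foothold on the same host
#   gains:  privilege obtained on the target host
#   skill:  minimum malefactor skill level (1..3) able to perform the action
#   impact: CVSS-like impact score used as a per-step metric
ACTIONS = [
    {"id": "web-rce", "host": "web", "access": "remote", "gains": "user", "skill": 1, "impact": 6.5},
    {"id": "web-lpe", "host": "web", "access": "local",  "gains": "root", "skill": 2, "impact": 7.2},
    {"id": "app-rce", "host": "app", "access": "remote", "gains": "root", "skill": 3, "impact": 8.0},
    {"id": "db-auth", "host": "db",  "access": "remote", "gains": "root", "skill": 1, "impact": 9.0},
]


def applicable(action, state, skill):
    """Precondition check: can a malefactor at `state` = (host, privilege)
    with the given skill level perform `action`?"""
    host, priv = state
    if skill < action["skill"]:
        return False
    if action["access"] == "remote":
        return action["host"] in REACH.get(host, set())
    return host == action["host"] and priv == "user"   # local escalation


def generate_attack_graph(start_states, skill, actions=ACTIONS):
    """Breadth-first generation of the attack graph from the malefactor's
    initial positions. Nodes are (host, privilege) states, edges are actions.
    Returns {state: [(action_id, next_state), ...]}."""
    graph = {}
    queue = deque(start_states)
    while queue:
        state = queue.popleft()
        if state in graph:
            continue
        graph[state] = []
        for a in actions:
            if applicable(a, state, skill):
                nxt = (a["host"], a["gains"])
                graph[state].append((a["id"], nxt))
                queue.append(nxt)
    return graph


def shortest_attack_path(graph, start_states, goal):
    """Shortest attack trace (list of action ids) from any start state to the
    goal state, or None if the goal is unreachable: a simple security metric."""
    best = {s: [] for s in start_states}
    queue = deque(start_states)
    while queue:
        state = queue.popleft()
        if state == goal:
            return best[state]
        for action_id, nxt in graph.get(state, []):
            if nxt not in best:
                best[nxt] = best[state] + [action_id]
                queue.append(nxt)
    return None


def locate_malefactor(alerts, actions=ACTIONS):
    """Correlate SIEM alerts (here: ids of observed actions) to the positions
    the malefactor has already gained; these become the roots for
    regenerating the attack subgraph."""
    by_id = {a["id"]: a for a in actions}
    return {(by_id[x]["host"], by_id[x]["gains"]) for x in alerts if x in by_id}


def apply_countermeasure(patched_ids, actions=ACTIONS):
    """Model a response: patching removes the corresponding attack actions."""
    return [a for a in actions if a["id"] not in patched_ids]


def path_impact(path, actions=ACTIONS):
    """Worst-case impact along an attack trace (max of per-step scores)."""
    by_id = {a["id"]: a for a in actions}
    return max((by_id[x]["impact"] for x in path), default=0.0)


if __name__ == "__main__":
    outsider, goal = {("internet", "none")}, ("db", "root")
    for skill in (2, 3):
        g = generate_attack_graph(outsider, skill)
        print("skill", skill, "->", shortest_attack_path(g, outsider, goal))
    # alerts place the malefactor on web; regenerate the subgraph from there
    current = locate_malefactor(["web-rce"])
    g = generate_attack_graph(current, 3)
    print("after alerts:", shortest_attack_path(g, current, goal))
    # response: patch app-rce and re-evaluate the outsider's options
    g = generate_attack_graph(outsider, 3, apply_countermeasure({"app-rce"}))
    print("after patch:", shortest_attack_path(g, outsider, goal))
```

Note how the malefactor model changes the result: with skill level 2 the database is unreachable because the only route runs through an action that needs skill 3, while a skill-3 outsider has a three-step route. Correlating a single alert moves the roots of the subgraph onto the web host and shortens the remaining route to two steps, which is the quantity a decision maker wants to see before choosing a response.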
Key elements of architectural solutions
– Using a security repository (including system configuration, malefactor models, vulnerabilities, attacks, scores, countermeasures, etc.)
– Effective attack tree generation techniques
– Taking into account both known attacks and new attacks based on zero-day vulnerabilities
– Using anytime algorithms for near-real-time attack subgraph (re)generation and analytical modelling
– Stochastic analytical modelling
– Combined use of attack graphs and service dependency graphs
– Calculation of metrics of attacks and security countermeasures (including attack impact, response efficiency, response collateral damage, attack potentiality, attacker skill level, etc.)
– Interactive decision support to select solutions on security measures/tools, by defining preferences regarding different types of requirements (risks, costs, benefits) and setting trade-offs between several high-level security objectives
Architecture of AMSEC
Main components (1/3)
• User (Decision maker) interface provides the user (decision maker) with the ability to control all components, set the needed input data, and inspect results/reports.
• Network interface supports interaction with the external environment (sending requests to external vulnerability databases for updates and communicating with data sources).
• Generator of system and security policy specification converts the information about network configuration and security policy received from the collector or the user into an internal representation.
• Data controller detects incorrect or undefined data that are necessary for the security evaluation.
• Data repository updater downloads the open databases, for example NVD (National Vulnerability Database), CVE (Common Vulnerabilities and Exposures), OSVDB (Open Source Vulnerability DataBase), CAPEC (Common Attack Pattern Enumeration and Classification), Common Configuration Enumeration (CCE) Reference Data and Common Weakness Enumeration (CWE) data, and translates them into the database of attack actions.
Main components (2/3)
• Malefactor modeller determines a malefactor's individual characteristics, skill level, initial position (insider/outsider, available points of entry, etc.), actions/attacks already carried out (which can be inferred from events and alerts) and knowledge about the analyzed network. The malefactor's skill level defines the set of actions available to the malefactor and the attack strategy.
• Attack graph generator builds attack graphs by modelling sequences of the malefactor's attack actions in the analyzed computer network, using information about available attack actions of different types, service dependencies, network configuration and the security policy in use. Attack graphs can represent complex multi-stage attack scenarios consisting of various single-point attack actions.
• Generator of attack graphs based on zero-day vulnerabilities builds attack traces that take into account unknown vulnerabilities which would be required to compromise network assets.
• Manager of service dependencies maintains the service dependencies used for attack modelling and security evaluation.
Main components (3/3)
• Security evaluator generates combined objects of the attack graphs and service dependencies (routes, threats), calculates metrics of the combined objects on the basis of the security metrics of elementary objects, evaluates the overall security level, compares the obtained results with requirements, finds "weak" places, and generates recommendations on strengthening the security level.
• Analytical attack modeller performs stochastic simulation of multi-step attacks (by explicitly setting different tasks for the Attack graph generator and the Security evaluator) and determines their consequences with regard to various countermeasures and the criteria defined by the decision maker.
• Module of interactive decision support allows decision makers to select solutions on countermeasures by defining their preferences regarding different types of requirements and setting trade-offs between objectives. Decision support can include three phases: (1) setting feasible security solutions (security measures/tools); (2) identification of efficient (Pareto-optimal) security solutions; (3) selection (generation) of the final preferred solution.
• Reports generator shows vulnerabilities, represents "weak" places, generates recommendations on strengthening the security level, etc.
• Data repository is a hybrid database, including an ontological representation of network configuration, hardware/software platform, vulnerabilities, attacks, countermeasures, etc.
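The two evaluator responsibilities that the component descriptions above only name, combining attack graph routes with service dependencies to obtain attack impact and response collateral damage, and the three-phase decision support (feasible solutions, Pareto-optimal solutions, final selection), as one added worked example. This is illustrative code written for this page, not the AMSEC Security evaluator or decision support module; the service dependency graph, business values, candidate countermeasures and their costs are all constructed. Impact is propagated upward through the dependency graph (a compromised or unavailable service affects everything that transitively depends on it), each countermeasure is scored on (cost, residual attack impact, collateral damage), dominated candidates are dropped, and the decision maker's weights pick the final solution.

```python
# Constructed service dependency graph: service -> services it depends on.
# (Hypothetical e-commerce deployment, not taken from the MASSIF use cases.)
DEPENDS_ON = {
    "shop-frontend": {"order-api"},
    "order-api": {"orders-db"},
    "reporting": {"orders-db"},
    "orders-db": set(),
}
# Business value lost while a service is compromised or unavailable (hypothetical).
VALUE = {"shop-frontend": 50.0, "order-api": 30.0, "reporting": 10.0, "orders-db": 20.0}

# Phase 1, feasible countermeasures (hypothetical). `protects` = services the
# attack route can no longer reach; `disrupts` = services the response itself
# makes unavailable (the source of collateral damage).
COUNTERMEASURES = [
    {"name": "none",                     "cost": 0.0, "protects": set(),                      "disrupts": set()},
    {"name": "isolate-orders-db",        "cost": 1.0, "protects": {"orders-db"},              "disrupts": {"orders-db"}},
    {"name": "restrict-db-to-order-api", "cost": 2.0, "protects": {"orders-db"},              "disrupts": {"reporting"}},
    {"name": "patch-order-api",          "cost": 5.0, "protects": {"order-api", "orders-db"}, "disrupts": {"order-api"}},
    {"name": "reboot-db-host",           "cost": 3.0, "protects": set(),                      "disrupts": {"orders-db"}},
]


def dependents(service, depends_on=DEPENDS_ON):
    """Transitive closure over the dependency graph: `service` itself plus
    every service whose operation directly or indirectly depends on it."""
    affected = {service}
    changed = True
    while changed:
        changed = False
        for s, deps in depends_on.items():
            if s not in affected and deps & affected:
                affected.add(s)
                changed = True
    return affected


def impact(services):
    """Impact of a set of compromised or unavailable services, propagated
    through the service dependency graph and summed over business values."""
    affected = set()
    for s in services:
        affected |= dependents(s)
    return sum(VALUE[s] for s in affected)


def evaluate(countermeasure, compromised):
    """(cost, residual attack impact, collateral damage) for one countermeasure
    against the services reached along the attack graph route `compromised`."""
    residual = impact(set(compromised) - countermeasure["protects"])
    collateral = impact(countermeasure["disrupts"])
    return (countermeasure["cost"], residual, collateral)


def evaluate_all(compromised, countermeasures=COUNTERMEASURES):
    return {c["name"]: evaluate(c, compromised) for c in countermeasures}


def dominates(a, b):
    """Pareto dominance for minimisation criteria: a is no worse on every
    criterion and strictly better on at least one."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def pareto_front(scores):
    """Phase 2: keep only the efficient (non-dominated) solutions."""
    return {n: v for n, v in scores.items()
            if not any(dominates(o, v) for m, o in scores.items() if m != n)}


def select(front, weights):
    """Phase 3: the decision maker's weights over (cost, residual impact,
    collateral damage) pick one preferred solution from the Pareto front."""
    return min(front, key=lambda n: sum(w * x for w, x in zip(weights, front[n])))


if __name__ == "__main__":
    route = ["order-api", "orders-db"]   # services compromised along an attack route
    scores = evaluate_all(route)
    print("attack impact with no response:", scores["none"][1])
    front = pareto_front(scores)
    print("Pareto-optimal:", sorted(front))
    print("prefer low collateral damage:", select(front, (1.0, 1.0, 2.0)))
    print("prefer low residual risk:", select(front, (1.0, 1.0, 0.5)))
```

Rebooting the database host is dropped in phase 2 because doing nothing is cheaper, equally ineffective and has no collateral damage. The remaining trade-off is visible in phase 3: isolating the database stops the attack but takes the whole shop down through the dependency chain, so a decision maker who weights collateral damage heavily ends up with the access restriction, while one who weights residual risk heavily accepts the costlier patch.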
Main Components of Simulation Environment
• Simulation Framework is a discrete-event simulator. It can be built on various domain-oriented discrete-event simulation software tools and software libraries.
• Environment Simulation Framework is a suite of simulation modules that realistically imitates the environment for interaction. This component implements the models of the communication environment and transport protocols.
• Component-based Framework is a library that defines basic components (agents) implemented as applications.
• Subject Domain Library contains modules for imitation of attack and response processes. Libraries for different domains are to be implemented and used.
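What the discrete-event simulator does with the attack and response modules, as a minimal added example (written for this page; not the MASSIF simulation environment, and far below packet level): a multi-step attack propagates along a hypothetical host reachability graph with a fixed exploit time per host, while the response isolates each compromised host a fixed detection delay after its compromise. Events are ordered by time, with the response event winning ties, so the simulation answers the question that fine-grained modelling is meant to answer and the attack graph alone cannot: how fast must detection and isolation be to contain this attack?

```python
import heapq

# Constructed host reachability and per-host exploit durations (hypothetical).
REACH = {"internet": ["web"], "web": ["app"], "app": ["db"], "db": []}
EXPLOIT_TIME = {"web": 2.0, "app": 3.0, "db": 1.0}

# Event kinds; the lower value sorts first when two events share a timestamp,
# so an isolation scheduled for time t takes effect before an exploit that
# completes at the same t.
ISOLATE, EXPLOIT_DONE = 0, 1


def simulate(detect_delay, reach=REACH, exploit_time=EXPLOIT_TIME, start="internet"):
    """Discrete-event simulation of attack propagation versus an isolating
    response. `detect_delay` is the time from a host's compromise to its
    isolation (None = no response). Returns (compromised hosts in order,
    event trace)."""
    events = []           # heap of (time, kind, seq, payload)
    seq = 0               # tie-breaker so payloads are never compared

    def schedule(t, kind, *payload):
        nonlocal seq
        heapq.heappush(events, (t, kind, seq, payload))
        seq += 1

    compromised, isolated, trace = [], set(), []

    def launch(src, t):
        # attacker module: from a foothold, start exploiting every reachable host
        for tgt in reach[src]:
            if tgt not in compromised:
                schedule(t + exploit_time[tgt], EXPLOIT_DONE, src, tgt)

    launch(start, 0.0)
    while events:
        t, kind, _, payload = heapq.heappop(events)
        if kind == ISOLATE:
            (host,) = payload
            isolated.add(host)
            trace.append((t, "isolate", host))
            continue
        src, tgt = payload
        # an exploit fails if its source was cut off or its target already
        # isolated before it completed (or was already taken)
        if src in isolated or tgt in isolated or tgt in compromised:
            trace.append((t, "exploit-failed", tgt))
            continue
        compromised.append(tgt)
        trace.append((t, "compromised", tgt))
        if detect_delay is not None:    # response module: detect, then isolate
            schedule(t + detect_delay, ISOLATE, tgt)
        launch(tgt, t)
    return compromised, trace


def containment_threshold(delays):
    """Largest of the given detection delays that still limits the attack to
    the first host, or None if none of them does."""
    ok = [d for d in delays if len(simulate(d)[0]) == 1]
    return max(ok) if ok else None


if __name__ == "__main__":
    for d in (None, 4.0, 3.0, 2.0):
        hosts, trace = simulate(d)
        print("detect delay", d, "->", hosts)
        for ev in trace:
            print("   ", ev)
    print("slowest containing delay:", containment_threshold([1.0, 2.0, 3.0, 4.0]))
```

With no response all three hosts fall; with a 4-unit detection delay the web host is isolated at t=6, too late for the exploit of the application server that completed at t=5; with a 3-unit delay the isolation and the exploit coincide at t=5 and the tie-break lets the response win. That last case is exactly the kind of ordering question that makes a simulator worth having beside the analytical model.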
Prototype of attack modeling component
MASSIF Consortium
[Figure: consortium members grouped as industry use case providers, SIEM product providers, ... and scientific research. Source: Massif project presentation.]