The fundamental approach of cyber security analysis with securiCAD is to simulate potential attacks. These simulations are performed in models of Information and Communication Technology (ICT) infrastructures. This teaching module will use an example model of a fictitious and simplified ICT infrastructure. The example model is bundled with the software. We suggest you run securiCAD in parallel while going forward with this module.
The ACME corp. ICT infrastructure
The figure below presents the made-up ACME corp. ICT infrastructure. It consists of three network zones: office, staging, and production. In the networks there are a few hosts with established communication between them. Overall, we want to protect the company’s customer record database from an attacker we assume has compromised an office workstation.
The ACME model
When launching securiCAD for the first time a model of the ACME infrastructure is automatically loaded.
Turning our attention to the ACME model we see that it consists of objects and connections between them. Objects are of various types and some examples include networks, routers, hosts, user accounts, and services. In our example we have for instance one network object called Office and one called Staging Infra. The Office and Staging Infra networks are connected via a router object GW1. The connections carry specific meanings: for instance, a host connected to a network means that the host is reachable from that network, and a service connected to a host means that the service is run by that particular host.
If you navigate around a little bit in the model you find other objects representing the other things from the above infrastructure specification. In addition, there are some objects not directly found in the specification that were added according to some interpretation (or further investigation). For instance, we have an RDP session running between hosts in the Office and Staging infra networks and several hosts have access control related to them.
Objects can also have different types of attack steps and defense mechanisms associated with them. An attack step is something harmful that an attacker can accomplish, and defenses are countermeasures that make the attack steps more difficult or “expensive” to succeed with. Attack steps and defense mechanisms are shown in tabs in the upper right corner of securiCAD.
For instance, if we select the Office network object, we find the attack steps ARPCachePoisoning, Compromise, DNSSpoof and DenialOfService and the defense mechanisms DNSSec, PortSecurity and StaticARPTables.
Finally, the model also contains an Attacker object defining the threat scenario. In our case we assume that the attacker has compromised Workstation 1.
Now, let us move directly to the core of securiCAD. We want to understand: how secure are our customer records? In order to answer that question securiCAD lets you simulate potential attack paths from the attacker to all the assets in our modeled ICT infrastructure by simply clicking the Simulate button.
Simulations then run as an online cloud service. As soon as the simulation is ready, the results will be shown as a report in a web browser window, see below.
From a simulation we get a number of different interesting types of results: risk levels, most probable attack paths, and weak links (chokepoints) for the attacker to exploit. The presented results relate to those objects that have been marked in the model with a “consequence value” if they are compromised. For the ACME model, the Stage srv 2 and the Customer records objects have (already) been marked with such values. The consequence of the attacker being able to write in the customer records database was set to a severity value of “8” (out of 10), and the compromise of the host Stage srv 2 was set to a value of “5”.
First, we turn our attention to the Risk matrix, the first part of the report.
Here we see that two dots are plotted in the matrix. These dots represent the two selected attack steps we wanted to investigate. On the x-axis we simply find the consequence value (as assigned in the model). More interestingly, on the y-axis we find the probability that the attacker is successful in reaching from the starting point all the way to this step in a certain number of days, as found by the attack simulations.
We can get more information about these risks by clicking the attack steps in the list below the risk matrix.
When doing so, the Risk details diagram shows a probability distribution for the attacker succeeding with the attack. On the x-axis in this diagram the expected Time-To-Compromise (TTC) is depicted, and on the y-axis we find the probability of the attacker succeeding with the step. As expected, given more time it is more likely that the attacker succeeds with the attack step.
With the risk values we get an overview of how vulnerable the infrastructure is. A next natural question to ask is: why are we vulnerable? securiCAD addresses this question by showing attack paths from the simulations. To visualize attack paths we return to the list of attack steps below the risk matrix. To the far right there is an icon for showing the “Critical path”. Click the icon on the Customer records row.
When a simulation is run, the simulation engine will analyze the model and explore all possible paths an attacker could follow throughout it. Naturally, there are lots and lots of such attack paths. However, the critical path is the attack path that has been found to be the easiest (in terms of time spent on each individual attack step). In the Figure below we see the critical path for the attack step Write on the object Customer records.
Just after rendering the critical path we have bubbles floating around trying to adjust their position in relation to other bubbles. This will stabilize in a short while. If needed the bubbles can be adjusted by manual dragging (as done in the Figure). Each bubble represents an attack step, specified in the text under it, and the circle contains an icon showing what type of object the attack step is located on.
We see that the attack path is splitting up and connecting again. This is because for some attack steps the attacker is required to do multiple previous steps to succeed with the current one (for instance both get access and provide credentials to log in), while in other cases the paths are alternatives (either crack a password or social engineer the user for it). Furthermore, we see that the arrows between attack steps are of different size and color. Recall that securiCAD is probabilistic and is conducting simulations. Simulations are done by running and aggregating multiple samples of attack paths. The thick red arrows indicate paths that are often (in many samples) taken by the attacker, scaling down to thin yellow arrows that indicate less frequently taken paths. (Details of attack path simulations are further described in another module.)
In our example we see that the attacker starts at our specified entry point. Since we assumed that the attacker had compromised Workstation 1 this also automatically means that the RDP client and the LSASS keystore are also breached. The first active attack step is to the RDP Session dataflow and then further on to the RDP Service.
Additional attack paths
As previously mentioned, there are a number of possible attack paths leading from the attacker to the target. At the first opening of the attack path window only the most likely attack path is shown. However, in many situations it is also interesting and important to understand other possible attack paths. Showing these alternative attack paths is done by dragging the “Details” slider to the right.
When we increase the number of shown attack paths we see that the attacker can also exploit the Prod Srv 3 host and LSASS datastore as well as the System user account and Oracle login access control, and more.
As briefly mentioned earlier, defenses help make attack steps harder to succeed with. In the attack path visualization, defenses are shown as green bubbles with shields in them.
Only defenses that are missing or could be enhanced are shown. This view thus helps us identify suggestions for improvement. In the above zoomed-in cut-out we have a simple but illustrative example. We see that certain imperfect defenses enable the attacker to succeed with compromising Joe’s user account; the bubble “Joe MFA” indicates that using multi-factor authentication for the user account would help here.
Another type of information that can be interesting to us when analyzing vulnerabilities of the infrastructure is to know if there are assets and attack steps that are commonly exploited by the attacker in the simulations. Such places we call chokepoints. At the bottom of the securiCAD simulation report, we have the Chokepoints chart.
To the left we have objects called chokepoints in grey and yellow. The yellow ones are more frequently used by the attacker than the grey ones. To the right we have objects with consequences set. These are our targets. The vertical size of the objects indicates how many chokepoints each target is associated with. The connection lines between the target objects and the chokepoint objects show which chokepoints the attacker has mainly been using on the way towards the target. The size of the relations illustrates the number of attack paths where the object is included. In our example we find the obvious fact that the RDP service is frequently used by the attacker while reaching both targets but also that the local accounts seem to be a weak spot in the architecture.
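The sampling idea behind these results, as an added illustration that is not securiCAD's engine or code from this module: draw many attack samples over a small graph with "all of" and "any of" steps, then report the probability of reaching the target within a number of days and how often each step lies on the sampled path (a chokepoint count). The step names, the mean efforts in days and the exponential effort distribution are assumptions constructed for this example, not values from the ACME model.

```python
import random
from collections import Counter

# Constructed toy graph (NOT the real ACME model): step -> (kind, parents, assumed mean days).
# "OR": any one parent suffices; "AND": every parent must be done first.
GRAPH = {
    "Workstation1.Compromise": ("ENTRY", [], 0.0),
    "RDPSession.Access":  ("OR", ["Workstation1.Compromise"], 1.0),
    "RDPService.Connect": ("OR", ["RDPSession.Access"], 2.0),
    "Joe.CrackPassword":  ("OR", ["Workstation1.Compromise"], 20.0),
    "Joe.SocialEngineer": ("OR", ["Workstation1.Compromise"], 8.0),
    "Joe.Credentials":    ("OR", ["Joe.CrackPassword", "Joe.SocialEngineer"], 0.0),
    "StageSrv2.Login":    ("AND", ["RDPService.Connect", "Joe.Credentials"], 0.5),
    "CustomerRecords.Write": ("OR", ["StageSrv2.Login"], 3.0),
}

def sample_once(rng, target):
    """Draw one attack sample; return (TTC of target, steps on the path used)."""
    ttc, via = {}, {}
    for step, (kind, parents, mean) in GRAPH.items():  # dict order is topological
        local = rng.expovariate(1.0 / mean) if mean > 0 else 0.0
        if kind == "ENTRY":
            ttc[step], via[step] = 0.0, []
        elif kind == "AND":   # wait for the slowest prerequisite
            ttc[step], via[step] = max(ttc[p] for p in parents) + local, parents
        else:                 # OR: attacker takes the fastest alternative
            best = min(parents, key=ttc.get)
            ttc[step], via[step] = ttc[best] + local, [best]
    used, stack = set(), [target]
    while stack:              # walk back from the target to the entry point
        step = stack.pop()
        if step not in used:
            used.add(step)
            stack.extend(via[step])
    return ttc[target], used

def simulate(target, days, samples=2000, seed=1):
    """Return (P(target reached within `days`), per-step usage frequency)."""
    rng = random.Random(seed)
    hits, usage = 0, Counter()
    for _ in range(samples):
        t, used = sample_once(rng, target)
        hits += t <= days
        usage.update(used)
    return hits / samples, {s: n / samples for s, n in usage.items()}

if __name__ == "__main__":
    print(simulate("CustomerRecords.Write", days=30))
```

Steps with a frequency of 1.0 are on every sampled path, which is what makes them chokepoints; raising the assumed mean effort of a step models adding a defense to it.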
In this module we have introduced the basic securiCAD building blocks and use cases. We learnt how to analyze an ICT infrastructure model by generating overview risk estimates, inspecting related attack paths, and identifying ways to mitigate vulnerabilities. By now you are in a good position to start checking out the securiCAD capabilities in more detail and analyzing your own models. There is however more to securiCAD, and we recommend that you continue with our next module (follow the link below), where we will focus on how to build models.