Modeling From Scratch

Introduction

Models of ICT infrastructures are the basis for security analysis in securiCAD; they are our lab environment. This module guides you through creating models from scratch. Various aspects and properties of the modeling objects are introduced along the way. Even if your main goal is not to conduct manual modeling, an understanding of how models are structured is important for model navigation and analysis.

This module is applicable to both the Community Edition and the Professional Edition of securiCAD.

Minimalist architecture

In this module, we will start with a very minimalist piece of input, two hosts on different networks, since the goal is to introduce the basic modeling objects and what they represent.

Minimalist Architecture


What does the above sketch tell us?

  1. There are two boxes here, labeled ClientZone and ServerZone. These represent the network structure.
  2. We imagine that our most precious data is stored in the server in the ServerZone.
  3. Some information is traveling between the zones; the Information Request is our data flow.
  4. The applications running the Information Request data flow are not outlined. They seldom are in maps like these. Either we need to ask someone about the Information Request data flow, what’s in there, what it’s used for, or we need to make assumptions and represent them using generic application objects, which is what we will do in this case. Let’s assume that there is a client application in the client zone and a server application in the server zone.
  5. According to the map, we have a host in the client zone called Workstation and another host in the server zone called Server.

This is enough to illustrate an initial very simple setup that we will gradually extend. Now, we will make a simple model from this very sparse information and assumptions.

The securiCAD user interface

When starting securiCAD, the main securiCAD window will appear.

The securiCAD Community Edition interface

As seen in the previous module, securiCAD Community Edition will automatically load the included example model until you tell it not to (by ticking that in the welcome window at start up).

The securiCAD main window is divided into three vertical sections. To the left we have tools and windows related to adding objects to a model.
The middle section is the main canvas where we are going to build our models.
To the right, we find the analysis area with tools related to setting different properties of the model objects and to inspect, trace and analyze different attacks’ success rates within the modeled architecture.

The sizes, locations and presence of the different windows and tabs within securiCAD are highly customizable by the user.

The securiCAD Community Edition interface

Since we are about to create a new model from scratch, please select [File]->[New]->[Model] to create an empty one.

Adding objects to the model

First of all, we model the ClientZone and ServerZone networks. We also connect them, since hosts in them are able to communicate with each other.
To add an object to our model, drag it from the Object Explorer list to the left onto the main canvas.

Adding an Object to the Canvas/Model

When the Network object is added to the canvas/model, it will look like the following:

First Network Object Added to the Canvas/Model

Renaming an object, which is recommended, is done by clicking the object or pressing the F2 button.

Rename Object using the F2 button


Rename the Network object to ClientZone. Add another Network object and rename it to ServerZone.

Connecting objects

To connect one network zone to another, a Router component is needed between them to represent the zone border/connection.

We have dragged and dropped two Network objects from the list called Object Model Explorer to the left and renamed them to ClientZone and ServerZone. Now, drag a Router object from the Object Explorer onto the canvas and rename it to CZ-SZ. This will give us three objects on the canvas: ClientZone, CZ-SZ and ServerZone.

Router and Network Objects

Next, connect them by holding [Shift], clicking on one object and dragging, then releasing the connection over the other object.

Selecting type of connection

While making the connection, a dialogue will appear asking you to choose which type of connection to use. The options are either Administration or Connection. The Administration connection type states that the router in question can be administered from that network zone. The Connection type states that the router communicates with the zone but that administration is not allowed from it.

Choosing Router Connection Type

Since, in many environments, router administration is done from an administrative network zone, we add an extra Network object representing the administration zone. If we do not have such an administrative network zone, we will see a message in the Problems tab in the top right area of securiCAD telling us that we need to add one. For a smaller architecture, the administrative zone might be the same as, for instance, the inner of the two network zones; in that case there will be two parallel connections, one for Connection and one for Administration.

An Administration type of connection is only defining from what network zone administration is possible. If you also want to say that regular (non-administration) network traffic is possible to that zone, you need to also add a Connection type connection in parallel with the Administration connection.

Router and Network Objects with Connections

In the current model the router is modeled as part of a connection between the ClientZone and the ServerZone objects. In most cases, modeling a Router object assumes a router with some restrictions. Therefore we want to add some more objects to it: an AccessControl object and a Firewall object. These objects state that login credentials are required to administer the router and that communication through it must adhere to some routing (firewall) rules.

Adding objects instantly using arrows

Adding objects can also be done by selecting the CZ-SZ Router object and then clicking on the right arrow that appears. This will present a list of objects that can be connected to the Router object.

When clicking on the left arrow, you will see a list of already existing and connected objects. In this case, the ClientZone, AdminZone and the ServerZone network objects.

These arrows are only shown when you can add an object on the current canvas. This means that if you open an object to see what other objects are in it, these arrows for adding additional objects will not be available. A more complete description on this is found in the Program Features module describing Object Views.

Select AccessControl and then Firewall.

Adding Objects to a Router

We also see that when we added a Firewall object to our Router object, a mini-icon appears on the Router object. This doesn’t happen when adding the AccessControl to it. The reason for this is that a Router is assumed to have an AccessControl (even though it is not mandatory) while a Router does not necessarily have a Firewall connected to it. Firewalls provide more modeling and architectural information to the model than access controls do.

As with the Router object, we need to add a UserAccount object to the AccessControl object. Select AccessControl, click on the right hand arrow and select UserAccount.

Router With Restrictions

When adding a UserAccount object to an AccessControl object, we will be prompted for which type of connection to use, root or non-root authorization:

Selecting Type of UserAccount

Since the access control and the corresponding user account in this case represent the administration of the router settings, including the firewall rule set, please choose the Root Authorization option.

When adding an AccessControl object, it is always good practice to also add a UserAccount connected with the Root Authorization type of connection. This represents that it is possible to, for instance, add new user accounts or edit existing user accounts and settings. Regular user accounts shall have the Non-Root Authorization type of connection and are optional.

When building different models and performing attack analysis, you will later on see that getting hold of a root user account is much more useful to the attacker than a regular user account, even if such a user account is also useful for performing further attacks.

Router With Restrictions and a UserAccount

Hiding objects

To clean up the view of our network structure, we may drop the AccessControl and the Firewall objects into the Router object, since they belong together. Objects may be displayed on the same image/canvas, but such an approach quite soon gets rather cluttered. Therefore, securiCAD provides the possibility to contain/hide objects that have relations to each other within other objects.

The following pictures illustrate how to move/hide objects into other objects. First move the UserAccount object into the AccessControl object, and then the AccessControl and the Firewall into the Router object.

Moving Objects Into Other Related Objects

Introducing components

When building a securiCAD model, you have not only the single/native objects in the Object Explorer pane, but also a collection of component objects containing several already connected objects.

Below the list of “native objects” we have been working with so far, there is an area containing a collection of categorized components or “extended objects”.

The components belong to different categories, and we encourage you to first look for a suitable component object. If no component seems to fit your current need, use native objects as a secondary option.

Components and categories

There is a separate module describing how to use components and how to create your own.

Host components

From the given sketch, we see that there is a Workstation in the Client Zone and a Server in the Server Zone. They are systems and systems are in their most basic form represented by Host objects in our models. The nature of these systems is defined later on by what additional objects and settings we add to them.

We regard anything that has an IP address, such as computers, network printers, smart phones, tablets, embedded systems, virtual machines and so on, as a kind of host.

Hosts are added to the networks either by dropping a single Host object onto the canvas and then connecting it, or by selecting a Network object and using the arrows as previously described. However, for a Host object, there are also component objects available.

Defining a “System”

A system, as we see it, consists of several objects: a Host object, a SoftwareProduct, an AccessControl, a Client and a Data Store.

Even though we have no information on what type of host we have in the given sketch, we still recommend using a component object. We know that one host is acting as a client (workstation) and one as a server. From the securiCAD components directory, pick the component labeled Linux Server and drop it onto the main canvas.

Adding the Linux Server component

Then connect it (shift-drag and drop) to the ServerZone.

When connecting the Linux Server object with the ServerZone object, you will be prompted with a window asking which objects to connect. The reason for this is that connections can be made to/from objects that are contained within other objects. We will soon discuss this in more detail, but for the moment just click the left area, then the right area, and then the OK button.

Select Association Type


ServerZone and Linux Server

A small Host icon is added to the Network object. Not all networks have hosts in them, some are merely set up for intercommunication.

For clarity, rename Linux Server to ServerSystem to match our initial sketch.

ServerZone and ServerSystem

Object content details

Hovering the mouse over the network object presents a yellow label saying that the network object ServerZone contains an object labeled ServerSystem.

Network content

Doing the same with the ServerSystem object, we see that it contains three objects: a SoftwareProduct, an AccessControl, and a Service object.

ServerSystem content


Next, we add a host component to the ClientZone object, representing the client workstation in the initial sketch. Since the sketch says Workstation, please pick the Windows 7 component. For simplicity, you can drag it from the components library and drop it directly on the ClientZone object. This will add it to the model and at the same time connect it to the ClientZone.

Adding Windows 7 to the ClientZone

Object views; objects within objects

If we want to check what is in the ClientZone, we can double-click it to open it. This will bring up a new canvas, a so called Object View. These kinds of views have some limitations: you can only add objects that can be connected to the “upper” object, since adding an object here will at the same time connect it to the object above, the “parent” object.

The content of the ClientZone

In this case, the object view we are looking at is a Network object which means that we can only add Dataflow, Host, PhysicalZone, Router, Service, VulnerabilityScanner and ZoneManagement objects to this view. Please also take the opportunity to rename Windows 7 to Workstation to match the initial sketch.

We shall add a Client object to the Windows 7/Workstation host. A Client object is the initiator of a Dataflow, which we will introduce in the next section. For now, we only need to add a client to the Windows 7 host from the client section of the components library. You do this while Workstation is visible within the expanded ClientZone view.

Add a Client to Windows 7


And select Non-Root Client Execution:

Select non-root client execution

More details on the Client and the Service objects and the difference between root and non-root connections are available in the Learn More section.

Representing communication

Adding a Dataflow

Now we have a client on a host in one network zone and a service on another host in another network zone. It is time to add the DataFlow object representing the Information Request line in the sketch.

A Dataflow is to be seen as representing a session between a client and a service.

Dataflows traveling between network zones are best located on the same level/canvas as the network zones and routers. So far, we should have the following on the canvas:

Network Overview

Sometimes it is interesting to see what types of associations the lines represent. This is done by right-clicking on the canvas and selecting Association Labels. In the above example, the labels show that the vertical associations represent Connection and the horizontal one Administration.

But let’s go back to the Dataflow discussion. In the Components library, there is a component called SSH Traffic found under the Traffic directory. Adding such a component will add both a Dataflow and a Protocol object, describing the Dataflow protection level, to the model. Rename it to Information Request.

Dataflow Object


Connecting the Dataflow

Now we shall connect it both to the putty Client object and to the sshd Service object. Start by clicking on the Network objects and their left arrows, and then select the Host objects to show them on the canvas.

Then hold down the [Shift] key and drag a connection from the Information Request to Windows 7 workstation.

Since a Dataflow shall not be connected to a Host object but instead to the Client object in the Host object, we will get a window asking where to connect it.

Select AssociationType


To the left we have the objects to connect from, and to the right the objects that can be connected to are shown dynamically. Select Information Request and the right hand area will present the unfoldable label Windows 7 workstation.

Select Information Request


Unfolding Windows 7 workstation will present putty which is the object we want to connect to. Select it.

Select putty


Pressing [OK] will close the window and create the connection between Information Request and putty.

Then you can hide the Host object again by selecting it and pressing backspace.

This is a good opportunity to describe Indirect Connections. They are not enabled by default, but if you right-click on the canvas, you will see an option to enable them. Doing so, a new kind of connection line is shown on the canvas between Information Request and ClientZone: an indirect connection. It shows that Information Request is connected, not directly to ClientZone, but to something within it.

Indirect Connection


Repeat the procedure from Information Request to Linux Server to connect Information Request to the Service labeled sshd.

Select sshd


Now we should have the following objects and connections:

Information Request between the Networks


We also see that hovering the mouse pointer over the indirect connection presents a label showing (a list of) the connections the indirect connection represents.

Indirect connection label

Hovering the mouse pointer over the indirect connection brings up a label saying that Information Request is connected to Router and the connection type is Communication.

Allowing the Dataflow

By now, we are almost finished squeezing all information out of the simple sketch we got as input. Next, we need to allow the data flow Information Request to travel between the ClientZone and the ServerZone. To do that, we need to add a connection between the Information Request data flow and the CZ-SZ Router object, and a connection between Information Request and the Firewall object connected to our CZ-SZ Router:

Connecting Information Request to Router


Then drag a connection from Information Request to CZ-SZ. This states that the dataflow Information Request is allowed to travel via the CZ-SZ router and that all properties of the router are applied to the dataflow. In this case, it is protected by (and allowed to go through) the firewall.

With the connections in place, we will have the following content on the main canvas.

Dataflow Connections

Attacker

At this moment, the model we have created so far includes enough objects to run simulations on.

Therefore, we will add an Attacker object to the model and make a simulation test run. The Attacker object represents the starting point of the attack we want to study.

Drag an Attacker object into the model just like any other object. Connect it to the WorkStation object. Since the WorkStation is located in the ClientZone, we make a connection from the Attacker to the ClientZone and then get to choose where within it we want to connect.

Selecting the WorkStation Object for the Attacker Entry Point

When we do that, securiCAD gives us several options, representing different attack steps/operations, to choose from:

Select WorkStation Compromise as the Attacker Entry Point

The options to choose from are all the possible attack steps on this particular object. Several of them are intermediate attack steps used to achieve other attack steps in this or other objects in the model. Choosing the Compromise attack step is the same as saying “We imagine that the attacker has succeeded in owning/controlling this object (the WorkStation)”. This is the attacker’s entry point in this case.

On the canvas, we now have an Attacker object, indirectly connected to the ClientZone, since it is connected to the Host WorkStation in the ClientZone.

Attacker Connected

Simulation

Check for remaining things to fix

In the top right area of securiCAD we have a tab labeled Problems. It gives us hints on mandatory things we need to add before running a simulation. For instance, in order to be able to calculate, a Protocol object is mandatory for each Dataflow object. If it is missing, it shows up as a notification in the Problems pane.

Remaining things to fix before simulating


To fix this, please add a Protocol object to the canvas and connect it to the Dataflow. Since we have SSH-related client/services, the protocol labeled encrypted in the components library is the most suitable one.
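The Problems tab checks described above (a Protocol for every Dataflow, an Administration zone for every Router, and the recommended root UserAccount on every AccessControl) can be reproduced over a plain in-memory graph of the tutorial model. This is an added example, not securiCAD's own validator or file format; the object/association names are the ones used in this module, and the `Model` class and its association labels are an assumed representation.

```python
from dataclasses import dataclass, field


@dataclass
class Obj:
    name: str
    kind: str
    links: list = field(default_factory=list)  # (other Obj, association type)


class Model:
    """Assumed in-memory stand-in for the securiCAD canvas: objects plus typed associations."""

    def __init__(self):
        self.objs = {}

    def add(self, name, kind):
        self.objs[name] = Obj(name, kind)

    def connect(self, a, b, assoc="Connection"):
        self.objs[a].links.append((self.objs[b], assoc))
        self.objs[b].links.append((self.objs[a], assoc))

    def neighbours(self, name, kind=None, assoc=None):
        return [o for o, t in self.objs[name].links
                if (kind is None or o.kind == kind) and (assoc is None or t == assoc)]


def problems(m):
    """Mirror the checks the module mentions for the Problems tab (not the full securiCAD rule set)."""
    out = []
    for o in m.objs.values():
        if o.kind == "Dataflow" and not m.neighbours(o.name, "Protocol"):
            out.append(f"{o.name}: Dataflow needs a Protocol")
        if o.kind == "Router" and not m.neighbours(o.name, "Network", "Administration"):
            out.append(f"{o.name}: Router needs an Administration connection to a Network")
        if o.kind == "AccessControl" and not m.neighbours(o.name, "UserAccount", "RootAuthorization"):
            out.append(f"{o.name}: AccessControl has no root UserAccount")
    return out


def build_tutorial_model(with_protocol=True, with_admin_zone=True):
    """Constructed model matching the objects built in this module."""
    m = Model()
    for n, k in [("ClientZone", "Network"), ("ServerZone", "Network"), ("AdminZone", "Network"),
                 ("CZ-SZ", "Router"), ("CZ-SZ AccessControl", "AccessControl"),
                 ("CZ-SZ Firewall", "Firewall"), ("admin", "UserAccount"),
                 ("Workstation", "Host"), ("putty", "Client"),
                 ("ServerSystem", "Host"), ("sshd", "Service"),
                 ("Information Request", "Dataflow")]:
        m.add(n, k)
    m.connect("CZ-SZ", "ClientZone")
    m.connect("CZ-SZ", "ServerZone")
    if with_admin_zone:
        m.connect("CZ-SZ", "AdminZone", "Administration")
    m.connect("CZ-SZ", "CZ-SZ AccessControl")
    m.connect("CZ-SZ", "CZ-SZ Firewall")
    m.connect("CZ-SZ AccessControl", "admin", "RootAuthorization")
    m.connect("ClientZone", "Workstation")
    m.connect("Workstation", "putty", "NonRootClientExecution")
    m.connect("ServerZone", "ServerSystem")
    m.connect("ServerSystem", "sshd")
    m.connect("Information Request", "putty")
    m.connect("Information Request", "sshd")
    m.connect("Information Request", "CZ-SZ", "Communication")  # allow the flow via the router
    m.connect("Information Request", "CZ-SZ Firewall")
    if with_protocol:
        m.add("encrypted", "Protocol")
        m.connect("Information Request", "encrypted")
    return m


if __name__ == "__main__":
    print(problems(build_tutorial_model(with_protocol=False)))
```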

Selecting what assets to analyze

Attack simulations spread and are performed throughout the entire model. However, when it comes to reporting, we need to select which asset we want to look at in the simulation results. It is perfectly possible to select several assets. This is done by selecting an asset, unfolding the attack step we are interested in, often Compromise, and setting the Consequence value to a figure between 1 and 10.

Selecting asset to analyze by setting the Consequence value.

Time to simulate

At this point in the manual we will not go into whether this is a reasonable attack, what it really means and what we can do about it. These topics are described in much more detail in other sections of this manual. What we will look at now is how the attack affects the different parts of the model, to see that the attack propagates through it. Press the Simulate button:

Start a simulation by hitting the button.

If you have not yet saved the model, you will be prompted to do so before the simulation starts.

The simulation starts:

Simulating

The model is now colored according to the success rate of the attack:

Initial Simulation Results

When the simulation is finished, we see that the model is colored according to the success rate of each attack step throughout the model. The deeper red a label is colored, the higher the probability of a successful attack on that particular object.

In addition to the coloring of the object frames, we will also, when using securiCAD Community Edition, get a web page showing the simulation results.

Simulation results (ServerSystem selected)

Conclusions

In this module we have learnt how to build models and what models mean. Next we will continue to dig deeper into the attack simulations and how to use them for actionable results.

The resulting model we have just built can be downloaded here.