Models of ICT infrastructures are the basis for security analysis in securiCAD; they are our lab environment. This module guides you through creating models from scratch. Various aspects and properties of the modeling objects are introduced along the way. Even if your main goal is not manual modeling, an understanding of how models are structured is important for model navigation and analysis.
This module is applicable to both the Community Edition and the Professional Edition of securiCAD.
In this module, we will start with a very minimalist piece of input, two hosts on different networks, since the goal is to introduce the basic modeling objects and what they represent.
What does the above sketch tell us?
- There are two boxes here, labeled ClientZone and ServerZone. These represent the network structure.
- We imagine that our most precious data is stored in the server in the ServerZone.
- Some information is traveling between the zones; the Information Request is our data flow.
- The applications running the Information Request data flow are not outlined. They seldom are in maps like these. Either we ask someone about the Information Request data flow (what is in it, what it is used for), or we make assumptions and represent them using generic application objects, which is what we will do in this case. Let’s assume that there is a client application in the client zone and a server application in the server zone.
- According to the map, we have a host in the client zone called Workstation and another host in the server zone called Server.
This is enough to illustrate an initial very simple setup that we will gradually extend. Now, we will make a simple model from this very sparse information and assumptions.
The securiCAD user interface
When starting securiCAD, the main securiCAD window will appear.
As seen in the previous module, securiCAD Community Edition will automatically load the included example model until you tell it not to (by ticking that in the welcome window at start up).
The securiCAD main window is divided into three vertical sections. To the left we have tools and windows related to adding objects to a model.
The middle section is the main canvas where we are going to build our models.
To the right, we find the analysis area with tools related to setting different properties of the model objects and to inspect, trace and analyze different attacks’ success rates within the modeled architecture.
The sizes, locations and presence of the different windows and tabs within securiCAD are highly customizable by the user.
Since we are about to create a new model from scratch, please select [File]->[New]->[Model] to create an empty one.
Adding objects to the model
First of all, we model the ClientZone and ServerZone networks. We also connect them, since hosts in them are able to communicate with each other.
To add an object to our model, drag it from the Object Explorer list to the right onto the main canvas.
When the Network object is added to the canvas/model, it will look like the following;
Renaming an object, which is recommended, is done by clicking the object or pressing the F2 button.
Rename the Network object to ClientZone. Add another Network object and rename it to ServerZone.
To connect one network zone to another, a Router component is needed between them to represent the zone border/connection.
We have now dragged and dropped two Network objects from the Object Explorer list to the left and renamed them ClientZone and ServerZone. Next, drag a Router object from the Object Explorer onto the canvas and rename it CZ-SZ. This gives us three objects on the canvas; ClientZone, CZ-SZ and ServerZone.
Next thing is to connect them by holding [Shift] and clicking over one object and releasing the connection over another.
Selecting type of connection
While making the connection, a dialogue appears asking which type of connection to use. The options are Administration and Connection. An Administration connection states that the router in question can be administered from that network zone. A Connection states that the router communicates with the zone but that administration is not allowed from it.
Since router administration is, in many environments, done from an administrative network zone, we add an extra Network object representing the administration network. If there is no such administrative network zone, a message in the Problems tab in the top right area of securiCAD tells us that we need to add one. For a smaller architecture, the administration zone might be the inner of the two network zones; there will then be two parallel connections, one of type Connection and one of type Administration.
An Administration type of connection is only defining from what network zone administration is possible. If you also want to say that regular (non-administration) network traffic is possible to that zone, you need to also add a Connection type connection in parallel with the Administration connection.
In the current model the router is modeled as part of the connection between the ClientZone and ServerZone objects. In most cases a Router object is assumed to be a router with some restrictions, so we add some more objects to it: an AccessControl object and a Firewall object. These state that login credentials are required to administer the router and that communication through it has to adhere to some routing (firewall) rules.
Adding objects instantly using arrows
Objects can also be added by selecting the CZ-SZ Router object and clicking the right arrow that appears. This presents a list of objects that can be connected to the Router object.
When clicking on the left arrow, you will see a list of already existing and connected objects. In this case, the ClientZone, AdminZone and the ServerZone network objects.
These arrows are only shown when you can add an object on the current canvas. This means that if you open an object to see what other objects are in it, these arrows for adding additional objects will not be available. A more complete description on this is found in the Program Features module describing Object Views.
Select AccessControl and then Firewall.
We also see that when we add a Firewall object to our Router object, a mini-icon appears on the Router object. This does not happen when adding the AccessControl. The reason is that a Router is assumed to have an AccessControl (even though it is not mandatory), while a Router does not necessarily have a Firewall connected to it. Firewalls therefore add more modeling and architectural information to the model than access controls do.
As with the Router object, we need to add a UserAccount object to the AccessControl object. Select AccessControl, click on the right hand arrow and select UserAccount.
When adding a UserAccount object to an AccessControl object, we will be prompted for which type of connection to use, root or non-root authorization;
Since the access control and the corresponding user account in this case represents the administration of the router settings, including the firewall rule set, please choose the Root Authorization option.
When adding an AccessControl object, it is good practice to also add a UserAccount connected with the Root Authorization type of connection. This represents that it is possible, for instance, to add new user accounts or edit existing user accounts and settings. Regular user accounts have the Non-Root Authorization type of connection and are optional.
When building different models and performing attack analysis, you will later on see that getting hold of a root user account is much more useful to the attacker than a regular user account, even if such a user account is also useful for performing further attacks.
To clean up the view of our network structure, we can drop the AccessControl and Firewall objects into the Router object, since they belong together. All objects may be displayed on the same canvas, but that quickly gets cluttered. Therefore it is possible to contain (hide) objects within the objects they are related to.
The following picture illustrates how to move objects into other objects. First move the UserAccount object into the AccessControl object, then the AccessControl and the Firewall into the Router object.
When building a securiCAD model, you have not only the single/native objects in the Object Explorer pane, but also a collection of component objects containing several already connected objects.
Below the list of “native objects” we have been working with so far, there is an area containing a collection of categorized components or “extended objects”.
The components belong to different categories, and we encourage you to first look for a suitable component object. If no component seems to fit your current need, use native objects as a secondary option.
There is a separate module describing how to use components and how to create your own.
From the given sketch, we see that there is a Workstation in the Client Zone and a Server in the Server Zone. They are systems, and systems in their most basic form are represented by Host objects in our models. The nature of these systems is defined later on by the additional objects and settings we add to them.
We treat anything that has an IP address, such as computers, network printers, smart phones, tablets, embedded systems and virtual machines, as a kind of host.
Hosts are added to networks either by dropping a single Host object onto the canvas and then connecting it, or by selecting a Network object and using the arrows as previously described. For hosts, however, there are also component objects available.
Defining a “System”
A system, as we see it, consists of several objects: a Host object, a Software Product, an AccessControl, a Client and a Data Store.
Even though we have no information on the type of host in the given sketch, we still recommend using a component object. We do know that one host acts as a client (the workstation) and one as a server. From the securiCAD components directory, pick the component labeled Linux Server and drop it onto the main canvas.
Then connect it (shift-drag and drop) to the ServerZone.
When connecting the Linux Server object with the ServerZone object, a window asks which objects to connect. The reason is that connections can be made to and from objects that are contained within other objects. We will discuss this in more detail shortly; for now, just click the left area, then the right area, then the OK button.
A small Host icon is added to the Network object. Not all networks have hosts in them, some are merely set up for intercommunication.
For clarity, rename Linux Server to ServerSystem to match our initial sketch.
Object content details
Hovering the mouse over the network object presents a yellow label saying that the ServerZone network object contains an object labeled ServerSystem.
Doing the same with the ServerSystem object, we see that it contains three objects: a SoftwareProduct, an AccessControl and a Service object.
Next, we add a host component to the ClientZone object, representing the client workstation in the initial sketch. Since the sketch says Workstation, pick the Windows 7 component. For simplicity, you can drag it from the components library and drop it directly onto the ClientZone object. This adds it to the model and at the same time connects it to the ClientZone.
Object views; objects within objects
To check what is in the ClientZone, double-click it to open it. This brings up a new canvas, a so-called Object View. These views have a limitation: you can only add objects that can be connected to the “upper” object, since adding an object here also connects it to the object above, the “parent” object.
In this case, the object view we are looking at is a Network object which means that we can only add Dataflow, Host, PhysicalZone, Router, Service, VulnerabilityScanner and ZoneManagement objects to this view. Please also take the opportunity to rename Windows 7 to Workstation to match the initial sketch.
We now add a Client object to the Windows 7/Workstation host. A Client object is the initiator of a Dataflow, which we introduce in the next section. For now, we only need to add a client to the Windows 7 host from the client section of the components library. Do this while Workstation is visible within the expanded ClientZone view.
And select Non-Root Client Execution;
More details on the Client and Service objects and the difference between root and non-root connections are available in the Learn More section.
Adding a Dataflow
Now we have a client on a host in one network zone and a service on another host in another network zone. It is time to add the DataFlow object representing the Information Request line in the sketch.
A Dataflow is to be seen as representing a session between a client and a service.
Dataflows traveling between network zones are best located on the same level/canvas as network zones and routers. So far, we should have the following on the canvas;
Sometimes it is interesting to see what types of associations the lines represent. Right-click on the canvas and select Association Labels. In the above example, the labels show that the vertical associations represent Connections and the horizontal one Administration.
But let’s go back to the Dataflow discussion. In the Components library, there is a component called SSH Traffic found under the Traffic directory. Adding such a component will add both a Dataflow and a Protocol object, describing the Dataflow protection level, to the model. Rename it to Information Request.
Connecting the Dataflow
Now we connect it both to the putty Client object and to the sshd Service object. Start by clicking the Network objects and their left arrows, then select the Host objects to show them on the canvas.
Then hold down the [Shift] key and drag a connection from the Information Request to Windows 7 workstation.
Since a Dataflow is not connected to a Host object but to the Client object inside it, a window asks where to connect it.
To the left are the objects to connect from; to the right, the objects that can be connected to are shown dynamically. Select Information Request and the right-hand area will present the unfoldable label Windows 7 workstation.
Unfolding Windows 7 workstation will present putty which is the object we want to connect to. Select it.
Pressing [OK] will close the window and create the connection between Information Request and putty.
Then you can hide the Host object again by selecting it and pressing backspace.
This is a good opportunity to describe Indirect Connections. They are not enabled by default, but if you right-click on the canvas you will see an option to enable them. A new kind of connection line is then shown on the canvas between Information Request and ClientZone: an indirect connection. It shows that Information Request is connected not directly to ClientZone but to something within it.
Repeat the procedure from Information Request to Linux Server to connect Information Request to the Service labeled sshd.
Now we shall have the following objects and connections;
We also see that holding the mouse pointer over the indirect connection presents a label showing (a list of) the connections the indirect connection represents.
Hovering the mouse pointer over the indirect connection brings up a label saying that Information Request is connected to Router and that the connection type is Communication.
Allowing the Dataflow
By now we have almost finished squeezing all information out of the simple sketch we got as input. Next, we need to allow the data flow Information Request to travel between the ClientZone and the ServerZone. To do that, we add a connection between the Information Request data flow and the CZ-SZ Router object, and a connection between Information Request and the Firewall object connected to our CZ-SZ Router;
Then drag a connection from Information Request to CZ-SZ. This states that the dataflow Information Request is allowed to travel via the CZ-SZ router and that all properties of the router are applied to the dataflow. In this case, it is protected by (and allowed through) the firewall.
With the connections in place, we will have the following content on the main canvas.
At this moment, the model we have created so far includes enough objects to run simulations on.
Therefore, we will add an Attacker object to the model and make a Simulation test run. The attacker object is representing the starting point of the attack we want to study.
Drag an Attacker object into the model just like any other object and connect it to the Workstation object. Since the Workstation is located in the ClientZone, we make a connection from the attacker to the ClientZone and then get to choose where to connect it.
securiCAD then offers several options representing different attack steps/operations to choose from;
The options are all the possible attack steps on this particular object. Several of them are intermediate attack steps used to achieve other attack steps in this or other objects in the model. Choosing the Compromise attack step is the same as saying “We imagine that the attacker has succeeded in owning/controlling this object (the Workstation)”. This is the attacker’s entry point in this case.
On the canvas we now have an Attacker object indirectly connected to the ClientZone, since it is connected to the Host Workstation in the ClientZone.
Check for remaining things to fix
In the top right area of securiCAD there is a tab labeled Problems. It gives hints on mandatory things we need to add before running a simulation. For instance, a Protocol object is mandatory for each Dataflow object in order to be able to calculate. If it were missing, it would show up as a notification in the Problems pane.
To fix this, add a Protocol object to the canvas and connect it to the Dataflow. Since we have ssh-related client/services, the protocol labeled encrypted in the components library is the most suitable one.
Selecting what assets to analyze
Attack simulations are performed throughout the entire model. When it comes to reporting, however, we need to select which assets to look at in the simulation results; several assets can be selected. This is done by selecting an asset, unfolding the attack step we are interested in, often Compromise, and setting the Consequence value to a figure between 1 and 10.
Time to simulate
At this point in the manual we will not go into whether this is a reasonable attack, what it really means and what we can do about it; those topics are described in much more detail in other sections of this manual. What we look at now is how the attack affects the different parts of the model, to see that it propagates through it. Press the Simulate button;
If you have not yet saved the model, you will be prompted to do so before the simulation starts.
The simulation starts;
The model is now colored according to the success rate of the attack;
When the simulation is finished, the model is colored according to the success rate of each attack step throughout the model. The deeper red a label is, the higher the probability of a successful attack on that particular object.
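To make the structure of the model we have just built, the Problems-tab hints and the idea of attack propagation concrete, here is an added example that is not part of securiCAD or this manual. It represents the tutorial objects (networks, the CZ-SZ router with its Firewall and AccessControl, the two hosts, the putty Client, the sshd Service, the Information Request Dataflow, the Attacker) as a small typed graph, runs checks modelled on the three completeness rules the text mentions (Protocol per Dataflow, Administration connection per Router, root UserAccount per AccessControl), and walks a deliberately simplified, deterministic reachability from the Attacker's entry point. The class names, association labels and the propagation rules in `STEP` are assumptions made for this example; securiCAD's own simulation is probabilistic and considerably richer.

```python
# Added illustration (not securiCAD code): the tutorial model as a small graph,
# with checks mirroring the Problems-tab hints the text describes and a
# simplified reachability walk. Object classes, association names and the
# propagation rules below are assumptions made for this example only.
from collections import defaultdict


class Model:
    """Objects (name -> class) plus undirected, typed associations."""

    def __init__(self):
        self.objects = {}
        self.links = defaultdict(set)  # name -> {(other name, association type)}

    def add(self, name, cls):
        self.objects[name] = cls

    def connect(self, a, b, kind="Connection"):
        self.links[a].add((b, kind))
        self.links[b].add((a, kind))

    def of_class(self, cls):
        return [n for n, c in self.objects.items() if c == cls]

    def neighbours(self, name, cls=None, kind=None):
        """Neighbours of `name`, optionally filtered by class and association type."""
        return sorted(o for o, k in self.links[name]
                      if (cls is None or self.objects[o] == cls)
                      and (kind is None or k == kind))


def build_tutorial_model(allow_dataflow=True, with_protocol=True):
    """The objects built in this module; the flags reproduce two incomplete states."""
    m = Model()
    for name, cls in [("ClientZone", "Network"), ("ServerZone", "Network"),
                      ("AdminZone", "Network"), ("CZ-SZ", "Router"),
                      ("CZ-SZ Firewall", "Firewall"), ("CZ-SZ AccessControl", "AccessControl"),
                      ("router-admin", "UserAccount"), ("Workstation", "Host"),
                      ("putty", "Client"), ("ServerSystem", "Host"), ("sshd", "Service"),
                      ("Information Request", "Dataflow"), ("Attacker", "Attacker")]:
        m.add(name, cls)
    for a, b, kind in [("CZ-SZ", "ClientZone", "Connection"),
                       ("CZ-SZ", "ServerZone", "Connection"),
                       ("CZ-SZ", "AdminZone", "Administration"),        # router admin zone
                       ("CZ-SZ Firewall", "CZ-SZ", "Connection"),
                       ("CZ-SZ AccessControl", "CZ-SZ", "Connection"),
                       ("router-admin", "CZ-SZ AccessControl", "Root Authorization"),
                       ("Workstation", "ClientZone", "Connection"),
                       ("putty", "Workstation", "Non-Root Client Execution"),
                       ("ServerSystem", "ServerZone", "Connection"),
                       ("sshd", "ServerSystem", "Connection"),
                       ("Information Request", "putty", "Connection"),
                       ("Information Request", "sshd", "Connection"),
                       ("Attacker", "Workstation", "Compromise")]:    # attacker entry point
        m.connect(a, b, kind)
    if allow_dataflow:   # the "Allowing the Dataflow" step: router and firewall links
        m.connect("Information Request", "CZ-SZ")
        m.connect("Information Request", "CZ-SZ Firewall")
    if with_protocol:    # the "encrypted" Protocol component
        m.add("encrypted", "Protocol")
        m.connect("encrypted", "Information Request")
    return m


def problems(m):
    """Completeness hints, modelled on the ones the text mentions (assumed set)."""
    out = []
    for d in m.of_class("Dataflow"):
        if not m.neighbours(d, "Protocol"):
            out.append(f"{d}: Dataflow has no Protocol object")
    for r in m.of_class("Router"):
        if not m.neighbours(r, "Network", "Administration"):
            out.append(f"{r}: Router has no Administration connection to a network")
    for ac in m.of_class("AccessControl"):
        if not m.neighbours(ac, "UserAccount", "Root Authorization"):
            out.append(f"{ac}: AccessControl has no Root Authorization UserAccount")
    return out


# Assumed propagation rules: a compromised Host yields its Clients and Services,
# a Client yields the Dataflows it initiates, a Dataflow reaches its Services only
# if some Router allows it, and a reached Service yields the Host it runs on.
STEP = {
    "Host": lambda m, n: m.neighbours(n, "Client") + m.neighbours(n, "Service"),
    "Client": lambda m, n: m.neighbours(n, "Dataflow"),
    "Dataflow": lambda m, n: m.neighbours(n, "Service") if m.neighbours(n, "Router") else [],
    "Service": lambda m, n: m.neighbours(n, "Host"),
}


def reachable(m, attacker="Attacker"):
    """Objects reachable from the attacker's entry point(s) under STEP."""
    frontier = m.neighbours(attacker)
    seen = set(frontier)
    while frontier:
        cur = frontier.pop()
        for nxt in STEP.get(m.objects[cur], lambda m, n: [])(m, cur):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


if __name__ == "__main__":
    m = build_tutorial_model()
    print("problems:", problems(m) or "none")
    print("reachable:", sorted(reachable(m)))
    print("without router link:", sorted(reachable(build_tutorial_model(allow_dataflow=False))))
```

Running it shows the point of the "Allowing the Dataflow" step: with the Information Request linked to CZ-SZ, the walk from the compromised Workstation reaches sshd and ServerSystem; without that link the Dataflow is a dead end, and dropping the Protocol component produces the same kind of hint the Problems tab would give.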
In addition to the coloring of the object frames, we will also, when using securiCAD Community Edition, get a web page showing the simulation results.
In this module we have learnt how to build models and what they mean. Next we will dig deeper into attack simulations and how to use them for actionable results.
The resulting model we have just built can be downloaded here.