Security Analysis

Introduction

The means to assess and understand security in securiCAD is to study what attacks could be performed in the modeled ICT infrastructure. Like virtual penetration tests. We will continue using the model we crated in the previous module, Modeling from Scratch. The model can be downloaded here.

The module starts by describing the Attack Step and Defense concepts in more detail. We will then look into the attack step visualization techniques; tracing attack chains by an attack step map and also using an attack step tree. Finally, we will take a look at the simulation results on a particular attack step on a particular object/asset to see what securiCAD will tell us in a particular position of our modeled architecture.

Attack steps

When looking at how vulnerable our architecture is, we look at the success rate of different attack steps. Attack steps are different actions that an attacker might achieve when trying to gain control of a particular object in our model. Having succeeded with one attack step might in turn open up for further achievements, going from one object to another. Some attack steps need to be accomplished by the attacker in order to start working on others.

Different objects have different attack steps associated with them depending on what type of object it is. For instance, looking at the model we built in the Modeling from Scratch module, we had the following situation.

Initial simulation results
Initial simulation results

 

What we then concluded was simply that the different objects had different levels of red coloring on their frames and that an object with a deeper red color on its frame is easier (faster) to attack.

Selecting these objects will in the top right area of securiCAD show a list of possible attack steps associated with that object and, after simulation, the attack steps’ corresponding coloring.

Please click on the Information Request Dataflow object to see the different attack steps and their coloring in the top right pane.

Dataflow Attack Steps
Dataflow Attack Steps

 

In the above picture we see that a Dataflow object is associated with the Access, DenialOfService, Eavesdrop and so on attack steps. We also see that some of them are very red which is due to this particular Dataflow object being located close to the attacker’s starting point in our model. However, the most important attack steps (regarding information confidentiality) Eavesdrop and MainInTheModdle are not red at all. This is because the Dataflow is encrypted and our model does not say where the encryption key is located. We will soon adjust this.

So far, we have been talking about the simulation results as “level of redness” and use words like “seems harder”. This is of course not everything securiCAD will tell us and will later on dive deeper into more details on the analysis results.

Defenses

Defenses can be seen as the opposite of attack steps. Attack steps are actions the attacker wants to achieve and defenses are properties of our objects we can use to make those achievements harder and take more time. While attack steps are something securiCAD will simulate and present, defense settings are something that securiCAD would like to get from us in order to make the simulations reflect the real life situation we have in the architecture we have modeled. However, if we are not able to provide securiCAD with such details, securiCAD will use a set of reasonable default values that are common within many architectures.

To check the defense setting of an object, for instance the Network object, please select it on the canvas and switch to the Defenses tab next to the Attacks tab.

Network Defenses
Network Defenses

 

The list of defenses holds three columns; the defense name, the defense setting and the default value.
The drop-down menu allows us to adjust this particular defense on this particular object to either Unset, On, Off or Probability.

When unset is selected, as with all fresh objects we add from the object explorer, defenses are in unset mode which means that securiCAD will use the default value. For the defense StaticARPTables the default value is set to off since most network zones do not use static ARP tables only.

Object frame coloring

When a simulation is finished, the objects in our model will have different tones in the red scale on their borders depending on how hard or easy it is for the attacker to gain control over it. When looking at the list of attack steps, we see that different attack steps in most cases have different tones of red even within the same object. This is natural since some attacks are easy to achieve while others are harder.

From the list of attack steps, securiCAD chooses an attack step coloring to use for the object border. It is not always that the most red attack step will decide the object border. And the object border coloring is not a mean value of all the attack steps. Instead, we have, for each object, chosen which of the attacks that is of most interest to the modeler when looking at the simulation results.

For instance, when it comes to the router object, the color of Forwarding is used while for a Host object, Compromise” is used, and so on depending on which attack step is considered being the most interesting one when doing practical modeling and analysis.

ObjectAttack Step Deciding Object Frame Coloring
Access ControlCompromise
AttackerNone
ClientCompromise
DataflowManInTheMiddle
DatastoreFastest of Read, Write, Delete
FirewallCompromise
HostCompromise
IDSNone
IPSNone
KeystoreRead
NetworkCompromise
PhysicalZoneCompromise
ProtocolNone
RouterCompromise
ServiceCompromise
SoftwareProductFastest of DevelopExploitForPublicPatchableVulnerability, DevelopExploitForPublicUnpatchableVulnerability, DevelopZeroDay
UserNone
UserAccountCompromise
VulnerabilityScannerNone
WebApplication Fastest of ExploitCommandInjection, ExploitRFI, ExploitSQLInjection
WebApplicationFirewallNone
ZoneManagementNone

Attack Step Deciding Object Frame Coloring on Canvas

Selecting attack step

securiCAD simulates the success rate of each attack step based on its difficulty and on the probability of completing previous steps. You can say that a certain attack step is possible because other previous attack steps were possible and thus we will have a chain of attack steps influencing each other.

There are two main methods for looking at this attack step chain; the attack step graph and the attack step tree. While the attack step graph is showing only the most likely paths an attacker will follow, the text based attack step tree will show all theoretically possible attack paths the attacker might follow in order to access the selected target. They both have their use and can be seen as presenting slightly different aspects of the attacker’s journey throughout our model.

In general, you want to look at the attack success rate and the previous attacks that lead to a particular object on a certain object that you or the customer has identified as a precious asset when it comes to intrusion. It might be a Datastore holding sensitive information or a system/host/service essential to business operations.

A good example in our model for showing the attack step presentation is the sshd Service object connected to the ServerSystem Host object in the ServerZone object. In order to access it, from the main network overview, so far called View 1, first double-click the ServerZone object.

Double-click the <em>ServerZone</em> object.
Double-click the ServerZone object.

 

This will bring up a new view tab called Object:ServerZone next to View 1. This is a so called Object View showing what is contained within the ServerZone object, in our model we see the ServerSystem object.

Contents of the ServerZone Object.
Contents of the ServerZone Object.

Selecting Compromise will show the attack step plot of ServerSystem.Compromise in the lower right corner.

Selecting <em>ServerSystem Compromise</em>.
Selecting ServerSystem Compromise.

We will discuss both the plot and the attack step tree in detail shortly but at the moment we want to look at the attack step graph.

Attack step graph

The attack step graph is the graphical presentation of the attacker’s most probable paths or routes in our model and is the main tool for analyzing the attack path, finding attack success mitigations and discussing the results.

Showing the attack step graph is done from the simulation results web page automatically opened when running a simulation in securiCAD Community Edition. Below the risk matrix, there is a list if attack steps that we have set a consequence value to. In our current example, it is the Compromise attack step of the ServerSystem object.

<em>ServerSystem Compromise</em>.
ServerSystem Compromise.

Click on the Critical path symbol to the right will show the attack step graph of the selected attack step.

The Attack Step Graph of the <em>ServerSystem.Compromise</em> attack step.
The Attack Step Graph of the ServerSystem.Compromise attack step.

Using the Fullscreen button will make it more visible.

The Attack Step Graph of the <em>ServerSystem.Compromise</em> attack step, fullscreen mode.
The Attack Step Graph of the ServerSystem.Compromise attack step, fullscreen mode.

Graph members

From the above attack step graph we see that there are different types of artifacts.

  • The Red item is the Attacker, pointing to the attacker’s starting point.
  • The blue item is our selected attack step of our selected asset, the object we are about to analyze.
  • The gray items in between are the different attack steps the attacker is likely to use while going from the starting point to our selected asset.
  • Each gray item along the way is linked to another item with an arrow showing the attack path’s direction.
  • The icons used for the grey items are the object icons from the object explorer indicating what type of asset it is and the name of the attack step used for each step is shown in the label below it.
  • To the top right of the items there is a box showing the object id from the model.
  • Green items are imperfect defenses that the attacker is using to achieve certain attack steps.
  • The color of the arrows are indicating how much time it is estimated to take going from one node to the next one. It is not taking the “total time spent” into account, only giving an indication on how hard this single attack step is.
  • The thickness of the arrows are indicating how common this attack step is considering all attack steps in the map. A “jump” that is used/needed by many attack paths will be indicated by a thicker arrow.
  • The diameter of a node is indicating how often it is visited. Or, in other words, how frequently used it is. This usage frequency is relative to all the nodes in the graph which means that when all nodes are equally frequently used, they will have the same size.

Alternative attack paths

The attack step graph is initially showing the most likely attack path taken. However, it also has the possibility to show other alternative attack paths as well. These alternative attack paths are also reasonably likely to be used. The slider to the left, labeled Details allows you to select how many of the most likely attack paths you want to show. Sliding it a bit to the right will add more alternative attack paths, also contributing to the result.

The Attack Step Graph including medium number of alternative attack paths.
The Attack Step Graph including medium number of alternative attack paths.

Sliding the detail selector fully to the right will show all attack paths considered being reasonable likely. Strictly speaking, it will show the nine most likely or successful/probable attack paths from the attacker’s starting point to the blue asset.

The Attack Step Graph including all likely attack paths.
The Attack Step Graph including all likely attack paths.

 

Hide defenses

When only looking at the attacker’s route, it is sometimes convenient to hide the items representing imperfect defenses.

The Attack Step Graph with defenses hidden.
The Attack Step Graph with defenses hidden.

 

Group attack steps

Since the attack path consists of attacker operations rather than what asset the attacker is currently working on, several attack steps shown in the graph will be related to the same asset. However, in many cases, we are more interested in what asset/object/system the attacker is currently attacking. Showing this is done by ticking the Group attack steps check box.

Attack step graph with <em>Group attack steps</em> enabled.
Attack step graph with Group attack steps enabled.

Highlight basepath

The base path is the most likely of the alternative paths. This is the path shown when the details slider is at the leftmost position. When several alternative paths are shown, it is often interesting to emphasis this main route from the other alternatives. It is done by checking the Highlight basepath check box.

The Attack Step Graph with base path emphasized.
The Attack Step Graph with base path emphasized.

Searching for objects

To the top right corner of the visualization of the attack graph, there is a search field for finding particular objects in the map. It is searching for object names, attack steps and object ID numbers. The items matching the search string will be highlighted and the others grayed out.

Searching for <em>sshd</em>.
Searching for sshd.

 

Clicking on Select will select all highlighted objects for you, giving them a blue border, so that you can move them all together. This is useful when rearranging an attack graph sorting the items by which object they are related to.

Selecting <em>sshd</em>.
Selecting sshd.

Rearranging the items

Items in the attack step graph tries to dynamically position themselves in a suitable way. However, when looking at a particular track in the graph, like when looking for mitigation suggestions, it might be better if the items would not move themselves automatically. This is achieved by ticking the Freeze nodes check box.

The Attack Step Graph rearranged for clarity.
The Attack Step Graph rearranged for clarity.

Such rearranging of the attack path will help seeing areas or topics in the attack graph like the following.

Attack step graph areas.
Attack step graph areas.
  • Area A is related to the starting point of the attacker.
  • Area B is related to finding useful allowed communication paths in the firewall.
  • Area C is related to the vulnerability status and patch level of the sshd service.
  • Area D makes use of the fact that the ServerSystem in our model is not hardened. In other words, there might be extra non tracked services running on that host. Such services are represented by the automatically added UnknownService object.
  • Area E describes the PrivilegeEscalation operations that the attacker will attempt one having succeeded with ServerSystem.UserAccess.

Please note that we have not listed these areas in any prioritized order but rather based on their relation to different operations.

Re-enabling the defenses will give us a hint on what properties in our model we can change in order to find suggestions for security improvements.

The Attack Step Graph rearranged including imperfect defenses.
The Attack Step Graph rearranged including imperfect defenses.

 

Single attack step analysis

Up until now, we have been looking at attack paths that allows us to follow chains of attacks from the attacker to an object of interest. Now it is time to take a closer look at what securiCAD tells us about a particular attack step, in terms of attack success rate, probability and time. At the lower right corner, there is a plot for each attack step we select. This plot is called the TTC Plot where TTC stands for Time To Compromise. Mathematically, it is a cumulative distribution function, meaning that the probabilities are added as time goes by.

Example: If there is a 7% probability for an attack to succeed given 10 days and a 34% probability for success given 20 days, then, the situation after 20 days, would include the both the probability for days 0-10 and days 11-20 since we sum up all attacks that have succeeded up until day 20.

The plot for our ServerSystem.Compromise attack step is as follows;

Probability Versus Time for <em>Datastore.Write</em>.
Probability Versus Time for Datastore.Write.

 

Probability versus time

securiCAD simulates the propagation of an attack based both on possible routes and, for each step of the route, taking research based probabilities into account. This leads to the fact that each attack step is more probable to have succeeded the more time is given. On the vertical axis of this plot we have the accumulated probability for this attack step while the horizontal axis shows time between zero and the so called “infinity threshold” which is a configurable value where we limit our analysis.

Along the edge of the plot, there are labels with amount of days and probability figures. In our example we see figures below the plot; 10 days: 37%, 20 days: 51% and 50 days: 69%. Furthermore, there are three labels that use the probability levels 5, 50 and 95% as a fixed levels, showing how many days it would take before each probability level is reached.

A common way of reading this plot is to look at the probability for an attacker having succeeded with Datastore.Write after 20 days, which in this case is 47%. The proactive changes to the modeled architecture then aims at lowering this level.

The infinity

As mentioned above, the plot ends at the “infinity threshold value” which in this case is 100 days. Since the simulations are based on probability versus time, we need to tell securiCAD to stop plotting after a number of days we choose. However, since the probability is increasing over time, all the way towards infinity, all the remaining attempts will be stacked at the infinity threshold value. This can be seen as “all attempts that did not make it before the infinity threshold value are ignored”. This is not mathematically correct, but as a modeler you often tend to argue that the architecture might have changed before the infinity threshold value (100 days) is reached, which means that the attack path might not be available to the attacker any more.

This method of stopping the plot after a specific amount of time means that all remaining samples are stacked just before the infinity threshold value which in turn leads to the phenomena of the thin vertical spike in the plot at 100 days.

Changing the infinity threshold value can be done from the Configuration – Simulation window.

Attack step success rate

Just below the heading of the plot, there is a line saying (Max Success Rate=64%, Reached within 100.0 days). It is an indicator of the “total” success rate of this attack step. Or: “How probable it is that this attack would succeed within 100 days.” The probability of this attack step does not reach up to 100% before time reaches the infinity threshold but in case the probability would be 100% before 100 days, this line would tell when the 100% level is reached.

Conclusions

Now, you have the basic knowledge you will need to use securiCAD for doing threat modeling and security analysis of ICT architectures. From here, we suggest that you explore the content under the Learn More section of this web site. This is where you will find more detailed descriptions spanning from securiCAD program features and how to create and use components to detailed descriptions on the research behind securiCAD.