Metrics Suite for Network Attack Graphs
Transcript of Metrics Suite for Network Attack Graphs
65th Meeting of IFIP Working Group 10.4 On Dependable Computing and Fault Tolerance
Sorrento, Italy, January 23-27, 2014
Steven Noel
Center for Secure Information Systems
George Mason University
csis.gmu.edu
Motivation
• Impact of combined topology, policy, and vulnerabilities on security posture
  – Attack graphs show multi-step vulnerability paths through networks
  – But they lack quantitative scores that capture the overall security state at a point in time
• Show metric trends over time
• Compare security across organizations
• Complementary dimensions of network security
• Funded by DHS BAA 11-02 (12 months)
1 1/23/2014 65th IFIP Working Group 10.4 Meeting
Motivating Example
Attack graph before remediation.
Remediation by vulnerability score alone: the top CVSS vulnerabilities (CVSS > 7) are fixed and the remediated attack graph is recomputed.
Remediation by attack-graph exposure: the top 3 exposed vulnerabilities are fixed and the remediated attack graph is recomputed.
Attack Graph Metrics
Pipeline: Network Topology, Firewall Rules and Host Vulnerabilities → Attack Graph Analysis → Metrics Engine → Metrics Dashboard
Host vulnerability inputs (scanners): Nessus, Retina, nCircle, Core Impact, Foundscan, Qualys, SAINT, nmap
Topology and firewall rule inputs (device configurations): Cisco ASA, Cisco IOS, Juniper JUNOS, Juniper ScreenOS, Fortinet, McAfee FE
Outputs: XML, CSV, Graphical
Cauldron Attack Graph
Common Vulnerability Scoring System (CVSS)
CVSS Base Metric
  Exploitability: Access Vector, Access Complexity, Authentication
  Impact: Confidentiality, Integrity, Availability
Attack Graph Metrics Families
• Victimization: Individual vulnerabilities and exposed services each have elements of risk. We score the entire network across the individual vulnerability victimization dimensions (existence, exploitability, impact).
• Size: The size of the attack graph (vectors and exposed machines) is a prime indication of risk. The larger the graph, the more ways you can be compromised.
• Containment: Networks are generally administered in pieces (subnets, domains, etc.). Risk mitigation should aim to reduce attacks across such boundaries, to contain attacks.
• Topology: The connectivity, cycles, and depth of the attack graph indicate how graph relationships enable network penetration.
Metrics Hierarchy
Network Score: Overall
  Metrics Family: Victimization – Individual Metrics: Existence, Exploitability, Impact
  Metrics Family: Size – Individual Metrics: Vectors, Machines
  Metrics Family: Containment – Individual Metrics: Vectors, Machines, Vuln Types
  Metrics Family: Topology – Individual Metrics: Connectivity, Cycles, Depth
Metrics Scaling
Each raw metric $x$ is mapped onto the 0 (Best) to 10 (Worst) scale from its expected range $[x_{\min}, x_{\max}]$:
$f(x) = 0$ for $x \le x_{\min}$
$f(x) = 10 \cdot \dfrac{x - x_{\min}}{x_{\max} - x_{\min}}$ for $x_{\min} < x < x_{\max}$
$f(x) = 10$ for $x \ge x_{\max}$
Metrics Scaling (Reversal)
For a raw metric whose larger values are better (Worst at $x_{\min}$, Best at $x_{\max}$) the mapping is reversed:
$f(x) = 10$ for $x \le x_{\min}$
$f(x) = 10 \cdot \left(1 - \dfrac{x - x_{\min}}{x_{\max} - x_{\min}}\right)$ for $x_{\min} < x < x_{\max}$
$f(x) = 0$ for $x \ge x_{\max}$
Combining Metrics
For individual scores $s_i$ with weights $w_i$, two scores combine as
$S = \sqrt{\dfrac{w_1 s_1^2 + w_2 s_2^2}{w_1 + w_2}}$, with $0 \le S \le 10$;
the largest possible value $S = 10$ is reached when $s_1 = s_2 = 10$.
In general, for $n$ scores, the combined score is
$S = \sqrt{\dfrac{\sum_{i=1}^{n} w_i s_i^2}{\sum_{i=1}^{n} w_i}}$, again with $0 \le S \le 10$.
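The scaling and combination rules above, carried through as an added worked example for this transcript (Python written for this page, not code from the Cauldron metrics engine; the function names and the sample scores in DEMO_HIERARCHY are mine). It scales a few raw topology counts onto 0..10 with the forward and reversed mappings, then rolls individual metrics up into family scores and an overall network score with the weighted quadratic mean:

```python
"""Metric scaling and hierarchical roll-up (added example, not Cauldron code)."""
import math


def scale(x, x_min, x_max, reverse=False):
    """Piecewise-linear map of a raw metric x with expected range
    [x_min, x_max] onto 0..10, clamped outside the range.

    Forward: x_min -> 0 (best), x_max -> 10 (worst).
    reverse: x_min -> 10 (worst), x_max -> 0 (best); for raw metrics that
             get better as they grow, e.g. component counts or attack depth.
    """
    if x_max <= x_min:
        raise ValueError("x_max must be greater than x_min")
    if x <= x_min:
        t = 0.0
    elif x >= x_max:
        t = 1.0
    else:
        t = (x - x_min) / (x_max - x_min)
    return 10.0 * (1.0 - t) if reverse else 10.0 * t


def combine(scores, weights=None):
    """Weighted quadratic mean  S = sqrt(sum(w_i * s_i^2) / sum(w_i)).

    Every s_i must already be on the 0..10 scale, so S is also in 0..10 and
    reaches 10 only when every score is 10.  Unlike a plain average, one
    high-risk score pulls S up: combine([0, 10]) is about 7.07, not 5.
    """
    if not scores:
        raise ValueError("need at least one score")
    if weights is None:
        weights = [1.0] * len(scores)
    if len(weights) != len(scores):
        raise ValueError("need exactly one weight per score")
    for s in scores:
        if not 0.0 <= s <= 10.0:
            raise ValueError(f"score {s} is not on the 0..10 scale")
    if any(w < 0 for w in weights) or sum(weights) == 0:
        raise ValueError("weights must be non-negative and not all zero")
    return math.sqrt(sum(w * s * s for w, s in zip(weights, scores)) / sum(weights))


def rollup(hierarchy):
    """Combine individual metrics into family scores (equal weights within a
    family), then families into the overall network score (family weights).
    hierarchy: {family: {"weight": w, "metrics": {name: score}}}"""
    family_scores = {name: combine(list(fam["metrics"].values()))
                     for name, fam in hierarchy.items()}
    overall = combine(list(family_scores.values()),
                      [fam["weight"] for fam in hierarchy.values()])
    return {"families": family_scores, "overall": overall}


# Constructed sample scores (assumed values, not the slides' example network).
# The topology entries start from raw counts and go through scale():
# 3 of at most 10 components, 6 of at most 10 cycle-free parts, 2 of at most 5 steps.
DEMO_HIERARCHY = {
    "victimization": {"weight": 1, "metrics": {"existence": 4.0, "exploitability": 9.0, "impact": 8.0}},
    "size":          {"weight": 1, "metrics": {"vectors": 5.0, "machines": 8.0}},
    "containment":   {"weight": 1, "metrics": {"vectors": 2.0, "machines": 5.0, "vuln_types": 4.0}},
    "topology":      {"weight": 1, "metrics": {"connectivity": scale(3, 1, 10, reverse=True),
                                               "cycles": scale(6, 1, 10, reverse=True),
                                               "depth": scale(2, 1, 5, reverse=True)}},
}

if __name__ == "__main__":
    print(rollup(DEMO_HIERARCHY))
```

Because the combination is a quadratic mean, one family scored 10 cannot be hidden by three families scored 0: combine([10, 0, 0, 0]) is 5, where a plain average would give 2.5.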
Metrics Family: Victimization
• Existence – relative number of ports that are vulnerable: $\mathrm{Existence} = 10 \cdot \dfrac{s_v}{s}$, where $s$ is the number of ports (services) in the network and $s_v$ the number of them that are vulnerable.
• Exploitability – average CVSS Exploitability over the set $U$ of vulnerabilities: $\mathrm{Exploitability} = \dfrac{1}{|U|} \sum_{u_i \in U} e(u_i)$, with $e(u_i)$ the CVSS exploitability subscore of vulnerability $u_i$.
• Impact – average CVSS Impact: $\mathrm{Impact} = \dfrac{1}{|U|} \sum_{u_i \in U} m(u_i)$, with $m(u_i)$ the CVSS impact subscore of $u_i$.
Size Family: Vectors Metric
The network has $d$ domains; domain $i$ contains $m_i$ machines, and machine $j$ of domain $i$ has $v_{i,j}$ vulnerabilities.
Within a domain the vectors are implicit: every machine can attack every vulnerability on the other $m_i - 1$ machines of its domain. Across domains the attack graph gives explicit vectors; write $v_{i \to j}$ for the number of vectors from domain $i$ into domain $j$.
Attack vectors: $v_a = \sum_{i=1}^{d} (m_i - 1) \sum_{j=1}^{m_i} v_{i,j} + \sum_{i \ne j}^{d} v_{i \to j}$
Total possible attack vectors, with $m$ the total number of machines and $s_i$ the number of vulnerabilities on machine $i$ (every other machine reaching every vulnerability): $v_p = (m - 1) \sum_{i=1}^{m} s_i$
$\mathrm{Size\ Vectors} = 10 \cdot \dfrac{v_a}{v_p}$
Size Family: Machines Metric
Vulnerable machines: $r = \sum_{i=1}^{d} r_i$, with $r_i$ the number of vulnerable machines in domain $i$.
All machines (the slide's figure distinguishes vulnerable from non-vulnerable machines): $m = \sum_{j=1}^{d} m_j$
$\mathrm{Size\ Machines} = 10 \cdot \dfrac{r}{m}$
Containment Family: Vectors Metric
With $v_{i,j}$, $m_i$ and $v_{i \to j}$ as in the Size family, the attack vectors are again the implicit vectors within domains plus the explicit vectors across domains:
$v_a = \sum_{i=1}^{d} (m_i - 1) \sum_{j=1}^{m_i} v_{i,j} + \sum_{i \ne j}^{d} v_{i \to j}$
Attack vectors across domains: $v_c = \sum_{i \ne j}^{d} v_{i \to j}$
$\mathrm{Containment\ Vectors} = 10 \cdot \dfrac{v_c}{v_a}$
Containment Family: Machines Metric
Let $M_i$ be the machines of domain $i$ and $V_i$ the set of machines victimized by attacks originating in domain $i$.
Victims within domain only: $m_w = \sum_{i=1}^{d} \left|\{\, m \in M_i : m \in V_i,\ m \notin V_k \text{ for all } k \ne i \,\}\right|$
Victims across domains: $m_a = \sum_{i=1}^{d} \left|\{\, m \in M_i : m \in V_k \text{ for some } k \ne i \,\}\right|$
$\mathrm{Containment\ Machines} = 10 \cdot \dfrac{m_a}{m_a + m_w}$
Containment Family: Vulnerability Types Metric
Let $T(m)$ be the vulnerability types present on machine $m$, with $M_i$ and $V_i$ as above.
Vulnerability types within domain only: $t_w = \sum_{i=1}^{d} \left|\{\, t \in T(m) : m \in M_i,\ m \in V_i,\ m \notin V_k \text{ for all } k \ne i \,\}\right|$
Vulnerability types across domains: $t_a = \sum_{i=1}^{d} \left|\{\, t \in T(m) : m \in M_i,\ m \in V_k \text{ for some } k \ne i \,\}\right|$
$\mathrm{Containment\ Vuln\ Types} = 10 \cdot \dfrac{t_a}{t_a + t_w}$
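The Victimization, Size and Containment metrics above, computed end to end on a small constructed network as an added example for this transcript (Python written for this page, not Cauldron code). The host names, domains, CVSS v2 subscores and the explicit cross-domain vectors are made up; two conventions flagged in the comments, that a vulnerable machine not targeted by any cross-domain vector counts as a within-domain-only victim, and that "possible" vectors means every other machine reaching every vulnerability, are my reading of the slides:

```python
"""Victimization, Size and Containment metrics (added example, not Cauldron code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vuln:
    port: int
    vtype: str             # vulnerability type (for the Vuln Types metric)
    exploitability: float  # CVSS v2 exploitability subscore, 0..10
    impact: float          # CVSS v2 impact subscore, 0..10


@dataclass
class Machine:
    name: str
    domain: str
    ports: int             # exposed services on the host, vulnerable or not
    vulns: list = field(default_factory=list)


# Constructed sample network: two domains, five hosts (made-up values).
NETWORK = [
    Machine("web",  "DMZ",    3, [Vuln(80, "web-app", 10.0, 6.4), Vuln(22, "ssh", 8.6, 2.9)]),
    Machine("mail", "DMZ",    2, [Vuln(25, "smtp", 10.0, 10.0)]),
    Machine("db",   "Inside", 2, [Vuln(1433, "sql", 10.0, 10.0)]),
    Machine("file", "Inside", 2, [Vuln(445, "smb", 8.6, 10.0)]),
    Machine("ws",   "Inside", 3, []),
]
# Explicit cross-domain attack vectors from the attack graph, as
# (attacker host, victim host, victim port).  Within a domain every host is
# assumed able to reach every other host, so those vectors stay implicit.
CROSS_DOMAIN_VECTORS = [("web", "db", 1433), ("web", "file", 445)]


def victimization(network):
    vulns = [v for m in network for v in m.vulns]
    total_ports = sum(m.ports for m in network)                          # s
    vulnerable_ports = sum(len({v.port for v in m.vulns}) for m in network)  # s_v
    n = len(vulns)
    return {"existence": 10.0 * vulnerable_ports / total_ports,
            "exploitability": sum(v.exploitability for v in vulns) / n if n else 0.0,
            "impact": sum(v.impact for v in vulns) / n if n else 0.0}


def _check_vectors(network, cross_vectors):
    """Reject vectors that stay inside one domain or hit a non-vulnerable port."""
    hosts = {m.name: m for m in network}
    for src, dst, port in cross_vectors:
        if hosts[src].domain == hosts[dst].domain:
            raise ValueError(f"{src}->{dst} is within one domain: implicit, not explicit")
        if port not in {v.port for v in hosts[dst].vulns}:
            raise ValueError(f"{dst}:{port} is not a vulnerable port")


def attack_vectors(network, cross_vectors):
    """Return (v_a, v_c, v_p): actual, cross-domain and possible attack vectors."""
    _check_vectors(network, cross_vectors)
    by_domain = defaultdict(list)
    for m in network:
        by_domain[m.domain].append(m)
    # implicit vectors: in domain i each of the other (m_i - 1) hosts reaches every vuln
    within = sum((len(ms) - 1) * sum(len(m.vulns) for m in ms) for ms in by_domain.values())
    v_c = len(cross_vectors)
    v_a = within + v_c
    # possible vectors (assumption): each of the m - 1 other hosts reaching every vuln
    v_p = (len(network) - 1) * sum(len(m.vulns) for m in network)
    return v_a, v_c, v_p


def size(network, cross_vectors):
    v_a, _, v_p = attack_vectors(network, cross_vectors)
    r = sum(1 for m in network if m.vulns)           # vulnerable machines
    return {"vectors": 10.0 * v_a / v_p if v_p else 0.0,
            "machines": 10.0 * r / len(network)}


def containment(network, cross_vectors):
    v_a, v_c, _ = attack_vectors(network, cross_vectors)
    hosts = {m.name: m for m in network}
    across = {dst for _, dst, _ in cross_vectors}    # m_a: victims hit from another domain
    r = sum(1 for m in network if m.vulns)
    m_a, m_w = len(across), r - len(across)          # assumption: other vulnerable hosts are
    all_types = {v.vtype for m in network for v in m.vulns}   # within-domain-only victims
    t_a = {v.vtype for _, dst, port in cross_vectors for v in hosts[dst].vulns if v.port == port}
    return {"vectors": 10.0 * v_c / v_a if v_a else 0.0,
            "machines": 10.0 * m_a / (m_a + m_w) if r else 0.0,
            "vuln_types": 10.0 * len(t_a) / len(all_types) if all_types else 0.0}
```

Feeding `containment` a vector whose endpoints share a domain raises, which catches the common input error of passing the attack graph's within-domain (implicit) edges as if they were explicit cross-domain vectors; that mistake inflates v_c and makes containment look worse than it is.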
Attack Graph Connectivity
Motivation: better to have the attack graph as disconnected parts versus a connected whole. Figure: one component (less secure), two components, three components (more secure).
Topology Family: Connectivity Metric
For $c$ connected components the slide scores $\mathrm{Metric} = 10 \cdot \left[1 - \dfrac{c - 1}{10}\right]$ (higher is less secure):
1 component: $10 \cdot [1 - (1 - 1)/10] = 10$
4 components: $10 \cdot [1 - (4 - 1)/10] = 7$
5 components: $10 \cdot [1 - (5 - 1)/10] = 6$
Attack Graph Cycles
Motivation: for a connected attack graph, better to avoid cycles among subgraphs. Figure: less secure (cycles among subgraphs) to more secure (no cycles).
Topology Family: Cycles Metric
The same scoring, applied to the number $c$ of components once cycles are accounted for (a cycle ties its subgraphs into one component):
4 components: $10 \cdot [1 - (4 - 1)/10] = 7$
5 components: $10 \cdot [1 - (5 - 1)/10] = 6$
10 components: $10 \cdot [1 - (10 - 1)/10] = 1$
Attack Graph Depth
Motivation: better to have the attack graph deeper versus shallower. Figure: one step deep (less secure), 2 steps deep, 3 steps deep (more secure).
Topology Family: Depth Metric
Examples on the slide, scored from a shortest attack path of $p$ steps relative to $n$ (the second number of each caption) as $10 \cdot [1 - (p - 1)/n]$:
Shortest path 3/8: $10 \cdot [1 - (3 - 1)/8] = 7.5$
Shortest path 4/8: $10 \cdot [1 - (4 - 1)/8]$
Shortest paths 2/3 and 1/5 (two components): the per-component terms $(2 - 1)/3$ and $(1 - 1)/5$ are combined into one score.
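The three Topology metrics on a constructed nine-node attack graph, as an added example for this transcript (Python written for this page, not Cauldron code). The graph, the entry nodes A and B, and these reading choices are mine: Connectivity counts weakly connected components, Cycles counts strongly connected components (a cycle collapses its nodes into one), both scored as 10 · [1 − (c − 1)/n] with n the node count (the slides' instances divide by 10, which I take as their example's size); Depth uses, per component, the shortest-path distance from the attacker's entry node to the farthest reachable node, with components weighted by their share of the nodes:

```python
"""Topology family: Connectivity, Cycles, Depth (added example, not Cauldron code)."""
from collections import defaultdict, deque

# Constructed sample graph (assumed): attacker A enters component 1, B component 2.
EDGES = [("A", "h1"), ("A", "h2"), ("h1", "h3"), ("h2", "h3"),
         ("h3", "h4"), ("h4", "h5"), ("h5", "h3"),      # h3 -> h4 -> h5 -> h3 is a cycle
         ("h5", "h6"), ("B", "h7")]
NODES = sorted({n for e in EDGES for n in e})
SOURCES = ["A", "B"]


def weak_components(edges, nodes):
    """Connected components ignoring edge direction."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b); adj[b].add(a)
    comps, seen = [], set()
    for start in nodes:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            x = stack.pop()
            if x not in comp:
                comp.add(x); stack.extend(adj[x] - comp)
        seen |= comp; comps.append(comp)
    return comps


def strong_components(edges, nodes):
    """Kosaraju's algorithm: nodes that lie on a common cycle share one component."""
    adj, radj = defaultdict(list), defaultdict(list)
    for a, b in edges:
        adj[a].append(b); radj[b].append(a)
    order, seen = [], set()
    for start in nodes:                        # pass 1: post-order DFS on the graph
        if start in seen:
            continue
        seen.add(start); stack = [(start, iter(adj[start]))]
        while stack:
            x, it = stack[-1]
            for y in it:
                if y not in seen:
                    seen.add(y); stack.append((y, iter(adj[y]))); break
            else:
                order.append(x); stack.pop()
    comps, assigned = [], set()
    for start in reversed(order):              # pass 2: reverse graph, reverse post-order
        if start in assigned:
            continue
        comp, stack = set(), [start]
        while stack:
            x = stack.pop()
            if x not in assigned:
                assigned.add(x); comp.add(x); stack.extend(radj[x])
        comps.append(comp)
    return comps


def _component_score(c, n):
    """10 * [1 - (c - 1) / n]: one component scores 10 (worst)."""
    return 10.0 * (1.0 - (c - 1) / n)


def connectivity(edges, nodes):
    return _component_score(len(weak_components(edges, nodes)), len(nodes))


def cycles(edges, nodes):
    return _component_score(len(strong_components(edges, nodes)), len(nodes))


def depth(edges, nodes, sources):
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    n, total = len(nodes), 0.0
    for comp in weak_components(edges, nodes):
        dist = {s: 0 for s in sources if s in comp}
        queue = deque(dist)
        while queue:                           # BFS gives shortest paths in steps
            x = queue.popleft()
            for y in adj[x]:
                if y not in dist:
                    dist[y] = dist[x] + 1; queue.append(y)
        d = max(dist.values(), default=0)      # shortest path to the farthest victim
        if d == 0:                             # no entry point or no victim: no risk
            continue
        total += len(comp) / n * (1.0 - (d - 1) / len(comp))
    return 10.0 * total


def topology(edges, nodes, sources):
    return {"connectivity": connectivity(edges, nodes),
            "cycles": cycles(edges, nodes),
            "depth": depth(edges, nodes, sources)}


if __name__ == "__main__":
    print(topology(EDGES, NODES, SOURCES))
```

Removing the back edge h5 → h3 leaves the node count and the weak components unchanged, so Connectivity stays at 8.89 while Cycles drops from 3.33 to 1.11; Depth is unaffected because no shortest path uses that edge. That separation is what the three metrics are meant to give.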
Metrics Dashboard
Dashboard views (figures): Family-Level Metrics; Temporal Zoom; Trend Summary
Example Network Topology
Hardening sequence on the example network (attack graph figures):
Attack Graph – No Hardening
Block Partners to Inside
Block Partner 4 to DMZ
Block DMZ to Inside 3
Patch Host Vulnerabilities
Contact
Steven Noel, The MITRE Corporation, McLean, Virginia
http://csis.gmu.edu/noel/