The fundamental approach of cyber security analysis with securiCAD is to simulate potential attacks. These simulations are performed in models of Information and Communication Technology (ICT) infrastructures. This teaching module will use an example model of a fictitious and simplified ICT infrastructure. The example model is bundled with the software. We suggest you run securiCAD in parallel while going forward with this module.
The ACME corp. ICT infrastructure
In the below Figure the made-up ACME corp. ICT infrastructure is presented. It consists of three network zones; office, staging, and production. In the networks there are a few hosts with established communication between them. Overall, we want to protect the company’s customer record database from an attacker we assume has compromised an office work station.
The ACME model
When launching securiCAD for the first time, you will see a greeting window with some useful information and then you will be prompted to put in your e-mail address and the simulation key from the e-mail you got when fetching securiCAD.
When this information has been put in and verified, securiCAD will start with a model of the ACME infrastructure automatically loaded.
Turning our attention to the ACME model we see that it consists of objects and connections between them. Objects are of various types and some examples include networks, routers, hosts, user accounts, and services. In our example we have for instance one network object called Office and one called Staging Infra. The Office and Staging infra networks are connected via a router object GW1. The connections carry specific meanings so that for instance a host connected to a network states that a host is reachable from that network and a service connected to a host states that the service is run by this particular host.
If you navigate around a little bit in the model you find other objects representing the other things from the above infrastructure specification. In addition, there are some objects not directly found in the specification that were added according to some interpretation (or further investigation). For instance, we have an RDP session running between hosts in the Office and Staging infra networks and several hosts have access control related to them.
Objects can also have different types of attack steps and defenses mechanisms associated to them. An attack step is something harmful that an attacker can accomplish and defenses are countermeasures that will make the attack steps more difficult or “expensive” to succeed with. Attack steps and defense mechanisms are shown in tabs in the upper right corner of securiCAD.
For instance, if we select the Office network object, we find the attack steps ARPCachePoisoning, Compromise, DNSSpoof and DenialOfService and the defense mechanisms DNSSec, PortSecurity and StaticARPTables.
Finally the model also contains an Attacker object defining the threat scenario. In our case we assume that the attacker has compromised Workstation 1.
Now, let us move directly to the core of securiCAD. We want to understand: how secure are our customer records? In order to answer that question securiCAD lets you simulate potential attack paths from the attacker to all the assets in our modeled ICT infrastructure by simply clicking the Simulate button.
Simulations then run both in an online cloud service and locally in the securiCAD software. As soon as the simulation is ready, the results will be shown in two ways; the frames of the objects in the model will be given colors based on the attack success rate and the results will also be presented in an online report, see below.
From a simulation we get a number of different interesting types of results; risk levels, most probable attack paths, and weak links (chokepoints) for the attacker to exploit. The presented results relates to those objects that have been marked in the model with a “consequence value” if they are compromised. For the ACME model, the Stage srv 2 and the Customer records objects have (already) been marked with such values. The consequence of the attacker being able to write in the customer records database was set to a severity value of “8” (out of 10), and the compromise of the host Stage srv 2 was set to a value of “5”.
First, we turn our attention to the Risk matrix, the first part of the report.
Here we see that two dots are plotted in the matrix. These dots represents the two selected attacks steps we wanted to investigate. On the x-axis we simply find the consequence value (as assigned in the model). More interestingly, on the y-axis we find the probability that the attacker is successful in reaching from the starting point all the way to this step in a certain number of days, as found by the attack simulations.
We can get more information about these risks by clicking the attack steps in the list below the risk matrix.
When doing so, the Risk details diagram shows a probability distribution for the attacker succeeding with the attack. On the x-axis in this diagram the expected Time-To-Compromise (TTC) is depicted, and on the y-axis we find the probability of the attacker succeeding with the step. As expected, given more time it is more likely that the attacker succeeds with the attack step.
With the risk values we get an overview of how vulnerable the infrastructure is. A next natural question to ask is: why are we vulnerable? securiCAD addresses this question by showing attack paths from the simulations. To visualize attack paths we return to the list of attack steps below the risk matrix. To the far right there is an icon for showing the “Critical path”. Click the icon on the Customer records row.
When a simulation is run, the simulation engine will analyze the model and explore all possible paths an attacker could follow throughout it. In the Figure below we see the critical path for the attack step Write on the object Customer records.
Arrows between attack steps are of different size and color. The thick red arrows indicate paths that are often used by the attacker and scaling down to thin yellow arrows indicating less taken paths. (More details on attack path visualization are further described in the Security Analysis module.)
In our example we see that the attacker starts at our specified entry point. Since we assumed that the attacker had compromised Workstation 1 this also automatically means that the RDP client and the LSASS keystore are also breached. The first active attack step is to the RDP Session dataflow and then further on to the RDP Service.
Additional attack paths
There are a number of possible attack paths leading from the attacker to the target. At the first opening of the attack path window only the most likely attack path is shown. However, in many situations it is also interesting and important to understand other possible attack paths. Showing these alternative attack paths is done by dragging the “Details” slider to the right.
When we increase the number of shown attack paths we see that the attacker can also exploit the Prod Srv 3 host and LSASS datastore as well as the System user account and Oracle login access control, and more.
As briefly mentioned earlier, defenses help making attack steps harder to succeed with. In the attack path visualization, defenses are shown as green bubbles with shields in them.
Only defenses that are missing or could be enhanced are shown. This view thus supports us with identifying suggestions for improvement. In the above zoomed in cut-out we have a simple but illustrative example. We see that some certain imperfect defenses enable the attacker succeed with compromising Joe’s user account; the bubble “Joe MFA” indicates that using multi factor authentication for the user account would help here.
Another type of information that can be interesting to us when analyzing vulnerabilities of the infrastructure is to know if there are assets and attack steps that are commonly exploited by the attacker in the simulations. Such places we call chokepoints. At the bottom of the securiCAD simulation report, we have the Chokepoints chart.
To the left we have objects called chokepoints in grey and yellow. The yellow ones are more frequently used by the attacker than the grey ones. To the right we have objects with consequences set. These are our targets. The vertical size of the objects indicate how many choke points each target is associated with. The connection lines between the target objects and the chokepoint objects show what chokepoints the attacker have been mainly using on the way towards the target. The size of the relations illustrate the number of attack paths where the object is included. In our example we find the obvious fact that the RDP service is frequently used by the attacker while reaching both targets but also that the local accounts seem to be a weak spot in the architecture.
In this module we have introduced the basic securiCAD building blocks and use cases. We learnt how to analyze an ICT infrastructure model by generating overview risk estimates, inspecting related attack paths as well as how to identify means to vulnerability mitigations. By now you are in a good position to start checking out the securiCAD capabilities in more detail and analyzing your own models. There is however more to securiCAD and we recommend that you continue with our next module (follow the link below) where we will focus on how to build models.