We recommend creating a high level model of the structure to be analyzed to start with and then adding more details when needed either by further manual modeling or with help of imported data from different sources.
securiCAD supports many pieces of information to be added to a model like user info, software properties, and protocols just to mention a fraction of them. Do not put too much effort into finding these other information until a basic structure has been modeled.
This module guides you how to create a securiCAD model from scratch. It is also describing different aspects of the modeling objects while introducing them along the way. Even though your main goal may not be to conduct manual modeling, an understanding of how models are created will help in model navigation and analysis.
We will start with a very minimalist piece of input, two hosts on different networks, since the goal is to introduce the basic modeling objects and what they represent.
What does the above sketch tell us?
- There are two boxes here, labeled ClientZone and ServerZone. These represent the network structure.
- We imagine that our most precious data is stored in the server in the ServerZone.
- Some information is traveling between the zones; the Information Request is our data flow.
- The applications running the Information Request data flow are not outlined. They seldom are in maps like these. Either we need to ask someone about the Information Request data flow, what’s in there, what it’s used for, or we need to make assumptions and represent them using generic application objects, which is what we will do in this case. Let’s assume that there is a client application in the client zone and a server application in the server zone.
- According to the map, we have a host in the client zone called Workstation and another host in the server zone called Server.
This is enough to illustrate a very simple setup that we will gradually extend. Now, we will make a simple model from this very sparse information and assumptions.
The securiCAD user interface
When starting securiCAD, the main securiCAD window will appear.
As seen in the securiCAD in a Nutshell module, securiCAD Community Edition will automatically load the included example model until you tell it not to (by ticking that in the welcome window at start up).
The securiCAD main window is divided into three vertical sections. To the left we have tools and windows related to adding objects to a model.
The middle section is the main canvas where we are going to build our models.
To the right, we find the analysis area with tools related to setting different properties of the model objects and to inspect, trace and analyze different attacks’ success rates within the modeled architecture.
The sizes, locations and presence of the different windows and tabs within securiCAD are highly customizable by the user.
Since we are about to create a new model from scratch, please select [File]->[New]->[Model] to create an empty one.
Adding objects to the model
First of all, we model the ClientZone and ServerZone networks. We also connect them, since hosts in them are able to communicate with each other.
To add an object to our model, drag it from the Object Explorer list to the right onto the main canvas.
When the Network object is added to the canvas/model, it will look like the following;
Renaming an object, which is recommended, is done by clicking the object or pressing the F2 button.
Rename the Network object to ClientZone. Add another Network object and rename it to ServerZone.
To connect one network zone to another, a Router component is needed between them to represent the zone border/connection.
We have been dragging-and-dropping two Network objects from the list called Object Model Explorer to the left and renamed them to ClientZone and ServerZone. Now, drag a Router object from the Object Explorer onto the canvas and rename it to CS-SZ. This will give us three objects on the canvas; ClientZone, CZ-SZ and ServerZone.
Next thing is to connect them by holding [Shift] and clicking over one object and releasing the connection over another.
Selecting type of connection
While making the connection, a dialogue will appear asking you to choose which type of connection to use. The options we have are either Administration or Connection. Using the Administration connection type will state that the router in question is possible to administer from a certain network zone. Using the Connection type will state that the router is communicating with the zone but administration is not allowed from that zone.
Since, in many environments, router administration is made using an administrative network zone, we add an extra network object representing the administration. If we do not have such an administrative network zone, we will see a message in the Problems tab to the top right area of securiCAD telling us that we need to add one. For a smaller architecture, this might be the same as for instance the inner of the two network zones and then there will be two parallel connections; one for Connection and one for Administration.
An Administration type of connection is only defining from what network zone administration is possible. If you also want to say that regular (non-administration) network traffic is possible to that zone, you need to also add a Connection type connection in parallel with the Administration connection.
In the current model the router is modeled as part of a connection between the ClientZone and the ServerZone objects. In most cases, modeling a Router object, assumes a router with some restrictions. Therefore we want to add some more objects to it; an access control object and a firewall object. These objects state that login credentials are required to administer it and also that communication through it is obliged to adhere to some routing (firewall) rules.
Adding objects instantly using arrows
Adding objects can be done by selecting the CS-SZ Router object and then clicking on the right arrow appearing. This will present a list of connectable objects to the Router object.
When clicking on the left arrow, you will see a list of already existing and connected objects. In this case, the ClientZone, AdminZone and the ServerZone network objects.
These arrows are only shown when you can add an object on the current canvas. This means that if you open an object to see what other objects are in it, these arrows for adding additional objects will not be available. A more complete description on this is found in the Program Features module describing Object Views.
Select AccessControl and then Firewall.
We also see that when we added a Firewall object to our Router object, a mini-icon appears on the Router object. This doesn’t happen when adding the AccessControl to it. The reason for this is that a Router is assumed to have an AccessControl (even though it is not mandatory) while a Router does not necessarily have a Firewall connected to it. Firewalls provide more modeling and architectural information to the model than access controls do.
As with the Router object, we need to add a UserAccount object to the AccessControl object. Select AccessControl, click on the right hand arrow and select UserAccount.
Next, click on the AccessControl and then the right-bound arrow to add a UserAccount to it.
When adding a UserAccount object to an AccessControl object, we will be prompted for which type of connection to use, root or non-root authorization;
Since the access control and the corresponding user account in this case represents the administration of the router settings, including the firewall rule set, please choose the Root Authorization option.
When adding an AccessControl object, it is always good practice to also add a UserAccount connected with the Root Authorization type of connection. This is to represent that it is possible to for instance add new user accounts or edit existing user accounts and settings. Regular user accounts shall have the Non-Root Authorization type of connection and are optional.
When building different models and performing attack analysis, you will later on see that getting hold of a root user account is much more useful to the attacker than a regular user account, even if such a user account is also useful for performing further attacks.
For cleaning up the view of our network structure, we may drop the AccessControl and the Firewall object into the Router object, since they belong to each other. Objects may be displayed in the same image/canvas, but, quite soon, such an approach might get rather cluttered. Therefore, we provide the possibility to contain/hide objects that have relations to each other within other objects.
The following picture illustrate how to move/hide objects into other objects. First move the UserAccount object into the AccessControl object and then the AccessControl and the Firewall into the Router object.
When building a securiCAD model, you have not only the single/native objects in the Object Explorer pane, but also a collection of component objects containing several already connected objects.
Below the list of “native objects” we have been working with so far, there is an area containing a collection of categorized components or “extended objects”.
The components belongs to different categories and you we encourage you to first look for a suitable component object. If no component seem to fit your current need, you should use native objects as a secondary option.
There is a separate module describing how to use components and how to create your own.
From the given sketch, we see that there is a Workstation in the Client Zone and a Server in the Server Zone. They are systems and systems are in their most basic form represented by Host objects in our models. The nature of these systems is defined later on by what additional objects and settings we add to them.
We are seeing anything that has an ip address, such as computers, network printers, smart phones, tablets, embedded systems, virtual machines and so on, as being a kind of host.
Hosts are added to the networks either by dropping a single Host object to the canvas and then connecting it, or by selecting a Network object and use the arrows as previously described. However, for a Host object, there are component objects available.
Defining a “System”
A system, as we see it, consists of several objects; a Host object, a Software Product, AccessControl, Client and a Data Store.
Even though we have no information on what type of host we have in the given sketch, we still recommend using a component object. And we know that one host is acting client (workstation) and one is acting server. From the securiCAD components directory, pick the component labeled Linux Server and drop it onto the main canvas.
Then connect it (shift-drag and drop) to the ServerZone.
A small Host icon is added to the Network object. Not all networks have hosts in them, some are merely set up for intercommunication.
For clarity, rename Linux Server to ServerSystem to match our initial sketch.
Object content details
Hovering the mouse over the network object, is presenting a yellow label saying that this network object ServerZone is containing an object labeled ServerSystem.
Doing the same with the ServerSystem object, we see that it contains three objects; a SoftwareProduct, an AccessControl, and a Service object.
Next, we shall to add a host component to the ClientZone object, representing the client workstation in the initial sketch. Since the sketch says Workstation, please pick the Windows 7 component. For simplicity, you can drag it from the components library and drop it directly on the ClientZone object. This will add it to the model and at the same time connect it to the ClientZone.
Object views; objects within objects
If we want to check what is in the ClientZone, we can double-click it to open it. This will bring up a new canvas, a so called Object View. These kind of views have some limitations to them; you can only add objects that can be connected to the “upper” object, since adding an object here will at the same time connect it to the object above or “parent” object.
In this case, the object view we are looking at is a Network object which means that we can only add Dataflow, Host, PhysicalZone, Router, Service, VulnerabilityScanner and ZoneManagement objects to this view. Please also take the opportunity to rename Windows 10 to Workstation to match the initial sketch.
We shall add a Client object to the Windows10/Workstation host. A Client object is the initiator of a Dataflow that we will introduce in the next section. For now, we only need to add a client to the Windows 10 host from the client section of the components library. You do this while Workstation is visible within the expanded ClientZone view.
And select Non-Root Client Execution;
More details on the Client and the Service objects and the difference between root and non-root connections is available in the Learn More section.
Adding a Dataflow
Now we have a client on a host in one network zone and a service on another host in another network zone. It is time to add the DataFlow object representing the Information Request line in the sketch.
A Dataflow is to be seen as representing a session between a client and a service.
Dataflows traveling between network zones are best located on the same level/canvas as network zones and routers. Select and then press backspace to hide the ServerSystem object from the main canvas. Then, we should have the following on the canvas;
Sometimes it is interesting to see what types of associations the lines represent. This is done by right-clicking on the canvas and select Association Labels.
In the above example, the labels show that the vertical associations represent Connections and the horizontal one, Administration.
But let’s go back to the Dataflow discussion. In the Components library, there is a component called SSH Traffic found under the Traffic directory. Adding such a component will add both a Dataflow and a Protocol object, describing the Dataflow protection level, to the model. Rename it to Information Request.
Connecting the Dataflow
Now we shall connect it both to the putty Client object and to the sshd Service object. Start by clicking on the Network objects and their left arrows and then select the Host objects to show them on the canvas.
Then hold down the [Shift] key and drag a connection from the Information Request to Windows 10 workstation.
Since a Dataflow shall not be connected to a Host object but instead to the Client object in the Host object, we need to use the left-bound arrows on the Host objects to display the Client and Service objects as well.
Renaming the Client to putty and connecting the Dataflow Information Request to both the Client and the Service object shall give the following on the canvas.
Then you can hide the Host, Client and Service objects again by selecting them and pressing backspace.
This is a good opportunity to describe Indirect Associations. They are not enabled by default, but if you right click on the canvas, you will see an option to enable them. Doing so, a new kind of connection line is then shown between Information Request and ClientZone and ServerZone; an indirect connection. It is showing that there is a connection between Information Request but not directly to these zones but to something within them.
We also see that holding and keeping the mouse pointer over the indirect connection, presents a label showing (a list of) what associations the indirect association represents.
Hovering the mouse pointer over the indirect connection brings up a label saying that Information Request is connected to Router and the connection type is Communication.
Allowing the Dataflow
By now, we are almost finished squeezing all information out of the simple sketch we got as input. Next thing, we need to allow the data flow Information Request to travel between the ClientZone and the ServerZone. To do that, we need to add a connection between the Information Request data flow and the CZ-SZ Router object;
This will state that the dataflow Information Request is allowed to travel via the CS-SZ router and that all properties of the router is applied to the dataflow. In this case, it is protected by (and allowed to go through) the firewall.
At this moment, the model we have created so far includes enough objects to run simulations on.
Therefore, we will add an Attacker object to the model and make a Simulation test run. The attacker object is representing the starting point of the attack we want to study.
Drag an Attacker object into the model just like any other object. Connect it to the ClientZone object.
Doing that, securiCAD will give us several options representing different attack steps/operations to choose from;
The options to choose from are all the possible attack steps to this particular object. Several of them are used as intermediate attack steps used to achieve other attack steps in this or other objects in the model. Choosing the compromise attack step is the same as saying “We imagine that the attacker has succeeded in owning/controlling this object (the ClientZone)”. This is the attacker’s entry point in this case.
On the canvas, we now have an Attacker object connected to the ClientZone.
Check for remaining things to fix
To the right in securiCAD we have a tab labeled Problems. It is a list of mandatory things we need to add before running a simulation. For instance, in order to be able to calculate, a Protocol object is mandatory for each Dataflow object. If this would be missing, then it would show up as a notification in the Problems pane.
While building our model, we have also seen that there are sometimes small red labels near the top left corners of some objects. This indicates that a mandatory association is missing to that object.
At this moment, we don’t have any remaining Problems blocking us from running the first simulation.
Selecting what assets to analyze
Attack simulations spread and are performed throughout the entire model. However, when it comes to reporting, we need to select what asset we want to look at in the simulation results. It is perfectly possible to select several assets. This is done by selecting an asset, unfolding the attack step we are interested in, often Compromise, and set the Consequence value to a figure between 1 and 10.
Time to simulate
At this moment in the manual we will not go into if this is a reasonable attack, what it really means and what we can do about it. These topics are described in much more detail in other sections of this manual. What we will look at now is how the attack affects the different parts of the model to see that the attack propagates through it. Press the Simulate button;
If you have not yet saved the model, you will be prompted to do so before the simulation starts.
Simulations are run both locally in securiCAD and on line in the securiCAD cloud based simulation service.
The model is now colored according to the success rate of the attack;
When the simulation is finished, we see that the model is colored according to the success rate of each attack step throughout the model. The deeper red a label is colored, the higher the probability of a successful attack on that particular object.
In addition to the coloring of the object frames, we will also, when using securiCAD Community Edition, get a web page showing the simulation results.
In this module we have learnt how to build models and what models mean. Next we will continue dig deeper into the attack simulations and how to use them for actionable results.
The resulting model we have just built can be downloaded here.