The means to assess and understand security in securiCAD is to study what attacks could be performed in the modeled ICT infrastructure. Like virtual penetration tests. We will continue using the model we crated in the previous module, Modeling from Scratch. The model can be downloaded here.
The module starts by describing the Attack Step and Defense concepts in more detail. We will then look into the attack step visualization techniques; tracing attack chains by an attack step map and also using an attack step tree. Finally, we will take a look at the simulation results on a particular attack step on a particular object/asset to see what securiCAD will tell us in a particular position of our modeled architecture.
When looking at how vulnerable our architecture is, we look at the success rate of different attack steps. Attack steps are different actions that an attacker might achieve when trying to gain control of a particular object in our model. Having succeeded with one attack step might in turn open up for further achievements, going from one object to another. Some attack steps need to be accomplished by the attacker in order to start working on others.
Different objects have different attack steps associated with them depending on what type of object it is. For instance, looking at the model we built in the Modeling from Scratch module, we had the following situation.
What we then concluded was simply that the different objects had different levels of red coloring on their frames and that an object with a deeper red color on its frame is easier (faster) to attack.
Selecting these objects will in the top right area of securiCAD show a list of possible attack steps associated with that object and, after simulation, the attack steps’ corresponding coloring.
Please click on the Information Request Dataflow object to see the different attack steps and their coloring in the top right pane.
In the above picture we see that a Dataflow object is associated with the Access, DenialOfService, Eavesdrop and so on attack steps. We also see that some of them are very red which is due to this particular Dataflow object being located close to the attacker’s starting point in our model. However, the most important attack steps (regarding information confidentiality) Eavesdrop and MainInTheModdle are not red at all. This is because the Dataflow is encrypted and our model does not say where the encryption key is located. We will soon adjust this.
So far, we have been talking about the simulation results as “level of redness” and use words like “seems harder”. This is of course not everything securiCAD will tell us and will later on dive deeper into more details on the analysis results.
Defenses can be seen as the opposite of attack steps. Attack steps are actions the attacker wants to achieve and defenses are properties of our objects we can use to make those achievements harder and take more time. While attack steps are something securiCAD will simulate and present, defense settings are something that securiCAD would like to get from us in order to make the simulations reflect the real life situation we have in the architecture we have modeled. However, if we are not able to provide securiCAD with such details, securiCAD will use a set of reasonable default values that are common within many architectures.
To check the defense setting of an object, for instance the Network object, please select it on the canvas and switch to the Defenses tab next to the Attacks tab.
The list of defenses holds three columns; the defense name, the defense setting and the default value.
The drop-down menu allows us to adjust this particular defense on this particular object to either Unset, On, Off or Probability.
When unset is selected, as with all fresh objects we add from the object explorer, defenses are in unset mode which means that securiCAD will use the default value. For the defense StaticARPTables the default value is set to off since most network zones do not use static ARP tables only.
Object frame coloring
When a simulation is finished, the objects in our model will have different tones in the red scale on their borders depending on how hard or easy it is for the attacker to gain control over it. When looking at the list of attack steps, we see that different attack steps in most cases have different tones of red even within the same object. This is natural since some attacks are easy to achieve while others are harder.
From the list of attack steps, securiCAD chooses an attack step coloring to use for the object border. It is not always that the most red attack step will decide the object border. And the object border coloring is not a mean value of all the attack steps. Instead, we have, for each object, chosen which of the attacks that is of most interest to the modeler when looking at the simulation results.
For instance, when it comes to the router object, the color of Forwarding is used while for a Host object, Compromise” is used, and so on depending on which attack step is considered being the most interesting one when doing practical modeling and analysis.
|Object||Attack Step Deciding Object Frame Coloring|
|Datastore||Fastest of Read, Write, Delete|
|SoftwareProduct||Fastest of DevelopExploitForPublicPatchableVulnerability, DevelopExploitForPublicUnpatchableVulnerability, DevelopZeroDay|
|WebApplication||Fastest of ExploitCommandInjection, ExploitRFI, ExploitSQLInjection|
Attack Step Deciding Object Frame Coloring on Canvas
Selecting attack step
securiCAD simulates the success rate of each attack step based on its difficulty and on the probability of completing previous steps. You can say that a certain attack step is possible because other previous attack steps were possible and thus we will have a chain of attack steps influencing each other.
There are two main methods for looking at this attack step chain; the attack step graph and the attack step tree. While the attack step graph is showing only the most likely paths an attacker will follow, the text based attack step tree will show all theoretically possible attack paths the attacker might follow in order to access the selected target. They both have their use and can be seen as presenting slightly different aspects of the attacker’s journey throughout our model.
In general, you want to look at the attack success rate and the previous attacks that lead to a particular object on a certain object that you or the customer has identified as a precious asset when it comes to intrusion. It might be a Datastore holding sensitive information or a system/host/service essential to business operations.
A good example in our model for showing the attack step presentation is the sshd Service object connected to the ServerSystem Host object in the ServerZone object. In order to access it, from the main network overview, so far called View 1, first double-click the ServerZone object.
This will bring up a new view tab called Object:ServerZone next to View 1. This is a so called Object View showing what is contained within the ServerZone object, in our model we see the ServerSystem object.
Selecting Compromise will show the attack step plot of ServerSystem.Compromise in the lower right corner.
We will discuss both the plot and the attack step tree in detail shortly but at the moment we want to look at the attack step graph.
Attack step graph
The attack step graph is the graphical presentation of the attacker’s most probable paths or routes in our model and is the main tool for analyzing the attack path, finding attack success mitigations and discussing the results.
Showing the attack step graph is done from the simulation results web page automatically opened when running a simulation in securiCAD Community Edition. Below the risk matrix, there is a list if attack steps that we have set a consequence value to. In our current example, it is the Compromise attack step of the ServerSystem object.
Click on the Critical path symbol to the right will show the attack step graph of the selected attack step.
Using the Fullscreen button will make it more visible.
When a simulation is run, the simulation engine will analyze the model and explore all possible paths an attacker could follow throughout it. Naturally, there are lots and lots of such attack paths. However, the critical path is the attack path that has been found to be the easiest (in terms of time spent on each individual attack step). In the Figure below we see the critical path for the attack step Write on the object Customer records.
Just after rendering the critical path we have bubbles floating around trying to adjust their position in relation to other bubbles. This will stabilize in a short while. If needed the bubbles can be adjusted by manual dragging (as done in the Figure). Each bubble represents an attack step, specified in the text under it, and the circle contains an icon showing what type of object the attack step is located on.
We see that the attack path is splitting up and connecting again. This is due to the fact that for some attack steps the attacker is required to do multiple previous steps to succeed with the current one (for instance both get access and provide credentials to login), in other cases the paths are alternatives (either crack a password or social engineer the user for it). Furthermore we see that the arrows between attack steps are of different size and color. Recall that securiCAD is probabilistic and is conducting simulations. Simulations are done by running and aggregating multiple samples of attack paths. The thick red arrows indicate paths that are often (in many samples) taken by the attacker and scaling down to thin yellow arrows indicating less taken paths. (Details of attack path simulations are further described in another module.)
From the above attack step graph we see that there are different types of artifacts.
- The Red item is the Attacker, pointing to the attacker’s starting point.
- The blue item is our selected attack step of our selected asset, the object we are about to analyze.
- The gray items in between are the different attack steps the attacker is likely to use while going from the starting point to our selected asset.
- Each gray item along the way is linked to another item with an arrow showing the attack path’s direction.
- The icons used for the grey items are the object icons from the object explorer indicating what type of asset it is and the name of the attack step used for each step is shown in the label below it.
- To the top right of the items there is a box showing the object id from the model.
- Green items are imperfect defenses that the attacker is using to achieve certain attack steps.
- The color of the arrows are indicating how much time it is estimated to take going from one node to the next one. It is not taking the “total time spent” into account, only giving an indication on how hard this single attack step is.
- The thickness of the arrows are indicating how common this attack step is considering all attack steps in the map. A “jump” that is used/needed by many attack paths will be indicated by a thicker arrow.
- The diameter of a node is indicating how often it is visited. Or, in other words, how frequently used it is. This usage frequency is relative to all the nodes in the graph which means that when all nodes are equally frequently used, they will have the same size.
Alternative attack paths
The attack step graph is initially showing the most likely attack path used. However, it also has the possibility to show other alternative attack paths as well. These alternative attack paths are also reasonably likely to be used. The slider to the left, labeled Details allows you to select how many of the most likely attack paths you want to show. Sliding it a bit to the right will add more alternative attack paths, also contributing to the result.
Sliding the detail selector fully to the right will show all attack paths considered being reasonable likely. Strictly speaking, it will show the nine most likely or successful/probable attack paths from the attacker’s starting point to the blue asset.
When only looking at the attacker’s route, it is sometimes convenient to hide the items representing imperfect defenses.
Group attack steps
Since the attack path consists of attacker operations rather than what asset the attacker is currently working on, several attack steps shown in the graph will be related to the same asset. However, in many cases, we are more interested in what asset/object/system the attacker is currently attacking. Showing this is done by ticking the Group attack steps check box.
The base path is the most likely of the alternative paths. This is the path shown when the details slider is at the leftmost position. When several alternative paths are shown, it is often interesting to emphasis this main route from the other alternatives. It is done by checking the Highlight basepath check box.
Searching for objects
To the top right corner of the visualization of the attack graph, there is a search field for finding particular objects in the map. It is searching for object names, attack steps and object ID numbers. The items matching the search string will be highlighted and the others grayed out.
Clicking on Select will select all highlighted objects for you, giving them a blue border, so that you can move them all together. This is useful when rearranging an attack graph sorting the items by which object they are related to.
Rearranging the items
Items in the attack step graph tries to dynamically position themselves in a suitable way. However, when looking at a particular track in the graph, like when looking for mitigation suggestions, it might be better if the items would not move themselves automatically. This is achieved by ticking the Freeze nodes check box.
Such rearranging of the attack path will help seeing areas or topics in the attack graph like the following.
- Area A is related to the starting point of the attacker.
- Area B is related to finding useful allowed communication paths in the firewall.
- Area C is related to the vulnerability status and patch level of the sshd service.
- Area D makes use of the fact that the ServerSystem in our model is not hardened. In other words, there might be extra non tracked services running on that host. Such services are represented by the automatically added UnknownService object.
- Area E describes the PrivilegeEscalation operations that the attacker will attempt one having succeeded with ServerSystem.UserAccess.
Please note that we have not listed these areas in any prioritized order but rather based on their relation to different operations.
Re-enabling the defenses will give us a hint on what properties in our model we can change in order to find suggestions for security improvements.
Single attack step analysis
Up until now, we have been looking at attack paths that allows us to follow chains of attacks from the attacker to an object of interest. Now it is time to take a closer look at what securiCAD tells us about a particular attack step, in terms of attack success rate, probability and time. At the lower right corner, there is a plot for each attack step we select. This plot is called the TTC Plot where TTC stands for Time To Compromise. Mathematically, it is a cumulative distribution function, meaning that the probabilities are added as time goes by.
Example: If there is a 7% probability for an attack to succeed given 10 days and a 34% probability for success given 20 days, then, the situation after 20 days, would include the both the probability for days 0-10 and days 11-20 since we sum up all attacks that have succeeded up until day 20.
The plot for our ServerSystem.Compromise attack step is as follows;
Probability versus time
securiCAD simulates the propagation of an attack based both on possible routes and, for each step of the route, taking research based probabilities into account. This leads to the fact that each attack step is more probable to have succeeded the more time is given. On the vertical axis of this plot we have the accumulated probability for this attack step while the horizontal axis shows time between zero and the so called “infinity threshold” which is a configurable value where we limit our analysis.
Along the edge of the plot, there are labels with amount of days and probability figures. In our example we see figures below the plot; 10 days: 37%, 20 days: 51% and 50 days: 69%. Furthermore, there are three labels that use the probability levels 5, 50 and 95% as a fixed levels, showing how many days it would take before each probability level is reached.
A common way of reading this plot is to look at the probability for an attacker having succeeded with Datastore.Write after 20 days, which in this case is 47%. The proactive changes to the modeled architecture then aims at lowering this level.
As mentioned above, the plot ends at the “infinity threshold value” which in this case is 100 days. Since the simulations are based on probability versus time, we need to tell securiCAD to stop plotting after a number of days we choose. However, since the probability is increasing over time, all the way towards infinity, all the remaining attempts will be stacked at the infinity threshold value. This can be seen as “all attempts that did not make it before the infinity threshold value are ignored”. This is not mathematically correct, but as a modeler you often tend to argue that the architecture might have changed before the infinity threshold value (100 days) is reached, which means that the attack path might not be available to the attacker any more.
This method of stopping the plot after a specific amount of time means that all remaining samples are stacked just before the infinity threshold value which in turn leads to the phenomena of the thin vertical spike in the plot at 100 days.
Changing the infinity threshold value can be done from the Configuration – Simulation window.
Attack step success rate
Just below the heading of the plot, there is a line saying (Max Success Rate=64%, Reached within 100.0 days). It is an indicator of the “total” success rate of this attack step. Or: “How probable it is that this attack would succeed within 100 days.” The probability of this attack step does not reach up to 100% before time reaches the infinity threshold but in case the probability would be 100% before 100 days, this line would tell when the 100% level is reached.
Now, you have the basic knowledge you will need to use securiCAD for doing threat modeling and security analysis of ICT architectures. From here, we suggest that you explore the content under the Learn More section of this web site. This is where you will find more detailed descriptions spanning from securiCAD program features and how to create and use components to detailed descriptions on the research behind securiCAD.