Simulation Results

In the previous Get Started module, “securiCAD in a Nutshell”, we saw that the attack simulation results are presented in an online report. This module will give you an orientation on what different types of results such a report contains.

Selecting High Value Assets

Attack simulations will try to reach every corner of our model, which means that for most objects in a model, there are simulation results. However, in the report, only the “High Value Assets” are shown.

Looking at the example model, we see that two objects have a small star to them, indicating that these are our selected high value assets.

High Value Assets in the model
High Value Assets in the model

You can choose any object in the model and any number of objects too as high value assets, making them show up in the report, by assigning a consequence value to any of their attack steps.

Selecting an object to be a High Value Asset by setting a Consequence value.
Selecting an object to be a High Value Asset by setting a Consequence value to an attack step.

In our example model the Write attack step of the Customer records object has a consequence value of 8 and the Compromise attack step on the Stage srv 2 object has a consequence value of 5 set to them.

Consequence values are a business consideration indicating how important the object is and what the consequence would be if the selected attack step would succeed.

High Value Assets Table

Going back to the simulation results report, we see that our high value assets are listed in a table with their name, selected attack step, consequence value, total success rate, time to compromise value, risk classification and a link to the critical path. We will explain all of these in this module.

High Value Assets table
High Value Assets table

Asset Details

Clicking on an object in the High Value Assets table will present the Asset Details window.

Asset Details of the Write attack step on the Customer records object.
Asset Details of the Write attack step of the Customer records object.

To the left, we have the same information as in the High Value Assets table in the main report.

To the right, we have a plot and three figures showing the TTC, Time To Compromise, values.

TTC, Time To Compromise

Generally speaking, it is more likely that an attacker would succeed with something if given more time. Therefore, time is an important aspect when securiCAD is presenting the results of the attack simulations. The plot in the Asset Details window is showing that the attack success rate (of, in this case, writing to the customer records) is increasing as time goes by.

TTC, Time To Compromise plot.
TTC, Time To Compromise plot.

The three figures above the plot are readings from the plot showing how many days it would take to reach the 5%, 50% and 95% success rate levels. The plot has also got a vertical indicator allowing for reading of the success rate at for instance 20 days.

We also see that the success rate is flattening out at 58%, as shown in the Asset Details window under the Probability label. This means that it will not reach the 95% level within forseeable time which is why it says N/A above the plot.

Report Overview Figures

At the very top of the report, we see some figures summarizing our risk exposure based on both the consequence values we have set and the Time To Compromise values securiCAD has calculated from the simulation results.

Report Overview
Report Overview

Total Risk Exposure

The Total Risk Exposure value is a combination of consequence and TTC values. It is the main value of the risk exposure of the simulated model.

For the curious, the background to these figures are as follows;

  • The consequence of Customer records / Write was set to 8 and the consequence of Stage srv 2 / Compromise was set to 5 in the model. This gives a sum of 13.
  • The total TTC value (The Probability value in the High Value Assets table) was calculated by securiCAD to 58% and 68% respectively.
  • This in turn means that the total risk exposure for Customer records / Write is 8 * 0,58 = 4,64 and for Stage srv 2 / Compromise, it is 5 * 0,68 = 3,4.
  • Rounding these risk values upwards gives 4,64 + 3,4 as 5 + 4 which is shown as Total consequence: 9/13
  • To present the total risk exposure value, the figures are not rounded which gives 4,64 + 3,4 = 8,04 and 8,04 / 13 = 0,62

Highest Risk Exposure

The Highest Risk Exposure box is showing the asset which according to the simulations and consequence values has got the highest risk exposure. In the case with the example model, it is the Customer records asset.

Avg Time To Compromise

Average, max and min values of the Time To Compromise figures.

Lowest Time To Compromise

For the example model, the High Value Asset with the lowest Time To Compromise value (of 9 days) is the Stage srv 2 object with object id number 60 in the model.

Summary

The figures, risk exposure values and Time To Compromise values for the selected High Value Assets are usually a good and digestible input to security assessment reports. What we typically present at an early stage when doing such reports are these risk exposure values and also what objects in the modeled architecture that has the highest risk exposure.

However, securiCAD does not only calculate these values based on attack simulations, but also allows you to follow the attack paths to see how an attacker is expected to go about when trying to reach the High Value Assets.

Reading the attack paths is described in the next module; Attack Paths.