A threat modeling and attack simulation analysis on the IT security implications of the business adaption to the pandemic situation.
Traditionally, organizations related to critical infrastructure, finance, health care and other similar areas have for good reasons been very restrictive with allowing employees to access essential business systems remotely. VPN access has in general been restricted to those employees who need instant and around-the-clock access to production systems.
Recently, responding to the 2020 Corona/Covid-19 pandemic situation, the tables have turned and accessing business systems remotely via VPN solutions has not only been less restricted but has also become the recommended way of working whenever possible.
The time to evaluate the security aspects of this change has been very limited to say the least. On top of that, this situation requires an organization to take the impact of unknown network zones (i.e. the employees’ home networks) into account.
Therefore, the analysis of this new situation calls for new methods where threat modeling and attack simulations can serve this purpose.
Just as health authorities use modeling tools to predict the development of the pandemic, it is not possible to get a complete and exact prediction of the future, but it is possible to find out what to expect from it.
The homeOfficeVPN threat model
As indicated, the IT architectural situation that needs to be analyzed involves both relatively well-known areas, like the organization's existing internal structure with network zones, systems, their statuses and interconnections, as well as unknown or nearly unknown areas like the employees’ home networks, the status of those areas and their equipment. From a threat modeling point of view, this is nothing new but rather a classic example of having to interact or integrate with an area which you for different reasons know very little about and in most cases cannot get much information about either.
The model representing the homeOfficeVPN structure has been created in securiCAD Professional and is available here.
Apart from the structure of the model itself, the attack vectors applied to it are to some extent a novelty as well. The picture below shows the attacker’s expected starting points considering an employee’s workstation connected to the home network.
The Attacker is connected to four objects in the model, representing three different options we want to consider.
- The connections to “Apache Web Service” and to “Linux Web Server” represent the attacker’s attempt to perform a phishing or client-side attack against the employee via the “Non-VPN Connection”, i.e. regular internet access that does not require the VPN connection.
- The connection to the “WS AC” object represents the case of unauthorized access to the employee’s workstation as such, for instance if an unauthorized person is using the laptop, if the laptop is lost, and similar situations.
- The connection to the “Home Office” network zone represents the assumption that an attacker might have gained access to the employee’s home network but not yet directly to the company equipment. This represents private equipment that might have been compromised due to lack of updates, installing insecure or non-clean applications, or being tricked in some other way.
This analysis focuses on the what-if scenario where any of the above situations are considered realistic. Analyzing how likely these situations are can also be done with additional modeling but is at the moment seen as out of scope.
High value assets
The high value assets concept in securiCAD is a way to highlight which assets in the model are considered particularly important to the business. The selection of these does not affect the attack simulations but ensures that the risk levels and other related results for these objects are presented in the analysis.
The selected high value assets in this model are as follows.
- The “Local Storage” object of the employee’s workstation representing confidential business data stored locally.
- The “Employee’s Passwords” keystore object representing the presence of any locally stored login information either in text files or password managers or anything in between.
- A service called “Business System” which the employee needs to connect to over VPN in order to do the daily work.
- A host called “Other Business System” representing business systems which the employee might not need to have access to but all the same are present within the organization’s “HQ” zone.
The initial simulation report is generated using securiCAD Enterprise and shows the security situation of the model considering the attack vectors applied.
The chokepoints chart of the report shows the assets the attacker is expected to make most use of. In other words, they are the objects in the model that the attacker is most dependent on while moving through the architecture. Therefore, their security statuses are expected to have a large impact on the security situation.
We can see that the three entry points are represented (where the “Google Chrome” object represents any organization-approved network client software subject to client-side attacks) and the “Unknown Service” represents any other, unintended, software that the employee might, knowingly or not, have started on the workstation.
If we want to take a closer look at how the attack is expected to happen, we can open the Critical Path map in securiCAD Enterprise. This map is based on the findings from the attack simulations and presents the expected chain of operations that the attacker is expected to try and possibly succeed with. The first track presented shows the most likely attack path, which is also the one expected to require the least effort from the attacker.
The different high value assets have in most cases different attack paths. The first part of the attack path for the “Other Business System” is presented below.
As seen above, this is a traditional client side attack. And we also see that it is expected to go via the “Non-VPN Connection” Dataflow which means that this is about traditional or non-business Internet access.
In addition to this track, the attacker also has other options available which are shown by increasing the attack path detail in securiCAD Enterprise.
The secondary attack path showing up is related to the attacker having access to the home network zone in combination with a possible additional and (to the organization) unknown service being started or already running on the workstation.
Showing even more of the attacker’s (less likely) options reveals the third attack vector which is related to gaining access to the workstation in some way in combination with “Reading” (for instance technically reading or finding/borrowing) the employee’s token and figuring out the necessary password. This case is covering the social engineering part of the attack.
Since the attack simulations are presenting the expected/most likely attack paths as a set of attack steps with interdependencies, these attack steps are good candidates for applying mitigations. How likely a certain mitigation is to block or delay the attack, i.e. how efficient it is expected to be, is then concluded by applying it to the model and then running a new simulation to compare the results.
As part of each simulation report, securiCAD Enterprise is therefore presenting a prioritized list of suggested mitigations based on how often their related attack steps are showing up in the simulation results.
The list of suggested mitigations for this model’s initial analysis is presented below.
The list of suggested mitigations is a prioritized list of security improvements based on the attack simulations.
It shows expandable categories, and each category shows which objects in the model are relevant to improve considering the expected attack paths.
In the example above, the “Patch Client Software” category has been unfolded, and it also shows that not all client applications are equally necessary to keep patched.
This list can be seen as the to-do list of things to consider. However, it is of course recommended to apply these to the model and run a new simulation to see the effect of the mitigations before implementing them.
Worth noting is that the category “Train your users to be security aware” is located relatively far down the list while more basic mitigations are further up. The reason for this is that the “social engineering” vector only showed up as the attacker’s “third” option when looking at the attack paths.
We can pick and choose from these mitigations, apply them to the model and re-run simulations to see their expected efficiency. By doing so, we get a set of different iterative simulation results which can be used to generate a report from within securiCAD Enterprise so that their relative improvement can be used as decision support when deciding which ones are expected to be efficient enough to implement.
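A small attack-graph simulation added here to illustrate the apply-mitigation, re-run and compare reasoning (example code, not from the original article and not securiCAD's own engine); the graph, step names and step probabilities are constructed assumptions loosely following the homeOfficeVPN model described above. The same function can be run against an adjusted graph to compare variants, such as an on-prem structure.

```python
from itertools import product
from collections import defaultdict
# Constructed attack graph loosely following the homeOfficeVPN model above; probabilities
# are illustrative assumptions, not securiCAD output. Edge = (from_step, to_step, p_success).
HOME_OFFICE_VPN = [
    ("Attacker", "Google Chrome", 0.5),        # client-side attack over the Non-VPN Connection
    ("Attacker", "Unknown Service", 0.3),      # foothold via the Home Office network zone
    ("Attacker", "WS AC", 0.2),                # unauthorized access to the workstation itself
    ("Google Chrome", "Workstation", 0.8),
    ("Unknown Service", "Workstation", 0.6),
    ("WS AC", "Workstation", 0.5),             # still needs token/password to be usable
    ("Workstation", "Employee's Passwords", 0.6),
    ("Workstation", "VPN", 0.5),               # hijack an already active VPN session
    ("Employee's Passwords", "VPN", 0.9),      # log in with locally stored credentials
    ("VPN", "Business System", 1.0),
]

def reachable(edges, source, disabled):
    """Nodes reachable from source over the given edges, never entering disabled nodes."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    seen, stack = set(), [source]
    while stack:
        node = stack.pop()
        if node in seen or node in disabled:
            continue
        seen.add(node)
        stack.extend(adj[node])
    return seen

def success_probability(graph, target, disabled=frozenset(), source="Attacker"):
    """Exact P(target reachable) with independent step successes: enumerate every
    succeed/fail combination of the edges and sum the probability of those that reach it."""
    total = 0.0
    for outcome in product((False, True), repeat=len(graph)):
        prob, live = 1.0, []
        for (src, dst, p), ok in zip(graph, outcome):
            prob *= p if ok else 1.0 - p
            if ok:
                live.append((src, dst))
        if prob and target in reachable(live, source, disabled):
            total += prob
    return total

def rank_mitigations(graph, target, candidates):
    """Fully block each candidate step in turn, re-run, and rank by the drop in success probability."""
    baseline = success_probability(graph, target)
    effects = [(c, baseline - success_probability(graph, target, {c})) for c in candidates]
    return sorted(effects, key=lambda item: item[1], reverse=True)
```

The ranking mirrors the prioritized mitigation list: blocking the client-side step (patching the browser) gives the largest drop, while the workstation-access vector contributes least.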
For this working-from-home model, the following mitigations or sets of related mitigations have been applied.
- “Encrypt password DB”; Make sure that employees use encrypted password managers and that no plaintext login information is available on the workstation.
- “Improve password quality”; Review the password quality (of the selected systems and services) so that no “machine guessable” passwords are in use.
- “Patch employee network clients”; Make sure that all network related client software on the employees’ workstations have all security patches applied.
- “Prevent employee from running additional software”; Additional, unqualified/unverified software does not even need to be installed to be a problem: merely running it is of course a security risk.
- “Give employee basic security training”; Reduces the risk of social engineering and phishing attempts being successful.
The effect of the above listed work packages is seen in the diagram and the table below.
Risk matrix comparison
By comparing the different risk matrices for the iterative mitigation process, we see that the risk drops with each set of mitigations, but the significant improvement comes when/if employees can be prevented from running additional software on their workstations.
Larger and more detailed versions of these risk matrices are automatically generated as part of the securiCAD Enterprise report, which can be downloaded here.
The relative improvement is presented in the following tables.
Working from home versus working on prem
So far, this analysis has considered the situation of employees who are not used to the risks involved in remote connections to business resources connecting via VPN.
However, as a final reflection, it is also interesting to compare the risk levels this new situation brings with the risk levels of a traditional pre-pandemic situation/architecture where employees were only connecting to business systems from within the organization’s internal infrastructure.
The attack scenario considered is a successful phishing attack and what consequences that will bring.
This is done by adjusting the VPN model so that it represents the traditional on-prem structure instead and then comparing the simulation results of the two.
The working from home situation
A more detailed comparison of the two shows, as before, that the workingFromHome case brings an expected probability of successful attack of 70% for the non-mitigated model.
The on-prem situation
The on-prem, more traditional, situation on the other hand brings an expected probability of successful attack of between 38% and 46%.
When comparing the simulation results of the working-from-home model and the on-prem model, we see that the new situation and the related attack vectors are bringing a risk level exceeding the risk level of a phishing attack in a traditional environment by about 50%.
However, we have also found that by applying relatively basic defense-in-depth related security mitigations like credential quality review, patch management in prioritized systems and services and hardening the employees’ workstations, it is possible to lower that risk situation to a much lower level.
The analysis carried out in this example is a rather generic one based on assumptions on how a remotely connected workforce usually is connecting to on-prem services and systems within an organization. For carrying out an analysis closer to your actual architecture and situation, it is recommended to enrich the model with additional data sources like for instance vulnerability scanner data and firewall configurations.
For performing this type of analysis within your organization, the models presented here are recommended as a starting point or template. Then, to make it reflect your particular environment even more closely, you can both adjust the structure using securiCAD Professional and also enrich the models with scanner data, firewall configuration data and other similar data sources.
Please feel free to contact foreseeti for a more personalized demo.
- homeOfficeVPN.sCAD The homeOfficeVPN model
- onPremEmployees-phishing.sCAD The onPrem-phishing model
- homeOfficeVPN.docx The securiCAD Enterprise report on the homeOfficeVPN model including detailed information about the suggested mitigations
- onPremPhishingReport.docx The securiCAD Enterprise report comparing the homeOfficeVPN results to the results of a traditional threat with on-prem employees and the phishing attack vector