Cyber risk scoring and mitigation for ... - ciri.illinois.edu
TRANSCRIPT
Life in the Security Operation Center
[Diagram labels: Security advisories (Apache HTTP Server 2.4 vulnerabilities); Vulnerability reports; Network configuration; Intrusion Detection System alerts; Users and data assets; Security Risk Assessment; Prioritized Mitigation Plan]
Research Challenges
• Cognitive overload to the decision maker
  • Overwhelming number of alerts
  • Lack of insight into impact of attack impairs effective decision making
• Cyber defense remediation plan
  • Which vulnerability to patch first?
  • Balance between operational resilience and security risk
• Isolated alerts
  • Lack of strategies to integrate and correlate alerts
• Missing information
  • Requires reach-back and updates from higher command levels
• Attacker strategies/tactics
  • Lateral propagation
  • Stepping stones/pivot points
Research Objectives
• Development of data-driven modeling techniques to assess and measure cyber risk
• Development of techniques to incorporate criticality of assets in cyber risk measurement
• Characterization of the adversary's opportunity to conduct lateral propagation
• Development of a prioritized mitigation plan for effective cyber defense remediation
• Development of an optimal resource allocation scheme that balances the tradeoff between operational resilience and cyber risk
Multi-step Attacks
[Network diagram labels: Internet; Firewall 1; Demilitarized zone (DMZ); Web Server (WebPages); Firewall 2; Organization; workstation; File Server. Attack step labels: Buffer Overflow; Trojan horse / Shared Executable; NFS shell]
Measure Cyber Risk - Attack Graphs
• Adversaries penetrate the network through a chain of exploits
• Each exploit lays the foundation for subsequent exploits
• The chain is called an attack path
• All possible attack paths form an attack graph
• Generate attack graphs to mission critical resources
• Report only those vulnerabilities associated with the attack graphs
Bayesian Attack Graph
[Figure: Remote Attacker, Web Server (192.168.51.59), Database Server (192.168.51.60) and Proxy Server (192.168.51.61), abstracted to a four-node graph: root D at the bottom, B and C in the middle as children of D, and A at the top with parents B and C. Edge labels: D→B 0.85, D→C 0.70, B→A 0.65, C→A 1.00.]

Probability of successful exploit at the root (unconditional probability):

  Pr(D)  Pr(¬D)
  0.70   0.30          Pr(D) = 0.70

Conditional probability tables:

  D  Pr(B)  Pr(¬B)
  1  0.85   0.15
  0  0.00   1.00       Pr(B) = 0.60

  D  Pr(C)  Pr(¬C)
  1  0.70   0.30
  0  0.00   1.00       Pr(C) = 0.49

  B  C  Pr(A)  Pr(¬A)
  1  1  1.00   0.00
  1  0  0.65   0.35
  0  1  1.00   0.00
  0  0  0.00   0.00    Pr(A) = 0.61
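As an added example (not code from the slides or the CRISM tool), exact inference over the four-node graph above: the CPTs are encoded as a noisy-OR of the slide's edge probabilities and the root's 0.70 is the attacker's unconditional exploit probability; the block reproduces Pr(B) = 0.595, Pr(C) = 0.49 and Pr(A) ≈ 0.61, and shows that treating B and C as independent (ignoring their shared parent D) overstates Pr(A).

```python
from itertools import product

# Constructed from the slide's four-node Bayesian attack graph: D is the
# attacker's initial exploit (unconditional Pr(D) = 0.70); D enables B and C;
# B and C each enable A. Edge values are the slide's per-exploit success
# probabilities, combined at a node with a noisy-OR (this reproduces the
# slide's table for A: 0.65 via B alone, 1.00 via C alone, 1.00 via both).
PR_ROOT = {"D": 0.70}
EDGE = {("D", "B"): 0.85, ("D", "C"): 0.70, ("B", "A"): 0.65, ("C", "A"): 1.00}
PARENTS = {"D": [], "B": ["D"], "C": ["D"], "A": ["B", "C"]}

def cpt(node, state):
    """Pr(node compromised | parents' states): noisy-OR over compromised parents."""
    if not PARENTS[node]:
        return PR_ROOT[node]
    p_none = 1.0
    for par in PARENTS[node]:
        if state[par]:
            p_none *= 1.0 - EDGE[(par, node)]
    return 1.0 - p_none

def joint(state):
    """Pr(full assignment) = product of every node's CPT entry (chain rule)."""
    p = 1.0
    for node, val in state.items():
        q = cpt(node, state)
        p *= q if val else 1.0 - q
    return p

def marginal(node):
    """Exact unconditional Pr(node compromised) by enumerating all 2^N states."""
    names = list(PARENTS)
    total = 0.0
    for vals in product((0, 1), repeat=len(names)):
        state = dict(zip(names, vals))
        if state[node]:
            total += joint(state)
    return total

def naive_pr_a():
    """Pr(A) if B and C are (wrongly) treated as independent inputs to A."""
    pb, pc = marginal("B"), marginal("C")
    return 1.0 - (1.0 - EDGE[("B", "A")] * pb) * (1.0 - EDGE[("C", "A")] * pc)

if __name__ == "__main__":
    for n in "DBCA":
        print(f"Pr({n}) = {marginal(n):.3f}")      # D 0.700, B 0.595, C 0.490, A 0.606
    print(f"naive Pr(A) = {naive_pr_a():.3f}")   # 0.687: the shared parent D is ignored
```

The slide's Pr(A) = 0.61 only comes out when B and C are summed jointly through D; the independence shortcut gives about 0.69, so the attack-graph structure, not just per-node marginals, must be carried into the risk score.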
Cyber RIsk Scoring and Mitigation (CRISM©)
© 2016 CIRI / A Homeland Security Center of Excellence
  Challenges                                                  Solutions
  Identification of attack surfaces                           Acquisition of vulnerability scores from live threat intelligence feeds and vulnerability databases
  Identification of exploitable attack paths                  Network vulnerability tests and attack graph generation
  Modeling and assessing risk                                 Bayesian attack graph modeling techniques to categorize attack paths by impact, cost and degree of difficulty
  On demand and real-time access to quantifiable cyber risks  Cloud based risk assessment tool
Cyber RIsk Scoring and Mitigation (CRISM©)
Sachin Shetty, Michael McShane, Linfeng Zhang, Jay Kesan, Charles A. Kamhoua, Kevin Kwiat, Laurent Njilla, "Reducing Informational Disadvantages to Improve Cyber Risk Management", Geneva Papers on Risk and Insurance, April 2018, Volume 43, Issue 2, pp 224–238
Marco Gamarra, Sachin Shetty, Oscar Gonzalez, David Nicol, Charles A. Kamhoua, Laurent Njilla, "Analysis of Stepping Stone Attacks in Dynamic Vulnerability Graphs," IEEE International Conference on Communications (ICC), 20-24 May 2018, Kansas City, MO
Criticality Analysis
• Model data-driven criticality of a node in ICS considering node heterogeneity.
• Optimal resource allocation scheme based on nodes' criticality
• Examine the relationship between cost models of resource budget allocation for removal of vulnerabilities on critical nodes and the impact on availability.
• Empirical validation within an industrial control system (ICS) test-bed
Kamrul Hasan, Sachin Shetty, Sharif Ullah, Amin Hassanzadeh, Ethan Hader, "Security Risk Management in Energy Delivery Systems based on Critical Node Analysis", 2019 IEEE International Conference on Communications (ICC) (under review)
Criticality Analysis
[Architecture diagram labels: EDS Network; Network Scanning (Network Scanner: Nessus); Host Scanning (Host Scanner: Qualys); Network Logs; Host Logs; Wireshark TCP/DNP3 dump; CRISM: Graph Generation (Attack Graph), Criticality Calculation (Node Ranking), Critical Path Analysis (Critical Paths), Resource Allocation; Minimized Network Risk in Optimized Resource Allocation]
Node Criticality
• Criticality of a node in ICS: $C(i) = \alpha\, l(i) + \beta\, CEN(i) + \gamma\, d(i)$
• $C(i)$ is the criticality of node $i$, driven by three properties: $l(i)$, $CEN(i)$ and $d(i)$ respectively indicate the locality, centrality and physical damage properties of critical node $i$.
• Locality ($l$): Relative position of a node in the architecture defined in IEC 62443
  • Mapped from running services and processes
  • Collected from hosts' scan logs
  • A higher score assigned to an asset indicates that it is closer to the physical processes
• Centrality ($CEN$): Centrality of node $i$ is defined as: $CEN(i) = \left(\sum_{j=1}^{N} x_{ij}\right)^{1-\delta} \left(\sum_{j=1}^{N} w_{ij}\right)^{\delta}$
• $x_{ij}$ indicates the degree of node $i$, $w_{ij}$ indicates the normalized packet exchange between nodes $i$ and $j$, and $\delta$ determines the relative importance of the number of links to tie weights.
• Damage Factor ($d$): Potential damage to the physical plant: $d(i) = \left(P_l(i)/P_T\right)^{L^* - 1}$
• $P_l(i)$ is the loss of load for compromised system $i$, $P_T$ indicates the system's total load, and $L^*$ indicates the diverge point of power flow (P-V curve).
• Derived from SCADA by extracting current and voltage values in DNP3 messages.
Node Criticality

  Nodes   l  CEN (δ=0.5)  d     Criticality (C)
  WS      1  0.228        0     0.3057
  WebS    2  0.952        0     0.738
  SCADA1  3  1.144        0.6   1.336
  SCADA2  3  1.157        0.4   1.239
  RTU1    4  0.872        0.1   1.268
  RTU2    4  0.894        0.17  1.228
• Derived graph from TCP/DNP3 dump data.
• Total exchanged packets analyzed in a 30 minute window: 8006.
• Calculate Criticality ($C$) by plugging in $\alpha = 0.25$, $\beta = 0.25$ and $\gamma = 0.5$.
• 3 MW load through 10 RTUs in SCADA1 and 2 MW load through 6 RTUs in SCADA2.
• $L^* = 2$ from the P-V curve.
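As an added example (not the slide deck's code), the three criticality components and the weighted score computed on a small constructed packet-exchange graph: host names, packet counts and lost loads are constructed, the weights α, β, γ, δ and L* are the slide's, and criticality() reproduces the table rows above, e.g. SCADA1 (l=3, CEN=1.144, d=0.6) → 1.336.

```python
# Constructed example (not the slide's capture data): packets exchanged between
# hosts in one capture window as a symmetric dict of dicts, each host's
# IEC 62443 locality score, and the load (MW) lost if the host is compromised.
PACKETS = {
    "WebS":   {"SCADA1": 100},
    "SCADA1": {"WebS": 100, "RTU1": 600, "RTU2": 200},
    "RTU1":   {"SCADA1": 600},
    "RTU2":   {"SCADA1": 200},
}
LOCALITY = {"WebS": 2, "SCADA1": 3, "RTU1": 4, "RTU2": 4}
LOAD_LOST_MW = {"WebS": 0.0, "SCADA1": 3.0, "RTU1": 0.3, "RTU2": 0.3}
TOTAL_LOAD_MW = 5.0

def centrality(node, packets, delta=0.5):
    """CEN(i) = (sum_j x_ij)^(1-delta) * (sum_j w_ij)^delta, where x_ij is the
    link indicator (so the first sum is the degree) and w_ij is the packet count
    on link i-j normalized by all packets seen in the window."""
    # Each undirected link is stored twice, so halve the grand total.
    total = sum(c for nbrs in packets.values() for c in nbrs.values()) / 2
    degree = len(packets[node])
    strength = sum(packets[node].values()) / total
    return degree ** (1 - delta) * strength ** delta

def damage_factor(load_lost_mw, total_load_mw, l_star=2.0):
    """d(i) = (P_l(i) / P_T)^(L* - 1); with the slide's L* = 2 this is the lost-load share."""
    return (load_lost_mw / total_load_mw) ** (l_star - 1)

def criticality(locality, cen, damage, alpha=0.25, beta=0.25, gamma=0.5):
    """C(i) = alpha*l(i) + beta*CEN(i) + gamma*d(i) with the slide's weights."""
    return alpha * locality + beta * cen + gamma * damage

def rank_nodes(packets=PACKETS, delta=0.5, l_star=2.0):
    """Score every host and return (host, C) pairs, most critical first."""
    scores = {}
    for host in packets:
        cen = centrality(host, packets, delta)
        d = damage_factor(LOAD_LOST_MW[host], TOTAL_LOAD_MW, l_star)
        scores[host] = criticality(LOCALITY[host], cen, d)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for host, c in rank_nodes():
        print(f"{host:7s} C = {c:.3f}")   # SCADA1 first, WebS last on this constructed graph
```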
Attack Graph and Criticality Analysis
• Attack paths to SCADA1 (target): 0→1→2→3→4→5→6→7→8→9→10a→11a→12a; 0→13→6→7→8→9→10a→11a→12a
• Attack paths to SCADA2 (target): 0→1→2→3→4→5→6→7→8→9→10b→11b→12b; 0→13→6→7→8→9→10b→11b→12b
• Though the paths have identical exploitation probability from the attacker's starting node to SCADA1/SCADA2, the damages along the paths are different.
• The attacker has the opportunity to analyze the options and select the path that does the most damage to the target.
Resource Allocation, Remediation Plan and Cost Model
• Assume a resource budget of $B_D$ units.
• $maxA_i$ is the maximum cost to eliminate all vulnerabilities and exploits from node $i$.
• $A_i$ is the actual cost invested in node $i$.
• The number of pre-conditions, vulnerabilities and exploits in node $i$ is denoted $V_i$.
• The number of remaining vulnerabilities is a function of the actual budget allocation $A_i$.

Linear Cost Model: $V_i(A_i) = 1 - \sigma_i A_i$, $0 \le A_i \le maxA_i$, where $\sigma_i = 1/maxA_i$

$\min R(A_i) = \min \sum_{i=1}^{N} C_i \max\{(1 - A_i/maxA_i),\, 0\}$

Subject to $\sum_{i=1}^{N} A_i \le B_D$, $A_i \ge 0$
  Nodes   C      maxA  C/maxA  A     V(%)  R
  WS      3.1    4.94  0.63    0     72    2.232
  WebS    7.38   4.94  1.49    0     14.4  1.06
  SCADA1  13.36  4.94  2.7     4.94  0     0
  SCADA2  12.35  4.94  2.5     4.94  0     0
  RTU1    12.68  4.94  2.57    4.94  0     0
  RTU2    12.28  4.94  2.49    0.18  9.6   1.18
Linear Cost Resource Allocation
• Initially, the test-bed network's total risk was 8.65 units.
• After linear cost resource allocation, the risk reduces to 4.472 units, which is 52% of the total risk.
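As an added example (not the slide deck's or CRISM's code), the linear cost allocation above solved directly: because the objective is linear in each $A_i$ with slope $-C_i/maxA_i$, the constrained minimum is the greedy fill in descending $C_i/maxA_i$, which reproduces the slide's ranking and its A column (4.94, 4.94, 4.94, 0.18, 0, 0) for the 15-unit budget; the C and maxA values are the slide's.

```python
# Node criticality C_i (scaled as in the slide's table) and maxA_i, the cost
# of removing every vulnerability on node i; both taken from the slide.
NODES = {  # name: (C_i, maxA_i)
    "WS":     (3.10,  4.94),
    "WebS":   (7.38,  4.94),
    "SCADA1": (13.36, 4.94),
    "SCADA2": (12.35, 4.94),
    "RTU1":   (12.68, 4.94),
    "RTU2":   (12.28, 4.94),
}
BUDGET = 15.0  # B_D, the slide's limited budget

def remaining_fraction(a_i, max_a):
    """Linear cost model V_i(A_i) = 1 - sigma_i*A_i, sigma_i = 1/maxA_i, floored at 0."""
    return max(1.0 - a_i / max_a, 0.0)

def allocate_linear(nodes, budget):
    """Minimise sum_i C_i*max(1 - A_i/maxA_i, 0) subject to sum_i A_i <= B_D, A_i >= 0.
    Each budget unit spent on node i lowers the objective by C_i/maxA_i until the
    node is fully remediated, so the LP optimum is the fractional-knapsack greedy:
    fund nodes completely in descending C_i/maxA_i; the last funded node takes the
    remainder. Returns (ranking, allocation)."""
    ranked = sorted(nodes, key=lambda n: nodes[n][0] / nodes[n][1], reverse=True)
    alloc, left = {}, budget
    for name in ranked:
        spend = min(nodes[name][1], left)
        alloc[name] = spend
        left -= spend
    return ranked, alloc

def residual_risk(nodes, alloc):
    """Objective value R(A) under the linear model for a given allocation."""
    return sum(c * remaining_fraction(alloc.get(n, 0.0), m) for n, (c, m) in nodes.items())

if __name__ == "__main__":
    ranking, allocation = allocate_linear(NODES, BUDGET)
    print("priority:", " > ".join(ranking))          # SCADA1 > RTU1 > SCADA2 > RTU2 > WebS > WS
    for name in ranking:
        print(f"{name:7s} A = {allocation[name]:.2f}")
    print(f"residual risk (linear model): {residual_risk(NODES, allocation):.3f}")
```

The table's R column equals C × V(%)/100 row by row, and those V(%) values are not the 1 − A/maxA of the cost model as stated, so the objective value this block reports is not the table's R; the ranking and the A column do match.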
Resource Allocation, Remediation Plan and Cost Model

Exponential Cost Model: $V_i(A_i) = e^{-\sigma_i A_i}$, $0 \le A_i \le 1$, where $\sigma_i = 1/maxA_i$

Allocation of budget $B_D$ to nodes is optimized when the objective function $R$ is minimized. The optimized function is:

$R(A_i) = \sum_{i=1}^{N} e^{-\sigma_i A_i} C_i - \lambda \left[\sum_{i=1}^{N} A_i - B_D\right]$

where $A_i = \dfrac{\ln(\sigma_i C_i) - \ln(\lambda)}{\sigma_i}$ and $\ln(\lambda) = \dfrac{\sum_{i=1}^{N} \ln(\sigma_i C_i)/\sigma_i - B_D}{\sum_{i=1}^{N} 1/\sigma_i}$
  Nodes   C      maxA  C/maxA  A      V(%)  R
  WS      3.1    4.94  0.63    0      72    2.232
  WebS    7.38   4.94  1.49    0      14.4  1.06
  SCADA1  13.36  4.94  2.7     4.371  4.8   0.641
  SCADA2  12.35  4.94  2.5     3.98   5.14  0.634
  RTU1    12.68  4.94  2.57    4.11   3.91  0.495
  RTU2    12.28  4.94  2.49    2.54   4.45  0.552
Exponential Cost Resource Allocation
• Initially, the test-bed network's total risk was 8.65 units.
• After exponential cost resource allocation, the risk reduces to 4.98 units, which is 58% of the total risk.
• For both the linear and exponential cost models, the optimal allocation is ensured when the budget is distributed according to the rank of the nodes.
• The limited budget (15 units) is allocated after ranking the nodes by criticality from highest to lowest: SCADA1, RTU1, SCADA2, RTU2, WebS and WS, for both the linear and exponential cost models.
• The property $C/maxA$ (ranking) ensures allocation priority from highest to lowest, irrespective of linear or exponential budget allocation.
[Figures: Linear and exponential cost remediation plan; Linear and exponential cost allocation vs criticality]
Resource Allocation, Remediation Plan and Cost Model
Characterize Attacker's Lateral Propagation
• Defense-in-depth architecture forces attackers to conduct lateral propagation.
• Stealth attacks can take advantage of this architecture.
• Research Challenges
  • Model lateral propagation by factoring in context
  • Incorporate host criticality
  • Model attacker's opportunity in ICS
• Research Objective
  • Modeling attacker's opportunity by developing criticality metrics for each host along the paths to the target.

Sharif Ullah, Sachin Shetty, Amin Hassanzadeh, "Towards Modeling Attacker's Opportunity for Improving Cyber Resilience in Energy Delivery Systems", Resilience Week, Denver, August 2018
Topological Connectivity based Criticality Metric (TCCM)
• Model the opportunity to the attacker provided by an exploitable host
• An attack path is characterized by global info (degree of exploitability) and contextual info: Vulnerable Service (VS), Operating System (OS), Isolation Pattern (IP)
• For each parameter, we compute the relative abundance of different instances in an attack path $P_y$ and define it as the similarity index
• Where the effective richness of parameter $z$ is:
• Parameters (VS, OS, IP) are encoded in a set $Z = \{z_1, z_2, z_3\}$
• Each path has $q$ types of instances defined by $z \in Z$.
• $P_y$: an attack path
• $m_j$: number of instances of type $j$
• $|H_y|$: total number of instances in the whole attack path
• $r_{P_y, z}$, $w_z$: weight factor
TCCM Algorithm
• The host whose criticality we intend to find
• Cost of host $n$ towards target $t$ within a path $P_y$
• Cost measurement of each target host
• Effort-betweenness matrix calculation
• TCCM for host $n$, capturing target impact, path cost, diverse attack paths, host position on each path, etc.
Social Vulnerability based Criticality Metric (SVCM)
• Attack path analysis is not sufficient to capture the opportunity of an insider attack.
• Assigns a score to hosts based on their susceptibility to social engineering attack.
• Classify each attack vector (AV) in terms of stages
• Each major stage is divided into multiple sub-stages, each marked by a classification parameter.
• Social vulnerability score for attack vector $i$
• Our second criticality metric is given as
Infection Propagation based Criticality Metric (IPCM)
• Interaction between system objects could be a new opportunity for the attacker
• We classify three types of objects for our analysis: processes, files and sockets
• Capture the dependency between objects by the control and information flow between them
• Intrusion on any object could initiate infection propagation
SVCM (maximum damage):
SVCM (minimum damage):
[Figure labels: Set of objects related to process control and operation; Impact on substation operation; Intrusion evidence]
Simulation Results:
[Figures: Standard deviation of TCCM due to multiple initial attack points, for each host (left) and for hosts within a layer (right); Evaluation result for SD of TCCM due to OS, VS and IP (left), risk of the network for particular attack points (right); Network diversity in terms of social attack vectors; Infection Propagation based CM for hosts]
Path Analysis Security Metric - Shortest Path & Probabilistic Path Analysis
• The shortest path is the path with the minimum number of steps the attacker needs to take.
• Each step is defined as a distinct security state of the network.
• The transformed logical attack graph shows how network and system configuration results in unauthorized adversarial action.
• A Bayesian Network (BN) estimates the likelihood of the attacker's success in each penetration step.
Path Analysis Security Metric - System Security State
• For tracking the attacker's progression, the attack graph is represented as a set of system security states ($s_i$).
• Each state represents a distinct attacker action with associated conditions. More formally:
  • $\Pr(e \mid \exists\, c_{pr} = F,\ (e, c_{pr}) \in s_i) = 0$ (that is, an exploit $e$ can't be executed until all its preconditions $c_{pr}$ are satisfied)
  • $\Pr(c_{ps} \mid \exists\, e = T,\ (e, c_{ps}) \in s_i) = 1$ (that is, a postcondition $c_{ps}$ can be satisfied by any exploit alone)
  • $\Pr(e \mid \forall\, c_{pr} \in s_i = T)$ (that is, the probability of successfully executing an exploit when all its preconditions are satisfied)
Path Analysis Security Metric - Stealthiest Path
• The network requires various isolation between hosts, providing different layers of security.
• Each layer signifies the type of security resistance based on different security devices and capabilities.
• Hypothesis behind the stealthiness: the more isolation a path introduces,
  • the more detectable by the defender
  • the less exploitable by the attacker
• The isolation between hosts for a flow is formalized as follows:
• The path stealthiness score can be estimated by:
Path Analysis Security Metric - Hardest Path
• Our transitioned model allows the attack graph to be transformed into a state graph.
• We can measure the hardness of a path as the sum of each state's hardness.
• Path hardness: Binary Similarity case
• Path hardness: Correlated Effort case
Evaluation of CRISM at Sentara Healthcare
• Sentara Healthcare serves over 2 million residents in 100 sites in Virginia and North Carolina
• Interested in tools that provide security risk assessment and a prioritized mitigation plan
• Evaluation on Sentara Healthcare's cyber infrastructure
• Production IT systems running diverse Windows and Linux distributions
• Scalable evaluation on at most 50 nodes, each running over 20 services
Conclusion and Future Work
• Developed data-driven modeling techniques to a) measure cyber risk, b) capture node criticality in the ICS context, c) propose cyber remediation solutions and d) characterize adversarial lateral propagation
• Developed Cyber RIsk Scoring and Mitigation (CRISM) as a cloud-based service for organizations to assess cyber risk
• Evaluate the research techniques and tool in the ICS and healthcare sectors