Metrics Suite for Network Attack Graphs
![Page 1: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/1.jpg)
65th Meeting of IFIP Working Group 10.4 On Dependable Computing and Fault Tolerance
Sorrento, Italy, January 23-27, 2014
Steven Noel
Center for Secure Information Systems
George Mason University
csis.gmu.edu
Metrics Suite for Network Attack Graphs
![Page 2: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/2.jpg)
Motivation
• Impact of combined topology, policy, and vulnerabilities on security posture
  – Attack graphs show multi-step vulnerability paths through networks
  – But they lack quantitative scores that capture overall security state at a point in time
• Show metric trends over time
• Compare security across organizations
• Complementary dimensions of network security
• Funded by DHS BAA 11-02 (12 months)
1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 3: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/3.jpg)
Motivating Example
Attack Graph Before Remediation
![Page 4: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/4.jpg)
Top CVSS Vulnerabilities (CVSS > 7)
Remediated Attack Graph
![Page 5: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/5.jpg)
Top Exposed Vulnerabilities (Top 3 Exposed)
Remediated Attack Graph
![Page 6: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/6.jpg)
Attack Graph Metrics
Pipeline: Network Topology + Firewall Rules + Host Vulnerabilities → Attack Graph Analysis → Metrics Engine → Metrics Dashboard
• Host vulnerability / scanner inputs: Nessus, Retina, nCircle, Core Impact, Foundscan, Qualys, SAINT, nmap
• Firewall rule inputs: Cisco ASA, Cisco IOS, Juniper JUNOS, Juniper ScreenOS, Fortinet, McAfee FE
• Dashboard outputs: XML, CSV, Graphical
![Page 7: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/7.jpg)
Cauldron Attack Graph
![Page 8: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/8.jpg)
Common Vulnerability Scoring System (CVSS)
CVSS Base Metric (CVSS version 2 base metric groups)
• Exploitability: Access Vector, Access Complexity, Authentication
• Impact: Confidentiality, Integrity, Availability
![Page 9: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/9.jpg)
Attack Graph Metrics Families
• Victimization: Individual vulnerabilities and exposed services each have elements of risk. We score the entire network across individual vulnerability victimization dimensions.
• Size: The size of the attack graph (vectors and exposed machines) is a prime indication of risk. The larger the graph, the more ways you can be compromised.
• Containment: Networks are generally administered in pieces (subnets, domains, etc.). Risk mitigation should aim to reduce attacks across such boundaries, to contain attacks.
• Topology: The connectivity, cycles, and depth of the attack graph indicate how graph relationships enable network penetration.
![Page 10: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/10.jpg)
Metrics Hierarchy
Network Score (Overall) → Metrics Family → Individual Metrics
• Victimization: Existence, Exploitability, Impact
• Size: Vectors, Machines
• Containment: Vectors, Machines, Vuln Types
• Topology: Connectivity, Cycles, Depth
![Page 11: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/11.jpg)
Metrics Scaling
A raw metric $x$ ranges over $[x_{\min}, x_{\max}]$; on this slide the best (most secure) value is $x_{\min}$ and the worst is $x_{\max}$. The plot shows the intermediate functions $f_1$ and $f_2$ and the final scaling $f_3(x)$, which maps Best to 0 and Worst to 10:
$$f_3(x) = 10\,\frac{x - x_{\min}}{x_{\max} - x_{\min}}, \qquad x_{\min} \le x \le x_{\max}$$
so that $f_3(x_{\min}) = 0$ and $f_3(x_{\max}) = 10$.
![Page 12: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/12.jpg)
Metrics Scaling (Reversal)
When the worst value of the raw metric is $x_{\min}$ and the best is $x_{\max}$ (Worst on the left of the plot, Best on the right), the scaling is reversed so that 10 still denotes the worst case. The plot shows the intermediate functions $f_1$ through $f_4$ and the final scaling $f_5(x)$:
$$f_5(x) = 10\left(1 - \frac{x - x_{\min}}{x_{\max} - x_{\min}}\right) = 10\,\frac{x_{\max} - x}{x_{\max} - x_{\min}}, \qquad x_{\min} \le x \le x_{\max}$$
so that $f_5(x_{\min}) = 10$ and $f_5(x_{\max}) = 0$.
![Page 13: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/13.jpg)
Combining Metrics
For two scores $s_1, s_2$ with weights $w_1, w_2$, where $0 \le s_1, s_2 \le 10$ and $0 \le w_1, w_2 \le 1$, combine as a weighted Euclidean norm:
$$\sqrt{w_1^2 s_1^2 + w_2^2 s_2^2}$$
Largest possible value (both scores at 10):
$$\sqrt{10^2 w_1^2 + 10^2 w_2^2} = 10\sqrt{w_1^2 + w_2^2}$$
Normalizing by the largest possible value keeps the combined score on the same $[0, 10]$ scale as the individual metrics:
$$S = 10\,\frac{\sqrt{w_1^2 s_1^2 + w_2^2 s_2^2}}{10\sqrt{w_1^2 + w_2^2}} = \sqrt{\frac{w_1^2 s_1^2 + w_2^2 s_2^2}{w_1^2 + w_2^2}}$$
![Page 14: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/14.jpg)
Combining Metrics
For individual score $s_i$ with weight $w_i$, $0 \le s_i \le 10$ and $0 \le w_i \le 1$. In general, for $n$ scores, the combined score is
$$S = \sqrt{\frac{\sum_{i=1}^{n} w_i^2 s_i^2}{\sum_{i=1}^{n} w_i^2}}$$
which again lies in $[0, 10]$: $S = 10$ when every score is 10 and $S = 0$ when every score is 0. This is the roll-up used at each level of the hierarchy (individual metrics into a family score, family scores into the network score).
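Worked example of the scaling and combination described on the Metrics Scaling and Combining Metrics slides. This is added code, not code from the deck or from the Cauldron tool: it assumes the normalized scaling $10(x - x_{\min})/(x_{\max} - x_{\min})$ (reversed when the worst value is at $x_{\min}$), the weighted Euclidean combination with weights in $[0, 1]$, and that the same combination is applied twice, once per family and once across families. The family scores in `EXAMPLE_FAMILIES` are constructed values, not numbers from the deck.

```python
import math


def scale(x, x_min, x_max, reverse=False):
    """Map a raw metric x on [x_min, x_max] onto [0, 10], 10 being the worst
    (least secure) end.  reverse=False: worst at x_max; reverse=True: worst at
    x_min (the deck's "reversal" case)."""
    if x_max <= x_min:
        raise ValueError("x_max must exceed x_min")
    t = (x - x_min) / (x_max - x_min)
    t = min(max(t, 0.0), 1.0)  # clamp: an out-of-range raw value cannot push the score past the ends
    if reverse:
        t = 1.0 - t
    return 10.0 * t


def combine(scores, weights):
    """Weighted Euclidean combination of 0-10 scores, normalised so the result
    stays on [0, 10] and reaches 10 exactly when every score with non-zero
    weight is 10."""
    if len(scores) != len(weights):
        raise ValueError("one weight per score")
    for s, w in zip(scores, weights):
        if not 0.0 <= s <= 10.0 or not 0.0 <= w <= 1.0:
            raise ValueError("scores must lie in [0, 10] and weights in [0, 1]")
    denominator = sum(w * w for w in weights)
    if denominator == 0.0:
        raise ValueError("at least one weight must be positive")
    numerator = sum((w * s) ** 2 for s, w in zip(scores, weights))
    return math.sqrt(numerator / denominator)


def network_score(families, metric_weights=None, family_weights=None):
    """Two-level roll-up following the hierarchy: individual metrics -> family
    score -> overall network score.  `families` maps family name -> {metric
    name: 0-10 score}; missing weights default to 1.0."""
    metric_weights = metric_weights or {}
    family_weights = family_weights or {}
    family_scores, fam_w = [], []
    for family, metrics in families.items():
        names = list(metrics)
        w = [metric_weights.get((family, name), 1.0) for name in names]
        family_scores.append(combine([metrics[n] for n in names], w))
        fam_w.append(family_weights.get(family, 1.0))
    return combine(family_scores, fam_w)


# Constructed example scores (already scaled to 0-10), not values from the deck.
EXAMPLE_FAMILIES = {
    "Victimization": {"Existence": 2.0, "Exploitability": 8.0, "Impact": 6.0},
    "Size": {"Vectors": 1.5, "Machines": 6.7},
    "Containment": {"Vectors": 2.5, "Machines": 7.5, "Vuln Types": 5.0},
    "Topology": {"Connectivity": 7.0, "Cycles": 6.0, "Depth": 7.5},
}


def example():
    # Down-weight the Size/Machines metric to show a non-uniform weight in use.
    return network_score(EXAMPLE_FAMILIES, metric_weights={("Size", "Machines"): 0.5})
```

Because the combination is a norm rather than a mean, one bad metric is not hidden by several good ones: with equal weights, scores of 6 and 8 combine to about 7.07 rather than 7, and a single 10 among zeros still lifts the family score above zero.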
![Page 16: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/16.jpg)
Metrics Family: Victimization
• Existence – relative number of ports that are vulnerable, summed over all machines $i$, with $v_i$ the vulnerable ports and $s_i$ the open ports on machine $i$:
$$\text{Existence} = 10\,\frac{\sum_i v_i}{\sum_i s_i}$$
• Exploitability – average CVSS Exploitability over the set $U$ of vulnerabilities, with $e_u$ the CVSS Exploitability subscore of vulnerability $u$:
$$\text{Exploitability} = \frac{1}{|U|} \sum_{u \in U} e_u$$
• Impact – average CVSS Impact, with $m_u$ the CVSS Impact subscore of vulnerability $u$:
$$\text{Impact} = \frac{1}{|U|} \sum_{u \in U} m_u$$
The CVSS v2 Exploitability and Impact subscores each range over (approximately) 0 to 10, so these averages are already on the metric scale and need no further scaling.
![Page 18: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/18.jpg)
Size Family
Vectors Metric
Let $d$ be the number of protection domains, $m_i$ the number of machines in domain $i$, and $m$ the total number of machines.
Within domain (implicit vectors): inside a domain every machine can reach every vulnerability on the other $m_i - 1$ machines, so with $v_{i,j}$ the number of vulnerabilities on machine $j$ of domain $i$, the implicit vectors within domain $i$ number $\sum_{j=1}^{m_i} (m_i - 1)\, v_{i,j}$.
Across domains: explicit vectors $v_{i,j}$, $i \ne j$, the attack vectors from domain $i$ into domain $j$ that the topology and firewall rules actually allow. (The same symbol $v_{i,j}$ serves both counts; the first is indexed by machine within a domain, the second by a pair of domains.)
Attack vectors:
$$v_a = \sum_{i=1}^{d} \sum_{j=1}^{m_i} (m_i - 1)\, v_{i,j} \;+\; \sum_{\substack{i,j = 1 \\ i \ne j}}^{d} v_{i,j}$$
Total possible attack vectors, with $s_i$ the number of ports (services) on machine $i$ and every machine able to attack every port of every other machine:
$$v_p = (m - 1) \sum_{i=1}^{m} s_i$$
$$\text{Size Vectors} = 10\,\frac{v_a}{v_p}$$
![Page 19: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/19.jpg)
Size Family
Machines Metric
Vulnerable machines, with $r_i$ the vulnerable machines in domain $i$:
$$r = \sum_{i=1}^{d} r_i$$
Non-vulnerable machines, with $m_j$ the non-vulnerable machines in domain $j$ (on this slide $m$ counts non-vulnerable machines only):
$$m = \sum_{j=1}^{d} m_j$$
$$\text{Size Machines} = 10\,\frac{r}{r + m}$$
![Page 21: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/21.jpg)
Containment Family
Vectors Metric
Same setup as the Size Vectors metric: $d$ domains with $m_i$ machines each; implicit vectors within a domain (every machine reaches each of the $v_{i,j}$ vulnerabilities on the other $m_i - 1$ machines of domain $i$) and explicit vectors $v_{i,j}$, $i \ne j$, across domains.
Attack vectors:
$$v_a = \sum_{i=1}^{d} \sum_{j=1}^{m_i} (m_i - 1)\, v_{i,j} \;+\; \sum_{\substack{i,j = 1 \\ i \ne j}}^{d} v_{i,j}$$
Attack vectors across domains:
$$v_c = \sum_{\substack{i,j = 1 \\ i \ne j}}^{d} v_{i,j}$$
$$\text{Containment Vectors} = 10\,\frac{v_c}{v_a}$$
![Page 22: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/22.jpg)
Containment Family
Machines Metric
With $M_i$ the set of machines in domain $i$:
Victims within domain only:
$$m_w = \sum_{i=1}^{d} \left|\{\, m \in M_i : m \text{ is a victim only of attackers in } M_i \,\}\right|$$
Victims across domains:
$$m_a = \sum_{i=1}^{d} \left|\{\, m \in M_i : m \text{ is a victim of some attacker outside } M_i \,\}\right|$$
$$\text{Containment Machines} = 10\,\frac{m_a}{m_a + m_w}$$
![Page 23: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/23.jpg)
Containment Family
Vulnerability Types Metric
Counted per (machine, vulnerability type) pair, with $M_i$ the set of machines in domain $i$:
Vulnerability types within domain only:
$$t_w = \sum_{i=1}^{d} \left|\{\, (m, t) : m \in M_i,\ t \text{ a vulnerability type on } m \text{ exploited only from within } M_i \,\}\right|$$
Vulnerability types across domains:
$$t_a = \sum_{i=1}^{d} \left|\{\, (m, t) : m \in M_i,\ t \text{ a vulnerability type on } m \text{ exploited from outside } M_i \,\}\right|$$
$$\text{Containment Vuln Types} = 10\,\frac{t_a}{t_a + t_w}$$
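Worked example covering the Size family (Vectors, Machines) and the Containment family (Vectors, Machines, Vulnerability Types) slides above, over a constructed six-machine network in three protection domains. This is added code, not code from the deck or from Cauldron. Assumptions: the attack-graph analysis hands over explicit cross-domain vectors as (attacker machine, victim machine, vulnerability type) triples; vectors inside a domain are not listed because they are implicit (every machine in a domain reaches every vulnerability on the others); a vulnerable machine whose domain holds at least one other machine therefore counts as a within-domain victim; and the vulnerability type names and port counts are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Machine:
    name: str
    domain: str         # protection domain (subnet / firewall zone) the machine sits in
    ports: int          # open services s_i on the machine
    vulns: tuple = ()   # vulnerability types exposed by those services


@dataclass(frozen=True)
class Vector:
    """Explicit attack vector from the attack-graph analysis: `attacker`
    exploits vulnerability type `vuln` on `victim`."""
    attacker: str
    victim: str
    vuln: str


def size_and_containment(machines, vectors):
    """Size and Containment family metrics, each on 0 (best) to 10 (worst)."""
    by_name = {m.name: m for m in machines}
    domains = defaultdict(list)
    for m in machines:
        domains[m.domain].append(m)
    for v in vectors:  # reject vectors the inventory cannot support
        if v.vuln not in by_name[v.victim].vulns:
            raise ValueError(f"{v.victim} does not expose {v.vuln}")

    # Implicit within-domain vectors: the other m_i - 1 machines of a domain
    # reach every vulnerability on each machine of that domain.
    v_implicit = sum((len(ms) - 1) * sum(len(m.vulns) for m in ms) for ms in domains.values())
    # Only cross-domain vectors are explicit; same-domain entries are already implicit.
    cross = [v for v in vectors if by_name[v.attacker].domain != by_name[v.victim].domain]
    v_c = len(cross)
    v_a = v_implicit + v_c
    # Every machine attacking every port of every other machine.
    v_p = (len(machines) - 1) * sum(m.ports for m in machines)

    vulnerable = [m for m in machines if m.vulns]
    r, m_non = len(vulnerable), len(machines) - len(vulnerable)

    # Cross-domain victim: targeted by an explicit vector from another domain.
    # Within-domain victim: vulnerable and sharing its domain with another machine.
    hit_across = {v.victim for v in cross}
    m_a = sum(1 for m in vulnerable if m.name in hit_across)
    m_w = sum(1 for m in vulnerable if m.name not in hit_across and len(domains[m.domain]) > 1)

    # Same split per (machine, vulnerability type) pair.
    pairs_across = {(v.victim, v.vuln) for v in cross}
    pairs_all = {(m.name, t) for m in vulnerable for t in m.vulns}
    t_a = len(pairs_all & pairs_across)
    t_w = sum(1 for name, _ in pairs_all - pairs_across if len(domains[by_name[name].domain]) > 1)

    def scaled(num, den):
        return 10.0 * num / den if den else 0.0

    return {
        "size_vectors": scaled(v_a, v_p),
        "size_machines": scaled(r, r + m_non),
        "containment_vectors": scaled(v_c, v_a),
        "containment_machines": scaled(m_a, m_a + m_w),
        "containment_vuln_types": scaled(t_a, t_a + t_w),
    }


# Constructed inventory (not from the deck): DMZ, Inside and Partner domains.
MACHIN_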
![Page 24: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/24.jpg)
Metrics Hierarchy
23
Overall
Victimization
Existence
Exploitability
Impact
Size
Vectors
Machines
Containment
Vectors
Machines
Vuln Types
Topology
Connectivity
Cycles
Depth
1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 25: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/25.jpg)
Attack Graph Connectivity
1/23/2014 65th IFIP Working Group 10.4 Meeting 24
One Component
Two Components
Three Components
Motivation: Better to have attack graph as disconnected parts versus connected whole
Less Secure
More Secure
![Page 26: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/26.jpg)
Topology Family
Connectivity Metric
1/23/2014 65th IFIP Working Group 10.4 Meeting 25
1 component 4 components 5 components
10111
11110Metric
7
111
14110Metric
6
111
15110Metric
![Page 27: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/27.jpg)
Attack Graph Cycles
1/23/2014 65th IFIP Working Group 10.4 Meeting 26
Motivation: For a connected attack graph, better to avoid cycles among subgraphs
Less Secure
More Secure
![Page 28: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/28.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 27
4 components 5 components 10 components
7111
14110Metric
6
111
15110Metric
1
111
110110Metric
Topology Family
Cycles Metric
![Page 29: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/29.jpg)
Attack Graph Depth
1/23/2014 65th IFIP Working Group 10.4 Meeting 28
One Step Deep
2 Steps Deep
3 Steps Deep
Less Secure
More Secure
Motivation: Better to have attack graph deeper versus shallower
![Page 30: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/30.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 29
Shortest path 3/8 Shortest path 4/8 Shortests paths 2/3 and 1/5
7.518
3110Metric
3.4
18
4110Metric
3.2
15
115
13
213
82
10Metric
Topology Family
Depth Metric
![Page 31: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/31.jpg)
Metrics Dashboard
30 1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 32: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/32.jpg)
Family-Level Metrics
31 1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 33: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/33.jpg)
Temporal Zoom
32 1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 34: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/34.jpg)
Trend Summary
33 1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 35: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/35.jpg)
Example Network Topology
34 1/23/2014 65th IFIP Working Group 10.4 Meeting
![Page 36: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/36.jpg)
Attack Graph – No Hardening
1/23/2014 65th IFIP Working Group 10.4 Meeting 35
![Page 37: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/37.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 36
Block Partners to Inside
![Page 38: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/38.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 37
Block Partner 4 to DMZ
![Page 39: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/39.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 38
Block DMZ to Inside 3
![Page 40: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/40.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 39
Patch Host Vulnerabilities
![Page 41: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/41.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 40
![Page 42: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/42.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 41
![Page 43: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/43.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 42
![Page 44: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/44.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 43
![Page 45: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/45.jpg)
1/23/2014 65th IFIP Working Group 10.4 Meeting 44
![Page 46: Metrics Suite for Network Attack Graphs](https://reader033.vdocument.in/reader033/viewer/2022052023/6286b5125d955c00aa66f088/html5/thumbnails/46.jpg)
Contact
45
The MITRE Corporation McLean, Virginia
Steven Noel http://csis.gmu.edu/noel/
1/23/2014 65th IFIP Working Group 10.4 Meeting