Abstract
Motivated by the practical importance of security assessment, researchers have developed numerous model-based methodologies. However, the diversity of methodologies and tool designs makes it challenging to compare their respective strengths or to integrate their results. To make it easier to incorporate them into practical assessment tasks, we believe it is critical to establish a common foundation of security assessment inputs that supports different methodologies and tools. As an initial effort, this paper presents an open repository of Common Input Scenarios for Security Assessment (CISSA) for different model-based security assessment tools. By proposing a CISSA design framework and constructing six initial scenarios based on real-world incidents, we experimentally show how CISSA can provide new insights and concrete reference points to both security practitioners and tool developers. We have hosted CISSA on a publicly available website, and envision that community effort in building CISSA would significantly advance the scientific and practical value of model-based security assessment.
Notes
1. In this paper, we refer to the particular tool available at http://researchers.edf.com/software/kb3-44337.html.
2. The PRM-based version in [27] provides XML import/export. However, we cannot find the format and semantics of the files, nor available tools for generating/processing them.
3. The main difference is that the hypothesis in [4] about the Contractor Remote Access attack vector is not included in our CISSA case.
4. Earlier PRM-based versions of CySeMoL assume constant attack duration.
References
1. Public Repository for CISSA. http://www.illinois.adsc.com.sg/cissa
2. Abrams, M., Weiss, J.: Malicious control system cyber security attack case study - Maroochy water services, Australia (2008)
3. Aorato Labs: The untold story of the Target attack step by step, August 2014. http://www.aorato.com/blog/untold-story-target-attack-step-step/
4. Byres, E., Ginter, A., Langill, J.: How Stuxnet spreads - a study of infection paths in best practice systems. www.tofinosecurity.com/how-stuxnet-spreads
5. Chen, B., Kalbarczyk, Z., Nicol, D.M., Sanders, W.H., Tan, R., Temple, W.G., Tippenhauer, N.O., Vu, A.H., Yau, D.K.Y.: Go with the flow: toward workflow-oriented security assessment. In: NSPW (2013)
6. Command Five Pty Ltd.: SK Hack by an Advanced Persistent Threat, September 2011. http://www.commandfive.com/papers/C5_APT_SKHack.pdf
7. Falliere, N., Murchu, L.O., Chien, E.: Symantec security response: W32.Stuxnet dossier. www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
8. iSightPartners: Kaptoxa point of sale compromise, January 2014. http://www.securitycurrent.com/resources/files/KAPTOXA-Point-of-Sale-Compromise.pdf
9. Kaspersky Lab Global Research and Analysis Team: Energetic Bear - Crouching Yeti, July 2014. http://securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf
10. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack-defense trees. In: FAST, pp. 80–95 (2011)
11. Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees (2013). CoRR arXiv:1303.7397
12. Kriaa, S., Bouissou, M., Piètre-Cambacédès, L.: Modeling the Stuxnet attack with BDMP: towards more formal risk assessments. In: Proceedings of International Conference on Risk and Security of Internet and Systems (CRiSIS), pp. 1–8, October 2012
13. Langill, J.: Defending against the Dragonfly cyber security attacks (2014). http://www.belden.com/docs/upload/Belden-White-Paper-Dragonfly-Cyber-Security-Attacks.pdf
14. LeMay, E., Ford, M., Keefe, K., Sanders, W.H., Muehrke, C.: Model-based security metrics using ADversary VIew Security Evaluation (ADVISE). In: QEST (2011)
15. Lippmann, R.P., Ingols, K.W.: An annotated review of past papers on attack graphs (2005)
16. Mandiant, a FireEye Company: Beyond the breach (2014). https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
17. North American Electric Reliability Corporation: Critical infrastructure protection standards. http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
18. Ou, X., Boyer, W.F.: A scalable approach to attack graph generation. In: CCS (2006)
19. Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: USENIX Security (2005)
20. PCI Security Standards Council: PCI SSC data security standards overview. https://www.pcisecuritystandards.org/security_standards/
21. Phillips, C., Swiler, L.: A graph-based system for network-vulnerability analysis. In: NSPW (1998)
22. Piètre-Cambacédès, L., Bouissou, M.: Attack and defense modeling with BDMP. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2010. LNCS, vol. 6258, pp. 86–101. Springer, Heidelberg (2010)
23. Piètre-Cambacédès, L., Bouissou, M.: Beyond attack trees: dynamic security modeling with Boolean logic driven Markov processes (BDMP). In: EDCC (2010)
24. Sanders, W.: Quantitative security metrics: unattainable holy grail or a vital breakthrough within our reach? IEEE-SPM 12, 67–69 (2014)
25. Schneier, B.: Attack trees: modeling security threats. Dr. Dobb’s J. 24, 21–29 (1999)
26. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: IEEE S&P (2002)
27. Sommestad, T., Ekstedt, M., Holm, H.: The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures. IEEE Syst. J. 7(3), 363–373 (2013)
28. Symantec Security Response: Dragonfly: cyberespionage attacks against energy suppliers, July 2014. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
29. Verendel, V.: Quantified security is a weak hypothesis. In: NSPW (2009)
30. Vu, A.H., Tippenhauer, N.O., Chen, B., Nicol, D.M., Kalbarczyk, Z.: CyberSAGE: a tool for automatic security assessment of cyber-physical systems. In: Norman, G., Sanders, W. (eds.) QEST 2014. LNCS, vol. 8657, pp. 384–387. Springer, Heidelberg (2014)
Acknowledgements
This study is supported by the research grant for the Human-Centered Cyber-physical Systems Programme at the Advanced Digital Sciences Center from Singapore’s Agency for Science, Technology and Research (A*STAR).
A Appendix: CISSA Example
In this section we provide an example CISSA by describing the seven elements (N, D, U, O, X, A, C) for the Target Corporation data breach. The input files themselves are available online in XML format [1].
A.1 Brief Recap of the Target Incident
The data breach at Target Corporation in 2013 resulted in the loss of credit card data from 40 million customers [3, 8]. This multi-stage attack began with the theft of an HVAC vendor’s credentials for Target’s vendor management web portal. From there, the attackers were able to penetrate deep into Target’s corporate network, steal personally identifiable information (PII) from a database, and deploy malware that pulled customers’ credit card information from Target’s point-of-sale machines. The stolen data were exfiltrated via FTP from inside the corporate network.
A.2 CISSA Definition for the Target Scenario
To illustrate how the CISSA specification can represent the details of real-world incidents for security assessment, we briefly present how we define the Target scenario under CISSA.
Components and Network N. A large retailer such as Target typically has hundreds or thousands of locations, each with numerous point-of-sale (POS) stations that accept and process customer payments. Figure 7 depicts the network connections (\(E_N\)) and devices (\(V_N\)) considered in this scenario. The model includes K store locations, each with \(T_K\) POS machines connected via a switch to a back-of-house (BoH) server. Each BoH server connects to a central payment server in the corporate network, which interfaces with external financial institutions to verify transactions. The corporate network also includes a directory server, a web server, and a database server; other corporate services are abstracted away in this model. The XML files online [1] specify additional information.
Data D. Data plays a central role in the Target CISSA. The attackers’ goal was the theft of customer data, and this was made possible by the acquisition of additional system-specific data. Table 5 describes the data items that are modeled in this scenario. We provide a unique identifier for each data item \(ID_D\), a description of the data’s properties \(L_D\), and a list of devices that interact with the data \(Map_D\) (network links are omitted for brevity).
Users U. In this scenario, several different user types are affected by the incident. In particular, credentials from a vendor and, later, a Domain Administrator, enabled the adversaries to steal sensitive information relating to the company’s customers. Table 6 summarizes the relevant user information.
Operations O. Arguably the most important system operation in this scenario is the handling of consumer credit card information during POS transactions. Figure 8 depicts this process. Here the vertices \(V_O\) denote the major operations of the POS terminal, a store’s BoH server, and the bank responsible for clearing the transaction, while the edges \(E_O\) impose a sequential order. The mapping function \(Map_O\) in this case assigns specific devices to the roles described above (e.g., POS Terminal 5 in Store #300). Additional system operations in this scenario could include the software update process of the POS terminals or BoH server, or the processes for collecting and storing personally identifiable information (PII) in the company’s database.
Undesirable Outcomes X. In this scenario we model the final undesirable outcomes of the attack as loss of credit card data and loss of personally identifiable information, as specified in Table 7. For reasons of space we do not elaborate on the intermediate undesirable outcomes \(x_1\) to \(x_7\) of the individual attack steps; Table 8 gives a brief summary of them.
Attack A. The attacker input \(\alpha \) is modeled with:
- Goal: theft of credit card data X1.
- Access: external attacker, with access to “Web” in N.
- Skills: use of existing tools and malware (no zero-days).
The attack on Target’s corporate network and POS system is thought to consist of 11 steps [3]. We model a simplified 8-step attack, i.e., \(\sigma _1\): Steal credentials of vendor, \(\sigma _2\): Exploit vulnerability on Target web portal, \(\sigma _3\): Steal Domain Admin access token, \(\sigma _4\): Create new Domain Admin account, \(\sigma _5\): Steal PII from database, \(\sigma _6\): Install malware on POS machines, \(\sigma _7\): Aggregate stolen data in network, and \(\sigma _8\): Exfiltrate data via FTP.
The above text constitutes the attack step description input (\(L_\omega \)). In Table 8 we specify the pre-conditions (\(Pre_\sigma \)) and post-conditions (\(Post_\sigma \)) for these attack steps.
Countermeasures C. The credit card industry maintains a set of standards for data protection [20]. In addition to those guidelines—which were followed in this scenario—other countermeasures can potentially detect or prevent similar attacks.
- Multi-factor authentication for the outward-facing vendor portal, and for the Domain Administrators.
- Application whitelisting for the point-of-sale machines and the servers involved in transaction verification.
- Real-time monitoring of user lists and network queries to detect the addition of new user accounts (particularly admin accounts) and potentially identify lateral movement of an attacker within the network.
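The following Python sketch is an added illustration; it is not code from the paper, nor the content of the CISSA XML files [1]. It encodes the scenario elements described above (N, D, A and C; U, O and X reduced to the goal X1) as in-memory structures and runs the two checks a model-based assessment tool would perform on such an input: a consistency check that every \(Map_D\) entry, link endpoint and attack-step device is a vertex of N, and a forward-chaining feasibility check that applies attack steps whose pre-conditions hold and reports whether X1 is reachable with and without each countermeasure. All device names, fact labels, pre/post-conditions and the steps each countermeasure is assumed to prevent are constructed here for illustration; they are not the values in Figure 7 or Tables 5-8.

```python
"""Constructed CISSA-style scenario for the Target case (example only)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


# N: devices V_N and links E_N. K stores, each with T POS terminals behind a
# switch and a BoH server; the BoH servers reach the central payment server.
def build_network(k: int, t: int) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    devices = {"Web", "Bank", "VendorPortal", "WebServer", "DirServer",
               "DBServer", "PaymentServer"}
    links = {("Web", "VendorPortal"), ("VendorPortal", "WebServer"),
             ("WebServer", "DirServer"), ("WebServer", "DBServer"),
             ("WebServer", "PaymentServer"), ("PaymentServer", "Bank")}
    for s in range(1, k + 1):
        switch, boh = f"Switch{s}", f"BoH{s}"
        devices |= {switch, boh}
        links |= {(switch, boh), (boh, "PaymentServer")}
        for p in range(1, t + 1):
            pos = f"POS{s}_{p}"
            devices.add(pos)
            links.add((pos, switch))
    return devices, links


# D: data item identifiers (ID_D) and the devices holding them (Map_D); constructed.
DATA: Dict[str, Set[str]] = {
    "VendorCredentials": {"VendorPortal"},
    "DomainAdminToken": {"DirServer"},
    "CustomerPII": {"DBServer"},
    "CreditCardData": {"POS1_1", "POS1_2", "POS2_1", "POS2_2",
                       "BoH1", "BoH2", "PaymentServer"},
}


# A: attack steps sigma_1..sigma_8 with Pre/Post expressed as sets of facts.
@dataclass(frozen=True)
class Step:
    id: str
    desc: str
    device: str           # device in N on which the step executes
    pre: FrozenSet[str]   # facts the attacker must already hold
    post: FrozenSet[str]  # facts gained when the step succeeds


def facts(*names: str) -> FrozenSet[str]:
    return frozenset(names)


STEPS: List[Step] = [  # pre/post-conditions are constructed, not Table 8's
    Step("s1", "Steal credentials of vendor", "Web",
         facts("access:Web"), facts("has:VendorCredentials")),
    Step("s2", "Exploit vulnerability on Target web portal", "VendorPortal",
         facts("has:VendorCredentials"), facts("foothold:WebServer")),
    Step("s3", "Steal Domain Admin access token", "DirServer",
         facts("foothold:WebServer"), facts("has:DomainAdminToken")),
    Step("s4", "Create new Domain Admin account", "DirServer",
         facts("has:DomainAdminToken"), facts("account:DomainAdmin")),
    Step("s5", "Steal PII from database", "DBServer",
         facts("account:DomainAdmin"), facts("has:CustomerPII")),
    Step("s6", "Install malware on POS machines", "POS1_1",
         facts("account:DomainAdmin"), facts("malware:POS")),
    Step("s7", "Aggregate stolen data in network", "BoH1",
         facts("malware:POS"), facts("has:CreditCardData")),
    Step("s8", "Exfiltrate data via FTP", "WebServer",
         facts("has:CreditCardData"), facts("X1")),
]
ATTACKER_ACCESS = facts("access:Web")  # alpha: external attacker on "Web"
GOAL = "X1"                             # loss of credit card data

# C: each countermeasure mapped to the steps it is assumed to prevent.
# Monitoring of user lists detects s4 but does not prevent it, so it maps to
# no step and the chain stays feasible under it.
PREVENTS: Dict[str, Set[str]] = {
    "MFA on vendor portal": {"s2"},
    "MFA for Domain Administrators": {"s4"},
    "Application whitelisting on POS": {"s6"},
    "Monitoring of user lists": set(),
}


def check_consistency(devices, links, data, steps) -> List[str]:
    """Input validation: every Map_D device, link endpoint and step device
    must be a vertex of N. Returns the problems found (empty = consistent)."""
    problems: List[str] = []
    for name, devs in data.items():
        for d in sorted(devs - devices):
            problems.append(f"data {name} mapped to unknown device {d}")
    for a, b in links:
        for d in (a, b):
            if d not in devices:
                problems.append(f"link ({a}, {b}) uses unknown device {d}")
    for s in steps:
        if s.device not in devices:
            problems.append(f"step {s.id} runs on unknown device {s.device}")
    return problems


def attack_path(steps, start, goal, blocked=frozenset()) -> Optional[List[str]]:
    """Forward chaining: apply any unapplied, unblocked step whose pre-conditions
    hold until the goal is reached or nothing more applies; None if unreachable."""
    held: Set[str] = set(start)
    path: List[str] = []
    progress = True
    while progress and goal not in held:
        progress = False
        for s in steps:
            if s.id in path or s.id in blocked or not s.pre <= held:
                continue
            held |= s.post
            path.append(s.id)
            progress = True
    return path if goal in held else None


def evaluate(steps, start, goal, prevents) -> Dict[str, bool]:
    """True for each countermeasure that, deployed alone, makes the goal unreachable."""
    return {name: attack_path(steps, start, goal, blocked) is None
            for name, blocked in prevents.items()}


if __name__ == "__main__":
    devices, links = build_network(2, 2)
    print("consistency problems:", check_consistency(devices, links, DATA, STEPS))
    print("attack path:", attack_path(STEPS, ATTACKER_ACCESS, GOAL))
    print("chain broken by:", evaluate(STEPS, ATTACKER_ACCESS, GOAL, PREVENTS))
```

Running the script with K = 2 and T = 2 reports no consistency problems, the full eight-step path \(\sigma_1\) to \(\sigma_8\), and that each of the three preventive countermeasures alone breaks the chain while the monitoring control, which only detects, leaves it feasible. Expressing pre- and post-conditions as fact sets is what lets a tool compare scenarios across methodologies: the same fact vocabulary can be consumed by an attack-graph generator, an attack-tree builder, or a BDMP model.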
© 2016 Springer International Publishing AG
Cite this paper
Dong, X. et al. (2016). The Right Tool for the Job: A Case for Common Input Scenarios for Security Assessment. In: Kordy, B., Ekstedt, M., Kim, D. (eds) Graphical Models for Security. GraMSec 2016. Lecture Notes in Computer Science(), vol 9987. Springer, Cham. https://doi.org/10.1007/978-3-319-46263-9_3
DOI: https://doi.org/10.1007/978-3-319-46263-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46262-2
Online ISBN: 978-3-319-46263-9