
Attack Modeling for Information Security and Survivability Presented By Chad Frommeyer.

Date post: 17-Dec-2015
Attack Modeling for Information Security and Survivability

Presented By

Chad Frommeyer

Introduction

• Introduction

• Attack Trees

• Attack Pattern Reuse

• Attack Tree Refinement

• Conclusions

Introduction

• Problem
  – Attack Data not used for improving Design and Implementation
  – Engineers still not learning from the past
  – Need a better way to utilize past attack data

• Solution (Attack Trees/Patterns)

• ACME Enterprise

Attack Trees

• Definition
  – a systematic method to characterize system security based on varying attacks

Attack Trees (Structure/Semantics)

• Root Node

• Tree Nodes
  – Attack Sub-Goals

• AND-Decomposition requires all to succeed

• OR-Decomposition requires one to succeed

AND Decomposition

OR Decomposition

Attack Trees

• Intrusion Scenarios
  – Scenarios that result in achieving the primary goal
  – Generated by traversing the tree in a depth-first manner
  – Intermediate nodes do not appear

• Branch Refinement

• ACME Attack Tree

Attack Trees

• ACME intrusion scenarios
  • <1.1> , <1.2> , <2.1, 2.2, 2.3, 2.4>
  • <3.1> , <3.2>
  • <4.1> , <4.2> , <5.1> , <5.2> , <5.3>
  • <6.1> , <6.2>

Attack Trees

• Refinement of ACME node 5.3

Attack Trees

• ACME intrusion scenarios (Refined)
  • <1, 2.1, 3.1, 4.1, 5.1> , <1, 2.2, 3.1, 4.1, 5.1>
  • <1, 2.3, 3.1, 4.1, 5.1> , <1, 2.1, 3.2, 4.1, 5.1>
  • <1, 2.2, 3.2, 4.1, 5.1> , <1, 2.3, 3.2, 4.1, 5.1>
  • <1, 2.1, 3.1, 4.2, 5.1> , <1, 2.2, 3.1, 4.2, 5.1>
  • <1, 2.3, 3.1, 4.2, 5.1> , <1, 2.1, 3.2, 4.2, 5.1>
  • <1, 2.2, 3.2, 4.2, 5.1> , <1, 2.3, 3.2, 4.2, 5.1>
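
The two ACME scenario lists follow mechanically from the AND/OR semantics and the depth-first traversal described on the earlier slides. The code below is an added example, not part of the original presentation: the tree figures are not in this transcript, so both tree shapes are assumptions reconstructed from the listed scenarios, and the helper names (`leaf`, `AND`, `OR`, `scenarios`, `fmt`) are hypothetical.

```python
from itertools import product

def leaf(label):
    return ("LEAF", label)

def AND(*children):
    return ("AND", children)

def OR(*children):
    return ("OR", children)

def scenarios(node):
    """Depth-first enumeration of intrusion scenarios as tuples of leaf labels.
    Intermediate (AND/OR) nodes never appear in the output."""
    kind, body = node
    if kind == "LEAF":
        return [(body,)]
    per_child = [scenarios(child) for child in body]
    if kind == "OR":
        # One sub-goal is enough, so each child's scenarios stand alone.
        return [s for child in per_child for s in child]
    # AND: every sub-goal must succeed, so take one scenario per child
    # and concatenate them in order.
    return [sum(combo, ()) for combo in product(*per_child)]

def fmt(scenario):
    return "<" + ", ".join(scenario) + ">"

# ASSUMPTION: shapes reconstructed from the scenario lists on the slides.
ACME_TOP = OR(
    OR(leaf("1.1"), leaf("1.2")),
    AND(leaf("2.1"), leaf("2.2"), leaf("2.3"), leaf("2.4")),
    OR(leaf("3.1"), leaf("3.2")),
    OR(leaf("4.1"), leaf("4.2")),
    OR(leaf("5.1"), leaf("5.2"), leaf("5.3")),
    OR(leaf("6.1"), leaf("6.2")),
)
NODE_5_3 = AND(  # refinement of node 5.3
    leaf("1"),
    OR(leaf("2.1"), leaf("2.2"), leaf("2.3")),
    OR(leaf("3.1"), leaf("3.2")),
    OR(leaf("4.1"), leaf("4.2")),
    leaf("5.1"),
)

if __name__ == "__main__":
    for tree in (ACME_TOP, NODE_5_3):
        found = scenarios(tree)
        print(len(found), "scenarios:", " , ".join(fmt(s) for s in found))
```

Each OR under an AND multiplies the scenario count (3 × 2 × 2 = 12 for the refined node), which is why refining a single leaf can expand the set of scenarios a defender has to cover.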

Attack Pattern Reuse

• Definition

• Components of an Attack Pattern

• Pertain to Software and Hardware

• Attack Profiles

Attack Pattern Reuse

• Components of an Attack Pattern
  – Overall Goal
  – Preconditions/Assumptions
  – Attack Steps
  – Post-conditions (true if attack is successful)

Buffer Overflow Attack

Unexpected Operator Attack

Attack Pattern Reuse

• Components of an Attack Profile
  – Common Reference Model
  – Set of Variants
  – Set of Attack Patterns
  – Glossary of terms and phrases

Attack Reference Model

Attack Tree Refinement

• Refinement Process

• Require security expertise

• Attack pattern libraries

Attack Tree Refinement

• Profile/Enterprise Consistency

• Definition: “Consistency”

• Attack Pattern Relevance

• ACME Example
  – Org = ACME
  – Intranet = ACME Internet
  – Firewall = ACME Firewall

Attack Tree Refinement

• Resulting Reference Model

Attack Tree Refinement

• Pattern Application
  – Show relevance to the attack tree goal (relevance)
  – Applying Attack Patterns

Conclusions

• Objective

• Documentation via Attack Trees/Profiles

• Documentation Reuse

• Questions still to answer

• Continued Research

