Risk-based Automated Cyber Defence: Introduction, Preliminary Concepts and PANOPTESEC Case Study

Silvia Bonomi, Research Center for Cyber Intelligence and Information Security (CIS Sapienza)

Transcript of a 51-page slide deck (querzoni/corsi_assets/...).

Page 1: Risk-based Automated Cyber Defencequerzoni/corsi_assets/... · Intrusion Detection is the process of monitoringthe events occurring in a computer system or network and of analysing

Research Center for Cyber Intelligence and Information Security, CIS Sapienza

Risk-based Automated Cyber Defence
Introduction, Preliminary Concepts and PANOPTESEC Case Study

Silvia Bonomi, [email protected]

Page 2:

Cybersecurity (or computer security, or IT security) is the protection of information systems from theft of or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.

• To secure a computer system, it is important to understand its threats, i.e., potential causes of an incident that may result in harm to systems and organizations (ISO 27005).

Page 3: STRIDE Threats Classification

• STRIDE has been proposed by Microsoft:
– Spoofing of user identity
– Tampering
– Repudiation
– Information disclosure (privacy breach or data leak)
– Denial of Service (DoS)
– Elevation of privilege

Page 4: Risk in Critical Infrastructures

• IT systems managing control automation in industrial environments are one of the main sources of risk when speaking about critical system failure.
– E.g. SCADA networks controlling electrical plants, ATC systems, railway networks, etc.

• Historically they have not been designed considering IT attacks.

Source: World Economic Forum (WEF), http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2013.pdf

Page 5: Technological Risks (figure only)


Page 7: The Nature of an Attacker

• First generation (70's) was inspired by the need for knowledge.

• Second generation (1980-1984) was driven by curiosity plus the hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking becomes a trend.

• The third one (90's) was simply pushed by the anger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community.

• Fourth generation (2000-today) is driven by anger and money: often we can see subjects with a very low know-how, thinking that it's "cool & bragging" being hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets with politics (cyber-activism) or with the criminal world (cybercrime).

Page 8: Detection vs Tolerance

• Security is generally addressed along two orthogonal axes:
– Detection and Reaction
• Mechanisms are in place to continuously monitor, detect and react to misbehaviour (e.g., antivirus, IDSs, etc.)
– Tolerance
• Mechanisms are in place to cope with the presence of misbehaving entities (BFT approaches)

Page 9: Proactive vs Reactive

• When to take countermeasures?
– On-line (reactive approach): as soon as misbehaviours are detected
– Off-line (proactive approach): when the system is in a "quiet" state

Page 10: MAPE Control Loop

(Figure: the loop Monitor → Analyse → Plan → Execute)

• Decision support cycle
• MONITOR for cyber vulnerabilities and incidents
• ANALYZE cyber risks and impacts
• PLAN and prioritize mitigation actions
• EXECUTE mitigation actions

Page 11: Monitoring Tools: IDS and IPS

Page 12: Intrusion Detection

Intrusion Detection is the process of monitoring the events occurring in a computer system or network and of analysing them for signs of intrusions, defined as attempts to compromise the confidentiality, the integrity, the availability or to bypass the security mechanisms of a computer system or network.

Intrusion Detection Systems (IDSs)
Intrusion Prevention Systems (IPSs)

Page 13: IDS Taxonomy (figure only)

Page 14: The General Architecture of an IDS (figure only)

Page 15: Anomaly Detection

Anomaly detection is the problem of finding patterns in data that do not conform to expected behaviour.
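The definition above, turned into a small statistical detector as an added example (it is not code from the slides). "Expected behaviour" is learnt as the mean and standard deviation of a training window, and each new observation is scored by its z-score against that baseline. The host metric (outbound connections per minute), the sample values and the threshold of 3 standard deviations are constructed assumptions for the illustration.

```python
"""Statistical anomaly detection over constructed per-host connection counts.

Added example, not part of the original slides: a baseline of expected
behaviour is learnt from a training window and each new observation is
scored by how many standard deviations it lies from that baseline. The
counts below are constructed sample data, not measurements from a network.
"""
from statistics import mean, pstdev

# Constructed training window: outbound connections per minute for one host
# during normal operation.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]

# Constructed observations to score: the 4th value is a burst that does not
# conform to the learnt behaviour.
OBSERVED = [14, 13, 15, 90, 12]


def learn_baseline(samples):
    """Return (mean, population std) describing the expected behaviour."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to learn a baseline")
    return mean(samples), pstdev(samples)


def z_score(value, mu, sigma):
    """Distance of value from the baseline in standard deviations.

    A constant baseline (sigma == 0) would make every deviation infinite;
    a small floor keeps the score finite while still flagging any change.
    """
    return (value - mu) / max(sigma, 1e-9)


def detect_anomalies(samples, baseline, threshold=3.0):
    """Return (index, value, z) for every sample whose |z| exceeds threshold."""
    mu, sigma = learn_baseline(baseline)
    hits = []
    for i, v in enumerate(samples):
        z = z_score(v, mu, sigma)
        if abs(z) > threshold:
            hits.append((i, v, round(z, 2)))
    return hits


if __name__ == "__main__":
    for idx, val, z in detect_anomalies(OBSERVED, BASELINE):
        print(f"minute {idx}: {val} connections (z = {z}) -> anomaly")
```

The weak point of this family of detectors is the training window itself: if an intrusion is already under way while the baseline is learnt, its traffic raises the mean and the spread, and the same burst is scored as normal. Baselines should therefore be learnt from data that has been vetted, and re-learnt when the monitored system legitimately changes.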

Page 16: Multi-step Attack Detection SoA Overview

• Signature-based multi-step attack detection techniques can be grouped in the following categories:
– Classification approaches
• algorithms that analyse network connections to understand whether they are legal or not.
• rule-based classifiers (e.g., decision trees), Bayesian classifiers, Support Vector Machines (SVM), neural networks, k-nearest neighbours.
– Association rule approaches
• Algorithms aiming at discovering relationships between seemingly unrelated data
– Graph-based approaches
• Algorithms using attack graphs to discover correlations or causal relationships between alerts

Page 17: Analysis Tools: Attack Modelling

Page 18: Vulnerability

• A weakness of an asset or group of assets that can be exploited by one or more threats (ISO 27005)

• A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy (IETF RFC 2828)

• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy (NIST)

• The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved (ENISA)

• …

Page 19: Vulnerability Classification

• Vulnerabilities may affect a system at different levels:
– Hardware, Software, Network, Personnel, Organizational…

• Mitre Corporation maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures (CVE), where vulnerabilities are classified (scored) using the Common Vulnerability Scoring System (CVSS).

• NIST collects and makes available scored vulnerabilities through the NVD database (https://nvd.nist.gov/cvss.cfm)

Page 20: CVSS

• It is a scoring system used to help in prioritizing vulnerabilities' fixing and patching

• It is composed of three metric groups: Base, Temporal, and Environmental

Page 21: CVE Example (figure only)

Page 22: Attack Modelling SoA Overview

• Kill Chain
– Models phases of an attack rather than steps
– Not universally accepted and thus its usage is still limited

• Diamond Model
– Puts the emphasis on the adversary, its capabilities and how they are used in an infrastructure against a victim
– Not widely used

• Attack Graph
– Models each single step of an attack in terms of exploited vulnerability
– Widely used as basic building block for risk assessment
– Main issues:
• The quality of the model depends on the knowledge about network topology and vulnerabilities
• Scalability
• Mainly used for offline analysis

Page 23: Kill Chain Model

• Originally used as a military concept related to the structure of an attack in terms of its phases
• Extended to cyber attacks

Page 24: Attack Graph-based Multi-Step Attack Detection

• Three main approaches:
– Attack graphs that maintain background information
• The attack graph is used as base model and alerts are matched (at runtime) on it to infer suspicious activities
– Attack graphs without background information
• Attack graphs are not known but they are constructed using information coming from alerts
– Ontology-based
• Ontologies are used to provide a formal specification of the concepts and relationships existing between entities within a domain

Page 25: Attack Graph (AG)

There is no unique syntax. A possible AG representation is:
– nodes: devices and vulnerabilities
– edges: relationships as pre-condition and post-condition.

Page 26: Example of attack graph

(Figure: nodes labelled 4(v1), 11(v4), 11(v5,v22), 3(v14), 13(v34), 8(v3,v4), 7(v9), 7(v15), 10(v32); one node is marked as Entry point and one as Target.)

Nodes represent attack actions (identified by device identifier and vulnerabilities). Edges represent that a dependency link or a causality relationship exists between attack actions.

Page 27: How to use an AG

• An attack graph gives us the possible paths (as far as we know) that can be used to reach a target device.

• In a proactive way it is useful to understand where to apply patches.

• In a reactive way it is useful to try to understand, given IDS alerts, where an attacker is going to.
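The proactive and reactive uses above, worked through on a small graph, as an added example that is not part of the slides or of PANOPTESEC. The graph follows the representation of the preceding slides (nodes are attack actions labelled "device(vulnerability)", a directed edge means the source action is a pre-condition of the target one), but its nodes, edges, entry point, target and the alert sequences are constructed assumptions, not the figure's actual graph.

```python
"""Using an attack graph proactively (where to patch) and reactively
(where is the attacker going).

Added example, not code from the slides or from PANOPTESEC. GRAPH is a
constructed attack graph in the slides' own representation: nodes are
attack actions "device(vulnerability)", a directed edge means the source
action is a pre-condition of the target action.
"""
from collections import Counter

# Constructed attack graph as an adjacency list. "entry" is the attacker's
# starting point, "13(v34)" the target device.
GRAPH = {
    "entry": ["4(v1)", "3(v14)"],
    "4(v1)": ["11(v4)", "8(v3,v4)"],
    "3(v14)": ["8(v3,v4)"],
    "11(v4)": ["7(v9)"],
    "8(v3,v4)": ["7(v9)", "10(v32)"],
    "7(v9)": ["13(v34)"],
    "10(v32)": ["13(v34)"],
    "13(v34)": [],
}


def all_paths(graph, src, dst):
    """Depth-first enumeration of every simple path from src to dst."""
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only: no cycles
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def patch_priority(paths, entry, target):
    """Proactive use: rank intermediate nodes by the number of attack paths
    that traverse them. Patching the top node removes the most paths."""
    counts = Counter(n for p in paths for n in p if n not in (entry, target))
    return counts.most_common()


def after_patching(graph, node):
    """Graph with the patched node (and the edges into it) removed, to check
    how many paths to the target survive the fix."""
    return {n: [m for m in succ if m != node]
            for n, succ in graph.items() if n != node}


def consistent_paths(paths, alerts):
    """Reactive use: paths whose first steps match the alert sequence."""
    return [p for p in paths if p[1:1 + len(alerts)] == list(alerts)]


def predicted_next_steps(paths, alerts):
    """Nodes that could follow the last observed alert on a consistent path."""
    steps = set()
    for p in consistent_paths(paths, alerts):
        if len(p) > len(alerts) + 1:
            steps.add(p[len(alerts) + 1])
    return sorted(steps)


if __name__ == "__main__":
    paths = all_paths(GRAPH, "entry", "13(v34)")
    print(len(paths), "paths to the target")
    print("patch first:", patch_priority(paths, "entry", "13(v34)")[0])
    patched = after_patching(GRAPH, "8(v3,v4)")
    print(len(all_paths(patched, "entry", "13(v34)")), "paths after patching")
    # Constructed alert sequence: the IDS reported v1 and then v3/v4.
    print("next:", predicted_next_steps(paths, ["4(v1)", "8(v3,v4)"]))
```

The reactive half matches alerts as an exact prefix of a path, so a single alert dropped by an IDS (or one whose vulnerability label does not match the graph's) makes every path inconsistent; that is the incomplete and inaccurate information problem the deck raises under open issues, and the reason the PANOPTESEC correlator scores paths by similarity rather than by exact match.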

Page 28: Planning Reaction/Mitigation and Execution

Page 29: Risk Management

Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

• It is a cross-domain discipline but it is possible to identify general steps:
– Identify and characterize threats
– Assess the vulnerability of critical assets to specific threats
– Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
– Identify ways to reduce those risks
– Prioritize risk reduction measures based on a strategy

Page 30: Cyber Security Frameworks

• Designed to assess cyber risk awareness
– FISMA Ecosystem
– ISO 27000 Ecosystem
– SANS 20 (CSC-5)
– NIST CSF

Page 31: NIST Framework for Improving Critical Infrastructure Cybersecurity

• Composed of 3 parts:
– Core
– Tiers
– Profiles

Page 32: NIST Framework for Improving Critical Infrastructure Cybersecurity

Framework Core:
• It is a set of security activities divided in Functions:
• i.e., Identify, Protect, Detect, Respond, Recover
• Each Function is composed of a set of Categories
• Each Category is divided in subcategories

Limitation: there is no priority set between actions!

Page 33: NIST Framework for Improving Critical Infrastructure Cybersecurity (figure only)

Page 34: NIST Framework for Improving Critical Infrastructure Cybersecurity

Profile
• Each profile is a list of actions selected among subcategories.
• Useful to identify the current profile and the target profile for a gap analysis

Page 35: NIST Framework for Improving Critical Infrastructure Cybersecurity

4 Tiers
• (Partial, Risk Informed, Repeatable, Adaptive)
• Used to provide the organizational view of the cyber risk

Page 36: From NIST CI Framework to Italian National Framework

• Priority levels
• Maturity levels
– Defined for each "contextualization"

Chapter 3. Basic concepts

3.1 Framework Core, Profile and Implementation Tier

The National Framework inherits the three fundamental notions of the NIST Framework: Framework Core, Profile and Implementation Tier. Below we give a brief self-contained description of them, referring to the original document [15] for further details.

Framework Core. The core represents the structure of the life cycle of the cyber security management process, from both the technical and the organizational point of view. The core is structured hierarchically into Function, Category and Subcategory. The Functions, which are concurrent and continuous, are: Identify, Protect, Detect, Respond, Recover; they constitute the main topics to be addressed in order to manage cyber risk adequately and strategically. For each Function, the Framework therefore defines Categories and Subcategories, which provide guidance in terms of the specific resources, processes and technologies to be deployed to manage the individual Function. Finally, the structure of the Framework Core includes informative references, which link each Subcategory to a set of known security practices using industry standards (ISO, SP800-53r4, COBIT-5, SANS20 and others). The structure of the NIST Framework Core is shown in Figure 3.1.

Figure 3.1: Structure of the NIST Framework Core (from [15]). Columns: Functions, Categories, Subcategories, Informative References; rows: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.

A brief description of the 5 Functions follows:

Identify. The Identify Function concerns understanding the business context, the assets that support critical business processes and the associated risks. This understanding allows an organization to define resources and investments in line with its risk management strategy and business objectives. The Categories within this Function are: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy.

Protect. The Protect Function is associated with implementing the measures aimed at protecting business processes and company assets, regardless of whether they are IT assets or not. The Categories within this Function are: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect. The Detect Function is associated with defining and carrying out appropriate activities to promptly identify cyber security incidents. The Categories within this Function are: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

(Figure: structure of the Italian National Framework core. Columns: Functions, Categories, Subcategories, Priority Levels, Informative References, Guide Lines; rows: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.)

• Framework core
• Profiles
• Implementation tiers

Page 37: Italian National Framework

• More general than the NIST CI-Framework
– The contextualizations can provide "specialized" Frameworks useful for specific business sectors and sizes

• At the same time compliant with the NIST CI-Framework
– Internationally recognized

• Cyber Security profiles are more "accurate"
– thanks to maturity levels

• Nation-wide recognized
– Can make the supply chain of the whole national economy stronger
– Provides a common language for cyber security interactions between public and private organizations

Page 38: Patching

• A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it.

• Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.

Page 39: A Case Study: The PANOPTESEC Project

Page 40: An Innovative Approach: the PANOPTESEC Project

• The PANOPTESEC consortium will deliver a beyond-state-of-the-art prototype of a cyber defence decision support system, demonstrating a risk based approach to automated cyber defence that accounts for the dynamic nature of information and communications technologies (ICT) and the constantly evolving capabilities of cyber attackers.

Page 41: PANOPTESEC Architecture (figure only)

Page 42: The PANOPTESEC Data Flow: Proactive View

(Figure: components of the proactive data flow)
– Persistency Manager
– Mission Impact Model
– Network Dependency Analyser
– Reachability Matrix Correlator
– Vulnerability Inventory Processor
– Network Inventory Processor
– Emulation Environment
– Attack Graph Generator – Threat Risk Quantifier
– Strategic Response Decider
– Visualization
– Policy Deployer

Page 43: The PANOPTESEC Data Flow: Reactive View

(Figure: components of the reactive data flow)
– Network Dependency Analyser
– Low Level Correlator
– Reachability Matrix Correlator
– Vulnerability Inventory Processor
– Network Inventory Processor
– Persistency Manager
– Emulation Environment
– Attack Graph Generator – Threat Risk Quantifier
– HOC Automata-Based Engine
– HOC Query-Based Engine
– Tactical Response Decider
– Visualization
– Policy Deployer
– Mission Impact Model


Page 45: LLC Alert Filtering

(Figure: three attack paths P1, P2 and P3 over nodes a to h. The stream of LLC notifications, src:a dest:b (4 times), src:a dest:z (2 times), src:c dest:e (2 times) and src:d dest:c (2 times), is matched against the paths; each notification is labelled Match P1, Match P2, Match P3 or Unmatched.)

Normalized alert shown on the slide:

{"normalizedAlert_Ident": "20151117_154523.732",
 "ingress": {"interface_Ident": "", "address": {"ident": "", "netmask": "", "address": "192.18.200.210", "category": "IPV4", "vlan_name": "", "vlan_num": -1}},
 "egress": {"interface_Ident": "", "address": {"ident": "", "netmask": "", "address": "", "category": "IPV4", "vlan_name": "", "vlan_num": -1}, "portList": [{"portRange": [{"ip_Protocol": "TCP", "port": ""}]}]},
 "createTime": {"content": "", "timeStamp": "2015-11-17 16:00:58"},
 "aggregationMultiplicity": 1,
 "classification": {"text": "", "reference": [{"name": "", "origin": "TLS_Not-TLS", "meaning": "Notification", "url": ""}]},
 "monitored_System_Ident": "Acea_SimEnv",
 "vulnerability_Ident": "CVE-2008-0074\t"}

Page 46: Definition of suitable metrics

• Basic intuition:
– LLC Notifications are interpreted as text (i.e., strings)
– Attack Paths are coded as text as well (i.e., sequences of strings)

• We consider (in this version of the component) metrics widely used in the domain of text mining and use them in the context of attack matching
– Examples: Jaccard Similarity, Cosine Similarity, Edit Similarity

• Allows to take into account possible errors in the notification order
• Allows to take into account the (possible) inaccuracy in the set of LLC Notifications

Page 47: Metrics Estimation and Instantiated Attack Path Generation

(Figure: the attack path P2 expressed as a tree of SEQ, OR and AND nodes over the steps d, a, b, c, g, e, f, next to the matched portion of P2 from the previous slide.)

Path sequences   Filtering result   Similarity metric value
"dc-ce-ef"       "dc-ce- "          0.66
"dg-ge-ef"       "- - "             0
"da-ab-be-ef"    "-ab- - "          0.25
"db-ba-ae-ef"    "- - - "           0
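The matching described on the two preceding slides (notifications and attack paths coded as text, scored with text-mining similarity metrics), as an added example; this is not the PANOPTESEC correlator's own code. It uses the notification stream and the P2 path sequences drawn on the slides, reduces each notification to the token "<src><dest>", and reproduces the table's values with a matched-step ratio (matched steps divided by path length); Jaccard, cosine and edit similarity are the alternatives the slide names, and which metric the component really used is an assumption here. Node letters are the slide's abstract ones, not real hosts.

```python
"""Matching LLC notifications against coded attack paths with text metrics.

Added example, not the PANOPTESEC component's code. An attack path is a
string of steps ("dc-ce-ef" = d->c, c->e, e->f) and every low level
correlator (LLC) notification is reduced to the token "<src><dest>". The
matched-step ratio reproduces the similarity values of the slide's table
for P2; Jaccard, cosine and edit similarity are given for comparison.
The notification stream is the constructed one drawn on the slide.
"""
import math
from collections import Counter

# Constructed LLC notification stream (src, dest) as drawn on the slide.
NOTIFICATIONS = ([("a", "b")] * 4 + [("a", "z")] * 2
                 + [("c", "e")] * 2 + [("d", "c")] * 2)

# The four attack path sequences of P2, coded as text on the slide.
P2_PATHS = ["dc-ce-ef", "dg-ge-ef", "da-ab-be-ef", "db-ba-ae-ef"]


def path_steps(path):
    return path.split("-")


def notification_tokens(notifications):
    """Set of step tokens seen in the stream (order and repeats dropped)."""
    return {src + dst for src, dst in notifications}


def filter_path(path, tokens):
    """The slide's 'filtering result': keep a step if it was notified,
    leave a gap otherwise."""
    return "-".join(s if s in tokens else "" for s in path_steps(path))


def matched_ratio(path, tokens):
    """Fraction of the path's steps that were notified: 2 of 3 -> 0.66,
    1 of 4 -> 0.25, as in the slide's table."""
    steps = path_steps(path)
    return sum(1 for s in steps if s in tokens) / len(steps)


def jaccard(path, tokens):
    """|path & notified| / |path | notified|: also penalizes notifications
    the path does not explain."""
    steps = set(path_steps(path))
    return len(steps & tokens) / len(steps | tokens)


def cosine(path, tokens):
    """Cosine similarity of the two step-count vectors."""
    a, b = Counter(path_steps(path)), Counter(tokens)
    dot = sum(a[k] * b[k] for k in a)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(len(b))
    return dot / norm


def edit_similarity(path, observed_steps):
    """1 - normalized Levenshtein distance between the path's step sequence
    and the ordered notified steps; unlike the set metrics it notices
    steps reported out of order."""
    a, b = path_steps(path), list(observed_steps)
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return 1 - prev[-1] / max(len(a), len(b), 1)


def rank_paths(paths, notifications, metric=matched_ratio):
    """(path, filtering result, score) for each path, best match first."""
    tokens = notification_tokens(notifications)
    scored = [(p, filter_path(p, tokens), metric(p, tokens)) for p in paths]
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for path, filtered, score in rank_paths(P2_PATHS, NOTIFICATIONS):
        print(f'"{path}"  "{filtered}"  {score:.2f}')
```

The set-based metrics are what make the approach tolerant to the two inaccuracies the slide lists: a notification that arrives out of order still counts, and a missing one only lowers the score instead of discarding the path. The price is that a single token shared with unrelated traffic (here "ab") gives an unrelated path a non-zero score, so the threshold above which a path is reported as an instantiated attack decides the false-positive rate.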

Page 48: Attack Graph-based Multi-Step Attack Detection: Open Issues

• In the detection process
– How to manage incomplete information?
• E.g., the attack graph may be not complete due to scalability reasons
• E.g., important alerts may be filtered due to the settings of the underlying IDSs/IPSs
– How to manage inaccurate information?
• E.g., the exploited vulnerability could be missing in the alert or it can be expressed according to different labelling systems
– How to manage dynamicity in the network?
• E.g., the topology or the set of vulnerabilities may change over time

Solving these issues requires finding the best trade-off between:
• accuracy of the detection (in terms of false positives)
• timeliness of the detection

Page 49: Our Research Directions

• From the detection point of view:
– Defining attack graph-based detection algorithms that are able to:
• Cope with missing and inaccurate information
• Adapt to changes (in the topology and in the vulnerability surface)
• Improve the detection process (finding a good trade-off between accuracy and timeliness)

• From the attack modelling point of view:
– Consider mixed models (e.g., Diamond model + attack graph)
– Attack graph scalability (e.g. adopting a hierarchical approach)

Page 50: Q&A

Page 51: Credits

• Thanks to the following colleagues for providing part of the material:
– Antonella Del Pozzo
– Riccardo Ghera and Ivano Giancaterina
– The PANOPTESEC Consortium
– Luca Montanari