A HOLISTIC APPROACH TO EVALUATE CYBER THREAT
Márcio Conte Monteiro (ICEA), Thalysson Sarmento (ICEA), Alexandre Barreto (ICEA), Paulo Costa (GMU)
Agenda
11/15/2016, Semantic Technology for Intelligence, Defense, and Security (STIDS 2016)
• Motivation
• Background
• The Proposed Metric
• Results
• Final Remarks
Bottom Line Up Front!
• Several vulnerability databases and standards are currently available for infrastructure security assessment
• Their focus is on specifics, and they mostly fail to support holistic analyses
• We address this gap by proposing an ontology-supported holistic approach for evaluating infrastructure security that leverages:
  - Current security standards and databases
  - Human factors, to build a broader and interconnected view
Common Vulnerabilities and Exposures
• CVE is a standard for cataloging vulnerabilities of computer systems (ITU-T standard)
• The de facto standard to report and communicate software vulnerabilities between organizations and entities
• Heavily used by automatic security assessment tools (e.g., Nessus and OpenVAS)
CVE Attributes
• CVE identifier
• Vulnerability type (e.g., buffer overflow)
• Vendor
• List of vulnerable products
• Attack type (e.g., remote)
• Impact (e.g., code execution, DoS, information disclosure)
Case in Point
Although those standards are very efficient in cataloging and prioritizing software vulnerabilities, system administrators are usually interested in knowing how vulnerable their network is as a whole, not only how vulnerable each individual host is.
Common Vulnerability Scoring System
• CVSS is a framework for further describing software vulnerabilities, as well as providing a quantitative assessment
• Built on top of CVE
• Scores the vulnerabilities with respect to their severity, impact and exploitability
• One of the most important CVSS databases is hosted and managed by the National Vulnerability Database (NVD), which provides the scores for most known vulnerabilities.
CVSS Metric Groups
• Base: represents the intrinsic qualities of a vulnerability
• Temporal: reflects the features that change over time
• Environmental: represents features that are unique to the user's environment
CVSS Attributes
• Attack vector
• Attack complexity
• Privileges required
• User interaction
• Scope
• Confidentiality impact
• Integrity impact
• Availability impact

Derived from these attributes:
• Impact Score
• Exploitability Score
Human Factors
• Play an important role in the overall security of a network
• Users can be used as attack vectors
• We propose to rate users in a CVSS-like fashion:
  - Impact score
  - Exploitability score
The Proposed Metric
Dimensions captured by the ontology:
• WHAT (Activity)
• WHY (Goal and Desired Effect)
• HOW (Resource and Guidance)
• WHO (Performer)
• WHERE (Location)
• WHEN (Timestamp and Event)
Sample Network
Step #1: Complete Inventory
• Obtain a complete and detailed asset inventory of your target network
Step #1: Complete Inventory (cont.)
• (1): Apache/2.4.7 (Ubuntu)
• (2): pfSense 2.3.2-p1 RELEASE
• (3): Cisco Nexus 7700 Sup. 2E
• (4-6): Win. 7 Home Basic (SP1)
• (7): Internet
• (8): Employee #1
• (9): Employee #2
• (10): System administrator
Step #2: Communications
• Map the communication between assets, including the users.
Step #2: Communications (cont.)
Communication matrix automatically built via a SPARQL query against the ontology.
Step #2: Communications (cont.)
• There are different approaches for building such a graph and defining the underlying metrics
• Ontologies and semantic techniques can be used to refine the interdependencies between the nodes, assets, and users.
Step #3: Vulnerabilities Assessment
• Obtain CVE and CVSS for all hosts
• Estimate users' "CVSS-like" metric (not discussed in this work)
Step #3: Vulnerabilities Assessment (cont.)
• Example for a host
• CVE #1:
  - CVSS: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H"
• CVE #2: ...

The CVE #1 vector decoded:
  Version:                 3.0
  Attack vector:           network
  Attack complexity:       low
  Privileges required:     low
  User interaction:        required
  Scope:                   changed
  Confidentiality impact:  low
  Integrity impact:        low
  Availability impact:     high
Step #4: Calculating Scores
• Based on CVSS, calculate the impact score and exploitability score.
• For hosts and systems, use the standard metric
• For users, it must be defined (not discussed in this work).
Step #4: Calculating Scores (cont.)

CVE            CVSS                                          Impact Score   Exploitability Score
CVE-2014-0160  CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H  5.3            2.3
Step #5: Computing the proposed metric
• Step 5.1: Assemble the P matrix
• Step 5.2: Compute the convex hull
• Step 5.3: Compute the area of the convex hull
Step #5.1: Assemble the P matrix
• Organize all scores (from all assets) in matrix form:

                     Impact Score   Exploitability Score
  Vulnerability #1   ...            ...
  ...
  Vulnerability #N   ...            ...
  Lower boundaries   ...            ...
Steps #5.2 and #5.3: Convex Hull
• Quickhull algorithm: computes the convex hull of a finite set of points in the plane using a divide-and-conquer approach.
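Steps 5.1 to 5.3 carried through in code, as an added example that is not from the slides or the authors' implementation. It assembles the P matrix from (impact, exploitability) pairs, runs a Quickhull implementation written for this example, and returns the hull's area via the shoelace formula. Two assumptions are the example's own: the "lower boundaries" row is taken to be the origin (0, 0), the lowest score a vulnerability can have on both axes, and the two P matrices (one for a highly insecure network, one for a more secure one) are constructed sample data, not the networks on the slides.

```python
"""Added example: P matrix -> Quickhull convex hull -> hull area."""

# Assumption: the "lower boundaries" row of the P matrix is the origin.
LOWER_BOUNDARY = (0.0, 0.0)

# Constructed sample P matrices: rows are (impact score, exploitability score).
INSECURE = [(5.3, 2.3), (3.6, 3.9), (1.4, 2.8), (5.9, 3.9), (6.0, 1.2)]
MORE_SECURE = [(1.4, 1.2), (2.5, 1.8), (3.6, 0.7)]


def _cross(o, a, b):
    """z-component of (a - o) x (b - o); > 0 when b lies to the left of line o->a."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def _hull_side(a, b, pts):
    """Quickhull recursion: hull vertices among pts (all strictly left of a->b), ordered from a to b."""
    if not pts:
        return []
    far = max(pts, key=lambda p: _cross(a, b, p))      # point farthest from segment a->b
    # Points inside the triangle (a, far, b) can never be hull vertices and are dropped.
    left_of_af = [p for p in pts if _cross(a, far, p) > 0]
    left_of_fb = [p for p in pts if _cross(far, b, p) > 0]
    return _hull_side(a, far, left_of_af) + [far] + _hull_side(far, b, left_of_fb)


def quickhull(points):
    """Convex hull of a finite point set, vertices in boundary order (divide and conquer)."""
    pts = sorted(set(points))                   # dedupe; lexicographic order gives the extremes
    if len(pts) < 3:
        return pts                              # a point or segment is its own hull
    a, b = pts[0], pts[-1]                      # leftmost / rightmost points split the set
    left = [p for p in pts if _cross(a, b, p) > 0]
    right = [p for p in pts if _cross(a, b, p) < 0]
    return [a] + _hull_side(a, b, left) + [b] + _hull_side(b, a, right)


def polygon_area(vertices):
    """Shoelace formula over vertices given in boundary order; degenerate hulls have area 0."""
    n = len(vertices)
    if n < 3:
        return 0.0
    total = 0.0
    for i in range(n):
        x1, y1 = vertices[i]
        x2, y2 = vertices[(i + 1) % n]
        total += x1 * y2 - x2 * y1
    return abs(total) / 2.0


def network_metric(p_matrix):
    """Steps 5.1-5.3: add the lower boundary, hull the P matrix, return (hull, area)."""
    hull = quickhull(list(p_matrix) + [LOWER_BOUNDARY])
    return hull, polygon_area(hull)


if __name__ == "__main__":
    for name, pm in (("highly insecure", INSECURE), ("more secure", MORE_SECURE)):
        hull, area = network_metric(pm)
        print(f"{name:16s} hull={hull} area={area:.3f}")
```

The area only grows when a new vulnerability lands outside the current hull, so a host with many medium-scored CVEs inside an already large hull adds nothing to the metric, whereas one high-impact, high-exploitability finding enlarges it. A network whose points are all collinear with the origin gets a hull of two vertices and an area of zero, which the area function handles rather than dividing by a degenerate polygon.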
Highly Insecure Network
[Figure: scatter of the P matrix for the highly insecure network with its convex hull and the hull area]
More Secure Network
[Figure: scatter of the P matrix for the more secure network with its convex hull and the hull area]
Final Remarks
• Presented an ontology-based approach for analyzing the vulnerability of a network
• Multiple-criteria analysis
• Admits modeling of human factors in a CVSS-like metric
Thanks for your Attention