Research Center for Cyber Intelligence and Information Security (CIS Sapienza)
Risk-based Automated Cyber Defence
Introduction, Preliminary Concepts and PANOPTESEC Case Study
Silvia [email protected]
Cybersecurity (or computer security, or IT security) is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.
• To secure a computer system, it is important to understand its threats, i.e., potential causes of an incident that may result in harm to systems and organization (ISO 27005).
STRIDE Threats Classification
• STRIDE has been proposed by Microsoft:
  – Spoofing of user identity
  – Tampering
  – Repudiation
  – Information disclosure (privacy breach or data leak)
  – Denial of Service (DoS)
  – Elevation of privilege
Risk in critical infrastructures
• IT systems managing control automation in industrial environments are one of the main sources of risk when speaking about critical system failure.
  – E.g. SCADA networks controlling electrical plants, ATC systems, railway networks, etc.
• Historically they have not been designed considering IT attacks.
World Economic Forum (WEF) http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2013.pdf
Technological Risks (figure)
The Nature of an Attacker
• First generation (70's) was inspired by the need for knowledge.
• Second generation (1980-1984) was driven by curiosity plus the hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend.
• The third one (90's) was simply pushed by the eagerness for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, and exchanging info with the underground community.
• Fourth generation (2000-today) is driven by anger and money: often we see subjects with very low know-how who think that being hackers is "cool" and worth bragging about, while they are not interested in hacking and phreaking history, culture and ethics. Here hacking meets politics (cyber-activism) or the criminal world (cybercrime).
Detection vs Tolerance
• Security is generally addressed along two orthogonal axes:
  – Detection and Reaction
    • Mechanisms are in place to continuously monitor, detect and react to misbehaviour (e.g., antivirus, IDSs, etc.)
  – Tolerance
    • Mechanisms are in place to cope with the presence of misbehaving entities (BFT approaches)
Proactive vs Reactive
• When to take countermeasures?
  – On-line (reactive approach): as soon as misbehaviours are detected
  – Off-line (proactive approach): when the system is in a "quiet" state
MAPE Control Loop (Monitor, Analyse, Plan, Execute)
• Decision support cycle:
  – MONITOR for cyber vulnerabilities and incidents
  – ANALYZE cyber risks and impacts
  – PLAN and prioritize mitigation actions
  – EXECUTE mitigation actions
Monitoring Tools
IDS and IPS
Intrusion Detection
Intrusion detection is the process of monitoring the events occurring in a computer system or network and of analysing them for signs of intrusions, defined as attempts to compromise the confidentiality, the integrity, or the availability of a computer system or network, or to bypass its security mechanisms.
• Intrusion Detection Systems (IDSs)
• Intrusion Prevention Systems (IPSs)
IDS Taxonomy (figure)
The General Architecture of an IDS (figure)
Anomaly Detection
Anomaly detection is the problem of finding patterns in data that do not conform to expected behaviour.
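The definition above is abstract; the following is an added example (it is not from the original slides) of the simplest form a monitoring tool gives it: a per-host connection-count series is scored against a sliding baseline, and points that deviate too far from "expected behaviour" are reported. The baseline uses the median and the median absolute deviation (MAD) rather than mean and standard deviation, so that the outliers being hunted do not poison the baseline they are compared against. The input series, the window size and the threshold are all constructed for illustration.

```python
"""Added example: robust (median/MAD) anomaly detection over a count series."""
from statistics import median


def robust_zscores(series, window):
    """Score every point after the first `window` samples against the
    preceding window. Returns a list of (index, value, z)."""
    scores = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        med = median(baseline)
        mad = median(abs(x - med) for x in baseline)
        # 1.4826 * MAD estimates the standard deviation of a normal
        # distribution; the floor avoids division by zero on a flat baseline.
        sigma = max(1.4826 * mad, 1e-9)
        scores.append((i, series[i], (series[i] - med) / sigma))
    return scores


def detect_anomalies(series, window=10, threshold=3.5):
    """Indices of points whose robust z-score exceeds `threshold` in either
    direction (a burst and a sudden silence are both anomalies)."""
    return [i for i, _, z in robust_zscores(series, window) if abs(z) > threshold]


# Constructed sample: outbound connections per minute from one host.
# Minutes 12 and 13 contain a burst (e.g. a scan); minute 20 contains a dip.
CONNECTIONS_PER_MINUTE = [
    20, 22, 19, 21, 20, 23, 18, 21, 20, 22,    # 0-9: quiet baseline
    21, 19, 140, 155, 20, 22, 21, 19, 20, 22,  # 10-19: burst at 12-13
    3, 21, 20, 22, 19,                         # 20-24: dip at 20
]

if __name__ == "__main__":
    for i, value, z in robust_zscores(CONNECTIONS_PER_MINUTE, 10):
        flag = "ANOMALY" if abs(z) > 3.5 else ""
        print(f"minute {i:2d}: {value:4d} connections, z={z:7.2f} {flag}")
```

The burst at minutes 12 and 13 enters the baseline window of the later points, yet the dip at minute 20 is still caught: the median and MAD of a ten-sample window barely move when two samples are extreme, whereas a mean/standard-deviation baseline would have been inflated by the burst and would have missed it.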
Multi-step Attack Detection: SoA Overview
• Signature-based multi-step attack detection techniques can be grouped in the following categories:
  – Classification approaches
    • algorithms that analyse network connections to decide whether they are legitimate or not
    • rule-based classifiers (e.g., decision trees), Bayesian classifiers, Support Vector Machines (SVM), neural networks, k-nearest neighbours
  – Association rule approaches
    • algorithms aiming at discovering relationships between seemingly unrelated data
  – Graph-based approaches
    • algorithms that use attack graphs to discover correlations or causal relationships between alerts
Analysis Tools
Attack Modelling
Vulnerability
• A weakness of an asset or group of assets that can be exploited by one or more threats (ISO 27005)
• A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy (IETF RFC 2828)
• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy (NIST)
• The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved (ENISA)
• …
Vulnerability Classification
• Vulnerabilities may affect a system at different levels:
  – Hardware, Software, Network, Personnel, Organizational…
• The MITRE Corporation maintains a catalogue of publicly disclosed vulnerabilities called Common Vulnerabilities and Exposures (CVE), in which each vulnerability receives a unique identifier (CVE-YYYY-NNNN); the severity of each entry is scored using the Common Vulnerability Scoring System (CVSS).
• NIST collects and makes available scored vulnerabilities through the NVD database (https://nvd.nist.gov/cvss.cfm)
CVSS
• It is a scoring system used to help in prioritizing vulnerabilities' fixing and patching.
• It is composed of three metric groups: Base, Temporal, and Environmental.
CVE Example (figure)
Attack Modelling SoA Overview
• Kill Chain
  – Models phases of an attack rather than steps
  – Not universally accepted and thus its usage is still limited
• Diamond Model
  – Puts the emphasis on the adversary, its capabilities and how they are used in an infrastructure against a victim
  – Not widely used
• Attack Graph
  – Models each single step of an attack in terms of the exploited vulnerability
  – Widely used as basic building block for risk assessment
  – Main issues:
    • The quality of the model depends on the knowledge about network topology and vulnerabilities
    • Scalability
    • Mainly used for offline analysis
Kill Chain Model
• Originally used as a military concept related to the structure of an attack in terms of its phases
• Extended to cyber attacks
Attack Graph-based Multi-Step Attack Detection
• Three main approaches:
  – Attack graphs that maintain background information
    • The attack graph is used as base model and alerts are matched (at runtime) on it to infer suspicious activities
  – Attack graphs without background information
    • Attack graphs are not known a priori but are constructed using information coming from alerts
  – Ontology-based
    • Ontologies are used to provide a formal specification of the concepts and relationships existing between entities within a domain
Attack Graph (AG)
There is no unique syntax. A possible AG representation is:
  – nodes: devices and vulnerabilities
  – edges: relationships as pre-condition and post-condition.
Example of attack graph (figure)
Nodes represent attack actions, identified by device identifier and vulnerabilities, e.g. 4(v1), 11(v5,v22), 3(v14), 13(v34), 8(v3,v4), 7(v9), 7(v15), 10(v32), 11(v4).
Edges represent a dependency link or a causality relationship that exists between attack actions, leading from the entry point to the target.
How to use AG
• An attack graph gives us the possible paths (as far as we know) that can be used to reach a target device.
• In a proactive way it is useful to understand where to apply patches.
• In a reactive way it is useful to understand, given IDS alerts, where an attacker is going.
Planning Reaction/Mitigation and Execution
Risk Management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
• It is a cross-domain discipline but it is possible to identify general steps:
  – Identify and characterize threats
  – Assess the vulnerability of critical assets to specific threats
  – Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  – Identify ways to reduce those risks
  – Prioritize risk reduction measures based on a strategy
Cyber Security Frameworks
• Designed to assess cyber risk awareness
  – FISMA ecosystem
  – ISO 27000 ecosystem
  – SANS 20 (CSC-5)
  – NIST CSF
NIST Framework for Improving Critical Infrastructure Cybersecurity
• Composed of 3 parts:
  – Core
  – Tiers
  – Profiles
NIST Framework for Improving Critical Infrastructure Cybersecurity
Framework Core:
• It is a set of security activities divided in Functions, i.e., Identify, Protect, Detect, Respond, Recover
• Each Function is composed of a set of Categories
• Each Category is divided in Subcategories
Limitation: there is no priority set between actions!
NIST Framework for Improving Critical Infrastructure Cybersecurity (figure)
NIST Framework for Improving Critical Infrastructure Cybersecurity
Profile
• Each Profile is a list of actions selected among Subcategories.
• Useful to identify the current profile and the target profile for a gap analysis.
NIST Framework for Improving Critical Infrastructure Cybersecurity
4 Tiers
• (Partial, Risk Informed, Repeatable, Adaptive)
• Used to provide the organizational view of the cyber risk
From NIST CI Framework to Italian National Framework
• Priority levels
• Maturity levels
  – Defined for each "contextualization"
Chapter 3. Basic concepts
3.1 Framework Core, Profile and Implementation Tier
The National Framework inherits the three fundamental notions of the NIST Framework: Framework Core, Profile and Implementation Tier. Below we give a brief self-contained description of each, referring to the original document [15] for more details.
Framework Core. The core represents the structure of the life cycle of the cyber security management process, from both the technical and the organizational point of view. The core is structured hierarchically into Function, Category and Subcategory. The Functions, which are concurrent and continuous, are: Identify, Protect, Detect, Respond, Recover; they constitute the main themes to be addressed in order to manage cyber risk adequately and strategically. For each Function the Framework then defines Categories and Subcategories, which provide guidance in terms of the specific resources, processes and technologies to be deployed to manage the individual Function. Finally, the structure of the Framework Core includes informative references, which link each Subcategory to a set of known security practices using industry standards (ISO, SP800-53r4, COBIT-5, SANS20 and others). The structure of the NIST Framework Core is shown in Figure 3.1.
Figure 3.1: Structure of the NIST Framework Core (from [15]). Columns: Functions, Categories, Subcategories, Informative References; rows: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.
Below is a brief description of the 5 Functions:
Identify. The Identify Function concerns understanding the business context, the assets that support critical business processes and the associated risks. This understanding allows an organization to define resources and investments in line with its risk management strategy and its business objectives. The Categories within this Function are: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy.
Protect. The Protect Function is associated with implementing the measures aimed at protecting business processes and company assets, regardless of their IT nature. The Categories within this Function are: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
Detect. The Detect Function is associated with defining and carrying out appropriate activities to promptly identify cyber security incidents. The Categories within this Function are: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
Figure: structure of the Italian National Framework Core, which adds Priority Levels and Guidelines to the NIST core. Columns: Functions, Categories, Subcategories, Priority Levels, Informative References, Guidelines; rows: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.
• Framework core
• Profiles
• Implementation tiers
Italian National Framework
• More general than the NIST CI-Framework
  – The contextualizations can provide "specialized" Frameworks useful for specific business sectors and sizes
• At the same time compliant with the NIST CI-Framework
  – Internationally recognized
• Cyber security profiles are more "accurate"
  – thanks to maturity levels
• Nation-wide recognized
  – Can make the supply chain of the whole national economy stronger
  – Provides a common language for cyber security interactions between public and private organizations
Patching
• A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it.
• Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
A Case Study
The PANOPTESEC Project
An Innovative Approach: the PANOPTESEC Project
• The PANOPTESEC consortium will deliver a beyond-state-of-the-art prototype of a cyber defence decision support system, demonstrating a risk-based approach to automated cyber defence that accounts for the dynamic nature of information and communications technologies (ICT) and the constantly evolving capabilities of cyber attackers.
PANOPTESEC Architecture (figure)
The PANOPTESEC Data Flow: Proactive View (figure)
Components: Persistency Manager; Mission Impact Model; Network Dependency Analyser; Reachability Matrix Correlator; Vulnerability Inventory Processor; Network Inventory Processor; Emulation Environment; Attack Graph Generator – Threat Risk Quantifier; Strategic Response Decider; Visualization; Policy Deployer.
The PANOPTESEC Data Flow: Reactive View (figure)
Components: Network Dependency Analyser; Low Level Correlator; Reachability Matrix Correlator; Vulnerability Inventory Processor; Network Inventory Processor; Persistency Manager; Emulation Environment; Attack Graph Generator – Threat Risk Quantifier; HOC Automata-Based Engine; HOC Query-Based Engine; Tactical Response Decider; Visualization; Policy Deployer; Mission Impact Model.
Figure: a stream of LLC notifications (each a src/dest pair such as src:a dest:b, src:a dest:z, src:c dest:e, src:d dest:c) is matched against the attack patterns P1, P2 and P3 (Match P1, Match P2, Match P3); notifications that fit no pattern are marked Unmatched.
{"normalizedAlert_Ident":"20151117_154523.732","ingress":{"interface_Ident":"","address":{"ident":"","netmask":"","address":"192.18.200.210","category":"IPV4","vlan_name":"","vlan_num":-1}},"egress":{"interface_Ident":"","address":{"ident":"","netmask":"","address":"","category":"IPV4","vlan_name":"","vlan_num":-1},"portList":[{"portRange":[{"ip_Protocol":"TCP",
"port":""}]}]},"createTime":{"content":"","timeStamp":"2015-11-1716:00:58"},"aggregationMultiplicity":1,"classification":{"text":"","reference":[{"name":"","origin":"TLS_Not-TLS","meaning":"Notification","url":""}]},"monitored_System_Ident":"Acea_SimEnv","vulnerability_Ident":"CVE-2008-0074\t"}
LLC Alert Filtering
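The normalized alert above is what the Low Level Correlator hands on, and it already shows one of the "inaccurate information" problems discussed later in these slides: its vulnerability_Ident is "CVE-2008-0074\t", with a stray trailing tab, so a naive string comparison against a vulnerability inventory would never match. The following is an added example (not PANOPTESEC code) of the parsing and filtering step: it extracts the fields an attack-graph matcher needs (time, source address, vulnerability), normalises and validates the CVE identifier, and keeps alerts whose vulnerability cannot be resolved aside instead of silently dropping them. The field names follow the JSON above; SAMPLE_ALERT is constructed from that record, and the (device, CVE) inventory used for filtering is an assumed structure, not the project's own.

```python
"""Added example: normalising and filtering LLC alerts of the shape shown above."""
import json
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed from the alert shown above (raw string: the JSON escape \t is
# decoded by json.loads into a real tab at the end of vulnerability_Ident).
SAMPLE_ALERT = r'''{"normalizedAlert_Ident":"20151117_154523.732",
 "ingress":{"interface_Ident":"","address":{"ident":"","netmask":"","address":"192.18.200.210","category":"IPV4","vlan_name":"","vlan_num":-1}},
 "egress":{"interface_Ident":"","address":{"ident":"","netmask":"","address":"","category":"IPV4","vlan_name":"","vlan_num":-1},
           "portList":[{"portRange":[{"ip_Protocol":"TCP","port":""}]}]},
 "createTime":{"content":"","timeStamp":"2015-11-17 16:00:58"},
 "aggregationMultiplicity":1,
 "classification":{"text":"","reference":[{"name":"","origin":"TLS_Not-TLS","meaning":"Notification","url":""}]},
 "monitored_System_Ident":"Acea_SimEnv",
 "vulnerability_Ident":"CVE-2008-0074\t"}'''


def normalise_cve(raw):
    """Strip whitespace, upper-case and validate a CVE identifier.
    Returns None when the label is empty or not a CVE (e.g. a vendor id or a
    different labelling system), so the caller treats it as 'unknown' rather
    than as a failed match."""
    ident = (raw or "").strip().upper()
    return ident if CVE_RE.match(ident) else None


def alert_to_key(alert_json):
    """Reduce one normalized alert to the fields a path matcher works with."""
    alert = json.loads(alert_json)
    refs = alert.get("classification", {}).get("reference", [])
    return {
        "time": alert["createTime"]["timeStamp"],
        "src": alert["ingress"]["address"]["address"] or None,
        "cve": normalise_cve(alert.get("vulnerability_Ident")),
        "origin": refs[0]["origin"] if refs else None,
    }


def filter_alerts(alert_jsons, inventory):
    """Split alerts into those matching a known (device, CVE) pair in the
    inventory and those whose vulnerability could not be resolved.
    Alerts with a valid CVE that is simply not in the inventory are dropped:
    they concern nothing the attack graph knows about."""
    matched, unresolved = [], []
    for raw in alert_jsons:
        key = alert_to_key(raw)
        if key["cve"] is None:
            unresolved.append(key)
        elif (key["src"], key["cve"]) in inventory:
            matched.append(key)
    return matched, unresolved


if __name__ == "__main__":
    # Assumed inventory: the Vulnerability Inventory Processor would supply it.
    inventory = {("192.18.200.210", "CVE-2008-0074")}
    ok, unresolved = filter_alerts([SAMPLE_ALERT], inventory)
    print("matched:", ok)
    print("unresolved:", unresolved)
```

The unresolved list is the important design choice: an alert without a usable vulnerability label still carries a source address and a time, and the "open issues" slide later in the deck is precisely about not losing such alerts when the attack graph is matched.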
Definition of suitable metrics
• Basic intuition:
  – LLC notifications are interpreted as text (i.e., strings)
  – Attack paths are coded as text as well (i.e., sequences of strings)
• We consider (in this version of the component) metrics widely used in the domain of text mining and use them in the context of attack matching
  – Examples: Jaccard similarity, cosine similarity, edit similarity
• Allows to take into account possible errors in the notification order
• Allows to take into account the (possible) inaccuracy in the set of LLC notifications
Metrics Estimation and Instantiated Attack Path Generation
Figure: attack pattern P2 expressed as a SEQ/OR/AND tree (a sequence starting at d, then one of the alternatives a-b, c, g or b-a, then e, then f) and as a graph over the nodes a, b, c, d, e, f, g. Instantiating the tree yields the four path sequences below.

Path sequence   | Filtering result | Similarity metric value
"dc-ce-ef"      | "dc-ce- "        | 0.66
"dg-ge-ef"      | "- - "           | 0
"da-ab-be-ef"   | "-ab- - "        | 0.25
"db-ba-ae-ef"   | "- - - "         | 0
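The following is an added example (not PANOPTESEC code) that ties together the two uses of an attack graph described in the "How to use AG" slide and the similarity table above. It expands the P2 pattern into its instantiated paths, scores each path against the filtered notifications with the Jaccard similarity (reproducing the 0.66 / 0 / 0.25 / 0 column), and uses the same paths proactively to rank which node's vulnerability is worth patching first. Two assumptions are made explicit: the SEQ/OR/AND tree is read with SEQ and AND as ordered conjunctions and OR as a choice (the figure lists a-b and b-a as distinct branches), and the observed notification set is constructed to match the figure (dc, ce and ab matched, plus one unmatched pair).

```python
"""Added example: instantiating attack paths from a SEQ/OR/AND pattern,
matching them against observed notifications, and ranking patch targets."""

# The P2 pattern of the figure, read as: SEQ(d, OR(AND(a,b), c, g, AND(b,a)), e, f).
# This reading (AND = ordered conjunction, OR = choice) is an assumption.
PATTERN_P2 = ("SEQ", "d", ("OR", ("AND", "a", "b"), "c", "g", ("AND", "b", "a")), "e", "f")

# Constructed observation: filtered LLC notifications coded as "xy" for an
# alert from x to y, including one ("az") that belongs to no path.
OBSERVED = ["dc", "ce", "ab", "az"]


def expand(node):
    """All node sequences a pattern tree admits (attack path instantiation)."""
    if isinstance(node, str):
        return [[node]]
    op, children = node[0], node[1:]
    if op == "OR":
        return [seq for child in children for seq in expand(child)]
    if op in ("SEQ", "AND"):
        sequences = [[]]
        for child in children:
            sequences = [s + t for s in sequences for t in expand(child)]
        return sequences
    raise ValueError(f"unknown operator {op!r}")


def to_edge_sequence(nodes):
    """d,c,e,f -> ["dc", "ce", "ef"], the coding used in the table above."""
    return [a + b for a, b in zip(nodes, nodes[1:])]


def attack_paths(pattern=PATTERN_P2):
    return [to_edge_sequence(seq) for seq in expand(pattern)]


def jaccard(path, observed):
    """Jaccard similarity between a path and the notifications that were
    filtered down to that path's steps: |matched| / |path|. Order is ignored,
    which is what makes the metric tolerant to out-of-order notifications."""
    path_set = set(path)
    filtered = set(observed) & path_set
    return len(path_set & filtered) / len(path_set | filtered)


def rank_paths(observed, pattern=PATTERN_P2):
    """Reactive use: paths ordered by similarity with the observed alerts,
    each with the first step on the path not yet seen (where the attacker
    is expected next, or a step the sensors missed)."""
    ranked = []
    for path in attack_paths(pattern):
        missing = [step for step in path if step not in observed]
        ranked.append((round(jaccard(path, observed), 2), "-".join(path),
                       missing[0] if missing else None))
    ranked.sort(key=lambda r: -r[0])   # stable: ties keep instantiation order
    return ranked


def patch_priority(pattern=PATTERN_P2, entry="d", target="f"):
    """Proactive use: intermediate nodes ranked by the number of attack paths
    they lie on; fixing the vulnerability on the top node cuts the most paths."""
    counts = {}
    for seq in expand(pattern):
        for node in set(seq) - {entry, target}:
            counts[node] = counts.get(node, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for sim, path, nxt in rank_paths(OBSERVED):
        print(f"{path:14s} similarity={sim:<5} next expected step={nxt}")
    print("patch priority:", patch_priority())
```

Node e lies on all four paths, so patching it alone disconnects the entry point from the target; the reactive ranking puts "dc-ce-ef" first and names "ef" as the step to watch for. Both results are only as good as the pattern: if the real network has an edge the pattern omits, the "next expected step" is wrong, which is the incompleteness problem raised in the open issues that follow.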
Attack Graph-based Multi-Step Attack Detection: Open Issues
• In the detection process
  – How to manage incomplete information?
    • E.g., the attack graph may not be complete due to scalability reasons
    • E.g., important alerts may be filtered due to the settings of the underlying IDSs/IPSs
  – How to manage inaccurate information?
    • E.g., the exploited vulnerability could be missing in the alert or it can be expressed according to different labelling systems
  – How to manage dynamicity in the network?
    • E.g., the topology or the set of vulnerabilities may change over time
Solving these issues requires finding the best trade-off between:
• accuracy of the detection (in terms of false positives)
• timeliness of the detection
Our Research Directions
• From the detection point of view:
  – Defining attack graph-based detection algorithms that are able to:
    • Cope with missing and inaccurate information
    • Adapt to changes (in the topology and in the vulnerability surface)
    • Improve the detection process (finding a good trade-off between accuracy and timeliness)
• From the attack modelling point of view:
  – Consider mixed models (e.g., Diamond model + attack graph)
  – Attack graph scalability (e.g. adopting a hierarchical approach)
Q&A
Credits
• Thanks to the following colleagues for providing part of the material:
  – Antonella Del Pozzo
  – Riccardo Ghera and Ivano Giancaterina
  – The PANOPTESEC Consortium
  – Luca Montanari