Validating and restoring defense in depth using attack graphs

We display these metrics (at the individual, family, and overall levels) in interactive visualizations, showing trends for multiple metrics over time.

(project number EPF-14-00341), with George Roelke as MIP Cybersecurity Innovation Area Lead.

The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities.

To more accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack.

Citation Context: ...transitions leading to attack goals [2][3], attacker exploitation steps related by preconditions and postconditions [4][5], intrusion alert sequences [6][7], logical dependencies for attack goals [8][9], or host attack reachability [10][11][12]. Attack graphs have also been implemented with the relational model [13]. We show results for the attack graph tool Cauldron [14] as a baseline of comparison for our much richer model. A comm... Spark [23], which has an in-memory compute model optimized for iterative computation on Apache Hadoop [24] clusters. As input, we build a model of the network environment and events, stored in MongoDB [25]. The result of our iterative analysis is a graph of potential attack steps and associated network events, which we store in a Neo4j graph database. Graph databases represent node adjacency without in...

Citation Context: ...inventory agents, and proxy server logs. For mapping network attack relationships we leverage Apache Spark [23], which has an in-memory compute model optimized for iterative computation on Apache Hadoop [24] clusters. As input, we build a model of the network environment and events, stored in MongoDB [25]. The result of our iterative analysis is a graph of potential attack steps and associated network ev...

Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration.

Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems.
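The likelihood propagation described above, as an added example that is not the paper's or its tool's code: a small constructed attack graph in which an exploit needs all of its preconditions (AND) and alternative exploits for the same privilege combine by noisy-OR (that combination rule and the exploit likelihoods are assumptions, not taken from the page), followed by a what-if recomputation after removing each exploit, which is how a defender checks whether a given fix actually restores defense in depth.

```python
"""Likelihood propagation through a probabilistic attack graph (added example,
not the paper's code). An exploit fires only if all preconditions hold (AND);
a condition holds if any exploit producing it succeeds (noisy-OR). Exploit
likelihoods are constructed stand-ins for CVSS-derived values."""

# name -> (success likelihood, preconditions, postcondition); constructed
EXPLOITS = {
    "web_rce":       (0.9, ["attacker"], "user@web"),
    "web_priv_esc":  (0.6, ["user@web"], "root@web"),
    "db_from_root":  (0.5, ["root@web"], "root@db"),
    "db_weak_creds": (0.3, ["user@web"], "root@db"),
}
INITIAL = {"attacker"}  # conditions the attacker holds before any exploit

def producers(exploits):
    """Index each condition by the exploits whose postcondition it is."""
    index = {}
    for name, (_, _, post) in exploits.items():
        index.setdefault(post, []).append(name)
    return index

def goal_likelihood(goal, exploits=EXPLOITS, initial=INITIAL):
    """Probability that the attacker reaches `goal`, propagated from `initial`."""
    by_post = producers(exploits)

    def p_cond(cond, path):
        if cond in initial:
            return 1.0
        if cond in path:          # cycle guard: a path may not pass through itself
            return 0.0
        p_fail = 1.0
        for name in by_post.get(cond, []):
            p, pres, _ = exploits[name]
            for pre in pres:      # AND over the exploit's preconditions
                p *= p_cond(pre, path | {cond})
            p_fail *= 1.0 - p     # noisy-OR over alternative exploits
        return 1.0 - p_fail
    return p_cond(goal, frozenset())

def residual_risk_if_fixed(goal, exploits=EXPLOITS):
    """Goal likelihood after removing each exploit in turn (ranks candidate fixes)."""
    return {name: goal_likelihood(goal, {k: v for k, v in exploits.items() if k != name})
            for name in exploits}

if __name__ == "__main__":
    print("P(root@db) =", round(goal_likelihood("root@db"), 4))
    for fix, p in sorted(residual_risk_if_fixed("root@db").items(), key=lambda kv: kv[1]):
        print(f"fix {fix:14s} -> P(root@db) = {p:.4f}")
```

Because two independent paths lead to root@db, fixing either one alone only lowers the goal likelihood to 0.27; the ranking shows that the single choke point is the initial web exploit, which is the depth that is actually missing.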


Citation Context: ...ership that is implicit in Cauldron. An advantage of the protection domain abstraction is that the number of edges among machines in a domain is linear in the number of machines rather than quadratic [27]. Our property-graph representation retains this advantage. However, in Cauldron, the implicit domain membership is built into the system, and cannot be changed for cases in which the assumption of fu...


Citation Context: ...rity, developed by MITRE and others, known collectively as Making Security Measurable™ [15]. This includes Common Vulnerabilities and Exposures (CVE)® [16], Common Vulnerability Scoring System (CVSS) [17], Common Weakness Enumeration (CWE)™ [18], Common Platform Enumeration (CPE)™ [19], Common Attack Pattern Enumeration and Classification (CAPEC)™ [20], Cyber Observable eXpression (CybOX)™ language [2...

The attack graphs are computed through topological vulnerability analysis, which considers the interactions of network topology, firewall effects, and host vulnerabilities.

Our metrics are normalized so that metric values can be compared meaningfully across enterprises.
