Security Risk Analysis of Computer Networks: Techniques and Challenges - PowerPoint PPT Presentation

About This Presentation
Title:

Security Risk Analysis of Computer Networks: Techniques and Challenges

Description:

How much security does a new configuration provide? ... What is ? Stands for Common Vulnerability Scoring System ... Blocking ftp traffic, p=0.0072 ... – PowerPoint PPT presentation

Number of Views:205
Avg rating:3.0/5.0
Slides: 29
Provided by: lingy
Learn more at: http://www.sigsac.org
Transcript and Presenter's Notes

1
Security Risk Analysis of Computer Networks
Techniques and Challenges
  • Anoop Singhal
  • Computer Security Division
  • National Institute of Standards and Technology
  • Simon Ou
  • Dept. of Computer and Information Science
  • Kansas State University

2
Outline
  • Basics of Network Security Risk Analysis
  • Threats to Networks
  • Common Vulnerability Scoring System (CVSS)
  • Attack Graphs, Bayesian Networks and Tools for
    generating Attack Graphs
  • Quantifying Security Risk using attack graphs and
    CVSS
  • Conclusions

3
Enterprise Network Security Management
  • Networks are getting large and complex
  • Vulnerabilities in software are constantly
    discovered
  • Network Security Management is a challenging
    task
  • Even a small network can have numerous attack
    paths

4
Trends for Published Vulnerabilities
  (chart only; not captured in the transcript)

5
Enterprise Network Security Management
  • Currently, security management is more of an art
    than a science
  • System administrators operate by instinct and
    learned experience
  • There is no objective way of measuring the
    security risk in a network
  • If I change this network configuration setting
    will my network become more or less secure?

6
Challenges in Security Metrics
  • Typical issues addressed in the literature
  • How can a database server be secured from
    intruders?
  • How do I stop an ongoing intrusion?
  • Notice that they all have a qualitative nature
  • Better questions to ask
  • How secure is the database server in a given
    network configuration?
  • How much security does a new configuration
    provide?
  • How can I plan security investments so that they
    provide a certain amount of security?
  • For this we need a system security modeling and
    analysis tool

7
Challenges in Security Metrics
  • Metrics for individual vulnerabilities exist
  • Impact, exploitability, temporal, environmental,
    etc.
  • E.g., the Common Vulnerability Scoring System
    (CVSS) v2 released on June 20, 2007 [1]
  • However, how do we compose individual measures into
    the overall security of a network?
  • Our work focuses on this issue

1. Common Vulnerability Scoring System (CVSS-SIG)
v2, http://www.first.org/cvss/
8
Challenges in Security Metrics
  • Counting the number of vulnerabilities is not
    enough
  • Vulnerabilities have different importance
  • The scoring of a vulnerability is a challenge
  • Context of the Application
  • Configuration of the Application
  • How to compose vulnerabilities for the overall
    security of a network system

9
What is an Attack Graph?
  • A model for
  • How an attacker can combine vulnerabilities to
    stage an attack such as a data breach
  • Dependencies among vulnerabilities

10
Attack Graph Example
  (figure only; not captured in the transcript)

11
Different Paths for the Attack
  • sshd_bof(0,1) -> ftp_rhosts(1,2) -> rsh(1,2) ->
    local_bof(2)
  • ftp_rhosts(0,1) -> rsh(0,1) -> ftp_rhosts(1,2) ->
    rsh(1,2) -> local_bof(2)
  • ftp_rhosts(0,2) -> rsh(0,2) -> local_bof(2)

12
Attack Graph from machine 0 to DB Server
  (figure only; not captured in the transcript)

13

What is CVSS?
  • Stands for Common Vulnerability Scoring System
  • An open framework for communicating
    characteristics and impacts of IT vulnerabilities
  • Consists of three metric groups: Base, Temporal, and
    Environmental

14
CVSS (Contd)
  • Base metrics: constant over time and across user
    environments
  • Temporal metrics: change over time but are constant
    across user environments
  • Environmental metrics: unique to the user's
    environment

15
CVSS (Contd)
  • CVSS metric groups
  • Each metric group has sub-metrics
  • Each metric group has a score associated with it
  • Scores are in the range 0 to 10

16
Access Vector
  • This metric measures how the vulnerability is
    exploited.
  • Local
  • Adjacent Network
  • Network

17
Access Complexity
  • This metric measures the complexity of the attack
    required to exploit the vulnerability
  • High: specialized access conditions exist
  • Medium: the access conditions are somewhat
    specialized
  • Low: specialized access conditions do not exist

18
Authentication
  • This metric measures the number of times an
    attacker must authenticate to a target to exploit
    a vulnerability
  • Multiple: the attacker needs to authenticate two
    or more times
  • Single: one instance of authentication is
    required
  • None: no authentication is required

19
Confidentiality Impact
  • This metric measures the impact on
    confidentiality due to the exploit.
  • None: no impact
  • Partial: there is considerable information
    disclosure
  • Complete: there is total information disclosure
  • Similar values apply to the Integrity Impact and
    Availability Impact metrics

20
Base Score
  • Base Score = Function(Impact, Exploitability)
  • Impact = 10.41 × (1 − (1 − ConImp)(1 − IntImp)(1 − AvailImp))
  • Exploitability = 20 × AccessVector × AccessComplexity ×
    Authentication

21
Base Score Example: CVE-2002-0392
  • Apache Chunked Encoding Memory Corruption
  • BASE METRIC            EVALUATION   SCORE
  • Access Vector          Network      (1.00)
  • Access Complexity      Low          (0.71)
  • Authentication         None         (0.704)
  • Availability Impact    Complete     (0.66)
  • Impact = 6.9
  • Exploitability = 10.0
  • Base Score = 7.8
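The two equations from the Base Score slide, carried through for the CVE-2002-0392 figures, as an added Python example rather than code from the presentation. The combination step the slide leaves as "Function(Impact, Exploitability)" is filled in with the published CVSS v2 base-score equation; the confidentiality and integrity impacts, which the slide does not list, are assumed None (0.0), which reproduces the slide's Impact of 6.9.

```python
# CVSS v2 metric weights (values from the CVSS v2 guide)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

def impact_score(c, i, a):
    """Impact = 10.41 * (1 - (1 - ConImp)(1 - IntImp)(1 - AvailImp))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))

def exploitability_score(av, ac, au):
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]

def base_score(av, ac, au, c, i, a):
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)),
    with f(Impact) = 0 when Impact == 0 (a no-impact bug scores 0), else 1.176."""
    imp = impact_score(c, i, a)
    expl = exploitability_score(av, ac, au)
    f_impact = 0.0 if imp == 0 else 1.176
    return round(((0.6 * imp) + (0.4 * expl) - 1.5) * f_impact, 1)

def parse_vector(vector):
    """Split a v2 vector such as 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into its metrics."""
    m = dict(part.split(":") for part in vector.split("/"))
    return m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"]

# CVE-2002-0392 (Apache chunked-encoding memory corruption) as on the slide:
# AV:N, AC:L, Au:N, A:C. C and I are not shown on the slide and are assumed
# None here; that assumption reproduces the slide's Impact of 6.9.
APACHE_CHUNKED = "AV:N/AC:L/Au:N/C:N/I:N/A:C"

if __name__ == "__main__":
    metrics = parse_vector(APACHE_CHUNKED)
    print("Impact        ", round(impact_score(*metrics[3:]), 1))
    print("Exploitability", round(exploitability_score(*metrics[:3]), 1))
    print("Base score    ", base_score(*metrics))
```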

22
Attack Graph with Probabilities
  • Numbers are estimated probabilities of occurrence
    for individual exploits, based on their relative
    difficulty.
  • The ftp_rhosts and rsh exploits take advantage of
    normal services in a clever way and do not
    require much attacker skill
  • A bit more skill is required for ftp_rhosts in
    crafting a .rhosts file.
  • sshd_bof and local_bof are buffer-overflow
    attacks, which require more expertise.

23
Probabilities Propagated Through Attack Graph
  • When one exploit must follow another in a path,
    this means both are needed to eventually reach
    the goal, so their probabilities are multiplied:
    p(A and B) = p(A) p(B)
  • When a choice of paths is possible, either is
    sufficient for reaching the goal:
    p(A or B) = p(A) + p(B) - p(A) p(B).

24
Network Hardening
  • When we harden the network, this changes the
    attack graph, along with the way its
    probabilities are propagated.
  • Our options to block traffic from the Attacker
  • Make no change to the network (baseline)
  • Block ftp traffic to prevent ftp_rhosts(0,1) and
    ftp_rhosts(0,2)
  • Block rsh traffic to prevent rsh(0,1) and
    rsh(0,2)
  • Block ssh traffic to prevent sshd_bof(0,1)

25
Comparison of Options
  • We can make comparisons of relative security
    among the options
  • Make no change: p = 0.1
  • Blocking rsh traffic from the Attacker leaves a
    remaining 4-step attack path with total
    probability p = 0.1 × 0.8 × 0.9 × 0.1 = 0.0072
  • Blocking ftp traffic: p = 0.0072
  • But blocking ssh traffic leaves 2 attack paths,
    with total probability p = 0.0865, i.e.,
    compromise is 10 times more likely as compared to
    blocking rsh or ftp.
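The AND/OR propagation rule from the previous slides and the four hardening options compared here, as an added Python example (not the authors' tool). The exploit probabilities are the slide's estimates; the precondition/postcondition wiring of the three-host graph is an assumption chosen to reproduce the three attack paths listed earlier, and blocking a service is modelled as removing the exploits it enables.

```python
from functools import reduce

# Exploit -> (success probability from the slide, preconditions, postcondition).
# Wiring is an assumption chosen to reproduce the three paths on the slides;
# rsh(1,2) lists only trust(2,1) because that trust already implies user(1).
EXPLOITS = {
    "sshd_bof(0,1)":   (0.1, ["attacker(0)"], "user(1)"),
    "ftp_rhosts(0,1)": (0.8, ["attacker(0)"], "trust(1,0)"),
    "rsh(0,1)":        (0.9, ["trust(1,0)"],  "user(1)"),
    "ftp_rhosts(0,2)": (0.8, ["attacker(0)"], "trust(2,0)"),
    "rsh(0,2)":        (0.9, ["trust(2,0)"],  "user(2)"),
    "ftp_rhosts(1,2)": (0.8, ["user(1)"],     "trust(2,1)"),
    "rsh(1,2)":        (0.9, ["trust(2,1)"],  "user(2)"),
    "local_bof(2)":    (0.1, ["user(2)"],     "root(2)"),
}

def goal_probability(exploits, goal="root(2)"):
    """P(attacker reaches `goal`) with the given set of enabled exploits."""
    memo = {"attacker(0)": 1.0}          # the attacker always owns host 0
    def p_condition(cond):
        # OR node: p(A or B) = p(A) + p(B) - p(A)p(B), i.e. 1 - prod(1 - p_i);
        # a condition that no enabled exploit produces is unreachable (p = 0).
        if cond not in memo:
            producers = [p_exploit(e) for e, (_, _, post) in exploits.items()
                         if post == cond]
            memo[cond] = 1.0 - reduce(lambda acc, p: acc * (1.0 - p), producers, 1.0)
        return memo[cond]

    def p_exploit(name):
        # AND node: p(A and B) = p(A)p(B) over the preconditions, then the exploit.
        prob, pres, _ = exploits[name]
        return prob * reduce(lambda acc, c: acc * p_condition(c), pres, 1.0)

    return p_condition(goal)

def harden(exploits, blocked):
    """Blocking a service from the attacker removes the exploits it enables."""
    return {n: v for n, v in exploits.items() if not n.startswith(blocked)}

# Hardening options from the slide, as name prefixes of the exploits they prevent.
OPTIONS = {
    "baseline":  (),
    "block ftp": ("ftp_rhosts(0,",),
    "block rsh": ("rsh(0,",),
    "block ssh": ("sshd_bof(0,",),
}

def compare_options():
    return {n: round(goal_probability(harden(EXPLOITS, b)), 4) for n, b in OPTIONS.items()}
```

`compare_options()` returns the slide's figures: 0.0072 for blocking rsh or ftp, 0.0865 for blocking ssh, and about 0.09 (the slide rounds to 0.1) for the unchanged network.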

26
Need for a Modeling Tool
  • For a large enterprise network that has hundreds
    of host machines and several services we need a
    modeling tool that can
  • Generate the attack graph
  • Use the attack graph for quantitative analysis of
    the current configuration
  • Help the network administrators to decide what
    changes to make to improve security

27
System Architecture
  (figure only; not captured in the transcript)

28
Conclusions
  • Based on attack graphs, we have proposed a model
    for security risk analysis of information systems
  • Composing individual scores into a more meaningful
    cumulative metric for overall system security
  • The metric meets intuitive requirements
  • The metric can be used for making recommendations
    to improve network security