Attack Modeling for Information Security and Survivability
Presented By Chad Frommeyer
Introduction
• Introduction
• Attack Trees
• Attack Pattern Reuse
• Attack Tree Refinement
• Conclusions
Introduction
• Problem
– Attack data not used for improving design and implementation
– Engineers still not learning from the past
– Need a better way to utilize past attack data
• Solution (Attack Trees/Patterns)
• ACME Enterprise
Attack Trees
• Definition
– A systematic method to characterize system security based on varying attacks
Attack Trees (Structure/Semantics)
• Root Node
• Tree Nodes
– Attack Sub-Goals
• AND-Decomposition requires all to succeed
• OR-Decomposition requires one to succeed
AND Decomposition
OR Decomposition
Attack Trees
• Intrusion Scenarios
– Scenarios that result in achieving the primary goal
– Generated by traversing the tree in a depth-first manner
– Intermediate nodes do not appear
• Branch Refinement
• ACME Attack Tree
Attack Trees
• ACME intrusion scenarios
• <1.1> , <1.2> , <2.1, 2.2, 2.3, 2.4>
• <3.1> , <3.2>
• <4.1> , <4.2> , <5.1> , <5.2> , <5.3>
• <6.1> , <6.2>
Attack Trees
• Refinement of ACME node 5.3
Attack Trees
• ACME intrusion scenarios (Refined)
• <1, 2.1, 3.1, 4.1, 5.1> , <1, 2.2, 3.1, 4.1, 5.1>
• <1, 2.3, 3.1, 4.1, 5.1> , <1, 2.1, 3.2, 4.1, 5.1>
• <1, 2.2, 3.2, 4.1, 5.1> , <1, 2.3, 3.2, 4.1, 5.1>
• <1, 2.1, 3.1, 4.2, 5.1> , <1, 2.2, 3.1, 4.2, 5.1>
• <1, 2.3, 3.1, 4.2, 5.1> , <1, 2.1, 3.2, 4.2, 5.1>
• <1, 2.2, 3.2, 4.2, 5.1> , <1, 2.3, 3.2, 4.2, 5.1>
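The scenario generation and branch refinement described on the preceding slides, as an added example that is not part of the original deck: the ACME tree is reconstructed here from the scenario lists alone (AND/OR shapes inferred from which leaves appear together), and the refinement of node 5.3 keeps the slide's relative leaf numbering. Depth-first traversal yields the 12 original scenarios and the 12 refined ones, with no intermediate node appearing in any scenario.

```python
from itertools import product

class Node:
    def __init__(self, name, op=None, children=()):
        self.name, self.op, self.children = name, op, list(children)

def leaf(name): return Node(name)
def AND(name, *kids): return Node(name, "AND", kids)
def OR(name, *kids): return Node(name, "OR", kids)

def scenarios(node):
    """Depth-first enumeration of intrusion scenarios for `node`.
    A scenario is the tuple of leaf attacks that together achieve the goal;
    intermediate (sub-goal) nodes never appear in it."""
    if not node.children:                      # leaf attack
        return [(node.name,)]
    if node.op == "OR":                        # any one sub-goal suffices
        return [s for child in node.children for s in scenarios(child)]
    # AND: every sub-goal must succeed, so combine one scenario per child
    combos = product(*(scenarios(child) for child in node.children))
    return [sum(combo, ()) for combo in combos]

def refine(node, target, replacement):
    """Branch refinement: copy of `node` with the leaf named `target` replaced."""
    if not node.children:
        return replacement if node.name == target else node
    return Node(node.name, node.op,
                [refine(c, target, replacement) for c in node.children])

# ACME attack tree, reconstructed (assumption) from the slides' scenario list.
ACME = OR("ACME",
    OR("1", leaf("1.1"), leaf("1.2")),
    AND("2", leaf("2.1"), leaf("2.2"), leaf("2.3"), leaf("2.4")),
    OR("3", leaf("3.1"), leaf("3.2")),
    OR("4", leaf("4.1"), leaf("4.2")),
    OR("5", leaf("5.1"), leaf("5.2"), leaf("5.3")),
    OR("6", leaf("6.1"), leaf("6.2")))

# Refinement of node 5.3; leaf numbers are relative to 5.3, as on the slide.
REFINED_5_3 = AND("5.3",
    leaf("1"),
    OR("2", leaf("2.1"), leaf("2.2"), leaf("2.3")),
    OR("3", leaf("3.1"), leaf("3.2")),
    OR("4", leaf("4.1"), leaf("4.2")),
    leaf("5.1"))

def acme_refined_scenarios():
    """Scenarios of the whole ACME tree once node 5.3 has been refined."""
    return scenarios(refine(ACME, "5.3", REFINED_5_3))
```

Refining one leaf replaces the single scenario <5.3> with its 12 refined scenarios, so the full tree grows from 12 to 23 scenarios; that growth is the reason the slides call for attack-pattern libraries to keep refinement tractable.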
Attack Pattern Reuse
• Definition
• Components of an Attack Pattern
• Pertain to Software and Hardware
• Attack Profiles
Attack Pattern Reuse
• Components of an Attack Pattern
– Overall Goal
– Preconditions/Assumptions
– Attack Steps
– Post-conditions (true if attack is successful)
Buffer Overflow Attack
Unexpected Operator Attack
Attack Pattern Reuse
• Components of an Attack Profile
– Common Reference Model
– Set of Variants
– Set of Attack Patterns
– Glossary of terms and phrases
Attack Reference Model
Attack Tree Refinement
• Refinement Process
• Requires security expertise
• Attack pattern libraries
Attack Tree Refinement
• Profile/Enterprise Consistency
• Definition: “Consistency”
• Attack Pattern Relevance
• ACME Example
– Org = ACME
– Intranet = ACME Internet
– Firewall = ACME Firewall
Attack Tree Refinement
• Resulting Reference Model
Attack Tree Refinement
• Pattern Application
– Show relevance to the attack tree goal (relevance)
– Applying Attack Patterns
Conclusions
• Objective
• Documentation via Attack Trees/Profiles
• Documentation Reuse
• Questions still to answer
• Continued Research