System Security Profiling (SSP) Overview
Gary Wright
Along with: Mike Hostetter, Adam Sawyer
JHU/APL System Security Profiling (SSP)
28 March 2019 2
• Heritage:
- Created @ NSA in mid-1990s
- Included documentation review and “pentesting” performed under a detailed test plan and procedures (TPP)
- TPP completed and approved before testing started
- Findings and mitigations provided in final report
- Shut down in 2003
• SSP Process Reborn @ JHU/APL in 2015
- Expanded menu of capabilities
- OSINT performed, partially automated
- Cyber Table Top Assessments (TTA)
- Source code analysis
- TPP automation, generation
- Mitigations provided before testing (where possible)
- Cyber risk profiling
SSP Technical Approach Overview
System Security Profiling (SSP) draws on three activities:
- Test Planning & Results Analysis
- Design, Source Code, & Configuration Analysis
- OSINT, Table Top Assessment, & Adversarial Cyber Assessment
APL System Security Profiling (SSP) Capabilities
Scale: Standalone Devices / Standalone/Closed Systems / Networked Systems
Testing Type: White-Box / Black-Box
Core Elements of the Approach:
- Open-Source Intelligence (OSINT) [ACA]
- Source Code Analysis
- Test Plans and Procedures
- Cyber Risk Profiling
- SSP Testing Period [ACA]
- Table-Top Assessment (TTA)
SSP Approach Methodology
Research → Recon → Plan → Test → Mitigate → Report
Open Source Intelligence (OSINT) Overview
Tier 3 (Full-Spectrum): Negotiated with sponsor
Tier 2 (Direct): Geo-Location, Service Probing, Metadata Extraction, Emails, Social Web Analysis
Tier 1 (Indirect): Enumeration of Network, Whois, Websites & Content, Employees
Source Code Analysis (SCA)
• Requires source code provided by sponsor
• SCA identifies:
- Weak security mechanisms
- Poor coding practices
- Potential buffer overflows
- Bad code structures
• Processes large volumes
• Manual verification
Core Aspects of SSP (“Maxwell’s Equations”)
Diagram labels: SSP, SUT
Core Aspects of SSP: Review
- Preliminary TPP Document Review
- Documented SUT Environment
- Re-usable Test Procedures
- Fully Documented Test Plan
Diagram labels: SUT Documents, TPP, Engineering Procedures
Core Aspects of SSP: Blue Team
- Expert Knowledge on SUT
- Configuration Analysis of SUT
- Verification of Security Mechanisms
- Findings and Recommendations
Diagram labels: Review, SUT Documents
Core Aspects of SSP: Red Team
- Penetration Testing Performed
- Full Understanding of Solution
- Verified Mitigation Plan
Diagram labels: TPP, SIM, SUT
Core Aspects of SSP: White Team
- Quick Look Briefing
- 360 Review of SUT
- Inside and Out Analysis
- Final Report and Mitigation Plan
Diagram labels: QLB, Final Report
Test Plan and Procedures (TPP) Generation
PAGE
Each TPP entry records:
- Test Number
- Purpose
- Prerequisites & Procedures
- Expected & Actual Results
- Cyber Kill Chain* Linkages
- Mitigations
*Reference: A “Kill Chain” Analysis of the 2013 Target Data Breach, U.S. Senate, MAJORITY STAFF REPORT FOR CHAIRMAN ROCKEFELLER, MARCH 26, 2014 / Lockheed Martin Cyber Kill Chain
Cyber “Kill Chain” Framework*
1. Recon
2. Weaponize
3. Deliver
4. Exploit
5. Install
6. Command & Control
7. Act
Cyber attackers with a target and an objective generally follow the same process. Defenders strive to defeat attacker efforts.
Defender responses: Delay, Deter, Detect, Deny, Destroy, Defend, Deceive
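The TPP entry layout and the kill-chain linkages described above, as an added example that is not part of the APL slides or the PAGE tool: a minimal Python model of a TPP entry, the checks a planner would run before the TPP is approved, and a coverage summary showing which kill-chain phases the plan exercises. Field, function and sample-test names are assumptions.

```python
# Added example (not from the APL slides or the PAGE tool): a minimal model of the
# TPP record layout above, the checks run before approval, and kill-chain coverage.
from dataclasses import dataclass, field

# The seven phases listed on the Cyber "Kill Chain" slide, in order.
KILL_CHAIN = ("Recon", "Weaponize", "Deliver", "Exploit", "Install", "Command & Control", "Act")

@dataclass
class TppEntry:
    test_number: str
    purpose: str
    prerequisites: list
    procedures: list
    expected_result: str
    kill_chain_links: list              # subset of KILL_CHAIN
    mitigations: list = field(default_factory=list)
    actual_result: str = ""             # filled in during the test period

def validate_entry(e: TppEntry) -> list:
    """Problems found; an entry ready for approval has none (actual_result may be empty)."""
    problems = []
    for name in ("test_number", "purpose", "procedures", "expected_result"):
        if not getattr(e, name):
            problems.append(f"missing {name}")
    unknown = [p for p in e.kill_chain_links if p not in KILL_CHAIN]
    if unknown:
        problems.append(f"unknown kill-chain phase(s): {unknown}")
    elif not e.kill_chain_links:
        problems.append("no kill-chain linkage")
    if not e.mitigations:
        problems.append("no mitigation recorded")
    return problems

def kill_chain_coverage(entries: list) -> dict:
    """Number of tests exercising each phase, so untested phases are visible."""
    counts = {phase: 0 for phase in KILL_CHAIN}
    for e in entries:
        for phase in set(e.kill_chain_links):
            if phase in counts:
                counts[phase] += 1
    return counts

# Constructed sample entries (not from any real TPP); T-002 has no mitigation yet.
SAMPLE = [
    TppEntry("T-001", "Management interface requires authentication", ["SUT powered on"],
             ["Request management URL without credentials"], "Access refused; login prompt shown",
             ["Recon", "Exploit"], ["Enforce authentication on every management endpoint"]),
    TppEntry("T-002", "Outbound connections from SUT are restricted", ["Egress policy documented"],
             ["Attempt outbound connection"], "Connection blocked and logged", ["Command & Control"]),
]
```

Running validate_entry over SAMPLE flags T-002 for its missing mitigation, and kill_chain_coverage shows that Weaponize, Deliver, Install and Act have no test against them.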
SSP Summary
SSP brings together: OSINT, TTA, SCA, TPP, PAGE, Findings Report & Mitigations
Questions