System Security Profiling (SSP) - Home - ITEA · 2019. 3. 28. · Cyber attackers with a target and...

System Security Profiling (SSP) Overview Gary Wright Along with: Mike Hostetter Adam Sawyer

System Security Profiling (SSP) Overview

Gary Wright

Along with: Mike Hostetter, Adam Sawyer


JHU/APL System Security Profiling (SSP)

28 March 2019

• Heritage:
  - Created @ NSA in mid-1990s
    - Included documentation review and “pentesting” performed under a detailed test plan and procedures (TPP)
    - TPP completed and approved before testing started
    - Findings and mitigations provided in final report
  - Shut down in 2003

• SSP Process Reborn @ JHU/APL in 2015
  - Expanded menu of capabilities
    - OSINT performed, partially automated
    - Cyber Table Top Assessments (TTA)
    - Source code analysis
    - TPP automation, generation
    - Mitigations provided before testing (where possible)
    - Cyber risk profiling


SSP Technical Approach Overview

[Figure: System Security Profiling (SSP), with three components:]

• Test Planning & Results Analysis
• Design, Source Code, & Configuration Analysis
• OSINT, Table Top Assessment, & Adversarial Cyber Assessment


APL System Security Profiling (SSP) Capabilities

[Figure: capability matrix. Labels: Scale; Core Elements of the Approach; Testing Type (White-Box, Black-Box).]

• Scale:
  - Standalone Devices
  - Standalone/Closed Systems
  - Networked Systems

• Core Elements of the Approach:
  - Open-Source Intelligence (OSINT)
  - [ACA]
  - Source Code Analysis
  - Test Plans and Procedures
  - Cyber Risk Profiling
  - SSP Testing Period [ACA]
  - Table-Top Assessment (TTA)


SSP Approach Methodology


Research

Recon

Plan

Test

Mitigate

Report


Open Source Intelligence (OSINT) Overview

• Tier 3 (Full-Spectrum): Negotiated with sponsor
• Tier 2 (Direct): Geo-Location; Service Probing; Metadata Extraction; Emails; Social Web Analysis
• Tier 1 (Indirect): Enumeration of Network; Whois; Websites & Content; Employees


Source Code Analysis (SCA)

• Requires source code provided by sponsor

SCA:

• Weak security mechanisms
• Poor coding practices
• Potential buffer overflows
• Bad code structures
• Processes large volumes
• Manual verification


Core Aspects of SSP (“Maxwell’s Equations”)


SSP

SUT


Core Aspects of SSP

Review

Preliminary TPP Document

Documented SUT Environment

Re-usable Test Procedures

Fully Documented Test Plan

SUT Documents

TPP

Engineering Procedures


Core Aspects of SSP Blue Team

Expert Knowledge on SUT

Configuration Analysis of SUT

Verification of Security Mechanisms

Findings and Recommendations

Review

SUT Documents


Core Aspects of SSP Red Team

Penetration Testing Performed

Full Understanding of Solution

Verified Mitigation Plan

TPP SIMSUT


Core Aspects of SSP White Team

QLB

Final Report

Quick Look Briefing

360 Review of SUT

Inside and Out Analysis

Final Report and Mitigation Plan


Test Plan and Procedures (TPP) Generation

PAGE

• Test Number
• Purpose
• Prerequisites & Procedures
• Expected & Actual Results
• Cyber Kill Chain* Linkages
• Mitigations

*Reference: A “Kill Chain” Analysis of the 2013 Target Data Breach, U.S. Senate, MAJORITY STAFF REPORT FOR CHAIRMAN ROCKEFELLER MARCH 26, 2014 / Lockheed Martin Cyber Kill Chain


Cyber “Kill Chain” Framework

1. Recon
2. Weaponize
3. Deliver
4. Exploit
5. Install
6. Command & Control
7. Act

Cyber attackers with a target and an objective generally follow the same process. Defenders strive to defeat attacker efforts.


Delay

Deter

Detect

Deny

Destroy

Defend

Deceive


SSP Summary

SSP

TPP

PAGE

Findings Report & Mitigations

TTA

SCA

OSINT


SSP

Questions

