Attack Modeling for Information Security and Survivability

Presented ByChad Frommeyer

Introduction

• Introduction• Attack Trees• Attack Pattern Reuse• Attack Tree Refinement• Conclusions

Introduction

• Problem– Attack Data not used for improving Design

and Implementation– Engineers still not learning from the past– Need a better way to utilize past attack data

• Solution (Attack Trees/Patterns)• ACME Enterprise

Attack Trees

• Definition– a systematic method to characterize system

security based on varying attacks

Attack Trees (Structure/Semantics)

• Root Node• Tree Nodes

– Attack Sub-Goals• AND-Decomposition requires all to succeed• OR-Decomposition requires one to succeed

AND Decomposition

OR Decomposition

Attack Trees

• Intrusion Scenarios– Scenarios that result in achieving the primary

goal– Generated by traversing the tree in a depth-

first manner– Intermediate nodes are not appear

• Branch Refinement• ACME Attack Tree

Attack Trees

• ACME intrusion scenarios• <1.1> , <1.2> , <2.1, 2.2, 2.3, 2.4>• <3.1> , <3.2>• <4.1> , <4.2> , <5.1> , <5.2> , <5.3>• <6.1> , <6.2>

Attack Trees

• Refinement of ACME node 5.3

Attack Trees

• ACME intrusion scenarios (Refined)• <1, 2.1, 3.1, 4.1, 5.1> , <1, 2.2, 3.1, 4.1, 5.1>• <1, 2.3, 3.1, 4.1, 5.1> , <1, 2.1, 3.2, 4.1, 5.1>• <1, 2.2, 3.2, 4.1, 5.1> , <1, 2.3, 3.2, 4.1, 5.1>• <1, 2.1, 3.1, 4.2, 5.1> , <1, 2.2, 3.1, 4.2, 5.1>• <1, 2.3, 3.1, 4.2, 5.1> , <1, 2.1, 3.2, 4.2, 5.1>• <1, 2.2, 3.2, 4.2, 5.1> , <1, 2.3, 3.2, 4.2, 5.1>

Attack Pattern Reuse

• Definition• Components of an Attack Pattern• Pertain to Software and Hardware• Attack Profiles

Attack Pattern Reuse

• Components of an Attack Pattern– Overall Goal– Preconditions/Assumptions– Attack Steps– Post-conditions (true if attack is successful)

Buffer Overflow Attack

Unexpected Operator Attack

Attack Pattern Reuse

• Components of an Attack Profile– Common Reference Model– Set of Variants– Set of Attack Patterns– Glossary of terms and phrases

Attack Reference Model

Attack Tree Refinement

• Refinement Process• Require security expertise• Attack pattern libraries

Attack Tree Refinement

• Profile/Enterprise Consistency• Definition: “Consistency”• Attack Pattern Relevance• ACME Example

– Org = ACME– Intranet = ACME Internet– Firewall = ACME Firewall

Attack Tree Refinement

• Resulting Reference Model

Attack Tree Refinement

• Pattern Application– Show relevance to the attack tree goal

(relevance)– Applying Attack Patterns

Conclusions

• Objective• Documentation via Attack Trees/Profiles• Documentation Reuse• Questions still to answer• Continued Research