1

Security Risk Analysis of Computer Networks: Techniques and Challenges

Anoop SinghalComputer Security DivisionNational Institute of Standards and Technology

Simon OuDept. of Computer and Information ScienceKansas State University

Outline

Basics of Network Security Risk Analysis Threats to Networks Common Vulnerability Scoring System

(CVSS) Attack Graphs, Bayesian Networks and

Tools for generating Attack Graphs Quantifying Security Risk using attack

graphs and CVSS Conclusions

Enterprise Network Security Management

Networks are getting large and complex Vulnerabilities in software are constantly

discovered Network Security Management is a

challenging task Even a small network can have numerous

attack paths

Trends for Published Vulnerabilities

Enterprise Network Security Management

Currently, security management is more of an art and not a science

System administrators operate by instinct and learned experience

There is no objective way of measuring the security risk in a network

“If I change this network configuration setting will my network become more or less secure?”

Challenges in Security Metrics Typical issues addressed in the literature

How can a database server be secured from intruders? How do I stop an ongoing intrusion?

Notice that they all have a qualitative nature Better questions to ask:

How secure is the database server in a given network configuration?

How much security does a new configuration provide? How can I plan on security investments so it provides a

certain amount of security? For this we need a system security modeling and

analysis tool

Challenges in Security Metrics

Metric for individual vulnerability exists Impact, exploitability, temporal,

environmental, etc. E.g., the Common Vulnerability Scoring System

(CVSS) v2 released on June 20, 20071

However, how to compose individual measures for the overall security of a network? Our work focuses on this issue

1. Common Vulnerability Scoring System (CVSS-SIG) v2, http://www.first.org/cvss/

Challenges in Security Metrics

Counting the number of vulnerabilities is not enough Vulnerabilities have different importance The scoring of a vulnerability is a challenge

Context of the Application Configuration of the Application

How to compose vulnerabilities for the overall security of a network system

What is an Attack Graph

A model for

How an attacker can combine vulnerabilities to stage an attack such as a data breach

Dependencies among vulnerabilities

Attack Graph Example

`

AttackerMachine 0

Firewall Router

sshd

DatabaseServer

Machine 2

FTPServer

Machine 1

Different Paths for the Attack

sshd_bof(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2)

ftp_rhosts(0,1) → rsh(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2)

ftp_rhosts(0,2) → rsh(0,2) → local_bof(2)

Attack Graph from machine 0 to DB Server

What is ?

Stands for Common Vulnerability Scoring SystemAn open framework for communicating characteristics and impacts of IT vulnerabilitiesConsists three metric groups: Base, Temporal, and Environmental

CVSS (Cont’d)

Base metric : constant over time and with user environments

Temporal metric : change over time but constant with user environment

Environmental metric : unique to user environment

CVSS (Cont’d)

CVSS metric groups

Each metric group has sub-matriciesEach metric group has a score associated with itScore is in the range 0 to 10

Access Vector

This metric measures how the vulnerability is exploited.

Local Adjacent Network Network

Access Complexity

This metric measures the complexity of the attack required to exploit the vulnerability

High: Specialized access conditions exist Medium: The access conditions are

somewhat specialized Low: Specialized access conditions do not

exist

Authentication

This metric measures the number of times an attacker must authenticate to a target to exploit a vulnerability

Multiple: The attacker needs to authenticate two or more times

Single: One instance of authentication is required

None: No authentication is required

Confidentiality Impact

This metric measures the impact onconfidentiality due to the exploit. None: No Impact Partial: There is a considerable

information disclosure Complete: There is total information

disclosure

Similar things for the Integrity Impact and Availability Impact

Base Score

Base Score = Function(Impact, Exploitability)

Impact = 10.41 * (1-(1-ConImp)*(1-IntImp)*(1-AvailImpact))

Exploitability = 20*AccessV*AccessComp*Authentication

Base Score Example CVE-2002-0392

Apache Chunked Encoding Memory Corruption

BASE METRIC EVALUATION SCOREAccess Vector [Network] (1.00)Access Complex. [Low] (0.71)Authentication [None] (0.704)Availability Impact[Complete] (0.66)Impact = 6.9Exploitability = 10.0BaseScore = (7.8)

Attack Graph with Probabilities Numbers are estimated

probabilities of occurrence for individual exploits, based on their relative difficulty.

The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill

A bit more skill is required for ftp_rhosts in crafting a .rhost file.

sshd_bof and local_bof are buffer-overflow attacks, which require more expertise.

8.0

8.0

9.01.0

9.0 9.0

1.0

8.0

Probabilities Propagated Through Attack Graph

When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(A and B) = p(A)p(B)

When a choice of paths is possible, either is sufficient for reaching the goal: p(A or B) = p(A) + p(B) – p(A)p(B).

60.08.0

8.0

72.09.0

1.0

54.09.0

72.09.0

087.01.0

8.0

Network Hardening

When we harden the network, this changes the attack graph, along with the way its probabilities are propagated.

Our options to block traffic from the Attacker: Make no change to the network (baseline) Block ftp traffic to prevent ftp_rhosts(0,1) and

ftp_rhosts(0,2) Block rsh traffic to prevent rsh(0,1) and

rsh(0,2) Block ssh traffic to prevent sshd_bof(0,1)

Comparison of Options We can make comparisons of relative

security among the options Make no change p=0.1 Blocking rsh traffic from Attacker leaves

a remaining 4-step attack path with total probability p = 0.1∙0.8∙0.9∙0.1 = 0.0072

Blocking ftp traffic, p=0.0072 But blocking ssh traffic leaves 2 attack

paths, with total probability p ≈ 0.0865, i.e., compromise is 10 times more likely as compared to blocking rsh or ftp.

Need for a Modeling Tool

For a large enterprise network that has hundreds of host machines and several services we need a modeling tool that can Generate the attack graph Use the attack graph for quantitative analysis

of the current configuration Help the network administrators to decide

what changes to make to improve security

System Architecture

NetworkConfiguration

HostConfiguration

Security Modeling

Tool

AttackGraphs

VulnerabilityDB

Conclusions

Based on attack graphs, we have proposed a model for security risk analysis of information systems Composing individual scores to more

meaningful cumulative metric for overall system security

The metric meets intuitive requirements The metric can be used for making

recommendations to improve network security