Automatic Quantification and Minimization of Attack Surfaces

Transcription

1 Automatic Quantification and Minimization of Attack Surfaces October Mr. Michael Atighetchi, Dr. Borislava Simidchieva (617) ), Mr. Nathaniel Soule, Dr. Fusun Yaman, Dr. Joseph Loyall Raytheon BBN Technologies Dr. David Last, Dr. David Myers, Capt. Bridget Flatley United States Air Force Research Laboratory 03/23/15

2 Problem Cyber warfare is stacked against the defender Defender: Protect against all the ways that an adversary can potentially compromise security Adversary: Find only a single attack vector to be successful Cyber defenses have become increasingly proactive Moving Target Defenses (MTDs) continuously change attack surfaces to increase adversarial work load and uncertainty. Defense configuration is a poorly understood, non-quantifiable process Add defenses that provide little added value Introduce unacceptable cost or overhead Inadvertently increase the attack surface Cause unintended side effects when combined with other defenses Urgent Need in the DoD : Select and configure cyber defenses for a distributed mission-critical system with a clear quantitative understanding of security properties of the resulting system. 2

3 Motivating Examples Improper randomization frequency IP Hopping MTDs that change addresses at an interval greater than the required time for an attack to complete provide no benefit Invalid defense composition Deploying two IP hopping defenses could cause one to invalidate the other Deploying an OS hopping defense in the presence of a separate defense that relies on a particular OS could cause periodic outages of that defense. Improper dynamism trigger Temporal OS Hopping Changing the OS of a system based on time may have a temporary confusion effect on the adversary, but also opens up the ability for the attacker to wait for a target OS for which they have an exploit Action 3

4 Example: Multiple Moving Target Defenses Example Proactive Defenses: IP Hopping between the client and the Windows-based application server to randomize IP source and target addresses and port information and dynamically reconfigure every X seconds. OS Hopping & Masquerading on the application server, switching between operating systems upon getting notifications that the specific operating system in use is vulnerable in the current deployment. Binary diversity techniques that randomize memory layout either during installation or for each process restart either, e.g., by Address Space Layout Randomization (ASLR) or by the use of multi-compilers to generate diverse binary layouts on disk. Continuous restart of application processes to remove any foothold an adversary might have gained as the result of intermediate points in an attack vector. Example Configuration Problems Misconfiguration of a specific MTD Too slow to be useful, causing too much performance impact Compositional issues across multiple MTDs IP Hopping only supported by Windows OS Hopping/Masquerading supported across multiple OSs 4

5 Attack Surface Reasoning in One Slide Problem: Select and configure cyber defenses for a distributed mission-critical system with a clear quantitative understanding of security properties of the resulting system. Objective: Provide models and algorithms for quantifying and analyzing the attack surfaces of distributed dynamic systems and different cyber defenses Models for attack surfaces that tie together information about systems, defenses, and attack vectors to enable quantitative characterization of attack surfaces Algorithms for evaluating the effectiveness of a set of defenses to (1) reduce the size of attack surfaces so that they enforce least privilege constraints and (2) shift attack surfaces so they appear random to attackers Metrics for characterizing the attack surface of a dynamic, distributed system at the application, operating system, and network layers Significance to Air Force and Impact: ASR enables cyber defenders to quantify the impact of adding or reconfiguring defenses of mission critical applications, providing key metrics for effective and efficient proactive defense. 5

6 Modeling Approach ASR s reasoning operates over a set of sub-models System, Defense, Adversary, Attack, and Mission Semantic modeling approach All models described using the Web Ontology Language (OWL) Ontologies draw from previous work and other existing representations (e.g. Microsoft STRIDE) Model Creation Instance models are currently created by hand new work will enable automated model generation from real systems Numerous model instances of each model category were created in support of testing Models of a three-tiered web application stack Models of IP Hopping, OS Masquerading, and OS Hopping defenses Missions modeled after real military exercises 6

7 Attack Surface Model: Model Composition Mission Attack Library Defense System Adversary The entities that comprise the system in question: e.g. hosts, network interface cards, processes. Employs the Microsoft STRIDE representations as a base ontology. 7

8 Attack Surface Model: Model Composition Mission Attack Library Defense System Adversary Describes the static and dynamic defensive mechanisms available, in particular those aspects of the mechanisms that impact the systems they protect both positively (e.g., additional protection) and negatively (e.g., additional resource usage). 8

9 Attack Surface Model: Model Composition Mission Attack Library Defense System Adversary Describes the potential starting points for an adversary both spatially and in terms of assumed knowledge. 9

10 Attack Surface Model: Model Composition Models types of attacks and their properties such that a given attack surface can be analyzed for susceptibility. Mission Attack Library Defense System Adversary 10

11 Attack Surface Model: Model Composition Models the information flows and requirements of a mission, allowing for determination of non-essential functions and for detection of threshold violation for mission essential elements. Mission Attack Library Defense System Adversary 11

12 System Models Capture aspects of the target compute platform Multi-layered and multi-depth Generic abstractions used by reasoning Inspired by concepts used in Microsoft STRIDE models Processes, Data Flows, Data Stores External Entities, Boundaries Specific abstractions used to communicate with users NICs, Endpoints, Users, Hosts Defined using Semantic Web ontologies Provides a connected graph Can easily be extended to include new concepts Scales to billions of nodes 12

13 Example System Model UAV Client 1 IMS Server 1 VP1 Endpoint3 <Listen> IMS1 Endpoint6 Endpoint8 <Listen> NIC3 VLAN1 NIC4 Admin 1 Endpoint4 Admin Client1 Endpoint1 Endpoint2 <Listen> Endpoint11 <Listen> Endpoint12 NIC6 NIC8 VLAN2 Niki Costa Admin User 1 MNE1 MNE4 MNE2 MNE3 NIC7 Endpoint7 <Listen> NIC9 Eclient 1 Endpoint9 Enterpr Client1 Mobile Network 1 Image DB1 Jane Doe Enterprise User 1 Endpoint10 Attack Client 1 A2 Endpoint13 JTAC Client 1 JTAC1 Endpoint5 <Listen> Data DB Server 1 JTAC User 1 John Smith BackedBy ConnectsTo Process Dataflow Network Dataflow Vertical Boundary Horizontal Boundary Entity Process Layer Entity Network Layer Entity Physical Layer Data Store External Entity 13

14 Defense Models Capture aspects of cyber defense Describes setup requirements, security benefits, and costs Categories security properties into 14 abstract categories Captures dynamic aspects of defenses Randomization space, reconfiguration interval, key sharing 14

15 List of Abstract Defense Capabilities Defense Protect Against Examples Signing Tampering HAIPE, TLS, XML Signature Encryption Information Disclosure HAIPE, TLS, XML Encryption Authentication Spoofing HAIPE, TLS, Passwords Authorization Escalation of Privilege HAIPE, Firewalls, XACML, CDSs Data Filtering Escalation of Privilege Snort, Dirty Word Lists, XML Schema Validation Data Sanitization Escalation of Privilege PDF printer conversion, XSLT Intrusion Detection System Repudiation Bro, HBSS Audit Repudiation Log4j, Linux auditd Randomization Masquerade Tarpitting Tampering, Information Disclosure, Denial of Service, Escalation of Privilege, InformationDisclosure, Elevation of Privilege Tampering, Escalation of Privilege, Denial of Service IP Hopping, OS Hopping, Single Packet Authorization OS Masquerading Labrea, HTTP redirects Data Poisoning Repudiation MS Word macros Isolation Escalation of Privilege Virtualization, VLANs Watchdog Tampering, Denial of Service Linux service daemon, APS watchdogs Replication Tampering, Denial of Service Load Balancing, Crash FT, Byzantine FT 15

16 Current Status of Mission Models Mission model combines: Mission-critical system processes and dataflows Requirements on these system components Cost requirements specify two cost overhead thresholds: low and high, resulting in three banded grades: Security requirements specify three orthogonal dimensions graded on a PASS/FAIL scale with respect to attacks: high low 0 FAIL DEGRADED PASS Availability If any one fails, security fails. 16

17 Adversary Models Attack Step Pre-Condition Post-Condition Start Target Action Privilege required to execute the step Results and side effects of executing the step Specificelement that satisfies the Pre-Condition Specific element that satisfies the Post-Condition STRIDE (+CAPAC) Adversary has Current position: Parts of the system the adversary has access to Goal: A partially instantiated attack step Knowledge: Information or privilege the attacker has, e.g. through insider info Adversary capabilities are not modeled currently We plan to add a skill level for each attack step and adversary Attack Vector Steps Ordered sequence of steps 17

18 Example Attack Steps Currently Modelled Name Type Requires Side Effect Sniff PortScan TCPConFlood OSFingerPrint GetRoot Information Disclosure Information Disclosure Accessto network Network reachability Denial of Service Network reachability & Knowledgeabout the target endpoint Information Disclosure Elevation of Privilege Knowledgeon listening socket on a host Knowledgeon host OS and listening socket ShutDownServer Denial of Service Knowledgeon host OS and listening socket Root privilege on host Knowledge about observed network flows Knowledge about listening sockets Depletes file descriptors at a given rate Knowledgeabout host OS specifics Root privilege on host Server unavailable 18

19 Algorithms: Attack Vector Finding Illustration UAV Client 1 IMS Server 1 VP1 EP1 MNE1 MNE4 EP10 A2 Attack Client 1 EP2 <Listen> EP13 JTAC Client 1 IMS1 Mobile Network 1 (MN1) JTAC1 EP11 <Listen> MNE2 MNE3 EP12 EP5 <Listen> Find all vectors of length 2 or less Achieving the goal: DOS at IMS Server Starting Position Sniff MN1 Info: EP2 EP5 Deplete Resources IMS1 Connected: Mobile Network 1 TCPConFlood EP2 Scan MN1 Info: EP2 EP5 EP11 Deplete Resources IMS1 TCPConFlood EP11 ATTACK VECTORS 1. Sniff MN1, TCPConFlood EP2 2. Probe MN1, TCPConFlood EP2 3. Probe MN1, TCPConFlood EP11 19

20 Algorithms: Attack Vectors with Defense UAV Client 1 IMS Server 1 VP1 IP-Hopping EP2 <Listen> EP1 MNE1 MNE4 EP10 A2 Attack Client 1 EP13 JTAC Client 1 IMS1 Mobile Network 1 (MN1) JTAC1 EP11 <Listen> MNE2 MNE3 EP12 EP5 <Listen> Find all vectors of length 2 or less Achieving the goal: DOS at IMS Server Starting Position Sniff MN1 Info: EP2 EP5 Deplete Resources IMS1 Connected: Mobile Network 1 TCPConFlood EP2 Scan MN1 Info: EP2 EP 5 EP11 Deplete Resources IMS1 TCPConFlood EP11 ATTACK VECTORS 1. Sniff MN1, TCPConFlood EP2 2. Probe MN1, TCPConFlood EP2 3. Probe MN1, TCPConFlood EP11 20

21 Metrics: Aggregates and Drilling into Details Instead of a single number, keep a few very informative scores that allow for comparison System Security Aggregate Security Indexsummarizes security metrics Individual concerns such as length of attack vectors are easily viewed Cost Aggregate Cost Index summarizescost metrics Individual concerns such as latency penalty of defense can be examined Mission Missionsare ranked as pass, degraded, or fail. Lowest score prevails for aggregate mission scores along security, cost, or both Individual concerns such as confidentiality still accessible Individual concerns such as percent of dataflows that fail latency viewable 21

22 Formulation of Aggregate System Metrics Metric Factors Why? Aggregate Security Index (ASI) MinLengthOfAttackVectors^2 NumberOfBoundaries / NumberOfAttackVectors 10 NumberOfBoundaries/ NumberOfEntryPoints 1.75 P(AttackVectorSuccess)/ ShortestAttackVectorDuration 0.5 Attacker Workload 1h Coverage over known attacks Coverage over unknown attacks Probabilistic Vector Impact Aggregate Cost Index (ACI) LatencyImpact (%) 75 KPP ThroughputImpact (%) 25 KPP under load NumberOfImpacted DataFlows 10 Coverage over flows KPP=Key Performance Parameter 22

23 ASR Prototype Web service based implementation allowing: Programmatic interaction (REST API) Browser based GUI interaction Load, visualize, query, and analyze models View analysis results (metrics) View identified attack vectors Heat map comparison of 3 configurations 23

24 ASR User Interface High-Level Security and Cost Metrics Lower-Level Metrics Drill down to find actual attack vectors 24

25 Conclusion Selecting and configuring cyber defenses remains to be difficult and error-prone Operators lack a clear quantitative understanding of security properties of the resulting system Attack Surface Reasoning provides a framework for quantifying and minimizing attack surfaces Models describing systems, defenses, missions, attacks, and adversaries Algorithms for building attack vectors and minimizing the attack surface Metrics for performing relative comparisons for security and cost Prototype web service capability supporting what-if analyses Next steps Improve scalability, automate model construction 25