Quantitative Security Risk Analysis of Enterprise Systems: Techniques and Challenges Tutorial ICISS, December 2014

Transcription

1 Quantitative Security Risk Analysis of Enterprise Systems: Techniques and Challenges Tutorial ICISS, December 2014 Anoop Singhal Computer Security Division National Institute of Standards and Technology Gaithersburg, MD USA 1 Outline Basics of Computer Security Challenges for Enterprise Network Security Risk Analysis Common Vulnerability Scoring System (CVSS) Attack Graphs and Tools for generating Attack Graphs Quantifying Security Risk Analysis Network Forensics Conclusions 1

2 NIST National Institute of Standards and Technology Information Technology Lab Computer Security Division Cryptography standards Guidelines for Federal Agencies in the areas such as Mobile Device Security, Web Security and so on. Research in the area of Cloud Computing, Biometrics, Network Security and so on. About computer scientists My Experience B. Tech IIT Delhi in EE in 1980 Ph.D. in Computer Science in 1985 AT&T Bell Labs (USA) NIST Computer Security Division 2005 to Present Research Interests Security of Cloud Computing Web Security Intrusion Detection and Network Security Data Mining 2

3 A Brief Introduction to Computer Security Host and network-based security Examples of attacks Security mechanisms Security Goals Confidentiality Availability Security Integrity Other Principles: - Recovery - Defense in Depth 3

4 Host-Based Security Usernames/passwords User groups restrictions on access File attributes/permissions Physical security Personnel security Types of Attacks DOS (Denial of Service Attacks) These attacks attempt to shutdown a network, computer or process Examples are smurf, SYN flood and so on Probe Attacker uses network services to collect information about a host such as IP address, what services it offers and so on Compromises example use buffer overflows to gain privileged access to a host Worms/viruses attacks that aggressively replicate on other hosts 4

5 Security Mechanisms IPSec, SSL Host-based protections Firewalls, IDS (network and host) Secure Host Operation Guidelines Keeping up to date with patches Backups Defending accounts (firewalls, IDS) Auditing, logging and forensics 5

6 Firewalls: Overview Control flow of traffic going between networks Network 1 Firewall Network 2 Purpose of Firewalls Block traffic from Internet (ingress filtering) Block traffic to Internet (egress filtering) Monitor communications between networks 6

7 Traditional Packet Filter Firewall Examine each packet to see if it should be let through. Decision based on TCP/UDP header fields: Source IP address: Does the packet appear to come from an address allowed into the network? Destination IP address: Is the packet going to a server that should receive this type of traffic? Source TCP/UDP port: Is the destination host allowed to receive packets from this application? Destination TCP/UDP port: Are internal hosts allowed to access this service? IDS Definition Intrusion detection systems attempt to identify and isolate intrusions against computer systems. An intrusion is an unauthorized usage or misuse of a computer system. Goals: Detect attacks Provide forensic information to help discover origins of an attack 7

8 Host-Based versus Network-Based IDS Host-based IDS systems monitor activity on a single computer system. They look at audits logs provided by the O.S. Shortcoming: they are insulated from network events that occur on a low level (the packet level). Network IDS examine the raw network traffic. They look for suspicious patterns in this traffic Good at detecting attacks using low-level manipulation of the network Can detect attacks against multiple machines Enterprise Network Security Management Networks are getting large and complex Vulnerabilities in software are constantly discovered Network Security Management is a challenging task Even a small network can have numerous attack paths 8

9 Enterprise Network Security Management Currently, security management is more of an art and not a science System administrators operate by instinct and learned experience There is no objective way of measuring the security risk in a network If I change this network configuration setting will my network become more or less secure? Cyber Security Risk Management Identify What are the assets? How is the network configured? Protect Access Control Authentication Data Security Detect Intrusion Detection Systems (IDS) Security Continuous Monitoring 9

10 Cyber Security Risk Management Respond Response Planning Analysis Mitigation Recover Timely recovery to normal operations Recovery Planning NIST Special Publication Managing Information System Risk, March 2011 Challenges in Security Metrics Typical issues addressed in the literature How can a database server be secured from intruders? How do I stop an ongoing intrusion? Notice that they all have a qualitative nature Better questions to ask: How secure is the database server in a given network configuration? How much security does a new configuration provide? How can I plan on security investments so it provides a certain amount of security? For this we need a system security modeling and analysis tool 10

11 Challenges in Security Metrics Metric for individual vulnerability exists Impact, exploitability, temporal, environmental, etc. E.g., the Common Vulnerability Scoring System (CVSS) v2 released on June 20, However, how to compose individual measures for the overall security of a network? Our work focuses on this issue 1. Common Vulnerability Scoring System (CVSS-SIG) v2, Challenges in Security Metrics Counting the number of vulnerabilities is not enough Vulnerabilities have different importance The scoring of a vulnerability is a challenge Context of the Application Configuration of the Application How to compose vulnerabilities for the overall security of a network system 11

12 What is an Attack Graph A model for How an attacker can combine vulnerabilities to stage an attack such as a data breach Dependencies among vulnerabilities Attack Graph Example 12

13 Different Paths for the Attack sshd_bof(0,1) ftp_rhosts(1,2) rsh(1,2) local_bof(2) ftp_rhosts(0,1) rsh(0,1) ftp_rhosts(1,2) rsh(1,2) local_bof(2) ftp_rhosts(0,2) rsh(0,2) local_bof(2) Attack Graph from machine 0 to DB Server 13

14 Stands for Common Vulnerability Scoring System An open framework for communicating characteristics and impacts of IT vulnerabilities Consists three metric groups: Base, Temporal, and Environmental CVSS (Cont d) Base metric : constant over time and with user environments Temporal metric : change over time but constant with user environment Environmental metric : unique to user environment 14

15 CVSS (Cont d) CVSS metric groups Each metric group has sub-matricies Each metric group has a score associated with it Score is in the range 0 to 10 Access Vector This metric measures how the vulnerability is exploited. Local Adjacent Network Network 15

16 Access Complexity This metric measures the complexity of the attack required to exploit the vulnerability High: Specialized access conditions exist Medium: The access conditions are somewhat specialized Low: Specialized access conditions do not exist Authentication This metric measures the number of times an attacker must authenticate to a target to exploit a vulnerability Multiple: The attacker needs to authenticate two or more times Single: One instance of authentication is required None: No authentication is required 16

17 Confidentiality Impact This metric measures the impact on confidentiality due to the exploit. None: No Impact Partial: There is a considerable information disclosure Complete: There is total information disclosure Similar things for the Integrity Impact and Availability Impact Base Score Base Score = Function(Impact, Exploitability) Impact = * (1-(1-ConImp)*(1-IntImp)*(1- AvailImpact)) Exploitability = 20*AccessV*AccessComp*Authentication 17

18 Base Score Example CVE Apache Chunked Encoding Memory Corruption BASE METRIC EVALUATION SCORE Access Vector [Network] (1.00) Access Complex. [Low] (0.71) Authentication [None] (0.704) Availability Impact[Complete] (0.66) Impact = 6.9 Exploitability = 10.0 BaseScore = (7.8) Attack Graph with Probabilities Numbers are estimated probabilities of occurrence for individual exploits, based on their relative difficulty. The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill A bit more skill is required for ftp_rhosts in crafting a.rhost file. sshd_bof and local_bof are buffer-overflow attacks, which require more expertise. 18

19 Probabilities Propagated Through Attack Graph When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(a and B) = p(a)p(b) When a choice of paths is possible, either is sufficient for reaching the goal: p(a or B) = p(a) + p(b) p(a)p(b). MulVAL attack-graph tool-chain Attack graph with metrics NVD adapter MulVAL User information, Threat model, Network reachability adapter OVAL data repository Vulnerability assessment results 38 19

20 Input data sources Threat model attackerlocated(internet). attackgoal(execcode(dbserver, _)). Firewall/netw ork analyzer reachable( internet, webserver, httpprotocol, httpport ). Vulnerability scanner networkserviceinfo( webserver, httpd, httpprotocol, httpport, apache ). vulexists( webserver, CVE , httpd ). vulproperty( CVE , remoteexploit, privescalation ). cvss('cve ', h). NVD 39 The knowledge base execcode(h, Perm) :- vulexists(h, VulID, Software, remoteexploit, privescalation), networkserviceinfo(h, Software, Protocol, Port, Perm), netaccess(h, Protocol, Port). The knowledge is completely independent of any site-specific settings. A set of Datalog rules to capture expert knowledge in reasoning about cyber attacks 40 20

21 Combining attack graphs and CVSS Attack graph presents a qualitative view of security problems It shows what attacks are possible, but does not tell you how bad the problem is. It captures the interactions among all attack possibilities in your system. CVSS provides a quantitative property of individual vulnerabilities It tells you how bad an individual vulnerability could be. But it does not tell you how bad it may be in your system. 41 Example CVE was identified on web server CVE was identified on db server Internet is allowed to access the web server through HTTP protocol and port Web server is allowed to access the MySQL database service on the db server User workstations are allowed to access anywhere CVE was identified on user workstations 42 21

22 Possible attack paths

23 Result execcode(dbserver,root): 0.47 execcode(webserver,apache): 0.2 execcode(ws,normalaccount): 0.74 Without Group2: execcode(dbserver,root): 0.12 execcode(webserver,apache): Prioritization Given three hardening options: Patching the web server Patching the db server Patching the workstation Which one would you patch first? 46 23

24 Suppose we patch the web server Before: execcode(dbserver,root): 0.47 execcode(webserver,apache): 0.2 execcode(workstation,normalaccount): 0.74 After: execcode(dbserver,root): 0.43 execcode(webserver,apache): 0 execcode(workstation,normalaccount): Now let s patch the db server Before: execcode(dbserver,root): 0.47 execcode(webserver,apache): 0.2 execcode(workstation,normalaccount): 0.74 After: execcode(dbserver,root): 0 execcode(webserver,apache): 0.2 execcode(workstation,normalaccount):

25 How about patching workstation? Before: execcode(dbserver,root): 0.47 execcode(webserver,apache): 0.2 execcode(workstation,normalaccount): 0.74 After: execcode(dbserver,root): 0.12 execcode(webserver,apache): 0.2 execcode(workstation,normalaccount): 0 49 A Network Forensics Model for Evidence Analysis 25

26 51 Objectives Reconstruct attack scenario in an enterprise network by using evidence including IDS alerts and system logs Provide the explanation when evidence is missing or destroyed 52 A Model for Network Attack Analysis 26

27 53 A Model for Network Attack Analysis-cont. This model extends MulVAL, a tool that uses formal method to generate attack graph by using computer configuration, network topology and vulnerability information. Our extended modules are shown in darker color. o evidence uses MITRE s OVAL database or expert knowledge to convert evidence from the attacked network to corresponding software vulnerability and computer configuration MulVAL takes. o anti-forensics and expert knowledge databases are used to generate explanations for the missing or destroyed evidence. An Example Network 54 Red path: SQL injection attack(cwe-89) Green path: Compromise the workstation by IE to access the database server (CVE ) IDS(Snort) deployed Servers configured for access and query logging Blue path: Compromise admin session id by XSS attack 27

28 55 Existing Vulnerability Machine IP Address: Port Vulnerability Attacker Workstations Webserver 1 Product web service Webserver 2 Portal web service Administrator /185/ : : Database server HTML Objects Memory Corruption Vulnerability (CVE ) SQL Injection (CWE89) Cross Site Scripting Flaw (XSS) 56 IDS Alerts and Log Timestamp 08/13-12:26:10 Source IP Destination IP Content SHELLCODE x86 inc ebx NOOP Vulnerability CVE /13-12:27:37 08/13-14:37:27 08/13-16:19:56 08/13-14:37: SHELLCODE x86 inc ebx NOOP SQL Injection Attempt Cross Site Scripting name='alice' AND password='alice' or '1'='1' CVE CWE89 XSS CWE89 28

29 57 Reasoning Rules and Evidence Evidence and Facts: /*final attack victim*/ attackedhost(execcode(admin,_)). attackedhost(netaccess(dbserver,_,_)). /* network topology and access control policy*/ attackerlocated(internet). hacl(internet, webserver, tcp, 80). /*time stamps used for evidence dependency*/ timeorder(webserver,dbserver, , ). /* configuration and attack information of webserver */ vulexists(webserver, 'CWE89', httpd). vulproperty('cwe89', remoteexploit, privescalation). networkserviceinfo(webserver, httpd, tcp, 80, apache). Rules: interaction_rule( (execcode(h, Perm) :- vulexists(h, _, Software, remoteexploit, privescalation), networkserviceinfo(h, Software, Protocol, Port, Perm), netaccess(h, Protocol, Port)), rule_desc('remote exploit of a server program', 1.0)). interaction_rule( (evidence(h,perm) :- execcode(h,perm), timeorder(zone,h,t1,t2), hold(t1,t2)), rule_desc('evidence with timestamp', 1.0)). Evidence Graph Generation 58 Blue: XSS attack path Red: SQL injection attack path Dark green: Attack paths through compromised workstations Question: is this evidence graph complete and validated? 29

30 The Notations of the Nodes 59 1 execcode(admin,apache) 2 RULE 2 (remote exploit of a server program) 3 netaccess(admin,tcp,80) 4 RULE 6 (direct network access) 5 hacl(internet,admin,tcp,80) 6 attackerlocated(internet) 7 networkserviceinfo(admin,httpd,tcp,80,apache) 8 vulexists(admin,'xss',httpd,remoteexploit,privescalation) 9 netaccess(dbserver,tcp,3660) 10 RULE 5 (multi-hop access) 11 hacl(webserver,dbserver,tcp,3660) 12 execcode(webserver,apache) what if Scenarios 60 Network forensics analysis is not complete without hypotheses testing. o hypotheses are what if propositions made for possible explanations of inconsistencies in preliminary analysis results. Examples o What if the buffer overflow alert between from attacker to a workstation is an irrelevant background artifact? o What if the attacker uses the compromised workstation to log into the database, which has no evidence? 30

31 61 Anti-forensic Database Attackers might have used anti-forensic technique to destroy evidence ID Category Tool Technique Windows Linux Privilege Access Software Effect A1 Attack tool Obfuscate signature All All User remoteclien t SNORT Rule Bypass being detected by rules D1 Destroy data BCWip e Delete file content 98 Above All User localclient Delete data permanently D2 Destroy data.. Remove log file All All User remoteclien t MySql 5.0 above set log off command Set general log off References A. Singhal, S. Ou, Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs, NISTIR 7788, September A. Singhal and X. Ou, Quantitative Security Risk Assessment of Enterprise Networks, Springer Brief Book in Computer Science, December C. Liu, A. Singhal, D. Wijesekara, Using Attack Graphs in Forensics Examination, The Fifth International Workshop on Digital Forensics (WSDF 2012), Prague, August M. Albanese, S. Jajodia, A. Singhal, and L. Wang, An efficient approach to assessing the risk of zero-day vulnerabilities, Proc. 10th International Conference on Security and Cryptpgraphy (SECRYPT 2013), Reykjavik, Iceland, July 29-31, 2013 (Best Paper Award). L. Wang, S. Jajodia, A. Singhal, P. Cheng and S. Noel, K Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities, IEEE Transactions on Dependable and Secure Computing (TDSC) January

32 Conclusions Based on attack graphs, we have proposed a model for security risk analysis of information systems Composing individual scores to more meaningiful cumulative metric for overall system security Future work is how to apply these techniques for security of cloud computing and for moving target defense 32