Towards Unifying Vulnerability Information for Attack Graph Construction

Slide 1: Towards Unifying Vulnerability Information for Attack Graph Construction
Sebastian Roschke, Feng Cheng, Robert Schuppenies, Christoph Meinel
ISC 2009, 2009-09-08
Internet-Technologies and -Systems, Prof. Dr. Ch. Meinel

Slide 2: Outline
- Introduction
  - Attack Graph Workflow
- Sources of Vulnerability Information
  - Source Comparison
  - CVE, CVSS, and OVAL
- Implementation of an Extraction Tool
  - Data Model
  - Architecture
  - Proof of Concept
- Summary & Conclusions

Slide 3: Attack Graph Workflow
- Phases: Information Gathering, Attack Graph Construction, Analysis & Visualization


Slide 5: Sources of Vulnerability Information

Slide 6: Sources of Vulnerability Information
- Existing databases are either commercial or community-based
  - Commercial: DragonSoft (D.Soft), Secunia, SecurityFocus (S.Focus), Securiteam, and X-Force
  - Community-based: Cooperative Vulnerability Database (CoopVDB), the Department of Energy Cyber Incident Response Capability (DoE-CIRC), the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), and the United States Computer Emergency Readiness Team (US-CERT)
- Vulnerability standardization efforts
  - CVE - Common Vulnerabilities and Exposures
  - CVSS - Common Vulnerability Scoring System
  - OVAL - Open Vulnerability and Assessment Language

Slide 7: Vulnerability Standardization Efforts
- CVE - Common Vulnerabilities and Exposures
  - Dictionary providing common names and references for vulnerabilities
- CVSS - Common Vulnerability Scoring System
  - Metric indicating how critical a vulnerability is
  - Metric groups: base metrics, temporal metrics, and environmental metrics
  - Base metrics: access vector and access complexity, number of required authentication steps, and degree of Confidentiality, Integrity, and Availability (CIA) impact
- OVAL - Open Vulnerability and Assessment Language
  - Detailed and structured description of the configurations affected by vulnerabilities
  - Definition types: vulnerability definitions, compliance definitions, inventory definitions, patch definitions, miscellaneous definitions

Slide 8: Sources of Vulnerability Information: Comparison
(comparison table of the vulnerability databases; not reproduced in the transcription)


Slide 10: Extraction Tool Data Model (1/3)
- Description of vulnerabilities as a set of pre-conditions and post-conditions
- A condition consists of system properties

Slide 11: Extraction Tool Data Model (2/3): System Properties

Slide 12: Extraction Tool Data Model (3/3): Description Example

Slide 13: Extraction Tool Architecture
- Plugin-enabled architecture of readers and writers
- Reader plugins parse vulnerability databases (VDBs) and create the internal vulnerability representation (according to the introduced data model)
- Writer plugins transform the internal representation, e.g., into data compatible with an attack graph (AG) creator

Slide 14: Extraction Tool Proof of Concept
- PoC implemented in Python with a simple web-based front end
- Reader plugins: NVD Reader, OVAL Reader, XML Reader, CVE Reader
- Writer plugins: MulVAL Writer, XML Writer
- Extraction process
  - Main source: NVD
  - Utilization of CVSS: CIA impact, access vector
  - Utilization of OVAL: description of the environment
  - Extraction based on common patterns and phrases, e.g., "execute arbitrary code", "Microsoft Windows 2000 SP4 or later is installed"

Slide 15: Extraction Tool Correctness
- Evaluation of textual extraction on NVD: comparison of the textual description with its CVSS counterpart
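As an added illustration (editor's code, not the authors' PoC tool), here is a miniature of the pipeline on slides 10 to 15: the pre-/post-condition data model, a text reader driven by phrase patterns like those on slide 14, a CVSS reader for access vector and CIA impact, the text-versus-CVSS consistency check of slide 15, and a MulVAL-style writer. The record fields, the phrase table, the four records and the MulVAL atom names are assumptions; the records are constructed and are not real CVEs. Host and program for the MulVAL facts would come from the environment description (OVAL) and are passed in by hand here.

```python
"""Miniature of the extraction pipeline (editor's example, not the authors' tool).

Assumptions: NVD-like records with id/summary/cvss fields, CVSS v2 base
vectors (AV/AC/Au/C/I/A), a hand-written phrase table, and MulVAL facts in
the shape vulExists(Host, VulID, Program) / vulProperty(VulID, Range,
Consequence). The consequence atom names should be checked against the
MulVAL interaction rules actually in use.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Property:
    """One system property; a condition is a set of these (slides 10-11)."""
    name: str
    value: str


@dataclass
class Vulnerability:
    """Slide 10 data model: pre-conditions needed to exploit, post-conditions gained."""
    vul_id: str
    pre: set = field(default_factory=set)
    post: set = field(default_factory=set)


# Constructed NVD-like records (ids, texts and vectors are made up for the example).
# VULN-D is deliberately inconsistent: the text says remote, the vector says local.
SAMPLE_RECORDS = [
    {"id": "VULN-A", "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "summary": "Buffer overflow allows remote attackers to execute arbitrary code. "
                "Microsoft Windows 2000 SP4 or later is installed."},
    {"id": "VULN-B", "cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
     "summary": "Local users can gain privileges via a crafted file."},
    {"id": "VULN-C", "cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
     "summary": "Remote attackers can cause a denial of service (crash)."},
    {"id": "VULN-D", "cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
     "summary": "Remote attackers can execute arbitrary code."},
]

# Phrase patterns (slide 14): (regex over the summary, is_precondition, property).
TEXT_PATTERNS = [
    (re.compile(r"\bremote (attackers?|users?)\b", re.I), True, Property("access", "remote")),
    (re.compile(r"\blocal (attackers?|users?)\b", re.I), True, Property("access", "local")),
    (re.compile(r"\bMicrosoft Windows 2000 SP4 or later is installed\b", re.I), True,
     Property("os", "windows_2000_sp4_or_later")),
    (re.compile(r"\bexecute arbitrary code\b", re.I), False, Property("impact", "full")),
    (re.compile(r"\bgain privileges\b", re.I), False, Property("impact", "full")),
    (re.compile(r"\bdenial of service\b", re.I), False, Property("impact", "dos")),
]


def parse_cvss2(vector: str) -> dict:
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def read_text(rec: dict) -> Vulnerability:
    """Text reader plugin: derive conditions from the description by phrase matching."""
    v = Vulnerability(rec["id"])
    for pat, is_pre, prop in TEXT_PATTERNS:
        if pat.search(rec["summary"]):
            (v.pre if is_pre else v.post).add(prop)
    return v


def read_cvss(rec: dict) -> Vulnerability:
    """CVSS reader plugin: access vector -> pre-condition, CIA impact -> post-condition."""
    m = parse_cvss2(rec["cvss"])
    v = Vulnerability(rec["id"])
    v.pre.add(Property("access", "remote" if m["AV"] in ("N", "A") else "local"))
    if (m["C"], m["I"], m["A"]) == ("C", "C", "C"):
        v.post.add(Property("impact", "full"))
    elif m["C"] == "N" and m["I"] == "N" and m["A"] != "N":
        v.post.add(Property("impact", "dos"))
    else:
        v.post.add(Property("impact", "partial"))
    return v


def conflicts(a: Vulnerability, b: Vulnerability) -> list:
    """Slide 15 check: properties both readers set but with different values."""
    out = []
    for side in ("pre", "post"):
        ma = {p.name: p.value for p in getattr(a, side)}
        mb = {p.name: p.value for p in getattr(b, side)}
        for name in sorted(ma.keys() & mb.keys()):
            if ma[name] != mb[name]:
                out.append((side, name, ma[name], mb[name]))
    return out


def correctness(records) -> float:
    """Share of records whose textual extraction agrees with the CVSS counterpart."""
    agree = sum(1 for r in records if not conflicts(read_text(r), read_cvss(r)))
    return agree / len(records)


def unify(rec: dict) -> Vulnerability:
    """Merge readers: CVSS is authoritative for access/impact, text adds the rest (e.g. OS)."""
    t, c = read_text(rec), read_cvss(rec)
    fixed = {p.name for p in c.pre | c.post}
    v = Vulnerability(rec["id"], set(c.pre), set(c.post))
    v.pre |= {p for p in t.pre if p.name not in fixed}
    v.post |= {p for p in t.post if p.name not in fixed}
    return v


def write_mulval(v: Vulnerability, host: str, program: str) -> str:
    """Writer plugin: Datalog facts in the shape of MulVAL's vulExists/vulProperty."""
    props = {p.name: p.value for p in v.pre | v.post}
    rng = "remoteExploit" if props.get("access") == "remote" else "localExploit"
    consequence = {"full": "privEscalation", "dos": "dos"}.get(props.get("impact"), "unknown")
    return (f"vulExists({host}, '{v.vul_id}', {program}).\n"
            f"vulProperty('{v.vul_id}', {rng}, {consequence}).")


if __name__ == "__main__":
    print(f"text/CVSS agreement: {correctness(SAMPLE_RECORDS):.0%}")
    for rec in SAMPLE_RECORDS:
        print(conflicts(read_text(rec), read_cvss(rec)) or "consistent", rec["id"])
    print(write_mulval(unify(SAMPLE_RECORDS[0]), "webServer", "httpd"))
```

The check deliberately compares only properties both readers can produce; a phrase the text reader has no pattern for is a miss, not a conflict, which is why the 70-90% figure on slide 17 measures agreement on the extracted part rather than recall.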


Slide 17: Summary and Conclusions
- Main contributions
  - Comparison of vulnerability databases
  - Data model to unify vulnerabilities
  - Automatic extraction of vulnerability information
  - Transformation to different attack graph tools, e.g., MulVAL (Ou et al.)
- Conclusions
  - Vulnerability information is often inconsistent, e.g., CVSS compared to the textual description
  - Extraction from textual descriptions is applicable (70%-90% correctness)

Slide 18: Open Issues
- Improve the extraction process
- Additional plugins to enrich functionality
  - Readers for new VDBs, e.g., ...
  - Writers for different attack graph tools
- Universal vulnerability database providing unified vulnerability information (extracted from multiple databases) at runtime
- Utilization of the data model to describe system and network information
- Attack graph toolkit covering a wide range of vulnerability information

Slide 19: Any Questions?