Title: Structured Intrusion Scenario Analysis
Slide 1: Structured Intrusion Scenario Analysis
- Course 95-750
- Security Architecture and Analysis
- Andrew Moore
- CERT Coordination Center
- Software Engineering Institute
- Carnegie Mellon University
- (412)268-5465
- apm_at_cert.org
- 5 December 2000
Slide 2: SNA Process
- STEP 1: SYSTEM DEFINITION
  - Mission, requirements, environment, and risks definition
  - Architecture definition and elicitation
- STEP 2: ESSENTIAL CAPABILITY DEFINITION
  - Essential service/asset selection/scenarios
  - Essential component identification
- STEP 3: COMPROMISABLE CAPABILITY DEFINITION
  - Intrusion selection/scenarios
  - Compromisable component identification
- STEP 4: SURVIVABILITY ANALYSIS
  - Softspot component (essential and compromisable) identification
  - Resistance, recognition, and recovery analysis
  - Survivability Map development
Slide 3: Broad Goals of Research
Identify, document, and demonstrate techniques that lessen SNA's dependence on experience and security expertise:
- Develop systematic methods
- Manage complexity
- Integrate risk analysis techniques
- Facilitate populating survivability map
- Determine utility of automation
- Improve repeatability of results
Slide 4: Overview of Talk
Focus on improving intrusion scenario analysis:
- Attack Trees Introduction
- Enterprise-Level Example
- Reusing Patterns of Attack
- Attack Tree Refinement
- Conclusions
Slide 5: Attack Tree Introduction
Slide 6: Attack Trees
- Provide a formal, methodical way of describing the security of systems, based on varying attacks
- Decompose the attacker's goal into sub-goals
- AND decomposition describes a time-ordered sequence of sub-goals that must all be achieved (shown graphically, and textually as: Goal G0 / AND G1 / G2)
- OR decomposition describes alternative sub-goals, any one of which achieves the goal (shown graphically, and textually as: Goal G0 / OR G1 / G2)
- Organizes intrusion scenarios: each scenario is a set of leaf sub-goals that together achieve G0
[Figure: two example attack trees rooted at G0 over sub-goals G1 to G9, each with the intrusion scenarios it organizes, e.g. {G4, G5}, {G2}, {G6}, {G8, G9} for the first tree and {G3, G5, G6}, {G4, G5, G6} for the second]
Slide 7: Opening a Safe
Key: nodes are OR or AND decompositions; P = possible, I = impossible (leaf labels, propagated upward)
Open Safe (P)  OR
  1. Pick Lock (I)
  2. Learn Combo (P)  OR
     1. Find Written Combo (I)
     2. Get Combo From Target (P)  OR
        1. Threaten (I)
        2. Blackmail (I)
        3. Eavesdrop (I)  AND
           1. Listen to Conversation (P)
           2. Get Target to State Combo (I)
        4. Bribe (P)
  3. Cut Open Safe (P)
  4. Install Improperly (I)
Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
Slide 8: Special Equipment Required?
SE = Special Equipment, NSE = No Special Equipment. Leaves carry the labels; an OR node is NSE if any alternative is NSE, and an AND node is SE if any step is SE.
Open Safe (NSE)  OR
  1. Pick Lock (SE)
  2. Learn Combo (NSE)  OR
     1. Find Written Combo (NSE)
     2. Get Combo From Target (NSE)  OR
        1. Threaten (NSE)
        2. Blackmail (NSE)
        3. Eavesdrop (SE)  AND
           1. Listen to Conversation (SE)
           2. Get Target to State Combo (NSE)
        4. Bribe (NSE)
  3. Cut Open Safe (SE)
  4. Install Improperly (NSE)
Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
Slide 9: Cost of Attack?
Cost in thousands of dollars at each leaf; an OR node takes the minimum over its alternatives and an AND node the sum over its steps, so the cheapest attack on the safe costs 10K (Cut Open Safe).
Open Safe (10K)  OR
  1. Pick Lock (30K)
  2. Learn Combo (20K)  OR
     1. Find Written Combo (75K)
     2. Get Combo From Target (20K)  OR
        1. Threaten (60K)
        2. Blackmail (100K)
        3. Eavesdrop (60K)  AND
           1. Listen to Conversation (20K)
           2. Get Target to State Combo (40K)
        4. Bribe (20K)
  3. Cut Open Safe (10K)
  4. Install Improperly (100K)
Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
Slide 10: Enterprise-Level Example
Slide 11: ACME, Inc. Enterprise Structure
[Figure: ACME HQ inside a fenced perimeter with a guard at the front gate, parking, and a dumpster. Inside, a backbone network connects network services and the ACME Web Server. External connections: Internet users through the ACME Firewall, and remote dial-up users.]
Slide 12: High-Level Attack Tree for ACME, Inc.
Attacker Goal: Steal ACME proprietary secrets  OR
  1. Physically scavenge discarded items from ACME  OR
     1. Inspect dumpster's content on-site
     2. Inspect refuse after removal from site
  2. Monitor emanations (e.g., electromagnetic, visual) from ACME machines  AND
     1. Survey physical perimeter to determine optimal monitoring position
     2. Acquire necessary monitoring equipment
     3. Set up monitoring site
     4. Monitor emanations from site
  3. Recruit help of trusted ACME insider  OR
     1. Plant spy as trusted insider
     2. Use existing trusted insider
  4. Physically access ACME networks or machines  OR
     1. Get physical, on-site access to Intranet
     2. Get physical access to external machines
  5. Attack ACME Intranet using its connections with Internet  OR
     1. Monitor communications over Internet for leakage
     2. Get trusted process to send sensitive information to attacker over Internet
     3. Gain privileged access to ACME Web Server
  6. Attack ACME Intranet using its connections with PTN (public telephone network, i.e. the dial-up users)  OR
     1. Monitor communications over PTN for leakage of sensitive information
     2. Gain privileged access to machines on Intranet connected via PTN
Slide 13: Web Server Attack Refinement
Goal 5.3: Gain privileged access to ACME Web Server  AND
  1. Identify ACME domain name
  2. Identify ACME firewall IP address  OR
     1. Interrogate Domain Name Server
     2. Scan for firewall identification
     3. Trace route through firewall to web server
  3. Determine ACME firewall access control  OR
     1. Search for specific default listening ports
     2. Scan ports broadly for any listening port
  4. Identify ACME web server operating system and type  OR
     1. Scan OS services' banners for OS identification
     2. Probe TCP/IP stack for OS-characteristic information
  5. Exploit ACME Web Server vulnerabilities  OR
     1. Access sensitive shared intranet resources directly
     2. Access sensitive data from protected account on Web Server
Slide 14: Populating the Survivability Map
- Ask resist, recognize, and recover questions at attack tree nodes
  - Resist: a measure that blocks a branch eliminates every scenario that traverses it
  - Recognize: detecting the actions at a node helps recognize the intrusion
  - Recover: once the intrusion is detected, the steps needed to continue the mission
- Prioritize branches (Threat × Vulnerability × Impact)
(The high-level ACME attack tree of slide 12 is shown alongside these bullets.)
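The attack tree mechanics of slides 6 through 9 and the resist question on this slide, worked in code. This is an added example, not code from the slides or from the SEI: the Node layout and the function names are its own, and the leaf labels are Schneier's safe-cracking values as cited on slides 7 to 9. It enumerates the intrusion scenarios a tree organizes (AND as an ordered sequence, OR as alternatives), propagates possible/impossible, special-equipment and cost labels upward, and shows how resisting one leaf removes every scenario through it.

```python
"""Attack tree toolkit: AND/OR decomposition of an attacker goal, enumeration
of the intrusion scenarios a tree organizes (slide 6), upward propagation of
leaf attributes (slides 7-9), and pruning of the scenarios a resistance
measure blocks (slide 14).

Added example, not code from the slides. Leaf attribute values are Schneier's
safe-cracking labels as cited on slides 7-9; the Node layout and the function
names are this example's own."""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    op: Optional[str] = None          # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    possible: bool = True             # P (possible) / I (impossible), leaves only
    equipment: bool = False           # SE (special equipment) / NSE, leaves only
    cost: int = 0                     # thousands of dollars, leaves only


def leaf(name: str, possible: bool, equipment: bool, cost: int) -> Node:
    return Node(name, None, [], possible, equipment, cost)


def scenarios(n: Node, blocked=frozenset()) -> List[Tuple[str, ...]]:
    """Intrusion scenarios achieving n, as ordered tuples of leaf sub-goals.
    AND: one scenario from each child, concatenated in step order; OR: any
    child's scenario. A blocked (resisted) leaf yields no scenario, which
    eliminates every scenario that traverses it."""
    if n.op is None:
        return [] if n.name in blocked else [(n.name,)]
    parts = [scenarios(c, blocked) for c in n.children]
    if n.op == "OR":
        return [s for p in parts for s in p]
    return [sum(combo, ()) for combo in product(*parts)]


def possible(n: Node) -> bool:
    """OR: possible if any alternative is; AND: only if every step is."""
    if n.op is None:
        return n.possible
    return (any if n.op == "OR" else all)(possible(c) for c in n.children)


def needs_equipment(n: Node) -> bool:
    """OR: NSE if any alternative is NSE; AND: SE if any step is SE."""
    if n.op is None:
        return n.equipment
    return (all if n.op == "OR" else any)(needs_equipment(c) for c in n.children)


def cheapest(n: Node) -> int:
    """Cost label of a node: min over OR alternatives, sum over AND steps."""
    if n.op is None:
        return n.cost
    costs = [cheapest(c) for c in n.children]
    return min(costs) if n.op == "OR" else sum(costs)


def index(n: Node) -> Dict[str, Node]:
    """Name -> node for every node in the tree (names are unique here)."""
    out = {n.name: n}
    for c in n.children:
        out.update(index(c))
    return out


def cheapest_feasible(n: Node, blocked=frozenset()) -> Optional[Tuple[int, Tuple[str, ...]]]:
    """Cheapest scenario whose every step is possible and not resisted, or None."""
    nodes = index(n)
    feasible = [(sum(nodes[s].cost for s in sc), sc)
                for sc in scenarios(n, blocked)
                if all(nodes[s].possible for s in sc)]
    return min(feasible) if feasible else None


# Schneier's "Open Safe" tree with the P/I, SE/NSE and cost labels of slides 7-9.
SAFE = Node("Open Safe", "OR", [
    leaf("Pick Lock", False, True, 30),
    Node("Learn Combo", "OR", [
        leaf("Find Written Combo", False, False, 75),
        Node("Get Combo From Target", "OR", [
            leaf("Threaten", False, False, 60),
            leaf("Blackmail", False, False, 100),
            Node("Eavesdrop", "AND", [
                leaf("Listen to Conversation", True, True, 20),
                leaf("Get Target to State Combo", False, False, 40),
            ]),
            leaf("Bribe", True, False, 20),
        ]),
    ]),
    leaf("Cut Open Safe", True, True, 10),
    leaf("Install Improperly", False, False, 100),
])

if __name__ == "__main__":
    for sc in scenarios(SAFE):
        print(" -> ".join(sc))
    print("possible:", possible(SAFE), "special equipment:", needs_equipment(SAFE),
          "root cost label:", cheapest(SAFE), "cheapest feasible:", cheapest_feasible(SAFE))
    # Resist: blocking the cut-open branch removes that scenario entirely
    print("after resisting Cut Open Safe:", cheapest_feasible(SAFE, {"Cut Open Safe"}))
```

Running it lists the eight scenarios of the safe tree (Eavesdrop contributes one two-step sequence), reproduces the root labels of slides 7 to 9 (possible, no special equipment, 10K), and shows the survivability-map effect of a resist measure: once Cut Open Safe is blocked, the cheapest feasible attack becomes Bribe at 20K.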
Slide 15: Reusing Patterns of Attack
Slide 16: Reuse via Attack Patterns
- Attack pattern: an abstract description of a specific attack, containing
  - attacker goal
  - precondition for use
  - attack tree segment
  - postcondition
- Attack profile: a collection of related attack patterns, containing
  - common reference model
  - variation points that permit instantiation/extension
  - set of attack patterns
  - glossary
Slide 17: Buffer Overflow Attack
Buffer Overflow Attack Pattern
Goal: Exploit buffer overflow vulnerability to perform malicious function
Precondition: Attacker can execute certain programs on the target system
Attack:  AND
  1. Identify program on the target system susceptible to buffer overflow vulnerability
  2. Identify code that will perform malicious function when it executes with the program's privilege
  3. Construct input value that will force code to be in the program's address space
  4. Execute program in way that makes it jump to address where code resides
Postcondition: The target system performs malicious function
[Figure: the execution stack before and after the attack. On program invocation, the activation record holds the return pointer (into the program code), the local variables and the buffer; the stack grows in one direction and the buffer fills in the other. Overflowing the buffer with malicious input overwrites the values beyond it, including the return pointer, so the modified pointer now targets the malicious code that the input placed in the buffer.]
Slide 18: Internet-Based Enclave Attack Profile
Reference Model: [Figure: The Org enclave, with a User and a System on the Intranet behind a Firewall; the Attacker is outside the enclave]
Attack Patterns:
Buffer Overflow Attack Pattern
Goal: Exploit buffer overflow vulnerability to perform malicious function
Precondition: Attacker can execute certain programs on System
Attack:  AND
  1. Identify program on System susceptible to buffer overflow vulnerability
  2. Identify code that will perform malicious function when it executes with the program's privilege
  3. Construct input value that will force code to be in the program's address space
  4. Execute program in way that makes it jump to address where code resides
Postcondition: System performs malicious function
Glossary:
- buffer overflow vulnerability: a flaw in a program that, when executed with excessively long input values, causes the input to overflow into another portion of the execution stack. ...
Slide 19: Attack Tree Refinement
Slide 20: Attack Tree Refinement Process
[Flowchart, rendered as steps]
Inputs: the enterprise (mission, threats, architecture) and its attack tree.
1. Consider attack profiles whose reference model represents the enterprise architecture.
2. Search Attack Pattern Library.
3. Applicable? Is there a node of the tree that is an instance of the pattern's goal?
   - no: Keep Searching? If yes, return to step 2; if no, Extend attack tree manually.
   - yes: Instantiate and Apply Pattern: instantiate the pattern based on the enterprise architecture and the goal node, and incorporate the pattern tree at that node.
4. Acceptable? Is the attack tree more representative of likely attacks?
   - no: Undo Pattern Application and return to step 2.
5. Done? Is the attack tree refined sufficiently to construct the survivability map?
   - no: return to step 2.
   - yes: Use attack tree to construct survivability map.
Slide 21: Aligning Attack Profile to Architecture
- Requires instantiating variation points
  - ACME for Org, ACME Firewall for Firewall, ...
- Instantiated attack patterns can then be used to refine the enterprise-specific attack tree
[Figure: the profile's reference model (The Org enclave: Attacker, User, Intranet, Firewall, System) overlaid on the ACME enterprise structure of slide 11 (fenced perimeter, guard, front gate, parking, dumpster, ACME HQ, backbone, network services, remote dial-up users, Internet users, ACME Firewall, ACME Web Server)]
Slide 22: Instantiation and Application
Buffer Overflow Attack Pattern (instantiated for ACME)
Goal: Exploit buffer overflow vulnerability to access privileged account
Precondition: Attacker can execute certain programs on ACME Web Server
Attack:  AND
  1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
  2. Identify code that would provide access to privileged account when executed with the program's privilege
  3. Construct input value that will force code to be in the program's address space
  4. Execute program in way that makes it jump to address at which code resides
Postcondition: Attacker can access privileged account

Application at leaf 5.3.5.2.1 of the enterprise attack tree:
5.3.5.2 Access sensitive data from privileged account on ACME Web Server  AND
  1. Get access to privileged account on ACME Web Server  AND
     1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
     2. Identify code that would provide access to privileged account when executed with the program's privilege
     3. Construct input value that will force code to be in the program's address space
     4. Execute program in way that makes it jump to address where code resides
  2. Scan files for sensitive data
Slide 23: Applying Attack Patterns
[Figure: three cases of incorporating an instantiated attack pattern (pattern goal GR, instantiation iGR with leaves iGS ... iGSm) into an enterprise attack tree rooted at GJ with sub-goals GK ... GKn. Instantiation (i) binds the pattern's variation points; differentiation (d) splits an existing node.]
- Leaf Node Application: iGR achieves leaf GKi, so the instantiated pattern's decomposition becomes the decomposition of GKi (iGS ... iGSm now sit under GKi).
- Non-Leaf Node Application to OR Decomposition: iGR achieves GJ, so iGR is added as one more alternative alongside GK ... GKn.
- Non-Leaf Node Application to AND Decomposition: iGR achieves GJ, but GJ's existing AND sequence GK ... GKn is a different way of achieving it, so that sequence is differentiated into dGJ and GJ becomes an OR of dGJ and iGR.
Slide 24: Unexpected Operator Attack Pattern
Expected call: p("data.txt")
  program p(fname: string)
    cmd := append("Open ", fname)
    execute(cmd)
    ...
Malicious call: p("data.txt; rm -rf ")
The ';' separator is the unexpected operator: execute() hands the composed string to a command interpreter, which runs the attacker's second command after the intended one, with the program's privilege.

Unexpected Operator Attack Pattern
Goal: Exploit unexpected operator vulnerability to perform malicious function
Precondition: Attacker can execute certain programs on System
Attack:  AND
  1. Identify program on System susceptible to unexpected operator vulnerability
  2. Identify (unexpected) operator that permits composing system calls
  3. Identify system call that would perform malicious function when executed with the program's privilege
  4. Construct unexpected input by composing legal input value with system call using the unexpected operator
  5. Execute program on System with unexpected input
Postcondition: System performs malicious function
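The pattern above in runnable form, as an added example that is not code from the slides: a program that composes a command string from its input and hands it to a shell, beside the same program written without a shell. It assumes `echo` as a stand-in for the slide's "Open" program (so the composed second command is harmless and visible in the output), a constructed malicious input, and an allow-list regex of this example's own choosing.

```python
"""The unexpected operator attack pattern (slide 24) in runnable form.
Added example, not code from the slides. `echo` stands in for the slide's
"Open" program; the malicious input below is constructed; the allow-list
regex is this example's own choice."""
import re
import shlex
import subprocess

PROGRAM = "echo"                                # stand-in for "Open" on the slide
EXPECTED_INPUT = "data.txt"
MALICIOUS_INPUT = "data.txt; echo INJECTED"     # constructed; ';' is the unexpected operator


def vulnerable_p(fname: str) -> str:
    """The slide's p(): cmd := append("Open ", fname); execute(cmd).
    execute() is a shell here, so a ';' in fname composes a second command."""
    cmd = PROGRAM + " " + fname
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_p(fname: str) -> str:
    """Same function without a shell: an argv list makes fname one argument,
    so no operator inside it is ever interpreted."""
    return subprocess.run([PROGRAM, fname], capture_output=True, text=True).stdout


def operators_in(cmd: str):
    """Tokenize cmd the way a POSIX shell would (punctuation_chars makes shlex
    emit ';', '|', '&' and their doubled forms as separate tokens) and return
    the command-composing operators present."""
    toks = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    return [t for t in toks if t in (";", "|", "||", "&", "&&")]


def is_legal_input(fname: str) -> bool:
    """Allow-list check to apply before calling either p(): plain file names
    only, no shell metacharacters and no leading '-' (would read as an option)."""
    return re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9._-]*", fname) is not None


if __name__ == "__main__":
    print("expected call :", repr(vulnerable_p(EXPECTED_INPUT)))
    print("malicious call:", repr(vulnerable_p(MALICIOUS_INPUT)))   # two commands ran
    print("hardened      :", repr(hardened_p(MALICIOUS_INPUT)))     # one literal argument
    print("operators     :", operators_in(PROGRAM + " " + MALICIOUS_INPUT))
    print("legal input?  :", is_legal_input(EXPECTED_INPUT), is_legal_input(MALICIOUS_INPUT))
```

The vulnerable version returns two lines for the malicious call because the shell executed both commands; the hardened version returns the whole input as one echoed argument. Removing the shell is the fix for the operator itself; the allow-list is the additional check that also rejects inputs the program would otherwise misread for other reasons, such as a name beginning with '-'.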
Slide 25: Instantiating Unexpected Operator Attack Pattern
Unexpected Operator Attack Pattern (instantiated for ACME)
Goal: Exploit unexpected operator vulnerability to access privileged account
Precondition: Attacker can execute certain programs on ACME Web Server
Attack:  AND
  1. Identify program on ACME Web Server susceptible to unexpected operator vulnerability
  2. Identify (unexpected) operator that permits composing system calls
  3. Identify system call that would provide access to privileged account when executed with the program's privilege
  4. Construct unexpected input by composing legal input value with system call using the unexpected operator
  5. Execute program on ACME Web Server with unexpected input
Postcondition: Attacker can access privileged account
Slide 26: Application at a Non-Leaf Node
Before (point of application: node 5.3.5.2.1, an AND decomposition):
5.3.5.2 Access sensitive data from privileged account on ACME Web Server  AND
  1. Get access to privileged account on ACME Web Server  AND
     1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
     2. Identify code that would provide access to privileged account when executed with the program's privilege
     3. Construct input value that will force code to be in the program's address space
     4. Execute program in way that makes it jump to address where code resides
  2. Scan files for sensitive data

Apply Unexpected Operator Attack Pattern at 5.3.5.2.1 (the existing AND sequence is differentiated into one alternative, the new pattern becomes the other):
5.3.5.2 Access sensitive data from privileged account on ACME Web Server  AND
  1. Get access to privileged account on ACME Web Server  OR
     1. Exploit buffer overflow vulnerability to get access to privileged account  AND
        1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
        2. Identify code that would provide access to privileged account when executed with the program's privilege
        3. Construct input value that will force code to be in the program's address space
        4. Execute program in way that makes it jump to address where code resides
     2. Exploit unexpected operator vulnerability to get access to privileged account  AND
        1. Identify program on ACME Web Server susceptible to unexpected operator vulnerability
        2. Identify (unexpected) operator that permits composing system calls
        3. Identify system call that would provide access to privileged account when executed with the program's privilege
        4. Construct unexpected input by composing legal input value with system call using the unexpected operator
        5. Execute program on ACME Web Server with unexpected input
  2. Scan files for sensitive data
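The instantiation and application steps of slides 16 through 23 and 26, as an added example that is not code from the slides or from the SEI. It assumes a dict layout for tree nodes, a {Name} placeholder syntax for variation points, a {Function} variation point standing for the malicious function that the slides bind by hand, and a set of enterprise facts against which a pattern's precondition is checked before it is applied; all four are this example's own conventions. It reproduces slide 22 (leaf application) and then slide 26 (application at an AND node, with differentiation).

```python
"""Attack patterns as reusable templates: bind variation points from the
reference model (slide 21), then incorporate the bound pattern at a leaf
(slide 22) or at a non-leaf node, differentiating an existing AND sequence
into a sibling alternative (slides 23, 26). Added example; not slide code."""
from copy import deepcopy

def node(goal, op=None, children=()):
    """Leaf (op None) or AND/OR decomposition of an attacker (sub-)goal."""
    return {"goal": goal, "op": op, "children": list(children)}

def pattern(name, goal, precondition, op, steps, postcondition):
    """Attack pattern: goal, precondition, attack tree segment, postcondition."""
    return {"name": name, "goal": goal, "precondition": precondition,
            "attack": node(goal, op, [node(s) for s in steps]),
            "postcondition": postcondition}

# {System} follows the profile's reference model; {Function} is this example's
# own variation point for the malicious function the slides bind by hand.
BUFFER_OVERFLOW = pattern(
    "Buffer Overflow", "Exploit buffer overflow vulnerability to {Function}",
    "Attacker can execute certain programs on {System}", "AND", [
        "Identify program on {System} susceptible to buffer overflow vulnerability",
        "Identify code that would {Function} when executed with the program's privilege",
        "Construct input value that will force code to be in the program's address space",
        "Execute program in way that makes it jump to address where code resides"],
    "Attacker can {Function}")

UNEXPECTED_OPERATOR = pattern(
    "Unexpected Operator", "Exploit unexpected operator vulnerability to {Function}",
    "Attacker can execute certain programs on {System}", "AND", [
        "Identify program on {System} susceptible to unexpected operator vulnerability",
        "Identify (unexpected) operator that permits composing system calls",
        "Identify system call that would {Function} when executed with the program's privilege",
        "Construct unexpected input by composing legal input value with system call "
        "using the unexpected operator",
        "Execute program on {System} with unexpected input"],
    "Attacker can {Function}")

def instantiate(pat, bindings):
    """Bind every {Name} variation point in every string of the pattern."""
    def bind(x):
        if isinstance(x, dict):
            return {k: bind(v) for k, v in x.items()}
        if isinstance(x, list):
            return [bind(v) for v in x]
        if isinstance(x, str):
            for name, value in bindings.items():
                x = x.replace("{" + name + "}", value)
        return x
    return bind(pat)

def find(tree, goal):
    """First node (depth-first) whose goal text equals goal, else None."""
    if tree["goal"] == goal:
        return tree
    for child in tree["children"]:
        hit = find(child, goal)
        if hit is not None:
            return hit
    return None

def apply_pattern(tree, goal, inst, facts):
    """Incorporate instantiated pattern `inst` at the node achieving `goal`.
    Not applicable unless its precondition holds among the enterprise facts.
    Leaf: the pattern's decomposition becomes the leaf's. OR node: one more
    alternative. AND node: the existing sequence is differentiated into a sibling."""
    if inst["precondition"] not in facts:
        raise ValueError("precondition not met: " + inst["precondition"])
    target = find(tree, goal)
    if target is None:
        raise KeyError(goal)
    seg = deepcopy(inst["attack"])
    if target["op"] is None:
        target["op"], target["children"] = seg["op"], seg["children"]
        target["via"] = seg["goal"]        # which pattern refined this leaf
    elif target["op"] == "OR":
        target["children"].append(seg)
    else:
        existing = node(target.pop("via", target["goal"]), "AND", target["children"])
        target["op"], target["children"] = "OR", [existing, seg]
    return target

def render(tree, depth=0, prefix=""):
    """Indented text in the slides' style: goal, operator, numbered sub-goals."""
    lines = ["  " * depth + prefix + tree["goal"] + (f"  {tree['op']}" if tree["op"] else "")]
    for i, child in enumerate(tree["children"], 1):
        lines += render(child, depth + 1, f"{i}. ")
    return lines

ACME = {"System": "ACME Web Server", "Function": "access privileged account"}
ACME_FACTS = {"Attacker can execute certain programs on ACME Web Server"}  # assumed
TARGET = "Get access to privileged account on ACME Web Server"

def refine_5_3_5_2():
    """Slide 22 (leaf application), then slide 26 (AND-node application)."""
    tree = node("5.3.5.2 Access sensitive data from privileged account on ACME Web Server",
                "AND", [node(TARGET), node("Scan files for sensitive data")])
    apply_pattern(tree, TARGET, instantiate(BUFFER_OVERFLOW, ACME), ACME_FACTS)
    apply_pattern(tree, TARGET, instantiate(UNEXPECTED_OPERATOR, ACME), ACME_FACTS)
    return tree

if __name__ == "__main__":
    print("\n".join(render(refine_5_3_5_2())))
```

The precondition check is the "Applicable?" decision of slide 20 made explicit: a pattern whose precondition is not among the facts recorded for the enterprise is rejected rather than silently grafted on. The "via" marker is what lets the AND-node case name the differentiated branch after the pattern that produced it, which is how slide 26 labels its first alternative.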
Slide 27: Auxiliary Attack Patterns
Access Control Discovery Attack Pattern
Goal: Identify Firewall access controls
Precondition: 1. Attacker knows Firewall IP address
Attack:  OR
  1. Search for specific default listening ports
  2. Scan ports broadly for any listening ports
  3. Scan ports stealthily for listening ports  OR
     1. Randomize target of scan
     2. Randomize source of scan
     3. Scan without touching target host
Postcondition: Attacker knows Firewall access controls

IP Address Discovery Attack Pattern
Goal: Identify Org's Firewall IP address
Precondition: 1. Attacker knows Org's domain name
Attack:  OR
  1. Interrogate Domain Name Server
  2. Trace route through Firewall to Org's web server
  3. Scan for Firewall IP address
Postcondition: Attacker knows Firewall IP address
Slide 28: Conclusions
Slide 29: What We Can Do
- Generate enterprise-specific attack trees
- Organize SNA intrusion scenarios
- Help populate enterprise survivability map
- Reuse previously developed attack patterns
- Classify attack patterns to promote
discovery/instantiation
Slide 30: Future Work
- Validate practicality/scalability of approach
- Develop/refine broad range of attack profiles
- Assess a particular attacker's ability to traverse the attack tree
- Prioritize branches based on enterprise mission/vulnerability
- Formalize model of attack tree refinement/analysis
- Determine role of automation
- Measure of Success: Will we use this approach in our next full-scale SNA application?