SLIDE 1

+How to generate security cameras: Towards defence generation for socio-technical systems

Olga Gadyatskaya (SnT, University of Luxembourg)

olga.gadyatskaya@uni.lu

ADT2P

SLIDE 2

+Agenda

n Socio-technical models and attack generation n Challenges for countermeasure generation n Attack-defence model generated from socio-technical model n How to select more countermeasures n Challenges ahead

12/07/15 GraMSec 2015

SLIDE 3

+Socio-technical system models

n A model that combines a snapshot of infrastructure with

models of agents acting in this infrastructure

SLIDE 4

+Example

An instance of a system model designed in the TREsPASS notation

SLIDE 5

+Security controls in the model


Money $$$ can be accessed from the ATM A1 with card and PIN.

SLIDE 6

+Automated attack generation

n A socio-technical model à an attack model [Ivanova et al.

2015]

n automatically n complete wrt the socio-technical model n reachability-based


An example of a generated attack tree [Ivanova et al. 2015]

SLIDE 7

+Automated generation of countermeasures: challenges

n <easy> Which format for countermeasure representation?

n Attack-countermeasure trees, attack-defence trees, defence trees,

etc.

n <hard> Generated countermeasures are limited by the socio-

technical model itself

n If the model represents only access control policies – only those

can be generated automatically

SLIDE 8

+Problem

n Automated countermeasure generation

n How to generate defences automatically {in an optimal way} n How to introduce more countermeasures n How to trace the generated countermeasures back to the ST

model and maintain the traceability through model evolution

n Solution

n Maintain an attack-defence model together with the socio-technical

system model

SLIDE 9

+Attack-defence model

n The desired attack-defence model should:

n incorporate existing countermeasures (access control policies) n allow to add new defences and consistently maintain traceability

with the socio-technical model

n allow to perform computations and select optimal defence

scenarios

n Attack-defence trees [Kordy et al. 2014] is a suitable notation

to maintain the attacker and the defender views simultaneously

SLIDE 10

+Simplified attack-defence model

n Given a socio-technical model <N,E>

n N is a set of items in the model n Ni – infrastructure locations n Na – actor locations n No – object locations n E is a set of directed edges among the items

n P is a set of access control policies defined in the model

n dn is a local policy that guards access to item n n each element in dn is <Cred, atLocation, EM> where n Cred is a set of credentials required n atLocation is the location where policy is applied n EM is an enforcement mechanism in the model

SLIDE 11

+Bundles

n For each element n of the model we generate an attack-

defence bundle access_n

n A bundle succinctly represents an attack where an attacker gets

access to n

n Any attacker n It comprises the attack vectors available in the model and the

defences offered by the enforcement mechanisms for local policies

SLIDE 12

+Structure of attack-defence bundles I

n Root node: access_n n n can be accessed from any adjacent location in the model

n access_n is OR-decomposed into a collection of nodes

access_from_ni

[Figure: bundle with nodes access_$$$, access_from_ATM, access_from_account]

SLIDE 13

+Structure of attack-defence bundles II

n To attack from some adjacent location the attacker needs to

get to that location and circumvent the access control policies checks there

n Bundles access_from_ni are decomposed into attack node

access_i and defence node EM_ni

[Figure: bundle with nodes access_$$$, access_from_ATM, access_from_account, access_ATM, EM_$$$ATM]

SLIDE 14

+Defence nodes decomposition

n Enforcement mechanism can comprise several valid policy

configurations

n defence node EM_ni is AND-decomposed into nodes pol_config_pk

each local policy configuration that guards access to n from i

[Figure: defence node EM_$$$ATM with node pol_config_cardANDpin]

SLIDE 15

+Attacking enforcement mechanisms I

n To overcome the defensive mechanism in place, the attacker

needs to circumvent any of individual policy configurations

[Figure: nodes EM_$$$ATM, pol_config_cardANDpin, attack_pol_cardANDpin]

SLIDE 16

+Attacking enforcement mechanisms II

n The attacker can circumvent the enforcement mechanism by

satisfying the policy (collecting all credentials) or by breaking the enforcement mechanism

n Node attack_pol_pm is OR-decomposed into attack nodes

sat_pol_pm and break_em_ni

[Figure: nodes attack_pol_cardANDpin, sat_pol_cardANDpin, break_EM_$$$ATM]

SLIDE 17

+Satisfying policies

n Policy can be satisfied if all credentials needed are collected:

n Attack node sat_pol_pm is AND-decomposed into attack nodes

access_credr

[Figure: nodes attack_pol_cardANDpin, sat_pol_cardANDpin, break_EM_$$$ATM, access_card, access_PIN]

SLIDE 18

+Attack-defence tree synthesis from bundles I

n Attack node access_n is a basic building block

n Bundles can be put together to form attack-defence trees n Issue: loops

13/07/15 GraMSec 2015

[Figure: tree with nodes access_$$$, access_city, access_card, access_ATM, access_account, access_PIN, access_Margrete, access_house; access_Margrete and access_house each appear twice]

SLIDE 19

+Attack-defence tree synthesis from bundles II

n Solution:

compute what is accessible and evaluate attack-defence trees using bundle values in the the propositional semantics

n Bootstrapping:

n For every element n and actor p

Accessible (n, p) = Reachable (n,p) AND Granted (n,p)

SLIDE 20

+Attack-defence trees synthesis III

n For a chosen asset t and attacker a

n Set initial value of each bundle as Accessible (t, a) n Synthesize attack-defence trees from individual bundles n Expand each bundle only once n Recompute values

[Figure: tree with nodes access_$$$, access_city, access_card, access_ATM, access_account, access_PIN, access_Margrete, access_house; access_Margrete and access_city each appear twice]
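
The bundle structure from the earlier slides (access_n, access_from_i, EM_ni, pol_config, attack_pol, sat_pol, break_EM) combined with the expand-once synthesis above, as an added Python example that is not code from the talk or from TREsPASS; it goes one step further than the slides by also evaluating the resulting tree. The dict-based node layout, the helper names (mk, bundle, evaluate, attack_succeeds), the constructed model data (including the key item and the policy on house) and the choice to record bundle values in a `known` set and iterate until it is stable are assumptions of this example.

```python
# Added illustration: constructed model loosely following the slides' ATM example.
EDGES = {"$$$": ["ATM", "account"], "ATM": ["city"], "card": ["Margrete"],
         "PIN": ["Margrete"], "Margrete": ["house"], "house": ["city"],
         "city": ["house"]}              # item n -> adjacent locations i
POLICIES = {("$$$", "ATM"): {"cardANDpin": ("card", "PIN")},
            ("house", "city"): {"key": ("key",)}}   # (n, i) -> policy configurations

def mk(name, op="OR", children=(), counter=None, defence=False):
    return {"node": name, "op": op, "children": list(children),
            "counter": counter, "defence": defence}

def bundle(n, expanded):
    """Bundle access_n; an already expanded bundle becomes a reference leaf."""
    if n in expanded or n not in EDGES:
        return mk(f"access_{n}")
    expanded.add(n)
    branches = []
    for i in EDGES[n]:
        loc, configs = bundle(i, expanded), []
        for name, creds in POLICIES.get((n, i), {}).items():
            sat = mk(f"sat_pol_{name}", "AND", [bundle(c, expanded) for c in creds])
            attack = mk(f"attack_pol_{name}", "OR", [sat, mk(f"break_EM_{n}{i}")])
            configs.append(mk(f"pol_config_{name}", counter=attack, defence=True))
        em = mk(f"EM_{n}{i}", "AND", configs, defence=True) if configs else None
        branches.append(mk(f"access_from_{i}", "AND", [loc], counter=em))
    return mk(f"access_{n}", "OR", branches)

def evaluate(node, known):
    """Propositional value of a node; bundles found true are added to known."""
    val = node["node"] in known              # initial value or basic attacker action
    if node["children"]:
        vals = [evaluate(c, known) for c in node["children"]]
        val = val or (all(vals) if node["op"] == "AND" else any(vals))
    elif node["defence"]:
        val = True                           # a policy configuration is in place
    if node["counter"] is not None and evaluate(node["counter"], known):
        val = False                          # countered by the opposing player
    if val and node["node"][7:] in EDGES:    # only access_<item> bundle roots
        known.add(node["node"])
    return val

def attack_succeeds(target, initial):
    """Expand each bundle once, then recompute values until nothing changes."""
    root, known = bundle(target, set()), set(initial)
    while True:
        before = len(known)
        result = evaluate(root, known)
        if len(known) == before:
            return result
```

The city/house loop terminates because the second occurrence of access_city is emitted as a reference leaf whose value comes from `known` rather than from a further expansion.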

SLIDE 21

+What about other defences?

n Attack-defence bundles form the initial attack-defence

model generated from the socio-technical model

n After the bundles were generated, new controls can be

added into individual bundles

n Consistency is maintained because each single bundle

corresponds to access to a single model element

n Placement of new controls depends on their types:

n Preventive n Detective n Corrective

SLIDE 22

+New controls: where

[Figure: placement of new controls in a bundle; node labels: access_n, access_from_nl, access_l, D_preventive, EM_nl, Other preventive, access_from_nk, access_k, D_detective/corrective]

SLIDE 23

+How to select new controls

n Proposals for optimal countermeasure selection exist if

possible options are already known and evaluated by experts [Roy et al. 2012], [Aslanyan et al. 2015]

n BUT how to assist the experts in selecting new controls

consistently from a set of recommended best practices (e.g., NIST 800-53) ?

n Possible considerations:

n Application domain of controls (model element types) n Attributes to be evaluated

SLIDE 24

+Application domains of controls

SLIDE 25

+Attributes

SLIDE 26

+Challenges ahead

n Extending the attack-defence model by using an attack-defence library

n Knowledge how an attacker can break enforcement mechanisms n Knowledge from industry catalogues

n Socio-technical attacks

n Trust policies n More complex models with processes

n Validation

n <usefulness> how suitable is the attack-defence model proposed for maintaining defences

across system evolution?

n <scalability> is it possible to generate meaningful attack-defence trees for realistic socio-

technical models?

n Minimal representation and visualization

n Attack-defence trees generated will require some restructuring for minimizing the size and

excluding redundancies

n Assisted defence selection

n How to guide experts to select optimal countermeasures (to which extent the defences can

be generated)?

SLIDE 27

+Conclusions

n Defence generation from socio-technical models is limited

by the models themselves

n Attack-defence model consisting of individual attack-

defence bundles can help to select and maintain defences across the system lifecycle

n It is easier to generate attacks than defences

SLIDE 28

+ Thank you!!!
