simulated penetration testing from dijkstra to turing test
play

Simulated Penetration Testing: From Dijkstra to Turing Test++ J - PowerPoint PPT Presentation

Jan 24, 2023 •579 likes •2.44k views

What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June 26, 2015 J org Hoffmann Simulated Penetration Testing 1/58 What? Classical

  1. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Simulated Pentesting at Core Security Core IMPACT system architecture: transform Actions Exploits & Attack Modules transform Initial conditions Attack Workspace Pentesting Framework PDDL Description execution Plan Planner → In practice, the attack plans are being used to point out to the security team where to look. J¨ org Hoffmann Simulated Penetration Testing 10/49

  2. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Simulated Pentesting at Core Security “Point out to the security team where to look” J¨ org Hoffmann Simulated Penetration Testing 10/49

  3. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Simulated Pentesting at Core Security “Point out to the security team where to look” J¨ org Hoffmann Simulated Penetration Testing 10/49

  4. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Classical Planning Definition A STRIPS planning task is a tuple �P , A , s 0 , G � : P : set of facts (Boolean state variables). A : set of actions a , each a tuple � pre ( a ) , add ( a ) , del ( a ) , c ( a ) � of precondition, add list, delete list, and non-negative cost. s 0 : initial state; G : goal. J¨ org Hoffmann Simulated Penetration Testing 11/49

  5. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Classical Planning Definition A STRIPS planning task is a tuple �P , A , s 0 , G � : P : set of facts (Boolean state variables). A : set of actions a , each a tuple � pre ( a ) , add ( a ) , del ( a ) , c ( a ) � of precondition, add list, delete list, and non-negative cost. s 0 : initial state; G : goal. Definition A STRIPS planning task’s state space is a tuple �S , A , T, s 0 , S G � : S : set of all states; A : actions as above. T : state transitions ( s, a, s ′ ) s 0 : initial state as above; S G : goal states. → Objective: Find cheapest path from s 0 to (a state in) S G . J¨ org Hoffmann Simulated Penetration Testing 11/49

  6. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Core Security Attack Planning PDDL Actions: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) J¨ org Hoffmann Simulated Penetration Testing 12/49

  7. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Core Security Attack Planning PDDL Actions: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) J¨ org Hoffmann Simulated Penetration Testing 12/49

  8. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Core Security Attack Planning PDDL Actions: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) J¨ org Hoffmann Simulated Penetration Testing 12/49

  9. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Core Security Attack Planning PDDL Actions: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) J¨ org Hoffmann Simulated Penetration Testing 12/49

  10. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Core Security Attack Planning PDDL Actions: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) Action cost: Average execution time. Success statistic against hosts with the same/similar observable configuration parameters. J¨ org Hoffmann Simulated Penetration Testing 12/49

  11. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Core Security Attack Planning PDDL, ctd. Actions: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) Initial state: “connected” predicates: network graph. “has *” predicates: host configurations. One compromised host: models the internet. Goal: Compromise one or several goal hosts. J¨ org Hoffmann Simulated Penetration Testing 13/49

  12. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Remarks History: Planning domain “of this kind” (less IT-level, including also physical actions like talking to somebody) first proposed by [Boddy et al. (2005)]; used as benchmark in IPC’08 and IPC’11. J¨ org Hoffmann Simulated Penetration Testing 14/49

  13. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Remarks History: Planning domain “of this kind” (less IT-level, including also physical actions like talking to somebody) first proposed by [Boddy et al. (2005)]; used as benchmark in IPC’08 and IPC’11. Presented encoding proposed by [Lucangeli et al. (2010)]. Used commercially by Core Security in Core INSIGHT since 2010, running a variant of Metric-FF [Hoffmann (2003)]. J¨ org Hoffmann Simulated Penetration Testing 14/49

  14. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Remarks History: Planning domain “of this kind” (less IT-level, including also physical actions like talking to somebody) first proposed by [Boddy et al. (2005)]; used as benchmark in IPC’08 and IPC’11. Presented encoding proposed by [Lucangeli et al. (2010)]. Used commercially by Core Security in Core INSIGHT since 2010, running a variant of Metric-FF [Hoffmann (2003)]. Do Core Security’s customers like this? I am told they do. J¨ org Hoffmann Simulated Penetration Testing 14/49

  15. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Remarks History: Planning domain “of this kind” (less IT-level, including also physical actions like talking to somebody) first proposed by [Boddy et al. (2005)]; used as benchmark in IPC’08 and IPC’11. Presented encoding proposed by [Lucangeli et al. (2010)]. Used commercially by Core Security in Core INSIGHT since 2010, running a variant of Metric-FF [Hoffmann (2003)]. Do Core Security’s customers like this? I am told they do. In fact, they like it so much already that Core Security is very reluctant to invest money in making this better . . . J¨ org Hoffmann Simulated Penetration Testing 14/49

  16. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Remarks And now: . . . some remarks about the model. J¨ org Hoffmann Simulated Penetration Testing 14/49

  17. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iii) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) → Which of the predicates are static? J¨ org Hoffmann Simulated Penetration Testing 15/49

  18. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iii) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) → Which of the predicates are static? All except “compromised”. J¨ org Hoffmann Simulated Penetration Testing 15/49

  19. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iii) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) → Which of the predicates are static? All except “compromised”. J¨ org Hoffmann Simulated Penetration Testing 15/49

  20. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iv) (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) . . . :effect (and (compromised ?t) (increase (time) 10))) → Are you missing something? J¨ org Hoffmann Simulated Penetration Testing 16/49

  21. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iv) (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) . . . :effect (and (compromised ?t) (increase (time) 10))) → Are you missing something? There are no delete effects. J¨ org Hoffmann Simulated Penetration Testing 16/49

  22. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iv) (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) . . . :effect (and (compromised ?t) (increase (time) 10))) → Are you missing something? There are no delete effects. The attack is monotonic (growing set of attack assets). = delete-relaxed planning. J¨ org Hoffmann Simulated Penetration Testing 16/49

  23. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (iv) (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) . . . :effect (and (compromised ?t) (increase (time) 10))) → Are you missing something? There are no delete effects. The attack is monotonic (growing set of attack assets). = delete-relaxed planning. Metric-FF solves this once in every search state . . . Generating an attack is polynomial-time. Generating an optimal attack is NP -complete. J¨ org Hoffmann Simulated Penetration Testing 16/49

  24. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (v) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) → Which preconditions are not static? J¨ org Hoffmann Simulated Penetration Testing 17/49

  25. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (v) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) → Which preconditions are not static? Just 1: “(compromised ?s)”. J¨ org Hoffmann Simulated Penetration Testing 17/49

  26. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (v) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) → Which preconditions are not static? Just 1: “(compromised ?s)”. 1 positive precondition, 1 positive effect. J¨ org Hoffmann Simulated Penetration Testing 17/49

  27. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (v) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) → Which preconditions are not static? Just 1: “(compromised ?s)”. 1 positive precondition, 1 positive effect. Optimal attack planning for single goal host = Dijkstra. J¨ org Hoffmann Simulated Penetration Testing 17/49

  28. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumption (v) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) → Which preconditions are not static? Just 1: “(compromised ?s)”. 1 positive precondition, 1 positive effect. Optimal attack planning for single goal host = Dijkstra. Fixed # goal hosts polynomial-time [Bylander (1994)]. Scaling # goal hosts = Steiner tree [Keyder and Geffner (2009)]. J¨ org Hoffmann Simulated Penetration Testing 17/49

  29. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Concluding Remarks? Simulated Pentesting at Core Security ≈ Dijkstra in the graph over network hosts where weighted edges are defined as a function of configuration parameters and available exploits. J¨ org Hoffmann Simulated Penetration Testing 18/49

  30. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Concluding Remarks? Simulated Pentesting at Core Security ≈ Dijkstra in the graph over network hosts where weighted edges are defined as a function of configuration parameters and available exploits. Why they use planning & Metric-FF anyway: J¨ org Hoffmann Simulated Penetration Testing 18/49

  31. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Concluding Remarks? Simulated Pentesting at Core Security ≈ Dijkstra in the graph over network hosts where weighted edges are defined as a function of configuration parameters and available exploits. Why they use planning & Metric-FF anyway: Extensibility to more fine-grained models of exploits, socio-technical aspects, detrimental side effects. J¨ org Hoffmann Simulated Penetration Testing 18/49

  32. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Concluding Remarks? Simulated Pentesting at Core Security ≈ Dijkstra in the graph over network hosts where weighted edges are defined as a function of configuration parameters and available exploits. Why they use planning & Metric-FF anyway: Extensibility to more fine-grained models of exploits, socio-technical aspects, detrimental side effects. Bounded sub-optimal search to suggest several solutions not just a single “optimal” one. J¨ org Hoffmann Simulated Penetration Testing 18/49

  33. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Concluding Remarks? Simulated Pentesting at Core Security ≈ Dijkstra in the graph over network hosts where weighted edges are defined as a function of configuration parameters and available exploits. Why they use planning & Metric-FF anyway: Extensibility to more fine-grained models of exploits, socio-technical aspects, detrimental side effects. Bounded sub-optimal search to suggest several solutions not just a single “optimal” one. Quicker & cheaper than building a proprietary solver. J¨ org Hoffmann Simulated Penetration Testing 18/49

  34. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Agenda What is this all about? 1 Classical Planning: The Core Security Model [Lucangeli et al. (2010)] 2 Attack Graphs 3 Towards Accuracy: POMDP Models [Sarraute et al. (2012)] 4 The MDP Middle Ground 5 A Model Taxonomy 6 And Now? 7 J¨ org Hoffmann Simulated Penetration Testing 19/49

  35. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell Community: Application-oriented security. Approach: Describe attack actions by preconditions and effects. Identify/give overview of dangerous action combinations. J¨ org Hoffmann Simulated Penetration Testing 20/49

  36. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell Community: Application-oriented security. Approach: Describe attack actions by preconditions and effects. Identify/give overview of dangerous action combinations. Example model: RSH Connection Spoofing: requires with Trusted Partner: TP; TP.service is RSH; Service Active: SA; SA.service is RSH; . . . . . . provides with push channel: PSC; PSC using := RSH; remote execution: REX; REX.using := RSH; . . . . . . J¨ org Hoffmann Simulated Penetration Testing 20/49

  37. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell, ctd. Brief overview of variants: Who and When? What? Terminology J¨ org Hoffmann Simulated Penetration Testing 21/49

  38. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell, ctd. Brief overview of variants: Who and When? What? Terminology Schneier (1999); Templeton “attack graph” = STRIPS actions and Levitt (2000) action descriptions J¨ org Hoffmann Simulated Penetration Testing 21/49

  39. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell, ctd. Brief overview of variants: Who and When? What? Terminology Schneier (1999); Templeton “attack graph” = STRIPS actions and Levitt (2000) action descriptions “attack graph” = Ritchey and Ammann (2000) BDD model checking state space J¨ org Hoffmann Simulated Penetration Testing 21/49

  40. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell, ctd. Brief overview of variants: Who and When? What? Terminology Schneier (1999); Templeton “attack graph” = STRIPS actions and Levitt (2000) action descriptions “attack graph” = Ritchey and Ammann (2000) BDD model checking state space Ammann et al. (2002) “Attacks are monotonic!” J¨ org Hoffmann Simulated Penetration Testing 21/49

  41. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell, ctd. Brief overview of variants: Who and When? What? Terminology Schneier (1999); Templeton “attack graph” = STRIPS actions and Levitt (2000) action descriptions “attack graph” = Ritchey and Ammann (2000) BDD model checking state space Ammann et al. (2002) “Attacks are monotonic!” “attack graph” = Since then, e. g. Ammann et Relaxed planning relaxed planning al. (2002); Noel et al. (2009) graph J¨ org Hoffmann Simulated Penetration Testing 21/49

  42. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Attack Graphs in a Nutshell, ctd. Brief overview of variants: Who and When? What? Terminology Schneier (1999); Templeton “attack graph” = STRIPS actions and Levitt (2000) action descriptions “attack graph” = Ritchey and Ammann (2000) BDD model checking state space Ammann et al. (2002) “Attacks are monotonic!” “attack graph” = Since then, e. g. Ammann et Relaxed planning relaxed planning al. (2002); Noel et al. (2009) graph → Attack graphs ≈ practical security-analysis tools based on variants of, and analyses on, relaxed planning graphs. → “AI ⇔ attack graphs” community bridge could be quite useful . . . J¨ org Hoffmann Simulated Penetration Testing 21/49

  43. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Dimension (B): Action Model Two major dimensions for simulated pentesting models: (A) Uncertainty Model: Up next. (B) Action Model: Degree of interaction between individual attack components. J¨ org Hoffmann Simulated Penetration Testing 22/49

  44. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Dimension (B): Action Model Two major dimensions for simulated pentesting models: (A) Uncertainty Model: Up next. (B) Action Model: Degree of interaction between individual attack components. Dimension (B) distinction lines: Explicit Network Graph: Actions = “hops from ?s to ?t”. 1 positive precond, 1 positive effect. Subset of compromised hosts. Monotonic actions: Attacker can only gain new attack assests. Installed software, access rights, knowledge (e. g. passwords) etc. General actions: No restrictions (STRIPS, in simplest case). Can model detrimental side effects. J¨ org Hoffmann Simulated Penetration Testing 22/49

  45. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Agenda What is this all about? 1 Classical Planning: The Core Security Model [Lucangeli et al. (2010)] 2 Attack Graphs 3 Towards Accuracy: POMDP Models [Sarraute et al. (2012)] 4 The MDP Middle Ground 5 A Model Taxonomy 6 And Now? 7 J¨ org Hoffmann Simulated Penetration Testing 23/49

  46. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? An Additional Assumption . . . J¨ org Hoffmann Simulated Penetration Testing 24/49

  47. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumptions (i) and (ii) Known network graph: No uncertainty about network graph topology. Known host configurations: No uncertainty about host configurations. J¨ org Hoffmann Simulated Penetration Testing 24/49

  48. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? An Overview Before We Begin . . . Uncertainty Model, Dimension (A): None: Classical planning. → CoreSec-Classical: Core Security’s model, as seen. Assumptions (i)–(v). Uncertainty of action outcomes: MDPs. → CoreSec-MDP: Minimal extension of CoreSec-Classical. Assumptions (ii)–(viii). Uncertainty of state: POMDPs. → CoreSec-POMDP: Minimal extension of CoreSec-Classical. Assumptions (ii)–(vii). J¨ org Hoffmann Simulated Penetration Testing 25/49

  49. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Partially Observable MDP (POMDP) Definition A POMDP is a tuple �S , A , T, O , O, b 0 � : S states, A actions, O observations. T ( s, a, s ′ ) : probability of coming to state s ′ when executing action a in state s . O ( s, a, o ) : probability of making observation o when executing action a in state s . b 0 : initial belief, probability distribution over S . Respectively, some (possibly factored) description thereof. J¨ org Hoffmann Simulated Penetration Testing 26/49

  50. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Partially Observable MDP (POMDP) Definition A POMDP is a tuple �S , A , T, O , O, b 0 � : S states, A actions, O observations. T ( s, a, s ′ ) : probability of coming to state s ′ when executing action a in state s . O ( s, a, o ) : probability of making observation o when executing action a in state s . b 0 : initial belief, probability distribution over S . Respectively, some (possibly factored) description thereof. → I’ll discuss optimization objectives later on. For now, assume observable goal states S g , minimizing undiscounted expected cost-to-goal in a Stochastic Shortest Path (SSP) formulation. J¨ org Hoffmann Simulated Penetration Testing 26/49

  51. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? The Basic Problem J¨ org Hoffmann Simulated Penetration Testing 27/49

  52. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? The Basic Idea [Sarraute et al. (2012)] J¨ org Hoffmann Simulated Penetration Testing 27/49

  53. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? States H0-win2000 H0-winXPsp2 H0-win2000-p445 H0-winXPsp2-p445 H0-win2000-p445-SMB H0-winXPsp2-p445-SMB H0-win2000-p445-SMB-vuln H0-winXPsp2-p445-SMB-vuln H0-win2000-p445-SMB-agent H0-winXPsp2-p445-SMB-agent H0-win2003 terminal H0-win2003-p445 H0-win2003-p445-SMB H0-win2003-p445-SMB-vuln H0-win2003-p445-SMB-agent ”H0”: the host. “winXXX”: OS. “p445”: is port 445 open? “SMB”: if so, SAMBA server? “vuln”: SAMBA server vulnerable? “agent”: has attacker exploited that vulnerability yet? “terminal”: attacker has given up. J¨ org Hoffmann Simulated Penetration Testing 28/49

  54. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumptions (vi) and (vii) Succeed-or-nothing: Exploits have only two possible outcomes, succeed or fail. Fail has an empty effect. → Abstraction mainly regarding detrimental side effects. J¨ org Hoffmann Simulated Penetration Testing 29/49

  55. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Assumptions (vi) and (vii) Succeed-or-nothing: Exploits have only two possible outcomes, succeed or fail. Fail has an empty effect. → Abstraction mainly regarding detrimental side effects. Configuration-deterministic actions: Action outcome depends deterministically on network configuration. → Abstraction only in case of more fine-grained dependencies. J¨ org Hoffmann Simulated Penetration Testing 29/49

  56. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Exploit Actions Same syntax: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) J¨ org Hoffmann Simulated Penetration Testing 30/49

  57. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Exploit Actions Same syntax: (:action HP OpenView Remote Buffer Overflow Exploit :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t) (has OS ?t Windows) (has OS edition ?t Professional) (has OS servicepack ?t Sp2) (has OS version ?t WinXp) (has architecture ?t I386) (has service ?t ovtrcd)) :effect (and (compromised ?t) (increase (time) 10))) . . . but with a different semantics: Consider s a − → s ′ = pre ( a ) , s ′ = appl ( s, a )  s | 1  = pre ( a ) , s ′ = s T ( s, a, s ′ ) = s �| 1 0 otherwise  = pre ( a ) , s ′ = appl ( s, a ) , o = “success”  1 s |  = pre ( a ) , s ′ = s, o = “fail” O ( s, a, o ) = 1 s �| 0 otherwise  J¨ org Hoffmann Simulated Penetration Testing 30/49

  58. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Sensing Actions Example: (:action OS Detect :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t)) :observe (and (when (has OS ?t Windows2000) (“win”)) (when (has OS ?t Windows2003) (“win”)) (when (has OS ?t WindowsXPsp2) (“winXP”)) (when (has OS ?t WindowsXPsp3) (“winXP”))) J¨ org Hoffmann Simulated Penetration Testing 31/49

  59. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Sensing Actions Example: (:action OS Detect :parameters (?s - host ?t - host) :precondition (and (compromised ?s) (connected ?s ?t)) :observe (and (when (has OS ?t Windows2000) (“win”)) (when (has OS ?t Windows2003) (“win”)) (when (has OS ?t WindowsXPsp2) (“winXP”)) (when (has OS ?t WindowsXPsp3) (“winXP”))) Network reconnaissance also satisfies the benign assumption: → Non-injective but deterministic function of configuration. J¨ org Hoffmann Simulated Penetration Testing 31/49

  60. What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? So, we’re done, right? J¨ org Hoffmann Simulated Penetration Testing 32/49

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cone Penetration Test MoDOT moving in to the future . Cone Penetration Test (CPT) A method

Cone Penetration Test MoDOT moving in to the future . Cone Penetration Test (CPT) A method

Cone Penetration Test MoDOT moving in to the future . Cone Penetration Test (CPT) A method used to determine the Geotechnical properties of soils and delineating soil stratigraphy. CPT Program @ MoDOT The program got started To

383 views • 26 slides
Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose

Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose

MSc System and Network Engineering Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose of penetration testing auditability? Research questions What are the sources of penetration testing

554 views • 13 slides
Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview of the web Web proxy tool Reporting Gaps in the process app penetration testing process Penetration testing vs vulnerability assessment What

301 views • 17 slides
Visual Turing Test: defining a challenge Mateusz Malinowski Visual Turing Test challenge The

Visual Turing Test: defining a challenge Mateusz Malinowski Visual Turing Test challenge The

Visual Turing Test: defining a challenge Mateusz Malinowski Visual Turing Test challenge The task involves Object detection Ask about the content of the image in front inside left right on Spatial reasoning How many sofas? 3

671 views • 40 slides
Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com

Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com

Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com Outline Common Criteria Evaluation Assurance Levels JHAS Penetration Testing and Countermeasures 2 Design and security of cryptographic

523 views • 40 slides
Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Introduction to Penetration Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking a system to find security vulnerabilities in order to fix them before a malicious party attacks the system Legal if

455 views • 9 slides
Beyond the Asymmetric Turing Test Fintan Mallory Rethinking, Reworking and Revolutionising The

Beyond the Asymmetric Turing Test Fintan Mallory Rethinking, Reworking and Revolutionising The

Prologue Beyond the Asymmetric Turing Test Beyond the Asymmetric Turing Test Fintan Mallory Rethinking, Reworking and Revolutionising The Turing Test August 1, 2019 Prologue Beyond the Asymmetric Turing Test Prologue Wittgenstein: Turing

820 views • 41 slides
Acting humanly: The Turing test Turing (1950) Computing machinery and intelligence:

Acting humanly: The Turing test Turing (1950) Computing machinery and intelligence:

Acting humanly: The Turing test Turing (1950) Computing machinery and intelligence: Can machines think? Can machines behave intelligently? Operational test for intelligent behavior: the Imitation Game Artificial

299 views • 5 slides
Chapter 1 Fundamentals of testing 1. Why is testing necessary? 2. What is testing? 3. Test

Chapter 1 Fundamentals of testing 1. Why is testing necessary? 2. What is testing? 3. Test

Chapter 1 Fundamentals of testing 1. Why is testing necessary? 2. What is testing? 3. Test principles 4. Fundamental test process 5. The psychology of testing 1. Why is testing necessary 1.1 Software system context 1.2 Causes of

567 views • 36 slides
criticisms of the turing test and why you should ignore (most of) them katrina lacurts | 6.893

criticisms of the turing test and why you should ignore (most of) them katrina lacurts | 6.893

criticisms of the turing test and why you should ignore (most of) them katrina lacurts | 6.893 | 12/14/11 what this is not an argument that the turing test will never change what this is an argument that the turing test is a very good test

387 views • 12 slides
Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com <http://www.cymru.com> Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

879 views • 83 slides
Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331:

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331:

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Testing That Digs Deeper Penetration testing is about attempting to exploit as much as possible

516 views • 18 slides
An Introduction to IoT Penetration Testing @libertyunix www.kmco.com The Agenda n IoT Attack

An Introduction to IoT Penetration Testing @libertyunix www.kmco.com The Agenda n IoT Attack

An Introduction to IoT Penetration Testing @libertyunix www.kmco.com The Agenda n IoT Attack Surface l OWASP IoT Top 10 l -1 Ring in IoT n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A 2 Getting Started in IoT

923 views • 52 slides
The Standard Penetration Test: Its origin, evolution and future STUART WAGSTAFF DIRECTOR

The Standard Penetration Test: Its origin, evolution and future STUART WAGSTAFF DIRECTOR

The Standard Penetration Test: Its origin, evolution and future STUART WAGSTAFF DIRECTOR SOIL CONSULTANTS LIMITED The Standard Penetration Test: Its origin, evolution and future Since the start of its use as a design tool back in the

718 views • 14 slides
Web testing Image by C Watts What is web testing? Testing web applications Applications of which

Web testing Image by C Watts What is web testing? Testing web applications Applications of which

Web testing Image by C Watts What is web testing? Testing web applications Applications of which the client runs in a web browser In this lecture on web testing What to test How to test it What to test Back end Front end HTTP (server)

356 views • 31 slides
World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST certified CREST Certified Cronus is the 1 st CREST certified Automatic Penetration Testing vendor One of top 12 tech companies transforming

611 views • 13 slides
Who are you ? How can you identify someone? Certificates, Protocols: Machine to Machine

Who are you ? How can you identify someone? Certificates, Protocols: Machine to Machine

Who are you ? How can you identify someone? Certificates, Protocols: Machine to Machine Human to Machine ? Lets have some suggestions Be creative, not necessarily computer oriented Classification of identification methods

1.37k views • 97 slides
Advice for Finishing that Damn Ph.D. Prof. Daniel M. Berry (dberry a b uwaterloo ca) UCLA,

Advice for Finishing that Damn Ph.D. Prof. Daniel M. Berry (dberry a b uwaterloo ca) UCLA,

Advice for Finishing that Damn Ph.D. Prof. Daniel M. Berry (dberry a b uwaterloo ca) UCLA, USA Technion, Israel University of Waterloo, Canada * August, 2017 * = Current Affiliation 2017 Daniel M. Berry RE 17 Doctoral Symposium

963 views • 83 slides
Margo Gustina Special Projects Librarian, Rural Library Service and Social Wellbeing, Southern

Margo Gustina Special Projects Librarian, Rural Library Service and Social Wellbeing, Southern

Margo Gustina Special Projects Librarian, Rural Library Service and Social Wellbeing, Southern Tier Library System (NY) Eli Guinnee State Librarian, New Mexico State Library Co-founders of Hooray4.org Moving Beyond a Culture of Conformity

534 views • 28 slides
ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.24k views • 66 slides
Austin Military Officers Association of America Its a Dangerous (Cyber) World Dr. Bill Young

Austin Military Officers Association of America Its a Dangerous (Cyber) World Dr. Bill Young

Austin Military Officers Association of America Its a Dangerous (Cyber) World Dr. Bill Young Department of Computer Science University of Texas at Austin Last updated: February 19, 2014 at 11:17 Dr. Bill Young: 1 CyberWar What Id Like

836 views • 46 slides
Working with Reconnaissance Teams Post-Earthquake Reconnaissance Workshop PIEPC April 17, 2018

Working with Reconnaissance Teams Post-Earthquake Reconnaissance Workshop PIEPC April 17, 2018

Working with Reconnaissance Teams Post-Earthquake Reconnaissance Workshop PIEPC April 17, 2018 Laurel Nelson EERI Washington Chapter (Seattle Office of Emergency Management) People Infrastructure Environment Culture 2 4/19/2018 Add a

387 views • 10 slides
Transparent Microsegmentation in Smart Home IoT Networks Amr Osman 1 Armin Wasicek 2 Stefan

Transparent Microsegmentation in Smart Home IoT Networks Amr Osman 1 Armin Wasicek 2 Stefan

, Faculty of computer science Transparent Microsegmentation in Smart Home IoT Networks Amr Osman 1 Armin Wasicek 2 Stefan Kpsell 1 Thorsten Strufe 1 1 Chair of Privacy and Data Security TU Dresden firstname.lastname@tu-dresden.de 2 Avast Inc.

652 views • 44 slides
United States Army Security Assistance Command North Alabama International Trade Association

United States Army Security Assistance Command North Alabama International Trade Association

UNCLASSIFIED//FOUO UNCLASSIFIED//FOUO United States Army Security Assistance Command North Alabama International Trade Association (NAITA) Industry Day 2017 Foreign Military Sales: Ready for Today Set Conditions for Tomorrow Go

539 views • 16 slides

More recommend