Federico Tonelli

GVScan: Scanning Networks for Global Vulnerabilities

A global vulnerability is a set of vulnerabilities in one or several nodes of an ICT infrastructure. These vulnerabilities enable some attacks that may be sequentialized so that the privileges that each attack requires are acquired through the previous ones. Current vulnerability scanners cannot discover global vulnerabilities because they analyze each node in isolation, without correlating the vulnerabilities in the same or in distinct nodes. To discover global vulnerabilities, an analysis has to correlate node vulnerabilities according to the architecture and the topology of the infrastructure. After defining a formal analysis to discover global vulnerabilities and the corresponding attack sequences, we present GVScan, a tool to automate the analysis based upon a classification of vulnerabilities. A first application of GVScan to a real infrastructure is described together with an evaluation of its accuracy.

QSec: Supporting Security Decisions on an IT Infrastructure

A global vulnerability of an IT infrastructure is a set of vulnerabilities in its nodes that enables a sequence of attacks where an agent acquires the privileges that each attack requires as a result of the previous attacks in the sequence. This paper presents QSec, a tool to support decision on the infrastructure security that queries a database with information on global vulnerabilities and the corresponding attack sequences. QSec can return information on, among others, global vulnerabilities, the corresponding attack sequences and the infrastructure nodes that are the target of a sequence. This information is fundamental to evaluate in more details the security of the infrastructure and to support decisions on vulnerabilities to be removed.

A Scenario Method to Automatically Assess ICT Risk

We present an assessment of ICT systems that merges a scenario approach and a Monte Carlo method. To automate the assessment, we have developed two tools. The first one builds a formal description of the vulnerabilities in the target system and of the attacks they enable. Starting from this description, the second tool consider each scenario of interest and it simulate several times how intelligent and adaptive threat agents compose these attacks to reach some goals. By collecting samples in these simulations, this tool returns a database to compute statistics of interest for the assessment, such as the success probability of the agents or their average impacts. After outlining the design of the tools, we discuss a test case to show how they are exploited in a real assessment to manage the corresponding risk.

Assessing and Managing Risk by Simulating Attack Chains

Haruspex is a suite of tools to assess and manage the risk posed by an information and communication technology system. The suite is built around the application of a Monte Carlo method to a scenario where intelligent agents implement chains of attacks to reach their goals. Some tools build a description of the agents, the target system, its vulnerabilities and the resulting attacks. Another tool applies a Monte Carlo method to this description, simulates the building of attack chains by the agents and it returns a database with samples it collects in the simulations. Further tools analyze this database to select countermeasures. To validate the suite and verify it truthfully models attackers, it has been adopted in Locked Shield 2014, a network defense exercise with participants from 17 nations. The results of this exercise validate the designs of the tools.

CyVar: Extending Var-At-Risk to ICT

CyVar extends the Value-At-Risk statistics to ICT systems under attack by intelligent, goal oriented agents. CyVar is related to the time it takes an agent to acquire some access privileges and to the one it owns these privileges. To evaluate the former time, we use the security stress, a synthetic measure of the robustness of an ICT system. We approximate this measure through the Haruspex suite, an integrated set of tools that supports ICT risk assessment and management. After defining CyVar, we show how it supports the evaluation of three versions of an industrial control system.

Automating the assessment of ICT risk

We present a pair of tools to assess the risk of an ICT system through a scenario-based method. In each scenario, rational threat agents compose attacks against the system to reach some predefined goal. The first tool builds a description of the target system by automatically discovering and classifying the vulnerabilities in its components and the attacks they enable. Starting from this description and from the one of the agents, the other tool applies a Monte Carlo method to simulate step by step each agent and its attacks. By collecting samples on the agent attacks, the number of times they reach a goal and the corresponding impact this tool returns a database to compute statistics to support the assessment. After describing both tools, we exemplify their adoption in the assessment of an industrial control system that supervises a power production plant.

Security Stress: Evaluating ICT Robustness Through a Monte Carlo Method

The security stress is a synthetic evaluation of how an ICT infrastructure resists to attacks. We define the security stress and show how it is approximated through the Haruspex suite. Then, we show how it supports the comparison of three versions of an industrial control system. Haruspex is a suite of tools that apply a Monte Carlo method and support a scenario-based assessment where in each scenario intelligent agents compose attacks to reach some predefined goals.

Using S-Rules to Fire Dynamic Countermeasures

We present a rule-based system to dynamically deploy countermeasures against privilege escalations where a rule includes some n-grams and a countermeasure. An n-gram consists of n consecutive attacks. A rule deploys the countermeasure as soon as all the attacks in its n-grams are detected. After discussing the discovery of escalations, we show how to compute the rules starting from the escalations to stop and those we may neglect because they cannot reach a goal. We also evaluate the false positive rate and false negative one of attack detection affect the proposed approach. Lastly, we describe a preliminary evaluation using data from an industrial control system.

Sequential Pattern Mining for ICT Risk Assessment and Prevention

Security risk assessment and prevention in ICT systems rely on the analysis of data on the joint behavior of the system and its (malicious) users. The Haruspex tool models intelligent, goal-oriented agents that reach their goals through attack sequences. Data is synthetically generated through a Monte Carlo method that runs multiple simulations of the attacks against the system. In this paper, we present a sequential pattern mining analysis of the database of attack sequences. The intended objective is twofold: (1) to exploit the extracted patterns for the design of attack counter-measures, and (2) for gaining a better understanding of the “degree of freedom” available for the attackers of a system. We formally motivate the need for using maximal sequential patterns, instead of frequent or closed sequential patterns, and report on the results on a specific case study.

An Extension of Haruspex to Cover Vulnerabilities in Application Environments

Haruspex is a suite of tools that assesses ICT risk through a scenario approach. Each scenario includes the target system and some threat agents that compose the attacks enabled by the system vulnerabilities to reach some predefined goals. The suite applies a Monte Carlo method with multiple simulations of the agent attacks against the target system. The simulation applies a formal model of the target system that describes the system nodes, the components with their vulnerabilities, and the logical topology. This paper proposes an extension to model in a more accurate way how the relations and the interactions among applications affect the agent attacks. After introducing this extension, we show how it supports the modeling of web applications. Then, we adopt the new model to assess a critical infrastructure that supervises and manages gas distribution.