Truth or dare : quantitative security risk analysis via attack trees

Abstract

Cyber breaches have grown exponentially over the years, both in the number of incidents and in damage. Examples of such damaging attacks are numerous, with WannaCry ransomware, DigiNotar hack, Code Red virus and Equifax data breach to name a few. At the same time, enterprises themselves have grown ever complex, with an interplay of IT systems, physical infrastructure and human actors, resulting in so-called socio-technical systems. Adversaries ranging from unskilled to sophisticated, from script-kiddies to government agencies, target this complexity, exploit multiple component failures, software and hardware vulnerabilities, and combine these with social engineering techniques to launch sophisticated attacks. An impressive example of such socio-technical attack is the attack on the Supervisory Control and Data Acquisition (SCADA) system, via the Stuxnet virus, allegedly targeting the Iran's nuclear facilities. Current information security risk management techniques are based on evaluator experience, or on checklists, brainstorming, compliance standards, etc. Due to the informal nature of eliciting the security risks using these techniques, often-important attack scenarios, such as multi-step attack scenario, are missed. Additionally, due to the lack of quantitative analysis frameworks, sometimes too-many security mechanisms are implemented, which interfere with system safety and usability. To address these challenges, in this thesis, we propose automated tools/techniques, to aid security practitioners understand their cyber-risks by quantifying them, thereby making the cyber-security investment decisions more objective and transparent. To do so, we provide a multi-faceted security analysis framework that is capable of answering a rich set of security questions such as cost-optimal attack scenarios for attackers, time-dependent attack probabilities, etc. Our work relies on attack trees as the modelling formalism and uses model-checking technique for analysis. Attack trees are graphical models, which provide a systematic representation of attack scenarios. Owing to their graphical format to elicit security risks, they are easy to use and hence very popular in security engineering. However, classical attack tree analysis techniques lack support for modelling the temporal dependencies between the attack tree components. Analytically, they are limited to single attribute computation such as probability of an attack, cost of an attack, etc. Furthermore, the traditional attack tree analysis technique of single attribute bottom-up computation is applicable only under the strong and unrealistic assumption of non-shared nodes. In this thesis, we alleviate all the aforementioned limitations of classical attack tree analysis techniques and propose novel methods using the automata theoretic framework and relying on stochastic and statistical model checking. In particular, in Part II of this thesis, we provide a multi-parametric and time dynamic analysis of attack trees, taking into account temporal dependencies, attacker proles and accidental component failures, which otherwise cannot be analysed using state-of-the-art techniques. We augment the attack tree formalism with two new gates: the sequential-AND gate and the sequential-OR gate, which allows modeling the temporal dependencies between the attack tree components. Analytically, we provide compositional analysis framework for attack trees, by translating them into suitable priced/stochastic timed automata. By doing so, we combine several attack tree attributes (possibly functionally dependent) in a mathematical precise manner. In Part III of this thesis, we look into security goals. For this, we develop a taxonomy for security goals based on a survey of top 30 highly cited papers in information security literature from 1995-2016. We represent our taxonomy using a feature diagram, which enables us to represent commonalities, variabilities and interrelationships between the deterrent security goal concepts. By mapping security goals collected from the aforementioned papers to our taxonomy, we provide critical insights into trends, omissions and focus of security goals in the literature. In the same part, we develop a property specification language LOCKS to express both quantitative and qualitative security goals. The security goals in locks are expressed as queries over an attack model, namely the structural attack model SAM. As most prominent threat models, such as attack trees and attack graphs, can be translated to generic structures of SAMs, our proposed language can express security goals over all these frameworks. Practically, we demonstrate our analysis framework with many case studies taken from literature. To support our methods in an automated manner, we develop two tools: ATCalc to obtain the probability of attack over time and ATTop to systematically translate attack trees into automata and derive results using the principles of model-driven engineering.