=Paper= {{Paper |id=Vol-1788/STIDS2016_A01 |storemode=property |title=A Holistic Approach to Evaluate Cyber Threat |pdfUrl=https://ceur-ws.org/Vol-1788/STIDS_2016_A01_Monteiro_etal.pdf |volume=Vol-1788 |authors=Márcio Monteiro,Thalysson Sarmento,Alexandre Barreto,Paulo C. G. Costa |dblpUrl=https://dblp.org/rec/conf/stids/MonteiroSBC16 }} ==A Holistic Approach to Evaluate Cyber Threat== https://ceur-ws.org/Vol-1788/STIDS_2016_A01_Monteiro_etal.pdf
       A Holistic Approach to Evaluate Cyber Threat
                   Márcio Monteiro¹, Thalysson Sarmento¹, Alexandre Barreto¹ and Paulo Costa²
                       ¹ Instituto de Controle do Espaço Aéreo, São José dos Campos, Brazil
                                 ² C4I Center, George Mason University, Fairfax, USA

                 E-mails: {contemmcm, thalyssontfs, barretoabb}@icea.gov.br, pcosta@c4i.gmu.edu


   Abstract—Several vulnerability databases and standards are
currently available for assessing the degree of security of IT
infrastructures in general. These standards focus on different
aspects of the systems, while generally failing to provide support
for holistic analyses - a key aspect in ensuring a secure IT
infrastructure. This work aims to address this gap by presenting
a new methodology for evaluating the overall security risks of
a networked system that adopts an ontology-based approach we
presented in previous work. We leverage current security standards
and databases, while also considering the human factors
to build a broader and interconnected view. Our methodology is
meant to achieve a more realistic picture of the network security,
hence improving situation awareness for its administrators. To
illustrate our approach, this paper brings a case study applying
the new methodology to a few target networks. The proof of
concept is meant to underscore the methodology’s effectiveness
in assessing the security of the whole network.
                     I. INTRODUCTION
   Cyber security assessment has an important role in modern society,
which has become more interconnected through computer systems and
networks. It is well-established that cyber threats can cause
corporations severe economic losses and damage to their reputation
[1]. As a result, investments in cyber security have been growing
significantly, even during market crises [2].
   A basic standard for cyber security assessment is the Common
Vulnerabilities and Exposures (CVE), which is the de facto standard to
report and communicate software vulnerabilities between organizations
and entities. Currently, the CVE has been standardized by the
Telecommunication Standardization Sector of the International
Telecommunication Union (ITU-T) [3] and is heavily used by automatic
security assessment tools (e.g., Nessus and OpenVAS) to identify
software vulnerabilities on target hosts.

                     Fig. 1: How secure is this network?

   On top of CVE, another standard was established to score the
vulnerabilities with respect to their severity, impact and exploitation
capacity. This standard is called Common Vulnerability Scoring System
(CVSS). One of the most important CVSS databases is hosted and managed
by the National Vulnerability Database (NVD), which provides the scores
for most known vulnerabilities.
   Although those standards are very efficient in cataloging and
prioritizing software vulnerabilities, system administrators are
usually interested in knowing how vulnerable their entire network is,
not only individual hosts.
   For instance, if a web server is highly protected against external
threats, but vulnerable hosts in the same local area network have open
access to the server, this condition should impact the overall score
of the system. In addition, users can also be considered
vulnerabilities of the system, as they could be deceived (or
"exploited") somehow into executing malicious software. Thus,
security-unaware or careless users should also impact the overall
score of the system.
   In this work we propose to analyze those aspects (CVE, CVSS and
human factors) in a unified manner for a target network, where
vulnerability scores are propagated through the network's trusted
relationships (intentional or not). This way, we provide an overall
security metric that can be used to classify entire networks.
   This work is organized as follows: Sec. II briefly details the main
attributes of CVE and CVSS; Sec. III presents the proposed metric; and
Sec. IV concludes with final remarks.




                                                 STIDS 2016 Proceedings Page 64
                        II. OVERVIEW
A. Common Vulnerabilities and Exposures

   The Common Vulnerabilities and Exposures (CVE) is a standard for
cataloging vulnerabilities of computer systems. It consists of a list
of information on security vulnerabilities and exposures, mainly
reported by the community, aiming to provide common names for publicly
known problems. It allows sharing data about vulnerability capabilities
(tools, repositories, and services).
   The main attributes of a CVE are:
   • CVE identifier number (e.g., CVE-1999-0067);
   • Vulnerability type: buffer overflow, cross site request forgery
     (CSRF), cross site scripting (XSS), directory traversal, incorrect
     access control, insecure permissions, integer overflow, missing
     SSL certificate validation, SQL injection, XML external entity
     (XXE), and others or unknown;
   • Vendor of the product(s);
   • List of vulnerable products and versions;
   • Attack type: context-dependent, local, physical, remote, other;
   • Impact: code execution, denial of service, escalation of
     privileges, information disclosure, other.
   Currently, the MITRE Corporation is responsible for managing CVE
identifier generation and publication through its web site [4]. In
addition, MITRE also delegates this attribution to its several CVE
numbering authorities (CNAs).

B. Common Vulnerability Scoring System

   The Common Vulnerability Scoring System (CVSS) is an open framework
for describing specific characteristics of software vulnerabilities.
It consists of three metric groups: base, temporal, and environmental.
   The base group represents the intrinsic qualities of a
vulnerability, the temporal group reflects the characteristics of a
vulnerability that change over time, and the environmental group
represents characteristics of a vulnerability that are unique to the
user's environment.
   In this work, we focus on the base metric, which produces a score
ranging from 0.0 to 10.0. It is composed of the impact subscore
(ranging from 0 to 6) and the exploitability subscore (ranging from 0
to 4). However, the overall CVSS score of a single vulnerability is
also impacted by the temporal and environmental metrics. Readers are
encouraged to refer to [5] for more information on CVSS specifications
and formulas.
   The main attributes of the CVSS base score are:
   • Attack vector (AV): network (N), adjacent network (A), local (L),
     and physical (P);
   • Attack complexity (AC): low (L), high (H);
   • Privileges required (PR): none (N), low (L), high (H);
   • User interaction (UI): none (N), required (R);
   • Scope (S): unchanged (U), changed (C);
   • Confidentiality impact (C): none (N), low (L), high (H);
   • Integrity impact (I): none (N), low (L), high (H);
   • Availability impact (A): none (N), low (L), high (H).
   Usually, the CVSS is represented as a vector string, a compressed
textual representation of the values used to derive the score. String
(1) below is an example of a CVSS vector string.

       CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H             (1)

   The equations adopted to calculate the CVSS base score are provided
in Sec. III.

C. Human Factors

   Human factors play an important role in the security of an
organization, since users are used as both targets and vectors of
attacks. Several social engineering methods can be employed to obtain
key information and select the most vulnerable employees.
   In this work we propose to model the users' "vulnerabilities" as a
CVSS-like metric. In other words, the users would also be rated by the
impact and exploitability subscores. As an example, users with high
privileges in the network would have a high impact factor, because if
they get "compromised" that would grant intruders deeper access to the
network.
   On the other hand, users unaware of security issues or careless
about them can be considered highly "exploitable", that is, they can
be easily deceived into executing malicious software on their
computers. There are numerous methods to do so, such as telephone
calls from fake IT staff, phishing campaigns, malicious websites, etc.
   To prevent such situations, the staff should receive security
awareness training. Besides, the corporation should have a solid
information security policy and all means should be employed to
enforce it.

                     III. THE PROPOSED METRIC

   System administrators usually focus heavily on protecting their
networks against external cyber attacks. For this reason, insider
threats might receive insufficient attention and, consequently,
security can be impacted. Considering that every host connected to the
Internet is a potential attack vector through phishing campaigns
(someone trying to convince the user to execute malicious code) and
application vulnerabilities (browsers, e-mail and document readers),
and that the protection against known hosts is reduced, a single host
can severely compromise the security of the entire network.
   The proposed metric in this work is obtained by a five-step
approach, each step being required for computing the overall security
of a given network. The technique involves building a graph
representing the overall network as well as the relationship between
each step. The relative importance of each step is assessed using
multi-criteria decision analysis concepts.
   There are different approaches for building such a graph and
defining the metric. However, the specific aspects of the cyber
security domain involving different perspectives (e.g. technical,
human factor, standards, etc.) naturally led us to reuse/adopt the
ontology-based approach previously presented in [6]. The general idea
is to use semantic techniques in supporting the definition of the
target mission, its support tasks, as well as the services and network
configuration required to accomplish a mission. As in the
aforementioned previous version, in this work we use the DoDAF
Conceptual Data Model to represent the concepts involved in the
mission. The difference, however, is that in this work we extend this
approach by incorporating time and event descriptions [7].

                        Fig. 2: Mission Ontology

   The ontology is presented in Figure 2, which conveys the queries
that can be performed in cyber-situation awareness: WHAT (Activity),
WHY (Goal and Desired Effect), HOW (Resource and Guidance), WHO
(Performer), WHERE (Location), and WHEN (Timestamp and Event).
   1) Complete inventory: The first step consists in obtaining a
complete and detailed asset inventory record of the target network,
including hubs, switches, routers, software list, etc. This is
fundamental for every security approach and should not be a problem
for security-aware corporations.
   2) Communications: The second step consists in mapping the
communication between the assets (including the users). If the network
contains N assets, this can be mapped into an N × N matrix.
   Taking Fig. 1 as an example, we can derive its access matrix as
presented in Table I, where the rows represent the asset with
communication initiative, the columns represent the communication
destination, and a cell filled with a 'Y' informs that such
communication is allowed (or that there is nothing forbidding such
communication).

           TABLE I: Trusted relationships between assets (matrix).

            1   2   3   4   5   6   7   8   9  10
        1   -                       Y
        2   Y   -   Y   Y   Y   Y   Y
        3       Y   -   Y   Y   Y
        4               -   Y   Y   Y
        5               Y   -   Y   Y
        6   Y   Y   Y   Y   Y   -   Y
        7   Y                       -
        8               Y               -
        9                   Y               -
       10   Y                   Y               -

   To generate the aforementioned table, a SPARQL query is performed
on the Mission Ontology. This greatly simplifies the otherwise complex
task of discovering and mapping connections, whether these are hidden
or not.
   An alternative representation of Table I can be achieved through
directed graphs, as depicted in Fig. 3. The main advantage of this
approach is that it makes it relatively easier to identify nodes with
a higher impact on the overall security of the network. Also, it
becomes possible to derive attack chains throughout the network.
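As an added example that is not part of the paper, the following Python reads the trusted relationships of Table I as a directed graph and answers the two questions the paragraph above raises for a defender: which assets would give the widest reach if compromised (the nodes with the higher impact on the overall security), and which assets can reach a given asset through a chain of trusted relationships. The adjacency sets are transcribed by hand from Table I (an edge u -> v for each 'Y' in row u, column v); the function names are my own.

```python
# Added example (not from the paper): reachability analysis over the
# trusted-relationship matrix of Table I, read as a directed graph.
# An edge u -> v means row u has a 'Y' in column v, i.e. asset u may
# initiate communication with asset v.
from collections import deque

# Table I transcribed by hand (constructed input; asset -> destinations).
TABLE_I = {
    1: {7},
    2: {1, 3, 4, 5, 6, 7},
    3: {2, 4, 5, 6},
    4: {5, 6, 7},
    5: {4, 6, 7},
    6: {1, 2, 3, 4, 5, 7},
    7: {1},
    8: {4},
    9: {5},
    10: {1, 6},
}


def all_nodes(graph):
    """Every asset that appears as a source or a destination."""
    return set(graph) | {v for dests in graph.values() for v in dests}


def bfs_paths(graph, start):
    """Return {node: path} for every node reachable from `start`, where
    path is the shortest chain of trusted relationships (as a list)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in sorted(graph.get(u, ())):
            if v not in paths:
                paths[v] = paths[u] + [v]
                queue.append(v)
    return paths


def reachable_from(graph, start):
    """Assets a compromise of `start` could reach transitively (blast radius)."""
    return set(bfs_paths(graph, start)) - {start}


def exposure_of(graph, target):
    """Assets from which `target` can be reached: the set a defender must
    keep clean to protect `target` through its trusted relationships."""
    return {u for u in all_nodes(graph)
            if u != target and target in reachable_from(graph, u)}


def rank_by_reach(graph):
    """Assets ordered by how many others they can reach, most first:
    the nodes the paper calls 'higher impact on the overall security'."""
    return sorted(all_nodes(graph),
                  key=lambda n: (-len(reachable_from(graph, n)), n))


if __name__ == "__main__":
    for n in rank_by_reach(TABLE_I):
        print(f"asset {n:>2} reaches {sorted(reachable_from(TABLE_I, n))}")
    print("assets that can reach asset 7:", sorted(exposure_of(TABLE_I, 7)))
    print("shortest trust chain 9 -> 1:", bfs_paths(TABLE_I, 9).get(1))
```

Run as a script it lists assets 8, 9 and 10 first: each has a single outgoing relationship, yet through asset 4, 5 or 6 it reaches every one of assets 1 to 7, which is exactly the "one vulnerable host exposes the whole network" situation the introduction describes. Nothing reaches 8, 9 or 10, so their exposure set is empty.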




        Fig. 3: Trusted relationships between assets (graph).

   3) Vulnerabilities assessment: The third step is to obtain the CVE
IDs and CVSS base vector strings for all N hosts of the network. There
are many automated tools that can help in obtaining this information,
such as the Nessus Vulnerability Scanner [8] and the Open Vulnerability
Assessment System (OpenVAS) [9].
   4) Calculating scores: Once the vulnerabilities are obtained, for
every CVSS string we need to compute the impact subscore $\alpha$ and
the exploitability subscore $\beta$.
   The impact subscore $\alpha$ can be computed according to (2):

   $$\alpha = \begin{cases} 6.42 \times ISC_{Base}, & \text{if } S = U,\\ 7.52 \times [ISC_{Base} - 0.029] - 3.25 \times [ISC_{Base} - 0.02]^{15}, & \text{if } S = C \end{cases} \quad (2)$$

where

   $$ISC_{Base} = 1 - [(1 - C) \times (1 - I) \times (1 - A)]. \quad (3)$$

   The confidentiality impact (C), integrity impact (I) and
availability impact (A) parameters are given by:

   $$C/I/A = \begin{cases} 0.56, & \text{if } C/I/A = \text{Low (L)},\\ 0.22, & \text{if } C/I/A = \text{High (H)},\\ 0, & \text{if } C/I/A = \text{None (N)}. \end{cases} \quad (4)$$

   The exploitability subscore can be computed as:

   $$\beta = 8.22 \times AV \times AC \times PR \times UI. \quad (5)$$

   The attack vector (AV) parameter is given by (6):

   $$AV = \begin{cases} 0.85, & \text{if } AV = \text{Network (N)},\\ 0.62, & \text{if } AV = \text{Adjacent Network (A)},\\ 0.55, & \text{if } AV = \text{Local (L)},\\ 0.20, & \text{if } AV = \text{Physical (P)}. \end{cases} \quad (6)$$

   Next, the attack complexity (AC) parameter is given by (7):

   $$AC = \begin{cases} 0.77, & \text{if } AC = \text{Low (L)},\\ 0.44, & \text{if } AC = \text{High (H)}. \end{cases} \quad (7)$$

   For unmodified scope (S:U), the following equation applies for the
privileges required (PR) parameter:

   $$PR = \begin{cases} 0.85, & \text{if } PR = \text{None (N)},\\ 0.62, & \text{if } PR = \text{Low (L)},\\ 0.27, & \text{if } PR = \text{High (H)}. \end{cases} \quad (8)$$

   However, for modified scope (S:C), the following equation applies
for PR:

   $$PR = \begin{cases} 0.85, & \text{if } PR = \text{None (N)},\\ 0.68, & \text{if } PR = \text{Low (L)},\\ 0.50, & \text{if } PR = \text{High (H)}. \end{cases} \quad (9)$$

   Finally, the user interaction (UI) parameter is given by (10):

   $$UI = \begin{cases} 0.85, & \text{if } UI = \text{Not Required (N)},\\ 0.62, & \text{if } UI = \text{Required (R)}. \end{cases} \quad (10)$$

   5) Computing the proposed metric: After computing the impact
subscore ($\alpha$) and exploitability subscore ($\beta$) for every
vulnerability found in the previous steps, we need to assemble a
matrix P, where the first column ($p_{i,1}, \forall i$) corresponds to
the impact subscore ($\alpha$), and the second column ($p_{j,2},
\forall j$) corresponds to the exploitability subscore ($\beta$).
Then, we need to append three additional points to this matrix such
that its final version is according to (11):

   $$P = \begin{bmatrix} p_{1,1} & p_{1,2}\\ \vdots & \vdots\\ p_{N,1} & p_{N,2}\\ 0 & 0\\ \max(p_{1,1}, \ldots, p_{N,1}) & 0\\ 0 & \max(p_{1,2}, \ldots, p_{N,2}) \end{bmatrix} \quad (11)$$

where the function $\max(\cdot)$ returns the maximum value of its
arguments and N denotes the number of vulnerabilities found in the
previous steps.
   Finally, we must compute the convex hull of the matrix P and its 2D
area (considering the outermost vulnerabilities as vertices of the
polygon), and divide the resulting area by the product of the highest
possible CVSS subscores (6 × 4 = 24). Conducting the calculations this
way ensures that the proposed metric is presented as a percentage. The
results are then used to rate the network security according to the
intervals presented in Table II.
   Fig. 4 depicts an example of a fictitious network composed of three
nodes. The overall vulnerability metric was computed as 70.4476 %,
which corresponds to the rating Highly Vulnerable, according to
Table II. Every marker on this figure
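The following Python script is an added example, not code from the paper, that carries steps 4 and 5 through end to end: it parses a CVSS v3.0 base vector string such as (1), computes α and β with equations (2) to (10), assembles the P matrix of (11), takes its convex hull, and converts the hull area into the percentage that Table II rates. It uses the C/I/A weights as the CVSS v3.0 specification [5] assigns them (High = 0.56, Low = 0.22; equation (4) as printed on this page lists the two the other way round). Of the three sample vector strings, the first is string (1) from the paper and the other two are constructed; the hull routine (Andrew's monotone chain) and the shoelace area formula are my choice, since the paper does not say which algorithm it used.

```python
# Added example, not code from the paper: steps 4 and 5 end to end, from
# CVSS v3.0 base vector strings to the percentage metric rated by Table II.

# Metric weights as given in the CVSS v3.0 specification [5].  For C/I/A
# the specification assigns 0.56 to High and 0.22 to Low.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # (6)
AC = {"L": 0.77, "H": 0.44}                          # (7)
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}     # (8), scope unchanged
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}       # (9), scope changed
UI = {"N": 0.85, "R": 0.62}                          # (10)
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
MAX_IMPACT, MAX_EXPLOITABILITY = 6.0, 4.0            # highest subscores, 6 x 4 = 24


def parse_vector(vector):
    """Split 'CVSS:3.0/AV:N/AC:L/...' into a dict of metric -> value."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("expected a CVSS:3.0 base vector string")
    return dict(part.split(":", 1) for part in parts[1:])


def subscores(vector):
    """Return (alpha, beta): impact and exploitability subscores."""
    m = parse_vector(vector)
    isc_base = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])  # (3)
    if m["S"] == "U":
        alpha = 6.42 * isc_base                                              # (2)
        pr = PR_UNCHANGED[m["PR"]]
    else:
        alpha = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02) ** 15   # (2)
        pr = PR_CHANGED[m["PR"]]
    beta = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]               # (5)
    return alpha, beta


def build_p_matrix(points):
    """Rows of P in (11): the (alpha, beta) pairs plus the origin and the
    maxima projected onto each axis."""
    max_alpha = max(a for a, _ in points)
    max_beta = max(b for _, b in points)
    return list(points) + [(0.0, 0.0), (max_alpha, 0.0), (0.0, max_beta)]


def convex_hull(points):
    """Andrew's monotone chain; returns hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def polygon_area(vertices):
    """Shoelace formula for a simple polygon with ordered vertices."""
    n = len(vertices)
    twice = sum(vertices[i][0] * vertices[(i + 1) % n][1]
                - vertices[(i + 1) % n][0] * vertices[i][1] for i in range(n))
    return abs(twice) / 2.0


def network_metric(vectors):
    """Hull area of P as a percentage of the 6 x 4 subscore rectangle."""
    if not vectors:
        return 0.0
    p = build_p_matrix([subscores(v) for v in vectors])
    return 100.0 * polygon_area(convex_hull(p)) / (MAX_IMPACT * MAX_EXPLOITABILITY)


def rating(percent):
    """Table II bands; values in the hundredth-wide gaps go to the lower band."""
    if percent <= 0.0:
        return "None"
    for bound, label in ((39.99, "Low"), (69.99, "Medium"), (89.99, "High")):
        if percent <= bound:
            return label
    return "Critical"


if __name__ == "__main__":
    # Constructed sample network of three hosts with one vulnerability each;
    # the first string is vector (1) from the paper, the other two are made up.
    sample = [
        "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H",
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
    ]
    for v in sample:
        print("%s -> alpha=%.4f beta=%.4f" % ((v,) + subscores(v)))
    m = network_metric(sample)
    print("network vulnerability: %.4f%% -> %s" % (m, rating(m)))
```

For string (1) alone the script gives α ≈ 5.27 and β ≈ 2.27, so P is a rectangle with the origin and the metric is 100 × (5.27 × 2.27) / 24 ≈ 49.8 %, a Medium rating. The user "vulnerabilities" of Sec. II-C enter the same way: either as a CVSS-like vector string or as an (α, β) pair appended to the list handed to build_p_matrix. Note that Table II leaves a gap of a hundredth between neighbouring bands; rating() assigns such values to the lower band.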



                          TABLE II: Ratings

                       Min (%)    Max (%)    Rating
                       00.00      00.00      None
                       00.01      39.99      Low
                       40.00      69.99      Medium
                       70.00      89.99      High
                       90.00      100.0      Critical

   [Fig. 4: scatter plot of the three hosts' (Impact, Exploitability)
   subscores and the hull of the metric; title "Net. Vulnerability:
   70.4476%"; x-axis Impact (0 to 6), y-axis Exploitability (0 to 4);
   legend: Host 1, Host 2, Host 3, Metric.]

Fig. 4: Vulnerability assessment using the proposed metric for a
highly insecure network.

corresponds to a CVSS metric (impact and exploitability subscores).
   Likewise, Fig. 5 presents a second network with less severe
individual vulnerabilities throughout the nodes of the network. Notice
that the overall vulnerability was 16.7402 %, which corresponds to the
rating Low, according to Table II.

   [Fig. 5: the same plot for the second network; title "Net.
   Vulnerability: 16.7402%"; x-axis Impact (0 to 6), y-axis
   Exploitability (0 to 4); legend: Host 1, Host 2, Host 3, Metric.]

                Fig. 5: Vulnerabilities of hosts of the network.

                          IV. FINAL REMARKS

   This work presented an ontology-based approach for analyzing the
vulnerability of a network in a holistic way, using multiple-criteria
analysis and modeling the human factor as CVSS v3 base scores. An
example on a fictitious network was performed in order to demonstrate
the practicality of the proposed metric. Further, the reuse of concepts
previously defined in an existing ontology we had developed suggests
that the approach can be generalized to encompass the diverse aspects
that permeate the way different corporations are structured.

                          ACKNOWLEDGMENT

   Márcio Monteiro, Thalysson Sarmento and Alexandre Barreto would like
to thank the financial support of the Brazilian agencies MCTI and FINEP
(Ref. 04/2013/12).

                            REFERENCES

[1] CNN Money, "Cybercrime costs the average U.S. firm $15 million a
    year," 2015, [accessed 05-Sept-2016]. [Online]. Available:
    http://money.cnn.com/2015/10/08/technology/cybercrime-cost-business/
[2] Reuters, "Cyber security investing grows, resilient to market
    turmoil," 2015, [accessed 05-Sept-2016]. [Online]. Available:
    http://fortune.com/2015/09/23/cyber-security-investing/
[3] Study Group 17, ITU-T Recommendation X.1520: Common vulnerabilities
    and exposures, Std., April 2011.
[4] MITRE, "Common vulnerabilities and exposures – the standard for
    information security vulnerability names," [accessed 05-Sept-2016].
    [Online]. Available: https://cve.mitre.org/
[5] FIRST, "Common vulnerability scoring system v3.0: Specification
    document – version 1.7," [accessed 05-Sept-2016]. [Online].
    Available: https://www.first.org/cvss/specification-document
[6] A. Barreto, "Cyber-argus framework – measuring cyber-impact on the
    mission," Ph.D. dissertation, Instituto Tecnológico de Aeronáutica,
    Brazil, 7 2013.
[7] W. R. van Hage et al., "Design and use of the simple event model
    (SEM)," Web Semantics: Science, Services and Agents on the World
    Wide Web, vol. 9, no. 2, Sep 2011.
[8] Tenable Network Security.
[9] "Open vulnerability assessment system (OpenVAS)," [accessed
    05-Sept-2016]. [Online]. Available: http://www.openvas.org



