Truth or Dare: Quantitative security analysis using attack trees

Rajesh Kumar

first promotor: prof. dr. Marielle Stoelinga (UT)
second promotor: prof. dr. Arend Rensink (UT)
University of Twente
Date: 17 October 2018
Thesis: PDF


Cyber breaches have grown exponentially over the years, both in the number of incidents and in damage. At the same time, enterprises themselves have grown ever complex, with an interplay of IT systems, physical infrastructure and human actors, resulting in so-called socio-technical systems. Adversaries ranging from unskilled to sophisticated, from script-kiddies to government agencies, target this complexity, exploit multiple component failures, software and hardware vulnerabilities, and combine these with social engineering techniques to launch sophisticated attacks. An impressive example of such socio-technical attack is the attack on the Supervisory Control and Data Acquisition (SCADA) system, via the Stuxnet virus, allegedly targeting the Iran’s nuclear facilities. Thus, a key challenge for an information security manager is to stay ahead in the ongoing race between attackers and defenders, and identify and order the severest attack scenarios in their damage potential/ likelihood and thereby implement countermeasures within their budgetary constraints.

Current information security risk management techniques are based on evaluator experience, or on checklists, brainstorming, compliance standards, etc. Due to the informal nature of eliciting the security risks using these techniques, often-important attack scenarios, such as multi-step attack scenario, are missed. Additionally, due to the lack of quantitative analysis frameworks, sometimes too-many security mechanisms are implemented, which interfere with system safety and usability.

In this thesis, we advance the state-of-the art information security risk management techniques by proposing novel security models and automated quantitative analysis techniques. In particular, we develop model-based quantitative security risk analysis framework using attack trees as an instrument to systematically and graphically represent attack scenarios. Thereafter, we quantify these attack scenarios to obtain several security risk metrics such as the likelihood of attacks over time, optimal attack values such as cheapest/ fastest/ most damaging attacks, constrained optimal attack values such as cheapest attacks executed within minimum time, what-if scenarios, Pareto-optimal solutions, etc., thereby making the cyber-security investment decisions more objective and transparent.

Attack trees are graphical models, which provide a systematic representation of attack scenarios. Owing to their graphical format to elicit security risks, they are easy to use and hence very popular in security engineering. However, classical attack tree analysis techniques lack support for modelling the temporal dependencies between the attack tree components. Analytically, they are limited to single attribute computation such as probability of an attack, cost of an attack, etc. Furthermore, the traditional attack tree analysis technique of single attribute bottom-up computation is applicable only under the strong and unrealistic assumption of non-shared nodes. In this thesis, we alleviate all the aforementioned limitations of classical attack tree analysis techniques and propose novel methods using the automata-theoretic framework and relying on stochastic and statistical model checking. In particular, we provide a multi-parametric and time-dynamic analysis of attack trees, taking into account temporal dependencies, attacker profiles and accidental component failures, which otherwise cannot be analyzed using state-of-the-art techniques. Analytically, we provide a compositional analysis framework for attack trees, by translating them into suitable priced/stochastic timed automata. By doing so, we combine several attack tree attributes (possibly functionally dependent) in a mathematical precise manner. Practically, we demonstrate our analysis framework with many case studies taken from literature. To support our methods in an automated manner, we develop two tools:  ATCalc obtain the probability of attack over time and  ATtop to systematically translate  attack trees into  automata and derive results using the principles of model-driven engineering.