Threat modeling is becoming more and more common for both application
development and system analysis. However, most threat modeling
approaches remain to be highly manual. Meaning, you must figure out
what the system you are analyzing looks like and what types of threats
that need mitigation. For smaller applications under development this can
be a useful activity, but for larger systems it doesn’t scale.
development and system analysis. However, most threat modeling
approaches remain to be highly manual. Meaning, you must figure out
what the system you are analyzing looks like and what types of threats
that need mitigation. For smaller applications under development this can
be a useful activity, but for larger systems it doesn’t scale.
In order to create a model of an existing system it is suggested to do this
based on available data sources, for instance network and vulnerability
scanners, firewall rules, and asset inventories. By doing it this way you get
an accurate model reflecting the whole system as it actually is
implemented and not the modeler’s dreamy view of it. And you can keep
your model up-to-date in a continuous way.
based on available data sources, for instance network and vulnerability
scanners, firewall rules, and asset inventories. By doing it this way you get
an accurate model reflecting the whole system as it actually is
implemented and not the modeler’s dreamy view of it. And you can keep
your model up-to-date in a continuous way.
With this fresh accurate model of your system, it is now time to figure out
if it is secure or not. And when you realize there are plenty of weaknesses
that can be used by attackers you need to decide what the best mitigation
strategy is. For this, the threat modeling community has been relying on
security experts. However, in a parallel universe other have been using
attack graphs to run simulations answering these types of questions. The
problem for the attack graph community has similarly been the creation of
the graph (the model). Since the systems are large and complex, the
graph also becomes large and complex. So, it is difficult, time-consuming,
and error-prone to create one and the result isn’t very trustworthy.
if it is secure or not. And when you realize there are plenty of weaknesses
that can be used by attackers you need to decide what the best mitigation
strategy is. For this, the threat modeling community has been relying on
security experts. However, in a parallel universe other have been using
attack graphs to run simulations answering these types of questions. The
problem for the attack graph community has similarly been the creation of
the graph (the model). Since the systems are large and complex, the
graph also becomes large and complex. So, it is difficult, time-consuming,
and error-prone to create one and the result isn’t very trustworthy.
The novel idea I am presenting here is to combine threat models with
attack simulations. For this, we have developed the Meta Attack Language
(MAL) [1]. This is an open-source framework [2] that can be used to create
Domain-Specific (Modeling) Languages (DSLs). With MAL you thus
describe what assets you are interested in e.g. computer, network,
software, what attacks these assets can be subjected to, and what
defenses that could mitigate these attacks. With MAL you therefore have
full freedom to create your own threat modeling and attack simulation
language. The fancy thing is, when you instantiate your assets, e.g.
Robert’s MacBook Air running macOS Big Sur v.11.2.3, you also get an
underlying attack and defense graph for it. Thus, when you have your
threat model (assets and how these are connected to each other) you can
automatically run a simulation pinpointing where your weaknesses are
and also suggestions on what mitigations that could be added to decrease
the risks.
attack simulations. For this, we have developed the Meta Attack Language
(MAL) [1]. This is an open-source framework [2] that can be used to create
Domain-Specific (Modeling) Languages (DSLs). With MAL you thus
describe what assets you are interested in e.g. computer, network,
software, what attacks these assets can be subjected to, and what
defenses that could mitigate these attacks. With MAL you therefore have
full freedom to create your own threat modeling and attack simulation
language. The fancy thing is, when you instantiate your assets, e.g.
Robert’s MacBook Air running macOS Big Sur v.11.2.3, you also get an
underlying attack and defense graph for it. Thus, when you have your
threat model (assets and how these are connected to each other) you can
automatically run a simulation pinpointing where your weaknesses are
and also suggestions on what mitigations that could be added to decrease
the risks.
A small example of MAL-code is presented below, this is based on
techniques and mitigations from the MITRE Enterprise ATT&CK Matrix,
taken from a research paper [3].
techniques and mitigations from the MITRE Enterprise ATT&CK Matrix,
taken from a research paper [3].
In this small example we can see two categories of assets namely;
Accounts and Software. Where we have UserAccounts and
AdminAccounts, with WindowsAdmin inheriting from the general
AdminAccount. For the Software category we have Windows and Services.
For each asset, there are attack steps defined. For instance, if an attacker
gets userRights on a UserAccount this could lead to a
userAccessTokenManipulation attack on a Windows machine. The assets
can also have defenses associated with them. For the userRights attack a
possible defense is to have proper userAccountManagement. The
associations between the assets are also defined, e.g. a Windows machine
runs multiple services.
Accounts and Software. Where we have UserAccounts and
AdminAccounts, with WindowsAdmin inheriting from the general
AdminAccount. For the Software category we have Windows and Services.
For each asset, there are attack steps defined. For instance, if an attacker
gets userRights on a UserAccount this could lead to a
userAccessTokenManipulation attack on a Windows machine. The assets
can also have defenses associated with them. For the userRights attack a
possible defense is to have proper userAccountManagement. The
associations between the assets are also defined, e.g. a Windows machine
runs multiple services.
category Account {
asset UserAccount {
| userRights
-> windows.userAccessTokenManipulation
# userAccountManagement
-> windows.userAccessTokenManipulation
}
asset AdminAccount {
| adminRights
# privilegedAccountManagement
}
asset WindowsAdmin extends AdminAccount {
| adminRights
+> windows.adminAccessTokenManipulation
# privilegedAccountManagement
+> windows.adminAccessTokenManipulation
}
}
category Software {
asset Windows {
& userAccessTokenManipulation
info: "Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection."
-> service.exploitationForPrivilegeEscalation
& adminAccessTokenManipulation
-> service.exploitationForPrivilegeEscalation
}
asset Service {
| exploitationForPrivilegeEscalation
}
}
associations {
UserAccount [userAccount] * <--Accesses--> 1 [windows] Windows
AdminAccount [adminAccount] * <--Accesses--> 1 [windows] Windows
Windows [windows] 1 <--Runs--> * [service] Service
}Any MAL-based DSL can be run with the securiCAD tool from foreseeti [4].
This will provide you with more advanced capabilities, for instance nice
graph representations, multi-user environments, APIs for data import, cool
metrics and reports. Foreseeti has DSLs and products based on MAL and
among the more mature and widely-used DSLs you find one for AWS
(securiCAD Vanguard) [5], Azure [6], and on-prem IT [7].
This will provide you with more advanced capabilities, for instance nice
graph representations, multi-user environments, APIs for data import, cool
metrics and reports. Foreseeti has DSLs and products based on MAL and
among the more mature and widely-used DSLs you find one for AWS
(securiCAD Vanguard) [5], Azure [6], and on-prem IT [7].
There are also DSLs for vehicle systems [8] and power systems [9] available. If you don’t want to use these off-the-shelf, you can either tailor it for your needs or create your own from scratch.
Most of the DSLs are open-source and can be reached through the MAL GitHub repository. Imagine a one click tool to get a cyber security analysis of your entire infrastructure. We are not completely there yet. However, with MAL we are not too many clicks away to realize this.
[1] MAL
https://doi.org/10.1145/3230833.3232799 Pontus Johnson, Robert Lagerström, and Mathias Ekstedt. 2018. A Meta Language for Threat Modeling and Attack Simulations. In Proceedings of the 13th International Conference on Availability, Reliability and Security (ARES 2018).
[2] MAL as open-source https://mal-lang.org
[3] Foreseeti https://foreseeti.com
DSLs
[4] AWS — https://foreseeti.com/securicad-vanguard-for-aws/
[5] Azure — https://foreseeti.com/securicad-enterprise/
[6] coreLang — https://doi.org/10.1007/978-3-030-62230-5_4
Katsikeas S. et al. (2020) An Attack Simulation Language for the IT Domain. In Graphical Models for Security. GraMSec 2020. Lecture Notes in Computer Science, vol 12419. Springer.
[7] vehicleLang — https://www.scitepress.org/Link.aspx?doi=10.5220/0007247901750182
Katsikeas, S.; Johnson, P.; Hacks, S. and Lagerström, R. (2019). Probabilistic Modeling and Simulation of Vehicular Cyber Attacks: An Application of the Meta Attack Language. In Proceedings of the 5th International Conference on Information Systems Security and Privacy — ICISSP.
[8] powerLang — https://doi.org/10.1186/s42162-020-00134-4
Hacks, S., Katsikeas, S., Ling, E. et al. powerLang: a probabilistic attack simulation language for the power domain. Energy Inform 3, 30 (2020
[5] Azure — https://foreseeti.com/securicad-enterprise/
[6] coreLang — https://doi.org/10.1007/978-3-030-62230-5_4
Katsikeas S. et al. (2020) An Attack Simulation Language for the IT Domain. In Graphical Models for Security. GraMSec 2020. Lecture Notes in Computer Science, vol 12419. Springer.
[7] vehicleLang — https://www.scitepress.org/Link.aspx?doi=10.5220/0007247901750182
Katsikeas, S.; Johnson, P.; Hacks, S. and Lagerström, R. (2019). Probabilistic Modeling and Simulation of Vehicular Cyber Attacks: An Application of the Meta Attack Language. In Proceedings of the 5th International Conference on Information Systems Security and Privacy — ICISSP.
[8] powerLang — https://doi.org/10.1186/s42162-020-00134-4
Hacks, S., Katsikeas, S., Ling, E. et al. powerLang: a probabilistic attack simulation language for the power domain. Energy Inform 3, 30 (2020
Also published on GitConnected