Network Security Metrics

215 Pages·2017·7.357 MB·English

Preview Network Security Metrics

Lingyu Wang · Sushil Jajodia · Anoop Singhal

Network Security Metrics

Lingyu Wang, Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC, Canada
Sushil Jajodia, Center for Secure Information Systems, George Mason University, Fairfax, VA, USA
Anoop Singhal, Computer Security Division, NIST, Gaithersburg, MD, USA

ISBN 978-3-319-66504-7
ISBN 978-3-319-66505-4 (eBook)
https://doi.org/10.1007/978-3-319-66505-4
Library of Congress Control Number: 2017952946

© Springer International Publishing AG 2017

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature. The registered company is Springer International Publishing AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

To my wife, Quan. – Lingyu
To my wife, Kamal, with love. – Sushil
To my wife, Radha, with love. – Anoop

Preface

Today's computer networks are playing the role of nerve systems in many critical infrastructures, governmental and military organizations, and enterprises. Protecting such a mission-critical network means more than just patching known vulnerabilities and deploying firewalls and IDSs. The network's robustness against potential zero day attacks exploiting unknown vulnerabilities is equally important. Many recent high-profile incidents, such as the worldwide WannaCry ransomware attack in May 2017, the attack on the Ukrainian Kyivoblenergo power grid in December 2015, and the earlier Stuxnet infiltration of Iran's Natanz nuclear facility, have clearly demonstrated the real-world significance of evaluating and improving the security of networks against both previously known attacks and unknown "zero day" attacks.

One of the most pertinent issues in securing mission-critical computing networks against security attacks is the lack of effective security metrics. Since "you cannot improve what you cannot measure," a network security metric is essential to evaluating the relative effectiveness of potential network security solutions. To that end, there have been plenty of recent works on different aspects of network security metrics and their applications. For example, as most existing solutions and standards on security metrics, such as CVSS and attack surface, typically focus on known vulnerabilities in individual software products or systems, many recent works focus on combining individual metric scores into an overall measure of network security. Also, some efforts are dedicated to developing network security metrics especially for dealing with zero day attacks, which imply that little or no prior knowledge is present about the exploited vulnerabilities, and thus most existing approaches to security metrics will no longer be effective. Finally, some recent works apply security metric concepts to specific security applications, such as applying and visualizing a suite of network security metrics at the enterprise level, and measuring the operational effectiveness of a cybersecurity operations center. This book examines in detail those and other recent works on network security metrics.

There currently exists little effort on a systematic compilation of recent progress in network security metrics research. This book will fill the gap by providing a big picture about the topic to network security practitioners and security researchers alike. Security researchers who work on network security or security analytics-related areas seeking new research topics, as well as security practitioners including network administrators and security architects who are looking for state-of-the-art approaches to hardening their networks, will find this book useful as a reference. Advanced-level students studying computer science and engineering will also find this book useful as a secondary text.

More specifically, this book examines recent works on different aspects of network security metrics and their application to enterprise networks. First, the book starts by examining the limitations of existing solutions and standards on security metrics, such as CVSS and attack surface, which typically focus on known vulnerabilities in individual software products or systems. Chapters "Measuring the Overall Network Security by Combining CVSS Scores Based on Attack Graphs and Bayesian Networks", "Refining CVSS-Based Network Security Metrics by Examining the Base Scores" and "Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs" then describe different approaches to aggregating individual metric values obtained from CVSS scores into an overall measure of network security using attack graphs. Second, since CVSS scores are only available for previously known vulnerabilities, the threat of unknown attacks exploiting the so-called zero day vulnerabilities is not covered by CVSS scores. Therefore, chapters "k-Zero Day Safety: Evaluating the Resilience of Networks Against Unknown Attacks", "Using Bayesian Networks to Fuse Intrusion Evidences and Detect Zero-Day Attack Paths" and "Evaluating the Network Diversity of Networks Against Zero-Day Attacks" present several approaches to developing network security metrics in order to deal with zero day attacks exploiting unknown vulnerabilities. Finally, to address practical challenges in applying network security metrics to real-world organizations, chapter "Metrics Suite for Network Attack Graph Analytics" discusses several issues in defining and visualizing such metrics at the enterprise level, and chapter "A Novel Metric for Measuring Operational Effectiveness of a Cybersecurity Operations Center" demonstrates the need for novel metrics in measuring the operational effectiveness of a cybersecurity operations center.

Montreal, QC, Canada – Lingyu Wang
Fairfax, VA, USA – Sushil Jajodia
Gaithersburg, MD, USA – Anoop Singhal

Acknowledgements

Lingyu Wang was partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was partially supported by the Army Research Office grants W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research grant N00014-15-1-2007, the National Institute of Standards and Technology grant 60NANB16D287, and by the National Science Foundation grant IIP-1266147.

Contents

Measuring the Overall Network Security by Combining CVSS Scores Based on Attack Graphs and Bayesian Networks ..... 1
Marcel Frigault, Lingyu Wang, Sushil Jajodia, and Anoop Singhal
1 Introduction ..... 1
2 Propagating Attack Probabilities Along Attack Paths ..... 3
2.1 Motivating Example ..... 3
2.2 Defining the Metric ..... 5
2.3 Handling Cycles in Attack Graphs ..... 7
3 Bayesian Network-Based Attack Graph Model ..... 10
3.1 Representing Attack Graphs Using BNs ..... 10
3.2 Comparing to the Previous Approach ..... 15
4 Dynamic Bayesian Network-Based Model ..... 16
4.1 The General Model ..... 17
4.2 Case 1: Inferring Exploit Node Values ..... 18
4.3 Case 2: Inferring TGS Node Values ..... 19
5 Conclusion ..... 21
References ..... 23

Refining CVSS-Based Network Security Metrics by Examining the Base Scores ..... 25
Pengsu Cheng, Lingyu Wang, Sushil Jajodia, and Anoop Singhal
1 Introduction ..... 25
2 Preliminaries ..... 27
2.1 Attack Graph ..... 27
2.2 Common Vulnerability Scoring System (CVSS) ..... 28
2.3 Existing Approaches and Their Limitations ..... 30
3 Main Approach ..... 33
3.1 Combining Base Metrics ..... 33
3.2 Considering Different Aspects of Scores ..... 37
4 Algorithm and Simulation ..... 40
4.1 Algorithms ..... 41
4.2 Simulation Results ..... 44
5 Conclusion ..... 50
References ..... 51

Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs ..... 53
Anoop Singhal and Xinming Ou
1 Introduction ..... 53
2 Attack Graphs ..... 55
2.1 Tools for Generating Attack Graphs ..... 56
3 Past Work in Security Risk Analysis ..... 57
4 Common Vulnerability Scoring System (CVSS) ..... 59
4.1 An Example ..... 61
5 Security Risk Analysis of Enterprise Networks Using Attack Graphs ..... 62
5.1 Example 1 ..... 62
5.2 Example 2 ..... 65
5.3 Example 3 ..... 67
5.4 Using Metrics to Prioritize Risk Mitigation ..... 69
6 Challenges ..... 71
7 Conclusions ..... 71
References ..... 72

k-Zero Day Safety: Evaluating the Resilience of Networks Against Unknown Attacks ..... 75
Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, and Steven Noel
1 Introduction ..... 75
2 Motivating Example ..... 76
3 Modeling k-Zero Day Safety ..... 78
4 Applying k-Zero Day Safety ..... 81
4.1 Redefining Network Hardening ..... 81
4.2 Instantiating the Model ..... 83
5 Case Study ..... 84
5.1 Diversity ..... 85
5.2 Known Vulnerability and Unnecessary Service ..... 86
5.3 Backup of Asset ..... 88
5.4 Firewall ..... 89
5.5 Stuxnet and SCADA Security ..... 90
6 Conclusion ..... 92
References ..... 93
