Measuring and Improving the Effectiveness of Defense-in-Depth Postures

Defense-in-depth is an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is 'deep', containing many layers of security, and 'narrow', the number of node independent attack paths is minimized. Unfortunately, accurately calculating both depth and width is difficult using standard graph algorithms because of a lack of independence between multiple vulnerability instances (i.e., if an attacker can penetrate a particular vulnerability on one host then they can likely penetrate the same vulnerability on another host). To address this, we represent known weaknesses and vulnerabilities as a type of colored attack graph. We measure depth and width through solving the shortest color path and minimum color cut problems. We prove both of these to be NP-Hard and thus for our solution we provide a suite of greedy heuristics. We then empirically apply our approach to large randomly generated networks as well as to ICS networks generated from a published ICS attack template. Lastly, we discuss how to use these results to help guide improvements to defense-in-depth postures.

[1]  R. Cunningham,et al.  Validating and Restoring Defense in Depth Using Attack Graphs , 2006, MILCOM 2006 - 2006 IEEE Military Communications conference.

[2]  Sushil Jajodia,et al.  Cauldron mission-centric cyber situational awareness with defense in depth , 2011, 2011 - MILCOM 2011 Military Communications Conference.

[3]  David Evans,et al.  N-Variant Systems: A Secretless Framework for Security through Diversity , 2006, USENIX Security Symposium.

[4]  Richard C. Linger Systematic generation of stochastic diversity as an intrusion barrier in survivable systems software , 1999, Proceedings of the 32nd Annual Hawaii International Conference on Systems Sciences. 1999. HICSS-32. Abstracts and CD-ROM of Full Papers.

[5]  Shimon Even,et al.  Graph Algorithms: Contents , 2011 .

[6]  Shimon Even,et al.  Graph Algorithms , 1979 .

[7]  Jeffrey L. Hieb,et al.  Cyber security risk assessment for SCADA and DCS networks. , 2007, ISA transactions.

[8]  Karen A. Scarfone,et al.  The Common Vulnerability Scoring System (CVSS) and its Applicability to Federal Agency Systems , 2007 .

[9]  Harrick M. Vin,et al.  Heterogeneous networking: a new survivability paradigm , 2001, NSPW '01.

[10]  Harish Sethu,et al.  On achieving software diversity for improved network security using distributed coloring algorithms , 2004, CCS '04.

[11]  Mark Fabro,et al.  Control Systems Cyber Security: Defense-in-Depth Strategies , 2006 .

[12]  Peter Mell,et al.  Minimizing Attack Graph Data Structures , 2015, ICSEA 2015.

[13]  Sushil Jajodia,et al.  Minimum-cost network hardening using attack graphs , 2006, Comput. Commun..

[14]  Neal Langerman,et al.  Defense in Depth , 2014 .

[15]  Richard Lippmann,et al.  Modeling Modern Network Attacks and Countermeasures Using Attack Graphs , 2009, 2009 Annual Computer Security Applications Conference.

[16]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[17]  Somesh Jha,et al.  Two formal analyses of attack graphs , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[18]  Karen A. Scarfone,et al.  Guide to Industrial Control Systems (ICS) Security , 2015 .