Methods for modeling attacks based on use cases

Hello! My name is Daniil Neiman, I work at Positive Technologies in the direction of developing information security community initiatives, where I am actively involved in supporting and developing open-source projects and communities.

One of our goals is to promote knowledge sharing between information security professionals. To this end, we explore various methods of expertise standardization to make expert knowledge and best practices available to all professionals in a single format, contributing to the overall development of information security.

In today's world of constantly evolving and increasingly sophisticated cyberattacks, it is difficult for experts to quickly analyze and identify the complex patterns of cybercriminal actions that lead to a successful cyberattack. Well-designed systems that describe all possible actions of an attacker are called attack modeling methods and can solve this problem.

Attack modeling methods (attack modeling techniques), or AMTs, are used to simulate and visualize the sequence of events that lead to a successful cyberattack. A more detailed description of attack modeling techniques can be found in the original articleIn my article I will begin with a brief overview of the methods described in the original article.

AMT can be roughly divided into three categories:

methods based on use case diagrams;
temporal methods (emphasis on the chronological order and sequence of events in a cyber attack);
graph based methods.

In this article, we will look at the first of the three categories: methods based on use case diagrams. The methods in this category are based on the UML language, so before we look at them, we will define the UML language and use case diagrams themselves.

UML (Unified Modeling Language) is a language created in 1995 for the purpose of graphical modeling of software development processes, business processes, etc. In the early 2000s, it began to be actively studied as a possible way of modeling cyber threats.

Scenario diagram use — a diagram that is part of the UML language and reflects the relationships between actors And usage scenariosWhere:

actor — a set of user roles interacting with some entity (system, subsystem, class). It is designated on the diagram by a human figure;
usage scenario — actions performed by the system that lead to results observed by actors. It is indicated on the diagram by a red rectangle with a label. The label can be a name or a description of what the system does.

The main connections between actors and scenarios are:

includes — a dotted arrow with the inscription “include”, highlighting individual scenarios that are part of another scenario (in the example below, a person can use services to view the weather, exchange currency, search on a map, etc.);
allows — a dotted arrow with the inscription “extend”, indicating possible subsequent actions of the user (in the example, the next action of a person after registration may be authorization).

Refinement An example of a scenario diagram showing how users interact with the platform and its various services — An example of a scenario diagram showing how users interact with the platform and its various services

Now that we have the definitions out of the way, we can look at specific methods based on these diagrams.

Misuse cases

The term “misuse case” is a semantic reversal of the term “use case” and involves identifying what should not have happened (i.e., a negative scenario). The method was first proposed back in 2000 as a possible way to involve shareholders in the process of ensuring infrastructure security.

The misuse scenario diagram is created together with the corresponding use case diagram. The following additional elements are used in the model:

attacker conducting an attack (misuser);
a negative action that an attacker can take (misuse case);
a relationship that shows which legitimate user action (use case) can affect a malicious action (misuse case) (threatens);
what user action (use case) can stop or prevent an attacker's action (misuse case) (mitigates).

Refinement Source: https://daneshyari.com/article/preview/550938.pdf

Let's look at an example.

This diagram depicts an attack scenario that begins with an attacker sending a phishing email to a victim, then gaining access to the workstation via a malicious attachment and further escalating privileges.

Below are two attack procedures that aim to gain access to administrator credentials, namely:

Dump NT hash or Kerberos ticket using mimikatz utility.
Retrieving cached credentials from the Windows registry (see the diagram “Retrieving LSA secrets from the registry”).

White shows possible actions of a legitimate user, red shows actions of an attacker. The connections between them show how an attacker can achieve his goals, and how a defender can prevent a successful attack.

For example, you can modify Group Policy settings to:

Disable automatic login to Windows so that authentication data is not stored in the registry.
Disable local storage of NT hashes and restrict use of the NTLM protocol for authentication.

The considered modeling method has the following advantages:

Allows you to focus on security from the very beginning of the infrastructure design process.
Allows you to highlight the top-level attack surface.
Improves communication between specialists and ordinary users due to its simplicity.

But it also has significant disadvantages:

Lack of specificity in the description of the attacker's actions.
Lack of necessary conditions for the attacker to act.

Misuse cases maps

In 2010, an extension to the misuse cases method called misuse cases maps was proposed, expanding the description of the attack by adding various new types of connections with separation of infrastructure elements. This allowed for a more detailed description of the attacker's actions.

Moreover, the authors created a special editor for compiling diagrams, but unfortunately, due to the age of the publication, it was not possible to deploy it. Therefore, it remains only to consider the example they proposed of modeling a real attack on a bank, described in the seventh chapter of the book “The Art of Intrusion”.

Diagram showing the first five steps of attacking a bank

In this case, five stages of an attack on a bank's infrastructure are described:

The attacker found a range of bank IP addresses on the Internet.
He then scanned the bank's IP addresses and found a server running Citrix MetaFrame (remote access software).
Next, he scanned computers connected to the Internet, looking for an open Citrix Terminal Services remote access port (port 1494), through which remote connections occur.
Since no password is required for remote connections by default, the attacker successfully accessed these computers and searched the system for the word “password”, thereby trying to gain access to other parts of the infrastructure. From one of these workstations, the attacker managed to gain access to an edge router that had a default password. On it, the attacker added a rule allowing incoming connections to port 1723 (VPN), which allowed him to connect to the bank's internal flat network.
Further, while exploring the network, the attacker found a server with security analysis documentation. These documents listed all the vulnerabilities of the infrastructure and its services, which allowed them to gain control over all the bank's critical systems.

The advantages of this method compared to misuse cases:

A more detailed description of the attacker's actions.
Separation of different infrastructure components.

Among the disadvantages we can highlight:

A large number of similar-looking links make the diagram difficult to understand.
The method omits possible user actions to prevent the attack.
Only one attack variation can be depicted on one diagram.

Security use cases

There are several variations of this method: the first was proposed in In 2003the second in 2012but the basic idea is the same – to supplement the “Misuse Scenario” model by adding dynamic functions and conditions depending on which they can be executed. This will allow us to describe measures to improve the level of infrastructure security. Let's consider a newer variation, since it, like the previous methods, involves the use of UML diagrams.

Let's supplement the diagram of the previously considered example with mimikatz and LSA secrets by adding restrictions on user actions.

Secure use case diagram for the previously discussed workstation attack scenario example

Authentication can be restricted, for example, by requiring a successful 2FA check and also by setting the allowed countries from which the connection is made.

When creating a domain session, you can set limits on the number of simultaneous sessions and a condition for passing two-factor authentication.

Advantages of the method over misuse scenarios:

Identifying restrictions on actions as additional protective measures.

Flaws:

Same as misuse scenarios.

Misuse sequence diagrams

This method appeared in 2010 as an alternative to misuse cases maps. In this method, two additional entities are defined: an infrastructure element and an attacker. The interaction between the participants of the activity is represented in the form of another UML structure – a sequence diagram, which shows the life cycle of an object and the interaction of the parties within the scenario for a certain set of objects on a single time axis. In this method, the following entities and relationships are distinguished.

Let's try to adapt the example with LSA secrets dump and authentication data dump using mimikatz using this method.

Misuse Sequence Diagram with Workstation Attack Scenario

We see that we can identify specific entities:

a workstation that an attacker gains access to through a malicious attachment;
LSASS process, which stores administrator authentication data;
domain administrator session created by an attacker.

However, this type of diagram does not allow us to specify which actions are required for an attack, since we can obtain user credentials in different ways.

Advantages of the approach:

A convenient visual representation of the attacker's sequential actions over time.
Highlighting concrete elements, not just abstract actions.

Disadvantages of this approach:

Only one attack variation can be depicted on one diagram.
As the number of elements increases, it becomes difficult to maintain the readability and clarity of the diagram, making it difficult to analyze the actions.

CORAS

Developed in 2002, the CORAS project was conceived as a framework for visual and effective risk analysis. The method itself is also inspired by UML, but at the same time identifies its own elements and relationships. The method conceptually includes eight formal steps.

The main goal of the project is to create a diagram in a special editor from certain elements (see the figure below) and the connections between these elements.

Possible relationships between elements:

It is assumed that the attacker is trying to gain access to certain assets in the infrastructure, achieving the implementation of unwanted scenarios.

Let's look at an example that is already familiar to us, presented in the form of the following diagram.

CORAS diagram with workstation attack scenario

In CORAS, the diagram is built from right to left. First, the assets are identified, then the actions that can affect them, the vulnerabilities in the form of locks that implement the threat scenario, and finally the attacker is identified.

In this case, we define the asset as domain integrity, then we indicate that it can lose integrity if the domain administrator is successfully compromised. Next, we determine what credentials will lead to its compromise, namely NT hash, DCC2 and Kerberos ticket. Next, we describe the scenarios for obtaining them – using mimikatz or obtaining LSA secrets. Finally, we identify our attacker.

The advantages of this method:

Convenient high-level analysis of potential risks and ways of compromise.
Ability to define prerequisites for scenarios in the form of vulnerabilities.
The ability to add, supplement various compromise paths by defining new vulnerabilities, scenarios and connections. In this case, the assets generally remain unchanged.

Minus:

There is no definition of which connections are mandatory.

Thus, we have considered all methods based on scenario diagrams. To summarize, they began to appear and gained popularity in the early 2000s as an extension of the UML scenario diagram for analyzing possible cyber threats. After that, various variations were introduced, either complementing the already developed methods or rethinking them with the help of other UML diagrams.

At the same time, interest in UML itself has declined since 2004, mainly due to its redundancy and complexity of use. Also, the methods of describing threats based on scenario diagrams have not found wide application and further research interest among experts.

But this does not mean that active development of attack modeling methods has ceased. Research into these attack modeling methods has been important because they have provided valuable theoretical foundations for understanding attack scenarios, which in turn has contributed to the creation and development of more effective cyber attack modeling methods.

In the next article, I will discuss temporal attack modeling methods, such as the popular Cyber Kill Chain, Diamond Model, and Riskit. They play an important role in modern cyber attack analysis and prevention.

If you are interested in the topic of working with knowledge and creating various information models or have questions about this article, leave comments.