A review of attack graph and attack tree visual syntax in cyber security

Perceiving and understanding cyber-attacks can be a difficult task, and more effective techniques are needed to aid cyber-attack perception. Attack modelling techniques (AMTs) - such as attack graphs, attack trees and fault trees, are a popular method of mathematically and visually representing the sequence of events that lead to a successful cyber-attack. These methods are useful visual aids that can aid cyber-attack perception. This survey paper describes the fundamental theory of cyber-attack before describing how important elements of a cyber-attack are represented in attack graphs and attack trees. The key focus of the paper is to present empirical research aimed at analysing more than 180 attack graphs and attack trees to identify how attack graphs and attack trees present cyber-attacks in terms of their visual syntax. There is little empirical or comparative research which evaluates the effectiveness of these methods. Furthermore, despite their popularity, there is no standardised attack graph visual syntax configuration, and more than seventy self-nominated attack graph and twenty attack tree configurations have been described in the literature - each of which presents attributes such as preconditions and exploits in a different way. The survey demonstrates that there is no standard method of representing attack graphs or attack trees and that more research is needed to standardise the representation

Evaluating practitioner cyber-security attack graph configuration preferences

Attack graphs and attack trees are a popular method of mathematically and visually rep- resenting the sequence of events that lead to a successful cyber-attack. Despite their popularity, there is no standardised attack graph or attack tree visual syntax configuration, and more than seventy self-nominated attack graph and twenty attack tree configurations have been described in the literature - each of which presents attributes such as preconditions and exploits in a different way. This research proposes a practitioner-preferred attack graph visual syntax configuration which can be used to effectively present cyber-attacks. Comprehensive data on participant ( n=212 ) preferences was obtained through a choice based conjoint design in which participants scored attack graph configuration based on their visual syntax preferences. Data was obtained from multiple participant groups which included lecturers, students and industry practitioners with cyber-security specific or general computer science backgrounds. The overall analysis recommends a winning representation with the following attributes. The flow of events is represented top-down as in a flow diagram - as opposed to a fault tree or attack tree where it is presented bottom-up, preconditions - the conditions required for a successful exploit, are represented as ellipses and exploits are represented as rectangles. These results were consistent across the multiple groups and across scenarios which differed according to their attack complexity. The research tested a number of bottom-up approaches - similar to that used in attack trees. The bottom-up designs received the lowest practitioner preference score indicating that attack trees - which also utilise the bottom-up method, are not a preferred design amongst practitioners - when presented with an alternative top-down design. Practitioner preferences are important for any method or framework to become accepted, and this is the first time that an attack modelling technique has been developed and tested for practitioner preferences

Firmware Modification Analysis in Programmable Logic Controllers

Incorporating security in supervisory control and data acquisition (SCADA) systems and sensor networks has proven to be a pervasive problem due to the constraints and demands placed on these systems. Both attackers and security professionals seek to uncover the inherent roots of trust in a system to achieve opposing goals. With SCADA systems, a battle is being fought at the cyber -- physical level, specifically the programmable logic controller (PLC). The Stuxnet worm, which became increasingly apparent in the summer of 2010, has shown that modifications to a SCADA system can be discovered on infected engineering workstations on the network, to include the ladder logic found in the PLC. However, certain firmware modifications made to a PLC can go undetected due to the lack of effective techniques available for detecting them. Current software auditing tools give an analyst a singular view of assembly code, and binary difference programs can only show simple differences between assembly codes. Additionally, there appears to be no comprehensive software tool that aids an analyst with evaluating a PLC firmware file for modifications and displaying the resulting effects. Manual analysis is time consuming and error prone. Furthermore, there are not enough talented individuals available in the industrial control system (ICS) community with an in-depth knowledge of assembly language and the inner workings of PLC firmware. This research presents a novel analysis technique that compares a suspected-altered firmware to a known good firmware of a specific PLC and performs a static analysis of differences. This technique includes multiple tests to compare both firmware versions, detect differences in size, and code differences such as removing, adding, or modifying existing functions in the original firmware. A proof-of-concept experiment demonstrates the functionality of the analysis tool using different firmware versions from an Allen-Bradley ControlLogix L61 PLC

Assessing and augmenting SCADA cyber security: a survey of techniques

SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

Optimising a defence-aware threat modelling diagram incorporating a defence-in-depth approach for the internet-of-things

Modern technology has proliferated into just about every aspect of life while improving the quality of life. For instance, IoT technology has significantly improved over traditional systems, providing easy life, time-saving, financial saving, and security aspects. However, security weaknesses associated with IoT technology can pose a significant threat to the human factor. For instance, smart doorbells can make household life easier, save time, save money, and provide surveillance security. Nevertheless, the security weaknesses in smart doorbells could be exposed to a criminal and pose a danger to the life and money of the household. In addition, IoT technology is constantly advancing and expanding and rapidly becoming ubiquitous in modern society. In that case, increased usage and technological advancement create security weaknesses that attract cybercriminals looking to satisfy their agendas. Perfect security solutions do not exist in the real world because modern systems are continuously improving, and intruders frequently attempt various techniques to discover security flaws and bypass existing security control in modern systems. In that case, threat modelling is a great starting point in understanding the threat landscape of the system and its weaknesses. Therefore, the threat modelling field in computer science was significantly improved by implementing various frameworks to identify threats and address them to mitigate them. However, most mature threat modelling frameworks are implemented for traditional IT systems that only consider software-related weaknesses and do not address the physical attributes. This approach may not be practical for IoT technology because it inherits software and physical security weaknesses. However, scholars employed mature threat modelling frameworks such as STRIDE on IoT technology because mature frameworks still include security concepts that are significant for modern technology. Therefore, mature frameworks cannot be ignored but are not efficient in addressing the threat associated with modern systems. As a solution, this research study aims to extract the significant security concept of matured threat modelling frameworks and utilise them to implement robust IoT threat modelling frameworks. This study selected fifteen threat modelling frameworks from among researchers and the defence-in-depth security concept to extract threat modelling techniques. Subsequently, this research study conducted three independent reviews to discover valuable threat modelling concepts and their usefulness for IoT technology. The first study deduced that integration of threat modelling approach software-centric, asset-centric, attacker-centric and data-centric with defence-in-depth is valuable and delivers distinct benefits. As a result, PASTA and TRIKE demonstrated four threat modelling approaches based on a classification scheme. The second study deduced the features of a threat modelling framework that achieves a high satisfaction level toward defence-in-depth security architecture. Under evaluation criteria, the PASTA framework scored the highest satisfaction value. Finally, the third study deduced IoT systematic threat modelling techniques based on recent research studies. As a result, the STRIDE framework was identified as the most popular framework, and other frameworks demonstrated effective capabilities valuable to IoT technology. Respectively, this study introduced Defence-aware Threat Modelling (DATM), an IoT threat modelling framework based on the findings of threat modelling and defence-in-depth security concepts. The steps involved with the DATM framework are further described with figures for better understatement. Subsequently, a smart doorbell case study is considered for threat modelling using the DATM framework for validation. Furthermore, the outcome of the case study was further assessed with the findings of three research studies and validated the DATM framework. Moreover, the outcome of this thesis is helpful for researchers who want to conduct threat modelling in IoT environments and design a novel threat modelling framework suitable for IoT technology

Towards a standardised attack graph visual syntax

More research needs to focus on developing effective methods of aiding the understanding and perception of cyber-attacks. Attack modelling techniques (AMTs) - such as attack graphs, attack trees and fault trees, are popular methods of mathematically and visually representing the sequence of events that lead to a successful cyber-attack. Although useful in aiding cyber-attack perception, there is little empirical or comparative research which evaluates the effectiveness of these methods. Furthermore, there is no standardised attack graph visual syntax configuration, currently more than seventy-five self-nominated attack graph and twenty attack tree configurations have been described in the literature - each of which presents attributes such as preconditions and exploits in a different way. This research analyses methods of presenting cyber-attacks and reveals that attack graphs and attack trees are the dominant methods. The research proposes an attack graph visual syntax which is designed using evidence based principles. The proposed attack graph is compared with the fault tree - which is a standard method of representing events such as cyber-attacks. This comparison shows that the proposed attack graph visual syntax is more effective than the fault tree method at aiding cyber-attack perception and that the attack graph can be an effective tool for aiding cyber-attack perception - particularly in educational contexts. Although the proposed attack graph visual syntax is shown to be cognitively effective, this is no indication of practitioner acceptance. The research proceeds to identify a preferred attack graph visual syntax from a range of visual syntaxes - one of which is the proposed attack graph visual syntax. The method used to perform the comparison is conjoint analysis which is innovative for this field. The results of the second study reveal that the proposed attack graph visual syntax is one of the preferred configurations. This attack graph has the following attributes. The flow of events is represented top-down, preconditions are represented as rectangles, and exploits are represented as ellipses. The key contribution of this research is the development of an attack graph visual syntax which is effective in aiding the understanding of cyber-attacks particularly in educational contexts. The proposed method is a significant step towards standardising the attack graph visual syntax

DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements

Designing a Software Platform for Evaluating Cyber-Attacks on The Electric PowerGrid

abstract: Energy management system (EMS) is at the heart of the operation and control of a modern electrical grid. Because of economic, safety, and security reasons, access to industrial grade EMS and real-world power system data is extremely limited. Therefore, the ability to simulate an EMS is invaluable in researching the EMS in normal and anomalous operating conditions. I first lay the groundwork for a basic EMS loop simulation in modern power grids and review a class of cybersecurity threats called false data injection (FDI) attacks. Then I propose a software architecture as the basis of software simulation of the EMS loop and explain an actual software platform built using the proposed architecture. I also explain in detail the power analysis libraries used for building the platform with examples and illustrations from the implemented application. Finally, I will use the platform to simulate FDI attacks on two synthetic power system test cases and analyze and visualize the consequences using the capabilities built into the platform.Dissertation/ThesisMasters Thesis Computer Science 201