A Methodology for Ranking Cloud System Vulnerabilities

Patrick Kamongi, Srujan Kotikela, Mahadevan Gomathisankaran, Krishna Kavi
Computer Science and Engineering, University of North Texas, Denton, TX 76203, USA
[email protected]

Abstract—Nowadays there is a high demand for security assurance within the Cloud Computing world. To meet this demand, security practitioners attempt to assess the security vulnerabilities that any given cloud system may have; however, this task presents some challenges when the target is a complex cloud system. Different security tools have been developed to facilitate the vulnerability discovery process. In this paper we propose a new methodology for ranking cloud system vulnerabilities. We have designed and developed a working model. It starts with a vulnerability discovery process on our custom cloud web application and ends with a unified and simple view of ranked vulnerabilities mounted on each of the prioritized, generated attack paths.

I. INTRODUCTION

Lately, we have been seeing in the news [1], [2], [3] how many financial institutions were hit by devastating security attacks on their online services. Most of the successful attacks were based on currently known system vulnerabilities that had not been addressed on the victims' systems for different reasons: either a vulnerability was judged to pose a negligible security threat, or the organization made some trade-offs in its security practice, which in turn could result in a big security breach. In the end, it is still impossible to protect any given system fully. But different approaches have been attempted to overcome this challenge, such as managing risk tolerance. Risk tolerance matters because, by setting a risk tolerance, an organization can make decisions based on what has been determined to be an acceptable risk [4]. To identify what level of risk is acceptable to tolerate, it needs to be quantified in an easy and understandable form. Using a risk scoring approach, one can provide a level of trust as to whether an organization is operating within the safe tolerable range or not. In terms of cloud-system-based online services, one needs to ensure that their services and cloud environment meet their set acceptable risk level. However, this task gets complicated by new attack attempts that bypass the old security settings, and this requires the organization to rethink its tolerable security risk level. We propose an approach to dynamically track and analyze the security risk of any cloud-based system. In our attempt, we use the currently accepted Common Vulnerability Scoring System (CVSS) for quantifying a security vulnerability, and attack graph generation to assess the security risks of the target system. On top of that, we devised an extension metric to the CVSS metrics that allows us to collectively assess the multiple vulnerabilities that lead to the likely successful attack paths (from the generated attack graph). With this approach, an organization can set its risk tolerance level based on its priority security needs, and our working model will rank the security threats in order of severity. This practice should always be able to inform the organization dynamically about the current threats it is facing, so that it can easily put in action a strong and reliable security measure that allows it to stay within its desired tolerable risk zone. Our contribution in this paper is solely based on the application of security metrics and how they allow us to establish a reliable risk tolerance level. Some of the topics of interest we explored in this paper are:

1) Security Auditing
2) Risk Assessment and Risk Management
3) Vulnerabilities Management
4) Cyber Security Automation
5) Cloud Computing Security

The rest of this paper is organized as follows: in Section II we discuss some background of our work, while in Section III we present our approach; an example workflow of our approach is presented in Section IV; in Section V we discuss the related work; and finally, conclusions and further research directions are given in Section VI.

II. BACKGROUND

A. On-Fly Authentication Application

The On-Fly Authentication Application is a prototype application hosted on Amazon Web Services (AWS) [5]. On AWS, we used the Amazon Elastic Compute Cloud (EC2) [6] infrastructure service, which allowed us to deploy and run an Amazon instance that supports our application. The application is made of two components, the client side and the server side. The client side provides a web page form that asks the user to provide:

1) The direct Uniform Resource Locator (URL) of the file that needs to be authenticated, e.g., http://goo.gl/y1mge
2) The given hash value of the file that needs to be authenticated, e.g., b359dd978f6f5eb6f8635d7d78aee306
3) The hash function used for the file that needs to be authenticated, e.g., md5

Then, the user submits the form to be processed on our server side. The server end receives the user inputs and:

1) Downloads the file linked to the provided URL
2) Using the provided hash function ("md5"), computes the file hash value
3) Compares the new hash value to the user-provided hash value and returns a confirmation message: whether there is a match (the file is authentic) or no match (the file has been modified)

Throughout this paper we will use this application to illustrate how we could use our newly proposed security metrics to rank assessed vulnerabilities.

B. Amazon Elastic Compute Cloud (EC2)

In this section, we detail the key features of EC2 relevant to our work. Amazon's Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud [6]. Instances are provisioned from Amazon Machine Images (AMIs) [7], where an AMI is a special type of pre-configured operating system and virtual application software which is used to create a virtual machine (instance) within EC2 [7]. Our Amazon EC2 instance includes Linux 3.2, the AWS tools, and repository access to multiple versions of MySQL, PostgreSQL, Python, Ruby, and Tomcat. On top of that, we installed the Apache HTTP Server ("httpd") for running web services on the EC2 instance. The web server is reachable on the two defined ports, 80 (http) and 443 (https), over TCP from any source. To access our instance, we allow SSH access (22/TCP) from any source. These rules are defined as part of the security groups [8] setting (firewall configuration).
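As an added illustration of the server-side steps above (example code written for this page, not the source of the On-Fly Authentication Application), the following Python mirrors the three form fields and the compare step. The download step is replaced by an injected `fetch` callable so that the example runs offline; the allow-list of hash function names, the constant-time comparison, the `example.invalid` URL and the sample file contents are assumptions made here, not features the paper describes.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable

# Hash functions the verifier will run. An explicit allow-list (assumption) keeps the
# user-supplied function name from being passed straight to hashlib.new().
ALLOWED_HASHES = ("md5", "sha1", "sha256", "sha512")


def stream_digest(chunks: Iterable[bytes], algorithm: str) -> str:
    """Server step 2: hash the downloaded file, fed chunk by chunk, with the requested function."""
    algo = algorithm.strip().lower()
    if algo not in ALLOWED_HASHES:
        raise ValueError(f"unsupported hash function: {algorithm!r}")
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def is_authentic(chunks: Iterable[bytes], expected_hex: str, algorithm: str) -> bool:
    """Server step 3: True when the recomputed digest equals the user-provided one."""
    computed = stream_digest(chunks, algorithm)
    expected = expected_hex.strip().lower()
    # A digest of the wrong length or with non-hex characters can never match;
    # reject it up front so compare_digest always sees two well-formed hex strings.
    if len(expected) != len(computed):
        return False
    try:
        bytes.fromhex(expected)
    except ValueError:
        return False
    return hmac.compare_digest(computed, expected)


def handle_form(form: Dict[str, str], fetch: Callable[[str], Iterable[bytes]]) -> str:
    """The three form fields from the client side; `fetch` stands in for server step 1
    (the download) so the example runs offline (assumption)."""
    chunks = fetch(form["url"])
    if is_authentic(chunks, form["hash"], form["function"]):
        return "match: the file is authentic"
    return "no match: the file has been modified"


# Constructed stand-in for the download: a fixed payload returned in two-byte chunks.
SAMPLE_FILES = {"http://example.invalid/sample.bin": b"hello"}


def fake_fetch(url: str) -> Iterable[bytes]:
    data = SAMPLE_FILES[url]
    return (data[i:i + 2] for i in range(0, len(data), 2))


if __name__ == "__main__":
    request = {"url": "http://example.invalid/sample.bin",
               "hash": "5d41402abc4b2a76b9719d911017c592", "function": "md5"}
    print(handle_form(request, fake_fetch))
```

Accepting only allow-listed function names keeps the user's string out of `hashlib.new()`, and `hmac.compare_digest` avoids revealing, through timing, how many leading hex digits of a guessed digest were right; neither changes the match/no-match answer the paper's server returns.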

III. APPROACH

A. Attack Graph Generation

1) Specifications: In our approach of producing security metrics that assess our cloud application introduced in Section II-A, we have a set of preliminary conditions that need to be set ahead. We want to know the system specifications, either from the outside attacker's point of view or as an internal assessment with full access to the entire system. Previous work on acquiring a system specification has been based on the data collected using a system security tool such as a vulnerability scanner. In our case, we use the Nessus [9] scanner to collect our target application's network description and any available vulnerability information. This is done from the outside attacker's view; to add relevant vulnerability information for any discovered application IT products, we use our VULCAN [10] (Vulnerability Assessment Framework for Cloud Computing Systems) tool, shown in Figure 1, to gather additional vulnerability details for those IT products. Then we generate a more elaborate system specification for our security assessment. A more detailed profile could also be collected for our target application if we received full specifications from the application design blueprints. For now let us assume a simple network description with a couple of vulnerabilities acquired using the Nessus scanner.

2) Modeling: The specifications collected in Section III-A1 allow us to create a baseline model for our attack graph generation and analysis work. We utilize one of the currently adopted approaches, such as a Büchi automaton and the SPIN model checker, to verify whether the specifications acquired thus far are indeed correct and complete; otherwise, we patch them on the fly so that we can produce a stable and reliable model for our attack graph generation [11].

3) Generation: Once an attack graph model has been produced (Section III-A2), we run our custom scripts to generate an attack graph from its specifications. Several approaches to generating attack graphs using various models and techniques are detailed in Sheyner's thesis [11]. Another alternative is to rely on commercial attack graph generator tools like Cauldron [12], developed by a George Mason University group. This tool incorporates all the preliminary requirements of attack graph generation and ensures a successful attack graph for the targeted application or system. In this work, we base our analysis on the resulting graph and proceed using our extended Common Vulnerability Scoring System (CVSS) metric algorithms, as detailed in Section III-A4.

4) Analysis: The attack graph generated in Section III-A3 for our application (Section II-A) contains all possible attack paths that an attacker could follow from a superficial entry point to the goal of carrying out a successful attack path that would give unauthorized access. This is very easy to assess when faced with a couple of possible attack paths. What if the attack graph contains a multitude of possible attack paths? To answer this problem we explored the currently known analysis techniques, such as the use of Probabilistic Scenario Graphs (PSG) as described in Sheyner's work [11]. Other related techniques have been devised to reduce the set of attack paths to a smaller number of more likely ones that pose an imminent threat. Our contribution in this work consists of a couple of crafted algorithms that use security metric concepts to answer, in a quantified representation, what the system's or application's tolerance level is; in addition, we provide the security analyst the means to prioritize attack paths in a ranked fashion. In the next Section III-B we introduce our version of the security metrics and how it is practically used to rank prioritized attack paths for any given system, or for our cloud application in this scenario.

Fig. 1. VULCAN Architecture. (Figure not reproduced; its labelled components are: National Vulnerability Database (xml data); ontology population through extraction of vulnerability data; Ontology Knowledge Database (xml/rdf data); System Classifications (specifications), with cloud system components classified into IaaS, PaaS, SaaS, APIaaS, etc.; Cloud System (specifications); Indexer (script) producing a context-rich, system-specific index; Semantic Natural Language Processor (script); Vulnerability Class Index (xml data); Cloud System Under Test; Vulnerability List (xml data); Attack Database (Metasploit Modules), specific to the system to be tested.)

B. An Overview of the Common Vulnerability Scoring System (CVSS)

CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities [13]. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. We propose to add a Weighted Average Mean metric on top of CVSS, which in turn allows us to rank the attack paths generated in Section III-A. We devised an algorithm to implement our solution which has two parts. The first part is the Ranking Algorithm and the second part is a graphical user interface called Dynamic Input Specification that receives custom user input about the priority metrics to use in ranking the attack graph paths.

1) Part 1 - Algorithm 1 for the Weighted Average Mean calculation for each attack graph path:

Algorithm 1 Ranking Using CVSS Metrics
Require: An attack graph G with a CVE-ID assigned to each node
  for the given attack graph G do
    Create a list L of all attack paths from G
    Display a menu of CVSS metric classes along with their subclasses
    Prompt the user for dynamic inputs (DI)
    for each entry of L, given the DI, do
      Extract the CVE-IDs from the L entry
      Map the CVE-IDs to their reported CVSS metrics that match the user DI
      Calculate the Weighted Average Mean and add it to a new list L'
    end for
    Sort L' in descending order
  end for
  Return the top ranked attack paths from L'
Ensure: A ranked list of attack paths based on the user dynamic inputs

2) Part 2 - Algorithm 2 for supplying Algorithm 1 with additional details: The user Dynamic Input Specification approach is illustrated in Algorithm 2. Below are two examples illustrating the acceptable input formats. The first example is an attack vector, i.e., "AV:L/AC:M/Au:N/C:N/I:P/A:C". In this example, a vulnerability has base metric values of "Access Vector:Low, Access Complexity:Medium, Authentication:None, Confidentiality Impact:None, Integrity Impact:Partial, Availability Impact:Complete". The second example is for the Weighted Average Mean inputs, i.e., "BM:0.25/TM:0.25/EM:0.5". In this case, a vulnerability is assigned weights for the metric groups of "Base Metric:0.25, Temporal Metric:0.25, Environmental Metric:0.5". Here we observe that the sum of the weights equals one. A similar approach can be used to assign weights to the CVSS metric subgroups, as long as the sum of the weights equals 1.

IV. EXAMPLE WORKFLOW

An overview of how our proposed approach works is illustrated in Figure 2.

Algorithm 2 User Dynamic Input Specifications
Require: Metrics
CVSS Metric Groups
  1. Base Metric (BM)
     1.1 Access Vector (AV)
     1.2 Access Complexity (AC)
     1.3 Authentication (AU)
     1.4 Confidentiality Impact (C)
     1.5 Integrity Impact (I)
     1.6 Availability Impact (A)
  2. Temporal Metric (TM)
     2.1 Exploitability (E)
     2.2 Remediation Level (RL)
     2.3 Report Confidence (RC)
  3. Environmental Metric (EM)
     3.1 Collateral Damage Potential (CDP)
     3.2 Target Distribution (TD)
     3.3 Security Requirements (CR, IR, AR)
Weighted Average Mean (0 - 1), default values
  A. Low (0.25)
  B. Medium (0.5)
  C. High (0.75)
  D. Not defined (0)
  E. Top priority (1)
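Algorithms 1 and 2 carried through as an added worked example in Python (written for this page; it is not the authors' scripts, nor the contents of the Guide [16]). It scores each node's CVE from a CVSS v2 vector using the base and temporal equations of the CVSS v2 guide [13], parses the "BM:0.25/TM:0.25/EM:0.5" weight input of Algorithm 2, enumerates the paths of a small constructed attack graph, and sorts them in descending order as Algorithm 1 does. Assumptions that the paper does not state: the environmental score is left undefined and its weight is renormalised away, a path's score is the mean of its nodes' weighted means, and the graph, the node-to-CVE mapping and the CVE-0000-000x identifiers are constructed placeholders. Note that in the CVSS v2 vector grammar the component AV:L denotes Local access.

```python
from statistics import mean
from typing import Dict, List, Optional

# CVSS v2 base-metric values and temporal multipliers (FIRST CVSS v2 guide [13]).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local, Adjacent network, Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # access complexity High, Medium, Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple, Single, None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # impact None, Partial, Complete
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def parse_vector(vector: str) -> Dict[str, str]:
    """'AV:L/AC:M/Au:N/...' -> {'AV': 'L', ...}; rejects malformed components."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed component {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def base_score(m: Dict[str, str]) -> float:
    """CVSS v2 base equation, rounded to one decimal as the guide specifies."""
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def temporal_score(m: Dict[str, str], base: float) -> Optional[float]:
    """CVSS v2 temporal equation; None when the vector carries no temporal metrics."""
    if not all(k in m for k in ("E", "RL", "RC")):
        return None
    return round(base * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]], 1)


def group_scores(vector: str) -> Dict[str, Optional[float]]:
    """Score per CVSS metric group. EM stays None here (assumption): environmental
    scoring needs site-specific CDP/TD/CR/IR/AR values this example does not model."""
    m = parse_vector(vector)
    base = base_score(m)
    return {"BM": base, "TM": temporal_score(m, base), "EM": None}


def parse_weights(spec: str) -> Dict[str, float]:
    """Algorithm 2 input such as 'BM:0.25/TM:0.25/EM:0.5'; the weights must sum to 1."""
    weights = {k: float(v) for k, v in parse_vector(spec).items()}
    if set(weights) != {"BM", "TM", "EM"} or any(not 0 <= w <= 1 for w in weights.values()):
        raise ValueError("weights must name BM, TM and EM, each within 0..1")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return weights


def weighted_mean(scores: Dict[str, Optional[float]], weights: Dict[str, float]) -> float:
    """Weighted mean over the groups that have a score. Groups without a score
    (or with zero weight) are dropped and the remaining weights renormalised (assumption)."""
    defined = {g: s for g, s in scores.items() if s is not None and weights[g] > 0}
    total = sum(weights[g] for g in defined)
    if total == 0:
        raise ValueError("no scored metric group carries any weight")
    return sum(weights[g] * s for g, s in defined.items()) / total


def attack_paths(graph: Dict[str, List[str]], start: str, goal: str) -> List[List[str]]:
    """List L of Algorithm 1: every simple path from start to goal (iterative DFS)."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:          # no revisits, so a cyclic graph cannot loop forever
                stack.append((nxt, path + [nxt]))
    return paths


def rank_paths(paths, cve_of_node, vectors, weight_spec):
    """Algorithm 1 body: score every path, then sort L' in descending order.
    A path's score is the mean of its CVE nodes' weighted means (assumption)."""
    weights = parse_weights(weight_spec)
    node_score = {n: weighted_mean(group_scores(vectors[c]), weights)
                  for n, c in cve_of_node.items()}
    scored = []
    for path in paths:
        vals = [node_score[n] for n in path if n in node_score]
        scored.append((path, mean(vals) if vals else 0.0))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: placeholder CVE ids (not real NVD entries) and CVSS v2 vectors.
SAMPLE_VECTORS = {
    "CVE-0000-0001": "AV:L/AC:M/Au:N/C:N/I:P/A:C",                    # the paper's example vector
    "CVE-0000-0002": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C",
    "CVE-0000-0003": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:W/RC:UR",
}
SAMPLE_NODE_CVES = {"n1": "CVE-0000-0001", "n2": "CVE-0000-0002", "n3": "CVE-0000-0003"}
SAMPLE_GRAPH = {"attacker": ["n1", "n3"], "n1": ["n2"], "n3": ["n2", "goal"], "n2": ["goal"]}

if __name__ == "__main__":
    for path, score in rank_paths(attack_paths(SAMPLE_GRAPH, "attacker", "goal"),
                                  SAMPLE_NODE_CVES, SAMPLE_VECTORS, "BM:0.25/TM:0.25/EM:0.5"):
        print(f"{score:5.2f}  {' -> '.join(path)}")
```

With the paper's weights, the node carrying the paper's example vector (base 5.4, no temporal metrics) keeps its base score as its weighted mean because the undefined TM and EM weights are dropped, while the two nodes with temporal metrics are pulled down by their remediation and confidence multipliers; the shortest path through the highest-scoring node ranks first.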

1) We have developed and deployed a web application (Section II-A) in Amazon EC2.
2) Using the application's IP address, we gather its information using the Nessus [9] scanning tool.
3) We have conducted Web App Tests and an External Network Scan on our application.
4) Web App Tests are used to discover known and unknown vulnerabilities in web applications [14].
5) The External Network Scan is used to scan externally facing hosts [15].
6) In the External Network Scan, all 65535 ports and known web application vulnerabilities are tested for.
7) In the acquired information, we look for vulnerability details and add additional vulnerability information using VULCAN, which uses the specifications obtained from the scanner.
8) The specifications plus the vulnerability information collected above are fed to our attack graph tool customization, which interprets the received details and processes them.
9) The above tool produces a complete attack graph. Then, using our defined algorithms (Section III-B), we extrapolate all possible attack paths.
10) Then, we request additional dynamic inputs to prioritize and generate attack paths using the ranking algorithm.

For a detailed illustration of our approach, please see our Guide [16].

Fig. 2. Example Scenario. (Figure not reproduced; its labelled components are: Nessus Scanner; VULCAN Framework; AWS EC2 App.; Attack Graph Tool; Generated Graph; User Dynamic Input; Ranked Attack Paths.)

V. RELATED WORK

The metrics we use to model the vulnerabilities found in a system are given by CVSS [13] and the weighted mean [17]. The combination of CVSS and weighted mean metrics allows us to generate a collective metric for the multiple vulnerabilities that make up the discovered attack paths. Wang et al. [18], in their work on attack graph-based probabilistic security metrics, assign probabilities to each node of the attack paths, and using their defined algorithm they are able to compute the cumulative probability of reaching the attack end goal. However, finding probabilities for each attack path node is a challenge [11], due to the fact that each vulnerability associated with a node is an individual entity and correlating it with others is not applicable. In our attempt to overcome this issue, we introduce a weighted mean over the given attack path, so that a user can provide some additional information that gives more meaning to our reranking algorithm, which efficiently computes the resulting attack paths while conserving each attack node's individual metrics. Attack graphs depict ways in which an adversary exploits system vulnerabilities to achieve a desired state [19]. In our attempt to use attack graph modeling to predict all possible paths an attacker can take to compromise a target system, we are building our custom attack graph generator tool to facilitate the generation task, which is very demanding in terms of complexity. This automation is very handy compared with attempting to generate an attack graph manually. Sheyner and Wing's work on tools for generating and analyzing attack graphs [19] provides a good understanding of how one can go about implementing a custom attack graph generator tool, such as the Cauldron [12] tool. Cauldron is a vulnerability analysis tool that aggregates, correlates, and visually maps attack patterns and possibilities.

In our work, we are devising a similar tool that will allow us to produce enough information about attack patterns and possibilities and apply them in our ranking algorithm. GARNET [20], a graphical attack graph and reachability network tool, provides the means to analyze the generated graph. The task of interpreting what the generated graph means can be daunting; however, with clear guidelines on what one hopes to analyze, the task becomes practical. In Sheyner's work on scenario graphs and attack graphs [11], game-theoretic models are developed for describing systems under attack, and it is shown how to generate attack graphs for such models with respect to particular security properties. We use both contributions, from GARNET and from the game-theoretic models, to apply security metrics that provide a risk tolerance level based on the user-provided security priority properties of their targeted system. Bleikertz et al. [21] presented a novel approach to the security assessment of the end-user configuration of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. Using a similar analogy, we developed a web application and deployed it on Amazon EC2. We could easily validate the correct set-up of the security policies of our application using the different techniques proposed in their work. We took an additional step by gathering the vulnerabilities of our application using Nessus [9], and the produced results are processed further toward our end goal of applying security metrics for risk assessment.

To take the application of security metrics to ranking attack graph paths one step further, we want to use it in penetration testing exercises, such as the one in Mirkovic et al.'s work [22] on testing a collaborative DDoS defense in a red team/blue team exercise.

VI. CONCLUSIONS AND FUTURE WORK

In this paper, we extended our previous work on VULCAN [10], a Vulnerability Assessment Framework for Cloud Computing. In VULCAN we modeled security vulnerabilities and defined a vulnerability ontology that classifies them. Then, we developed an automated process to instantiate our ontology using the data provided by NVD [23], which resulted in our ontology knowledge base (OKB). Using this rich OKB, we are able to study and assess the security vulnerabilities of individual components or parts of the cloud environment system. We achieve this complete assessment via VULCAN components, such as the Semantic Natural Language Processor (SNLP), and modules, like the System Classifiers and Indexer; see Figure 1 for an illustration. In this work we add a very important security layer to VULCAN: a new methodology for Ranking Cloud System Vulnerabilities. We conceptualize a cloud system vulnerability as one of the attack paths of our generated attack graph. Each attack path contains information about its vulnerabilities and their pre- and post-conditions that need to be met for a successful breach of security if the attacker chooses to take it. We foresee that this contribution to cloud security would assist enterprises in learning about the various threats and security vulnerabilities their systems are or could be vulnerable to. In addition to the organization's risk assessment plan, they could use our defined algorithms to dynamically prioritize their security defense and protection mechanisms as the threat level changes over time, and to monitor newly reported and discovered vulnerabilities. As of now, we have our cloud-based prototype application implemented and have run all necessary scans successfully. We are now in the phase of automating our attack graph generation approach, linking it with our VULCAN framework, and performing a standard evaluation of our system. We plan on improving our attack graph tool to be able to monitor and generate attack graphs at runtime for any target system under cyber attack. This work is also potentially applicable to cyber defense red and blue team training exercises, as a learning tool for understanding attack graph generation and analysis and vulnerability assessment for the cloud computing environment.

ACKNOWLEDGMENT

The authors would like to thank...

REFERENCES

[1] 3 more major US banks report possible cyber attacks. NBCNEWS. 2013. URL: http://www.nbcnews.com/technology/technolog/3-more-major-us-banks-report-possible-cyber-attacks-6126050.
[2] Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions. InformationWeek Security. 2013. URL: http://www.informationweek.com/security/attacks/bank-ddos-attacks-resume-wells-fargo-con/240151825.
[3] Majority of U.S. Banks Were Hit by DDoS Attacks in 2012. EsecurityPlanet. 2013. URL: http://www.esecurityplanet.com/network-security/majority-of-u.s.-banks-were-hit-by-ddos-attacks-in-2012.html.
[4] The Importance of Setting Acceptable Risk Tolerance. Evantix. 2013. URL: http://www.evantix.com/blog/bid/41370/The-Importance-of-Setting-Acceptable-Risk-Tolerance.
[5] Amazon Web Services. Amazon. 2013. URL: http://aws.amazon.com/.
[6] Amazon Elastic Compute Cloud (Amazon EC2). Amazon. 2013. URL: http://aws.amazon.com/ec2/.
[7] Amazon Machine Images (AMIs). Amazon. 2013. URL: https://aws.amazon.com/amis.
[8] Amazon EC2 Security Groups. Amazon. 2013. URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html.
[9] Nessus Vulnerability Scanner. Tenable Network Security. 2013. URL: http://www.tenable.com/products/nessus.
[10] P. Kamongi, S. Kotikela, K. Kavi, and M. Gomathisankaran. "VULCAN: Vulnerability Assessment Framework for Cloud Computing". In: Proceedings of The Seventh International Conference on Software Security and Reliability. IEEE. 2013.
[11] Oleg Mikhail Sheyner. "Scenario graphs and attack graphs". PhD thesis. Carnegie Mellon University, 2004.
[12] NSA-Funded 'Cauldron' Tool Goes Commercial. DarkReading. 2013. URL: http://www.darkreading.com/security/news/217700162/nsa-funded-cauldron-tool-goes-commercial.html.
[13] Common Vulnerability Scoring System. FIRST. 2013. URL: http://www.first.org/cvss.
[14] Report: EC2-WebAppTest. Trusted Secure Systems Lab. 2013. URL: http://goo.gl/E3Sxe.
[15] Report: EC2-External-Scan. Trusted Secure Systems Lab. 2013. URL: http://goo.gl/p3uRT.
[16] Guide: Application of Security Metric for Ranking Cloud System Vulnerabilities. Trusted Secure Systems Lab. 2013. URL: http://goo.gl/jVFqu.
[17] Weighted mean. Wikipedia, Article. 2013. URL: http://en.wikipedia.org/wiki/Weighted_mean.
[18] Lingyu Wang, Tania Islam, Tao Long, Anoop Singhal, and Sushil Jajodia. "An attack graph-based probabilistic security metric". In: Data and applications security XXII. Springer, 2008, pp. 283–296.
[19] O. Sheyner and J. Wing. "Tools for generating and analyzing attack graphs". In: Formal methods for components and objects. Springer. 2004, pp. 344–371.
[20] Leevar Williams, Richard Lippmann, and Kyle Ingols. GARNET: A graphical attack graph and reachability network evaluation tool. Springer, 2008.
[21] Sören Bleikertz, Matthias Schunter, Christian W. Probst, Dimitrios Pendarakis, and Konrad Eriksson. "Security audits of multi-tier virtual infrastructures in public infrastructure clouds". In: Proceedings of the 2010 ACM workshop on Cloud computing security workshop. ACM. 2010, pp. 93–102.
[22] Jelena Mirkovic, Peter Reiher, Christos Papadopoulos, Alefiya Hussain, Marla Shepard, Michael Berg, and Robert Jung. "Testing a collaborative DDoS defense in a red team/blue team exercise". In: Computers, IEEE Transactions on 57.8 (2008), pp. 1098–1112.
[23] National Vulnerability Database. NIST. 2012. URL: http://nvd.nist.gov/.