Scenario-Based Risk Modeling
We have two papers on security metrics at S4. The first is from Ralph Langner, who wrote the great paper on OPC server resource exhaustion attacks at S4 2007, and Bryan Singer, who you all know. They both came in independently with similar abstracts, so it only made sense for them to pair up on this interesting paper.
The classic risk = threat * vulnerability * consequence (impact or damage) equation has not worked in the control system world because we have no hard statistics on threat. This is unlikely to change in the near future, but we are also interested in projects trying to quantify this threat.
Describing risk in a meaningful way to decision makers is essential, and Ralph and Bryan are taking a different approach: Scenario-Based Risk Modeling. The paper goes through the methodology of the approach and then models five important and different scenarios. I don’t want to steal their thunder, so I’ll leave out the scenario details.
I am fascinated by the Scenario-Based Threat Modeling portion of the paper. This portion of their Risk Model builds on the Scenario-Based Threat Modeling in Snyder and Swiderski’s Threat Modeling book, which focuses on the attacker’s goals.
There is a similar thread of discussion on attacker goals going through the IT security world. Emphasis is shifting to recognize that the criminals and talented attackers are not randomly attacking vulnerable systems. Instead, they are compromising data that can be sold or used, such as financial system credentials and personal privacy information. Protecting this information of financial value, and identifying and fixing vulnerabilities found in databases, cached credential stores, and other areas, is a priority because this is the attacker’s goal. Thought leaders are using the attacker goals to prioritize their security resources more wisely.
Langner and Singer discuss the different attacker goals in a control system. The goal typically does not center on information, with some exceptions such as recipes. Control system attacker goals are more likely to involve altering the underlying process for a variety of reasons detailed in the paper. What would an attacker do after a compromise?
Each goal is then built into one or more scenarios, each of which includes vulnerabilities, controls, and damages.
This brief entry does not do the topic justice. This paper will probably add some clarity to ideas that have been in the back of your head for a while now.
Author: Dale Peterson
Posted: November 28th, 2007 under Calculating Risk, S4.
Comments: 3
Comments
Comment from Richard Bejtlich
Time: December 1, 2007, 2:38 pm
You said “The classic risk = threat * vulnerability * consequence (impact or damage) equation has not worked in the control system world because we have no hard, statistics on threat.”
I agree, but I submit that the equation doesn’t work in the digital security (non-control system world) either for the same reason. Any time I mention that equation, I’m just trying to explain how risk is zero if any of the factors are zero. I don’t use it to create some sort of “number” (at least not anymore!)
Comment from joat
Time: December 3, 2007, 6:49 am
I’m also concerned that scenario-based modeling leads down the risky path of attempting to “enumerate the bad”, a hopeless exercise because the limitation isn’t the ability of the attacker. Rather, the limitation is the evaluator’s imagination. Same goes for evaluating attacker goals, except you’ve added a bit more abstraction (guessing?) into the evaluation.
Comment from Bryan Singer
Time: December 11, 2007, 5:04 pm
Enumerating badness is definitely a “bad” thing… but I don’t think we are necessarily doing that here… It is more about painting a picture of the plausible rather than just conjecture. I’ve been reading a great book lately entitled, “The Black Swan.” It discusses the impact of the “highly improbable” and how it tends to change lives, and therefore we should think more outside the box and think about what things could really change the game. In these scenarios, we don’t really focus on the ability of the attacker (which enumerates badness), but rather the motivations of the attacker. An attack is opportunity meets means and most important MOTIVE. Risk analysis can tell us the means and the opportunities (threat vectors and vulnerabilities), but often leaves out the why behind the attack. Understanding the why, we can model scenarios and attack vectors in more meaningful ways, quite often.