Abstract
In recent years, we have witnessed rapid growth in large-scale machine-to-machine (M2M) communication, increased automation in smart grids and industrial manufacturing, and self-monitoring via Internet of Things (IoT) devices and cloud-based applications.
While the goal of this industrial revolution is to bring cyber-physical systems closer to reality, it creates many security challenges. Understanding and assessing vulnerabilities of these systems requires expert domain knowledge, making it an expensive endeavor for many businesses.
To address this challenge, we released a vulnerability assessment tool that a non-security expert can use to generate score-based attack paths, validate those paths with a stated level of confidence that they could be successfully executed, and collect exploitation evidence for reporting, while requiring only a minimal set of inputs. The tool makes the following contributions:
- Attack Modelling and Planning: The tool ingests system vulnerability information from several sources (e.g., Nessus and Nmap scan results, as well as a simplified custom-developed format) and then applies a formal 'Action with Assignment' modelling approach referred to as PAP (Precondition, Action, Postcondition). PAP values are built for each capability detected on a host and used to inform the attack path generation process.
- Attack Path Generation: The tool uses network topology and system vulnerability information to intelligently traverse paths through the network and generate a set of scored attack paths that satisfy a predefined goal. The user can then select the generated path that is most likely to be exploited by an attacker and generate a report.
- Attack Path Execution: The report contains, amongst other things, the required steps (for example, as Metasploit commands) to manually execute (with automation planned for a future release) the sequence of actions specified in the selected tree against a target system, including post-exploitation steps such as pivoting.
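To make the PAP modelling and scored path generation described above concrete, here is a small planner written for this page (it is not the tool's own code). Hosts, facts, capabilities and scores are all constructed placeholders; the search enumerates action sequences whose preconditions are satisfied, and scores each path as the product of its per-action likelihood weights.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PAP:
    """One detected capability in Precondition/Action/Postcondition form."""
    name: str
    pre: frozenset   # facts that must hold before the action can be taken
    post: frozenset  # facts that hold after the action succeeds
    score: float     # constructed likelihood weight in (0, 1]


def plan_attack_paths(actions, initial, goal, max_depth=6):
    """Depth-first enumeration of action sequences that lead from the
    `initial` facts to a state containing every fact in `goal`.
    Returns (score, [action names]) tuples sorted best-first."""
    paths = []

    def search(state, seq, score, depth):
        if goal <= state:                       # goal reached: record the path
            paths.append((score, [a.name for a in seq]))
            return
        if depth == 0:
            return
        for a in actions:
            # skip repeats, unmet preconditions, and actions adding no new fact
            if a in seq or not a.pre <= state or a.post <= state:
                continue
            search(state | a.post, seq + [a], score * a.score, depth - 1)

    search(frozenset(initial), [], 1.0, max_depth)
    return sorted(paths, key=lambda p: -p[0])


# Constructed example network: an exposed web host that can reach a database.
INITIAL = {"reach(web01)", "vuln(web01)", "vuln(db01)", "weak_creds(db01)"}
GOAL = {"shell(db01)"}
ACTIONS = [
    PAP("exploit_web01", frozenset({"reach(web01)", "vuln(web01)"}),
        frozenset({"shell(web01)"}), 0.8),
    PAP("pivot_web01_to_db01", frozenset({"shell(web01)"}),
        frozenset({"reach(db01)"}), 0.9),
    PAP("exploit_db01", frozenset({"reach(db01)", "vuln(db01)"}),
        frozenset({"shell(db01)"}), 0.6),
    PAP("weak_creds_db01", frozenset({"reach(db01)", "weak_creds(db01)"}),
        frozenset({"shell(db01)"}), 0.4),
]


def demo():
    """Rank the attack paths for the constructed network (two paths, scores ~0.432 and ~0.288)."""
    return plan_attack_paths(ACTIONS, INITIAL, GOAL)


if __name__ == "__main__":
    for score, steps in demo():
        print(f"{score:.3f}  " + " -> ".join(steps))
```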