How CAULDRON really works (for the techie in you)

To make TVA attack graphs feasible for realistic networks, we need scalable mathematical representations and algorithms. Modeling the attacker’s control over the network as monotonic (increasing over time), we need only represent the dependencies among exploits (preconditions and post-conditions), rather than explicitly enumerating every sequence of exploits. The resulting exploit-dependency attack graphs grow only quadratically (as opposed to exponentially) with the number of exploits, so that it becomes feasible to apply them for realistic networks. The assumption of monotonicity is quite reasonable, corresponding to the conservative assumption that once an attacker gains control of a network resource, he need not relinquish it to further advance the attack. That is, attack behavior is monotonic at a reasonable level of detail.

Based on a given attack scenario, the attack graph can be constrained by specific starting and ending points. The scenario could also be less constrained, such as finding all possible attack starts leading to one or more goals, or finding all possible paths from particular starting points. For example, one may wish to know how a particular critical system can be compromised from all possible starting points. Or, one may want to know all systems that could be compromised from a particular starting point, or even from all possible starting points. Our TVA implementation supports each combination of specified/unspecified attack start/goal.
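As an added illustration of the two paragraphs above (this is example code written for this page, not CAULDRON's own implementation; the machines, exploit names, and condition labels are constructed), the following Python computes the monotonic forward closure over exploit preconditions and postconditions, derives the quadratic exploit-dependency edge set instead of enumerating attack sequences, and supports every combination of specified/unspecified start and goal:

```python
from collections import deque

# Constructed network: the attacker may gain an initial foothold on any machine.
MACHINES = ["attacker", "web", "db", "admin"]

# Constructed exploits: name -> (preconditions, postconditions).
# Condition strings such as "exec(web)" or "vuln(db,rpc)" are illustrative labels.
EXPLOITS = {
    "e1_ssh_attacker_to_web": ({"exec(attacker)", "reach(attacker,web)", "vuln(web,ssh)"}, {"exec(web)"}),
    "e2_rpc_web_to_db":       ({"exec(web)", "reach(web,db)", "vuln(db,rpc)"}, {"exec(db)"}),
    "e3_rpc_attacker_to_db":  ({"exec(attacker)", "reach(attacker,db)", "vuln(db,rpc)"}, {"exec(db)"}),
    "e4_local_db_root":       ({"exec(db)", "vuln(db,local)"}, {"root(db)"}),
    "e5_ssh_db_to_admin":     ({"root(db)", "reach(db,admin)", "vuln(admin,ssh)"}, {"exec(admin)"}),
}

# Constructed network facts that hold before any attack. There is deliberately no
# reach(attacker,db): a firewall blocks that path, so e3 never becomes enabled.
BASE = {"reach(attacker,web)", "reach(web,db)", "reach(db,admin)",
        "vuln(web,ssh)", "vuln(db,rpc)", "vuln(db,local)", "vuln(admin,ssh)"}


def forward_closure(initial, exploits):
    """Monotonic reachability: fire every exploit whose preconditions hold.
    Conditions are never removed, so each exploit fires at most once and the
    loop needs at most |exploits| passes, i.e. O(|exploits|^2) checks."""
    state = set(initial)
    fired = []
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= state:
                fired.append(name)
                state |= post
                changed = True
    return state, fired


def dependency_edges(fired, exploits):
    """Edge a -> b when a's postconditions supply one of b's preconditions.
    At most |fired|^2 edges: the quadratic representation, never the path set."""
    return {(a, b) for a in fired for b in fired
            if a != b and exploits[a][1] & exploits[b][0]}


def relevant_to_goal(goal, fired, exploits):
    """Backward slice: exploits that transitively contribute to the goal condition."""
    preds = {}
    for a, b in dependency_edges(fired, exploits):
        preds.setdefault(b, set()).add(a)
    needed = {e for e in fired if goal in exploits[e][1]}
    queue = deque(needed)
    while queue:
        for p in preds.get(queue.popleft(), ()):
            if p not in needed:
                needed.add(p)
                queue.append(p)
    return needed


def scenario(start=None, goal=None):
    """start: machine the attacker initially controls, or None for every machine.
    goal: condition to reach, or None for everything reachable.
    Returns {start machine: exploits in firing order} for each start that applies."""
    result = {}
    for s in ([start] if start else MACHINES):
        init = BASE | {f"exec({s})"}
        state, fired = forward_closure(init, EXPLOITS)
        if goal is None:
            result[s] = fired
        elif goal in state and goal not in init:
            result[s] = sorted(relevant_to_goal(goal, fired, EXPLOITS), key=fired.index)
    return result


if __name__ == "__main__":
    print("critical system from all starts:", scenario(goal="exec(admin)"))
    print("everything from the attacker:  ", scenario(start="attacker"))
```

The goal-directed slice drops exploits that fired but do not lead to the goal (asking for exec(db) from the attacker returns only e1 and e2), and the unspecified-start query shows from which footholds the admin host can be reached at all.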

In their raw non-aggregated form, attack graphs can quickly become too complex for easy understanding. To help manage attack graph complexity, we aggregate the graph to higher levels of abstraction, providing better situational awareness. An important high-level abstraction in TVA is the protection domain, which represents a set of machines that have full access to one another’s vulnerabilities. In a raw (non-aggregated) form, the graph would be fully connected within a protection domain. Instead, we list the machines in a protection domain, along with exploits against each of their vulnerabilities. Then we implicitly rely on the fact that once an attacker takes control of a machine within a protection domain, he can exploit all vulnerabilities on machines within it. We thus need not explicitly list all n² (fully-connected) exploit dependencies within the protection domain.

In TVA, a high-level view displays attack relationships among protection domains, which can be opened individually or in groups for deeper views of attack properties and relationships. In this process, no graph information is lost; one has merely to expand a folder to acquire information at a lower level. A complete listing of exploits and associated details for any selected component is available at all times. This supports in-depth analysis of exploit details, while overall topology and network relationships are kept simple and understandable within the main graph view.
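To make the protection-domain idea concrete, here is an added example (not CAULDRON's code; hosts, domains, vulnerability labels and the allowed cross-domain exploits are all constructed) that builds the raw fully-connected graph, the aggregated domain-level view, and an expand() that regenerates a domain's intra-domain edges on demand, showing that aggregation loses nothing:

```python
# Constructed protection domains: every host in a domain can reach every
# vulnerability on every other host in the same domain.
DOMAINS = {
    "dmz":      ["web1", "web2", "web3"],
    "internal": ["db", "app", "file", "print"],
}

# Constructed remotely exploitable vulnerabilities per host.
VULNS = {
    "web1": ["ssh"], "web2": ["ssh", "http"], "web3": ["http"],
    "db": ["rpc"], "app": ["rpc", "ssh"], "file": ["smb"], "print": ["ipp"],
}

# Constructed cross-domain exploits (src host, dst host, vuln): the only
# dmz -> internal paths the firewall permits.
CROSS_DOMAIN = [("web2", "app", "rpc"), ("web2", "app", "ssh")]

HOST_DOMAIN = {h: d for d, hosts in DOMAINS.items() for h in hosts}


def intra_domain_edges(domain):
    """All (src, dst, vuln) exploit edges inside one domain: fully connected."""
    hosts = DOMAINS[domain]
    return {(s, d, v) for s in hosts for d in hosts if s != d for v in VULNS[d]}


def raw_edges():
    """The non-aggregated graph: every intra-domain edge plus cross-domain ones."""
    edges = set()
    for domain in DOMAINS:
        edges |= intra_domain_edges(domain)
    edges.update(CROSS_DOMAIN)
    return edges


def aggregated_view():
    """Domain-level view: per domain, its host list and one exploit entry per
    (host, vulnerability); between domains, one edge per domain pair.
    Intra-domain connectivity is implied rather than listed."""
    view = {d: {"hosts": list(hosts),
                "exploits": sorted((h, v) for h in hosts for v in VULNS[h])}
            for d, hosts in DOMAINS.items()}
    view["domain_edges"] = sorted({(HOST_DOMAIN[s], HOST_DOMAIN[d]) for s, d, _ in CROSS_DOMAIN})
    return view


def expand(domain):
    """Open a domain folder: recover the full intra-domain edge set from the
    host and vulnerability lists. No information was lost by aggregating."""
    return intra_domain_edges(domain)


def sizes():
    """(number of raw edges, number of entries in the aggregated view)."""
    raw = raw_edges()
    agg = aggregated_view()
    aggregated = sum(len(agg[d]["exploits"]) for d in DOMAINS) + len(agg["domain_edges"])
    return len(raw), aggregated


if __name__ == "__main__":
    print("raw edges vs aggregated entries:", sizes())
    print("expanded dmz:", sorted(expand("dmz")))
```

With n hosts carrying k vulnerabilities each, the raw form needs about k·n·(n−1) edges per domain while the aggregated view needs k·n entries; expanding every domain and adding the cross-domain edges reproduces the raw graph exactly.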

Our TVA tool also simulates the hardening of machines and exploitable vulnerabilities to study the effects of remediation and what-if scenarios. Exploring the attack graph, the analyst is often faced with multiple options for remediation. This involves choosing a machine or set of machines to protect (harden), or identifying specific exploits to protect against. We display the attack graph effects that occur when a specific machine or protection domain is hardened or when a specific exploit is neutralized. Hardened elements are maintained in a log, e.g., for reporting. The TVA tool also generates recommendations automatically, i.e., the first layer of exploits (adjacent to the start), the last layer (adjacent to the goal), and a minimum set of exploits whose removal separates start from goal.
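The following added example (written for this page, not CAULDRON's own code; the exploit-dependency graph and the host assignments are constructed) implements the what-if hardening step and the three recommendation types on a graph where neither layer is optimal: three exploits in the first layer, three in the last, but a two-exploit minimum cut in the middle. The minimum cut is computed as a vertex cut via Edmonds-Karp max-flow on a split graph (each exploit becomes an in/out node pair of capacity 1):

```python
from collections import deque

# Constructed exploit-dependency graph: edge a -> b means exploit a yields a
# condition that exploit b needs. "start" and "goal" are pseudo nodes.
GRAPH = {
    "start": ["e1_web_ssh", "e2_web_http", "e3_web_ftp"],
    "e1_web_ssh": ["e4_app_rpc"],
    "e2_web_http": ["e4_app_rpc"],
    "e3_web_ftp": ["e5_app_ssh"],
    "e4_app_rpc": ["e6_db_rpc", "e7_db_smb"],
    "e5_app_ssh": ["e7_db_smb", "e8_db_local"],
    "e6_db_rpc": ["goal"], "e7_db_smb": ["goal"], "e8_db_local": ["goal"],
    "goal": [],
}
# Constructed: which host each exploit targets, so a whole machine can be hardened.
HOST = {e: e.split("_")[1] for e in GRAPH if e not in ("start", "goal")}


def reachable(graph, src, removed=frozenset()):
    """Plain BFS reachability, skipping neutralised exploits."""
    seen, queue = {src}, deque([src])
    while queue:
        for m in graph.get(queue.popleft(), []):
            if m not in removed and m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def harden(graph, exploits=(), hosts=()):
    """What-if: neutralise exploits and/or harden whole hosts; return the
    residual graph restricted to nodes still on some start -> goal path
    (empty dict when the goal is no longer reachable)."""
    removed = set(exploits) | {e for e, h in HOST.items() if h in set(hosts)}
    rev = {}
    for a, succ in graph.items():
        for b in succ:
            rev.setdefault(b, []).append(a)
    keep = reachable(graph, "start", removed) & reachable(rev, "goal", removed)
    return {n: [m for m in graph[n] if m in keep] for n in graph if n in keep}


def first_layer(graph):
    return sorted(graph["start"])


def last_layer(graph):
    return sorted(n for n, succ in graph.items() if "goal" in succ)


def min_cut(graph, src="start", dst="goal"):
    """Smallest set of exploits separating start from goal (vertex min-cut)."""
    INF = float("inf")
    cap = {}

    def add(u, v, c):
        cap.setdefault(u, {})[v] = cap.get(u, {}).get(v, 0) + c
        cap.setdefault(v, {}).setdefault(u, 0)          # residual back-edge

    inn = lambda n: n if n in (src, dst) else n + "#in"
    out = lambda n: n if n in (src, dst) else n + "#out"
    for n, succ in graph.items():
        if n not in (src, dst):
            add(inn(n), out(n), 1)                      # removing exploit n costs 1
        for m in succ:
            add(out(n), inn(m), INF)                    # dependencies cannot be cut

    def bfs():
        parent, queue = {src: None}, deque([src])
        while queue:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    if v == dst:
                        return parent
                    queue.append(v)
        return parent

    while True:
        parent = bfs()
        if dst not in parent:
            break
        path, v = [], dst
        while v != src:
            path.append((parent[v], v))
            v = parent[v]
        flow = min(cap[u][v] for u, v in path)
        if flow == INF:
            raise ValueError("start and goal are directly connected")
        for u, v in path:
            cap[u][v] -= flow
            cap[v][u] += flow
    source_side = set(parent)                           # residual reachability after max-flow
    return sorted(n for n in graph if n not in (src, dst)
                  and inn(n) in source_side and out(n) not in source_side)


if __name__ == "__main__":
    print("first layer:", first_layer(GRAPH))
    print("last layer: ", last_layer(GRAPH))
    print("minimum cut:", min_cut(GRAPH))
    print("after hardening app host:", harden(GRAPH, hosts=["app"]))
```

Rerunning min_cut on the graph returned by harden() is the what-if loop in miniature: neutralising e4_app_rpc alone still leaves a path through e3 and e5, and the recommendation shrinks to a single exploit, whereas hardening the app host removes every path.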