Reverse Attack Simulations
As a means to develop our business we like to think about and prototype new ideas on how to improve and extend threat modeling, attack simulations and securiCAD. This happens down in the foreseeti mine where our engineers are most happy. We have different shafts with different topics open. This blog series summarizes some of that work.
We are currently participating in an Innovation Project about the next-generation SOC. Our task in the project is to develop solutions for empowering SOCs with attack simulation-based information, to support better-informed decisions with respect to protecting enterprise ICT infrastructures. But the project has also made us think bigger, and at least somewhat close to the walls of the famous box. Could we perhaps also help the CSIRT somehow with our attack simulations? Here is a thought.
Introduction

Soccrates: SOC & CSIRT Response to Attacks & Threats
securiCAD runs forward-looking attack simulations, in principle answering the question of how difficult it would be for an attacker to reach X starting from Y. But sometimes we know that Y was compromised. In that case we could clearly help the SOC assess the risk of that breach, by estimating how difficult it would be to reach Z (where the really, really sensitive stuff resides). But, moreover, if we assumed that the attackers actually came from X (perhaps the internet), how would they most easily have gotten to Y?
Wouldn’t it make sense to direct your forensic investigations along that critical path? In principle, yes! But there are caveats… Our attack simulations do not really predict actual attacker behaviour; we use them to identify vulnerabilities and risks in the system architecture. The attack simulations are shortest path calculations, and most likely our antagonist was not optimal in its behaviour. Moreover, the simulations are based on a generic attacker profile, which is everybody and nobody, whereas during an actual attack the compromise was clearly done by somebody. But then again…
… In a complex environment, starting to look along the simulated attack vector is far better than taking a wild guess. And once we know more, we can narrow down the simulation scenarios (how do you get from X to W, the step preceding Y) or perhaps update the simulation probability distributions with information about some specific attacker profile. We hope to be able to deliver something along the lines of these thoughts to this very exciting project (yes, we encourage you to follow the link above to read more about the cool work we and the other partners are doing).
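To make the idea concrete, here is an added toy example (not securiCAD code, and not part of the original post) of a "reverse" simulation over a tiny attack graph. The graph, the asset names and the per-step effort values are all constructed for illustration. Given a known-compromised asset Y and an assumed entry point X, it returns the shortest (least-effort) path X → Y as the first place to look, the predecessor W on that path for the narrowed-down scenario X → W, a ranked list of alternative paths for when the shortest one turns out not to be what the attacker did, and the forward effort from Y to the crown jewel Z:

```python
import heapq
from typing import Dict, List, Tuple

# Constructed attack graph (hypothetical assets, not a securiCAD model).
# Each edge is an attack step from one asset to the next, weighted by the
# assumed attacker effort in days for a generic attacker profile.
ATTACK_GRAPH: Dict[str, Dict[str, float]] = {
    "internet":     {"dmz_web": 2.0, "vpn_gateway": 5.0},
    "dmz_web":      {"app_server": 3.0},
    "vpn_gateway":  {"workstation": 1.0},
    "workstation":  {"app_server": 2.0, "db_server": 6.0},
    "app_server":   {"db_server": 4.0, "backup_vault": 8.0},
    "db_server":    {"backup_vault": 3.0},
    "backup_vault": {},
}

Graph = Dict[str, Dict[str, float]]


def shortest_path(graph: Graph, src: str, dst: str) -> Tuple[float, List[str]]:
    """Dijkstra: the least-effort path from src to dst, or (inf, []) if unreachable."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == dst:
            break
        for nxt, effort in graph.get(node, {}).items():
            nd = d + effort
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def ranked_paths(graph: Graph, src: str, dst: str) -> List[Tuple[float, List[str]]]:
    """All simple paths src -> dst, cheapest first: the investigator's ordered list of
    hypotheses, since the real attacker was probably not optimal (small graphs only)."""
    results: List[Tuple[float, List[str]]] = []

    def dfs(node: str, cost: float, path: List[str]) -> None:
        if node == dst:
            results.append((cost, list(path)))
            return
        for nxt, effort in graph.get(node, {}).items():
            if nxt not in path:          # simple paths only
                path.append(nxt)
                dfs(nxt, cost + effort, path)
                path.pop()

    dfs(src, 0.0, [src])
    return sorted(results, key=lambda r: (r[0], len(r[1])))


def reverse_simulation(graph: Graph, entry: str, compromised: str, crown_jewel: str) -> dict:
    """Y (`compromised`) is known breached and the attacker is assumed to come from X (`entry`).
    Returns the critical path to look along first, the predecessor W for the narrowed
    X -> W scenario, ranked alternatives, and the forward effort from Y to Z."""
    effort_to_y, critical = shortest_path(graph, entry, compromised)
    effort_to_z, forward = shortest_path(graph, compromised, crown_jewel)
    return {
        "critical_path": critical,
        "effort_to_compromised": effort_to_y,
        "predecessor": critical[-2] if len(critical) > 1 else None,
        "candidates": ranked_paths(graph, entry, compromised),
        "forward_path": forward,
        "effort_to_crown_jewel": effort_to_z,
    }


if __name__ == "__main__":
    result = reverse_simulation(ATTACK_GRAPH, "internet", "db_server", "backup_vault")
    print("look first along:", " -> ".join(result["critical_path"]))
    print("narrowed scenario: internet ->", result["predecessor"])
    for cost, path in result["candidates"]:
        print(f"  {cost:5.1f} days  {' -> '.join(path)}")
    print("effort from breach to crown jewel:", result["effort_to_crown_jewel"], "days")
```

The ranked list is what makes this usable with the caveats from the post: the shortest path is only the first hypothesis to check, and once forensics confirms or rules out a step, the corresponding edge weights can be adjusted and the paths recomputed.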
And while the project clock is ticking, we keep scratching our heads about how to add features to securiCAD with respect to this topic. Let us know your thoughts – holler down the mine!