EU-funded researchers have developed working toolset and methodology that support a navigation approach to preventing unwanted system trespassers.

Digital Economy

The complexity of today’s interconnected technical systems, along with the speed that these systems are evolving, have far surpassed our capacity to even imagine – let alone evaluate – potential risk scenarios. As a result, we have entered unchartered waters when it comes to protecting ourselves. To overcome this challenge, new technology-supported methods are needed to identify and manage these always-changing risks – a challenge that the EU-funded TRESPASS project is addressing with its Attack Navigator solution. Start with a map ‘Of course it takes more than just a good metaphor to build a usable risk assessment system, but what the TRESPASS project provides is a working toolset and methodology that support a navigation approach to preventing unwanted system trespassers’, says project researcher and Assistant Professor at the Technical University of Denmark Christian W. Probst. To achieve this ‘navigation effect’, the project turns to the most basic of all navigational tools: the map. Whereas in the real world maps represent cities, streets and points of interest, the maps used by the TRESPASS project are essentially system models – a formal representation of the socio-technical environment intended to be analysed. These system models are based on a number of components, including: actors (human players or processes), assets (items or data), locations (where actors or items may be situated), edges (possible relocation paths between locations), policies (access control), and processes (computer programmes, virtual machines etc.). ‘Unlike in the real world, there are no satellites to provide pictures of a system environment’, says Probst. ‘Instead, the model is the result of a collection of processes that resemble the combination of satellite and geographer.’ Creating attacker profiles Once a system model is built, it’s time for the Attack Navigator to get to work. The TRESPASS Attack Navigator is a graph-based approach to security risk assessment inspired by navigation systems. ‘Based on maps of a socio-technical system, the Attack Navigator identifies possible routes that an attacker might take towards reaching their objective’, explains Probst. ‘By creating attacker profiles, attacker-specific properties, such as skill-level and available resources, can be included within the map, enabling those working to defend a system to explore possible attack scenarios and the effectiveness of defence alternatives.’ Probst notes that this attacker-focused approach represents a fundamental shift from the more usual defender-based approach of other risk assessment methods. Furthermore, just like navigation systems come in different shapes and sizes for different needs, the TRESPASS project also developed tools that work on different kinds of maps, for example where actors with money and service flows are represented to identify possible fraud. Predicting and proactively defending The most important property that influences a possible attack are the properties of the attacker. Similar to a vehicle navigation system, in many current security risk models these attacker properties are implicit. However, the TRESPASS project’s Attack Navigator concept takes this one very important step further by leveraging threat agents as attacker profiles. The tool thus uses a combination of a navigator map and an attacker profile to predict an attacker’s likely goals based on the attacker’s motivation, feasible routes to that goal, and properties of these routes based on the skill and resources from the attacker profile. The attacker profile implies a link between attack navigators and security economics, meaning the actions of both attackers and defenders come with costs and benefits that must be managed within a limited budget. Thus, the Attack Navigator assumes that 1) attackers will seek to optimise their investments, 2) the defender will move before the attacker, and 3) as a result, the attacker will already know what the defender has done. With this information, one can then predict the likely actions of an attacker and therefore proactively develop defence mechanisms. ‘The claim of the Attack Navigator is not a precise prediction of what will happen, but rather a prediction of what is possible or likely, and to what extent countermeasures improve the situation’, adds Probst. ‘Although the exact numbers one would like to have are usually impossible to obtain, our analyses is useful in comparing options, or even in directing our thinking about possible attackers.’

Keywords

TRESPASS, navigation, risk assessment, map, attack navigator, cyber security