Security Monitoring

Chapter:
Security
Version:
Updated:
2015-09-02
Contact Person:
Olivier Bettan / Susana González Zarzosa
olivier.bettan@thalesgroup.com susana.gzarzosa@atos.net
MulVAL Attack Paths Engine

Quick reference guide

The Attack Paths Engine is an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network. The Attack Path Engine comprises a scanner, run asynchronously on each host and largely built on existing tools such as Nessus, and an analyzer, run on one host whenever new information arrives from the scanners.
  • Step 1
As the first step, click the link http://secmonitoring.testbed.fi-ware.org/AttackGraphEngine/attackgraph.jsp to launch the application.
  • Step 2
Browse your local folders to select the Nessus file and the topology file, in that order: first the Nessus file, then the topology file. Example input files can be downloaded from http://catalogue.fi-ware.org/sites/default/files/inputs_for_attackgraph_global_demo.zip
  • Step 3
Once your Nessus and topology files are selected, click on Upload files. The files are uploaded to the server and processed by the Attack Path Engine, and the results are returned directly to the browser. Clicking the first link displays the PDF file directly in your web browser; clicking the second link displays the XML file directly in your web browser. For integration with other tools, save this XML file so that it can be used in your own business processes.

Manuals
  • A high-level description of the overall architecture of the MulVAL Attack Paths Engine in the Security Monitoring GE is available at the Architecture Description
  • The description of the MulVAL Attack Paths Engine provided in the Security Monitoring GE is available at the MulVAL Attack Paths Engine Description
  • The provided API of the MulVAL Attack Paths Engine is specified in the API Specification and the Web Application is specified in the Web Application API Specification
  • The installation and administration guide of MulVAL Attack Paths Engine is provided in the Installation and Administration Guide and the Web Application is provided in the Web Application Installation and Administration Guide
  • Tutorials
  • The user and programmer guide of MulVAL Attack Paths Engine is provided in the User and Programmer Guide and the Web Application is provided in the Web Application User and Programmer Guide
  • The tutorial to test the MulVAL Attack Paths Engine is provided in the Unit Testing Plan and the tutorial to test the Web Application is provided in the Web Application Unit Testing Plan
  • Scored Attack Paths

    Quick reference guide

    The scoring application provides tools to security operators for assessing the risk and impact of attack paths. This application is written in Java and has a client interface built with the Java Swing library. This quick guide explains how to use this application.
    • Step 1
    The main view contains the controls necessary for operating the application, setting the parameters, choosing the desired functions, and obtaining the attack path scores.
    • Step 2
    Next to the main control panel, a tree view of the Attack Graph XML file is displayed. This view presents the details of the data format succinctly, so that the data related to a given vertex or arc is easy to access.
    • Step 3
    The user inputs a new attack graph file by clicking on 'New input file to database'. A dialog opens for the MulVAL file selection, as depicted in the Figure below.
    • Step 4
    Once the file has been selected, the user must load it by means of the 'Load current database' button. A dialog confirms whether the operation succeeded or failed.
    • Step 5
    If a file needs to be discarded, the database needs to be reinitialized. To do this, the user clicks the 'Reset current database' button.
    • Step 6
    After having input the MulVAL file and loaded the XML database of the file, the user selects the normalization method and the score formula, then simply clicks on the 'Score' button.

Manuals
  • A high-level description of the overall architecture of the Scored Attack Paths in the Security Monitoring GE is available at the Architecture Description
  • The description of the Scored Attack Paths provided in the Security Monitoring GE is available at the Scored Attack Paths Description
  • The provided API of the Scored Attack Paths is specified in the API Specification
  • The installation and administration guide of Scored Attack Paths is provided in the Installation and Administration Guide
  • Tutorials
  • The user and programmer guide of Scored Attack Paths is provided in the User and Programmer Guide
  • The tutorial to test the Scored Attack Paths is provided in the Unit Testing Plan
  • Remediation

    Quick reference guide

    The remediation application provides tools to security operators for proposing cost-sensitive remediations to attack paths. This application is written in Java and has a web interface built with the Vaadin library. This quick guide explains how to use this web application.
    • Step 1
    Attack path view: The main view contains a representation of the attack path to correct. The attack path displayed first is the one ranked first (according to the attack path ranking function); the user can choose another attack path to display from a combo box. The vertices of the attack path have different colours according to the type of vertex (OR, AND, LEAF or GOAL), and the labels of the vertices explain the type of action taken by the attacker. A more detailed caption can be found by clicking the "Show caption" button under the attack path view.
    • Step 2
    Attack path topological view: Next to the attack path view is a more abstract, topological view of the attack path. This view shows the accesses made by the attacker across the information system during the attack, as well as the target machine of the attack and all the compromised machines.
    • Step 3
    Remediation choice: At the bottom of the GUI, the security operator can choose among several remediation sets that correct the attack path. The remediation set with the lowest cost is selected by default, but the operator can choose another one from the appropriate combo box. To simulate the application of a remediation and its effect on the attack path, the operator ticks the related checkbox; the applied remediations can be undone with the "Reset remediations" button.

Manuals
  • A high-level description of the overall architecture of the Remediation in the Security Monitoring GE is available at the Architecture Description
  • The description of the Remediation provided in the Security Monitoring GE is available at the Remediation Description
  • The provided API of the Remediation is specified in the API Specification
  • The installation and administration guide of the Remediation is provided in the Installation and Administration Guide
  • Tutorials
  • The user and programmer guide of the Remediation is provided in the User and Programmer Guide
  • The tutorial to test the Remediation is provided in the Unit Testing Plan
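As an added illustration of the remediation logic described in steps 1 and 3 of the Remediation quick guide (example code written for this page, not part of the Security Monitoring GE): it parses a small constructed attack graph in an assumed MulVAL-style XML layout, derives which vertices an attacker can reach when LEAF facts hold and AND/OR vertices combine their premises, and selects the lowest-cost remediation set that actually leaves the GOAL underivable, rather than the cheapest set overall. The XML element names, the arc direction (premise to conclusion), and the candidate remediation sets with their costs are assumptions, not the GE's real format or data.

```python
import xml.etree.ElementTree as ET
# Constructed sample. The layout (vertex id/fact/type, arc src->dst = premise->conclusion)
# is an assumption about the MulVAL attack graph XML, not taken from the page.
SAMPLE_XML = """<attack_graph><vertices>
<vertex><id>1</id><fact>vulExists(web,A)</fact><type>LEAF</type></vertex>
<vertex><id>2</id><fact>hacl(internet,web,80)</fact><type>LEAF</type></vertex>
<vertex><id>3</id><fact>RULE remote exploit web</fact><type>AND</type></vertex>
<vertex><id>4</id><fact>execCode(web,user)</fact><type>OR</type></vertex>
<vertex><id>5</id><fact>hacl(web,db,3306)</fact><type>LEAF</type></vertex>
<vertex><id>6</id><fact>vulExists(db,B)</fact><type>LEAF</type></vertex>
<vertex><id>7</id><fact>RULE exploit db from web</fact><type>AND</type></vertex>
<vertex><id>8</id><fact>execCode(db,root)</fact><type>GOAL</type></vertex>
<vertex><id>9</id><fact>hacl(internet,db,3306)</fact><type>LEAF</type></vertex>
<vertex><id>10</id><fact>RULE exploit db from internet</fact><type>AND</type></vertex>
</vertices><arcs><arc><src>1</src><dst>3</dst></arc><arc><src>2</src><dst>3</dst></arc>
<arc><src>3</src><dst>4</dst></arc><arc><src>4</src><dst>7</dst></arc><arc><src>5</src><dst>7</dst></arc>
<arc><src>6</src><dst>7</dst></arc><arc><src>7</src><dst>8</dst></arc><arc><src>9</src><dst>10</dst></arc>
<arc><src>6</src><dst>10</dst></arc><arc><src>10</src><dst>8</dst></arc></arcs></attack_graph>"""

# Constructed candidate remediation sets: (name, cost, LEAF vertex ids the remediation removes).
CANDIDATES = [("patch db B", 6, {6}), ("patch web A + block internet->db", 5, {1, 9}),
              ("block internet->web", 3, {2}), ("filter web->db", 4, {5})]

def parse_graph(xml_text):
    """Return (types, preds): vertex id -> type, and vertex id -> list of premise vertex ids."""
    root = ET.fromstring(xml_text)
    types = {int(v.findtext("id")): v.findtext("type") for v in root.iter("vertex")}
    preds = {vid: [] for vid in types}
    for a in root.iter("arc"):
        preds[int(a.findtext("dst"))].append(int(a.findtext("src")))
    return types, preds

def reachable(types, preds, removed=frozenset()):
    """Least fixed point: LEAF holds unless remediated, AND needs all premises, OR/GOAL needs one."""
    true, changed = set(), True
    while changed:
        changed = False
        for vid, vtype in types.items():
            ok = (vid not in removed if vtype == "LEAF" else
                  all(p in true for p in preds[vid]) if vtype == "AND" else
                  any(p in true for p in preds[vid]))  # OR and GOAL
            if ok and vid not in true:
                true.add(vid)
                changed = True
    return true

def cheapest_effective_remediation(types, preds, candidates):
    """Lowest-cost (cost, name) after which no GOAL vertex is derivable; None if none works."""
    goals = {v for v, t in types.items() if t == "GOAL"}
    effective = [(cost, name) for name, cost, leaves in candidates
                 if not goals & reachable(types, preds, frozenset(leaves))]
    return min(effective) if effective else None
```

Note that the cheapest candidate ("block internet->web", cost 3) is rejected because the second path through the direct internet-to-db access still derives the goal; the chosen set is the cheapest one that cuts every path.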