Refactoring Software Vulnerability Discovery

[mike1813]

Threats involving exploitation of software vulnerabilities in Host or Process assets are modelled as threat paths composed of simpler steps:

1. Discovery of the vulnerability by a potential attacker, whose effect is to reduce 'Extrinsic TW' attributes of the affected Host or Process. These TW attributes are based on CVSS v2 vulnerability classification metrics (we may update this to v3 in due course).
2. Access to the vulnerability by the attacker, with causes based on CVSS access metrics, reducing an 'Exploit TW' attribute representing an absence of exploitable vulnerabilities.
3. Exploitation of the vulnerability, caused by the Exploit TW attribute combined with CVSS impact metrics, leading to effects like access to the Host, crashing the vulnerable Host or Process, or access to data stored locally and/or used by the vulnerable Process.

For current risk calculations, the discovery threats are skipped. Instead, known (detected) vulnerabilities are modelled by reducing the CVSS-aligned TW attributes appropriately for the affected vulnerabilities.

In future risk calculations, vulnerability discovery is treated as a normal operation process, whose effects can be reduced by operational management policies such as regular, systematic application of software patches. However, this leads to two problems.

Firstly, each of the vulnerability discovery threats is specific to a CVSS metric value or combination of metric values, so discovery of a real vulnerability corresponds to a combination of those threats. When looking for root causes of a downstream effect, one finds multiple root causes, which may confuse system modeller users.

Secondly, software patching (as a normal operational policy) suppresses all vulnerability discover threats. When a risk treatment plan is extracted, the effect of software patching is represented by multiple entries, one for each CVSS-mapped TW attribute. This may also be confusing, but at minimum it means the risk treatment plan is highly repetitive. Moreover, if one then analyses the effect of a software patching policy, one finds it reduces the likelihood of multiple threats, each of which may be an upstream cause of multiple downstream effects. The calculation of residual risk levels is thus rendered a lot more complex.

Software patching reduces the likelihood of vulnerability discovery threats because it reduces the time for which the vulnerability is both known to the attacker and present in the software. Other control strategies seek to reduce the likelihood that vulnerabilities are present to be discovered, e.g., penetration testing, software certification and formal verification. Although these represent different mechanisms, they also give rise to the same problems for residual risk analysis.

To solve these problems, it is proposed that we make two changes:

• Add a new behaviour 'Vulnerability Discovered' for Host and Process assets.
• Add two new threats that cause this new behaviour in Host and Process assets, respectively, with the same control strategies as the existing vulnerability discovery threats.
• Recast all existing (CVSS metric aligned) threats as secondary threats caused by this new behaviour, removing their control strategies at the same time.

The effect of these changes is to move the control mechanism upstream of the bifurcation of threat paths to cover multiple CVSS-aligned TW attributes. The goal is to reduce the size of risk treatment plans and hopefully also reduce the complexity of residual risk calculations - although to what extent can only be determined by running tests.

[mike1813]

Changes as described have been made on branch 139, but some work is needed to produce an adequate test case.

@kenmeacham, @scp93ch or @samuelsenior may wish to merge changes from this branch into their current working branches to see if (a) these changes affect the risk levels (they should not), or (b) these changes simplify system modeller output (root causes or risk reports or residual risk analysis outputs).

I can't do any more today. May get some time to run up a test case over the weekend.

[mike1813]

Tested using four test cases:

• Online Store V11s Basic Security
• Online Store V11s More ecurity
• Steel Mill 1 block
• Steel Mill 2 blocks

The first two are taken from the tutorial last updated in 2022, modelling a simple public website that holds profiles of consumers. These were updated to V11 by replacing a deprecated control assertion (ChipAndPinVerifier no longer applies to physical spaces, having been replaced by a distinct ChipAndPinLock control type), and simplified by making all assets singletons. The last two are models used in a recent publication.

In all four cases, the outcome of risk calculations is unchanged by switching to the refactored vulnerability discovery threats, other than through the inclusion of the new 'Vulnerability Discovered' behaviour. All other misbehaviour sets have the same likelihoods as before.

This confirms that the refactored vulnerability discovery threat paths are working correctly.

[mike1813]

The hope was that refactoring in this way would reduce the complexity of the risk treatment plan. It turns out this is the case, as the asset behaviours corresponding to CVSS-aligned TW attributes are no longer subject to threats that have control strategies. However, these behaviours are still included in the risk treatment plan by system modeller v3.6.0-test, so at this point it doesn't lead to a reduction in the size of the risk treatment plan report.

For example, in the case of 'Online Store V11s More Security', the first asset class shown in the risk treatment plan is ClientBrowser, which includes the following behaviours when validated using domain model v6a5-1-2:

Consequence	Impact	Likelihood	Risk	Direct Causes	Treatment Method	Status	Controls
LossOfExtrinsic-A-TW	Negligible	Low	Very Low	Vulnerability (A) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-AU-TW	Negligible	Low	Very Low	Vulnerability (AU) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-C-TW	Negligible	Very Low	Very Low	Vulnerability (C) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-I-TW	Negligible	Very Low	Very Low	Vulnerability (I) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-M-TW	Negligible	Low	Very Low	Vulnerability (M) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-QI-TW	Negligible	Low	Very Low	Vulnerability (QI) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-U-TW	Negligible	Low	Very Low	Vulnerability (U) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-VA-TW	Negligible	Low	Very Low	Vulnerability (VA) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-VL-TW	Negligible	Low	Very Low	Vulnerability (VL) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-VN-TW	Negligible	Low	Very Low	Vulnerability (VN) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-W-TW	Negligible	Low	Very Low	Vulnerability (W) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-XS-TW	Negligible	Low	Very Low	Vulnerability (XS) discovered at "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)

Once the vulnerability discovery threat path has been refactored in the domain model, this changes to:

Consequence	Impact	Likelihood	Risk	Direct Causes	Treatment Method	Status	Controls
LossOfExtrinsic-A-TW	Negligible	Low	Very Low	Vulnerability (A) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-AU-TW	Negligible	Low	Very Low	Vulnerability (AU) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-C-TW	Negligible	Very Low	Very Low	Vulnerability (C) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-I-TW	Negligible	Very Low	Very Low	Vulnerability (I) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-M-TW	Negligible	Low	Very Low	Vulnerability (M) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-QI-TW	Negligible	Low	Very Low	Vulnerability (QI) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-U-TW	Negligible	Low	Very Low	Vulnerability (U) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-VA-TW	Negligible	Low	Very Low	Vulnerability (VA) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-VL-TW	Negligible	Low	Very Low	Vulnerability (VL) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-VN-TW	Negligible	Low	Very Low	Vulnerability (VN) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-W-TW	Negligible	Low	Very Low	Vulnerability (W) discovered at "ClientBrowser"	n/a	n/a
LossOfExtrinsic-XS-TW	Negligible	Low	Very Low	Vulnerability (XS) discovered at "ClientBrowser"	n/a	n/a
VulnerabilityDiscovered	Negligible	Low	Very Low	Vulnerabilities discovered in process "ClientBrowser"	Mitigate	In Place	SoftwarePatching at ClientPC (Safe)

Evidently, the report could be made much shorter by filtering out behaviours with threats that have no control strategies. In this particular case, this should also make the system model easier for users to understand, by removing the individual CVSS-aligned behaviours and replacing them with a simpler concept.

The domain model updates are now on branch 139. An issue has been created for system modeller, see Spyderisk/system-modeller#182.

[mike1813]

Branch 139 has now been merged by pull request #143, so this can now be closed.