Modeling Reality: Vulnerability Chaining
Modeling Reality is a series of blog posts describing how real world scenarios are modeled by our software. This is the fourth installment.
Last week we briefly glossed over the idea that an attacker may have to chain together multiple vulnerabilities in order to reach their target. This week we will look at that process in more detail.
Vulnerability chaining is necessary because of the existence of trust boundaries. Trust boundaries delineate the potential layers of security within an operation. We model four trust boundaries:
* External: Outside the operation, anywhere on the internet
* Internal: Within the perimeter of the operation
* Adjacent: On the same network system as the target
* Local: On the same host system as the target
The attacker starts with external access and must cross all of the trust boundaries to achieve local access to the target, causing a breach.
Point of Entry
As mentioned previously, targeted attacks are categorized by their mode of entry. The mode of entry determines how we go about processing an attack.
Some attackers attempt to gain access to an operation by attacking its users. We model five user roles: unauthenticated users, authenticated users, authorized users, application managers, and system administrators. Unauthenticated users have access to the operation but no privileges, so they give the attacker internal access if breached. Authenticated users have limited privileges within the operation, so they give the attacker adjacent access if breached. Authorized users, application managers, and system administrators all have full privileges to access sensitive data, so they give the attacker local access if breached. When attacking a particular user, the attacker doesn’t know its role in the operation, so their likelihood of breaching each user role is determined by the proportion of users in the user community with that role.
Third-party services are services that are performed outside the operation, but have a direct communication link to the operation. Breaching a third-party service usually gives the attacker internal access to the operation, but may give better access in certain circumstances.
If the attacker attacks the operation directly using software vulnerabilities, no entry point preprocessing is necessary, and we can just use reverse-off-target chaining to determine the point of entry.
Once the attacker has gained access to the operation, the only way to improve their access is by exploiting software vulnerabilities. Once we’ve determined the level of access achieved by the attacker through their point of entry, we start working backward from the target to build a chain of vulnerabilities from entry to target. Vulnerabilities in the National Vulnerability Database (NVD) are each associated with a trust boundary which they can be exploited from. The NVD uses external, adjacent, and local trust boundaries, but not internal. Vulnerabilities with local access can be chained with any vulnerability in the same host system. Vulnerabilities with adjacent access can be chained with any vulnerability in the same network system. Vulnerabilities with external access do not require additional chaining. We start with vulnerabilities in the target itself, sorted by their access level, and work outward until we have a vulnerability chain that can be exploited from the access level obtained by the attacker’s entry point.
Tags: breach, cybersecurity, modeling, vulerability