• DocumentCode
    3407777
  • Title
    Validating and Restoring Defense in Depth Using Attack Graphs
  • Author
    Lippmann, Richard ; Ingols, Kyle ; Scott, Chris ; Piwowarski, Keith ; Kratkiewicz, Kendra ; Artz, Mike ; Cunningham, Robert
  • Author_Institution
    MIT Lincoln Lab., Lexington, MA
  • fYear
    2006
  • fDate
    23-25 Oct. 2006
  • Firstpage
    1
  • Lastpage
    10
  • Abstract
    Defense in depth is a common strategy that uses layers of firewalls to protect supervisory control and data acquisition (SCADA) subnets and other critical resources on enterprise networks. A tool named NetSPA is presented that analyzes firewall rules and vulnerabilities to construct attack graphs. These show how inside and outside attackers can progress by successively compromising exposed vulnerable hosts with the goal of reaching critical internal targets. NetSPA generates attack graphs and automatically analyzes them to produce a small set of prioritized recommendations to restore defense in depth. Field trials on networks with up to 3,400 hosts demonstrate that firewalls often do not provide defense in depth due to misconfigurations and critical unpatched vulnerabilities on hosts. In all cases, a small number of recommendations was provided to restore defense in depth. Simulations on networks with up to 50,000 hosts demonstrate that this approach scales well to enterprise-size networks.
  • Keywords
    SCADA systems; authorisation; business communication; computer network reliability; graph theory; telecommunication security; NetSPA; SCADA; attack graph; defense in depth restoration; enterprise network; firewalls; supervisory control-data acquisition subnet; vulnerability; Contracts; IP networks; Internet; Laboratories; Local area networks; Planning; Process control; Protection; SCADA systems; US Government;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Military Communications Conference, 2006. MILCOM 2006. IEEE
  • Conference_Location
    Washington, DC
  • Print_ISBN
    1-4244-0617-X
  • Electronic_ISBN
    1-4244-0618-8
  • Type
    conf
  • DOI
    10.1109/MILCOM.2006.302434
  • Filename
    4086659