Bow Tie for Cyber Security Series:
0x01 - How to Tie a Cyber Bow Tie
0x03 - Attack Path of Least Resistance? <-- You are here.
In the last installment of this series, we took a look at a Bow Tie diagram of a PI Coresight deployment and walked through some basic evaluation of the coverage. In this installment, we’ll talk about how Bow Tie diagrams fit into visualizing attack paths and the cyber kill chain concept!
For the uninitiated, the cyber kill chain is a concept defined by Lockheed Martin which describes the process that a miscreant must go through in order to achieve their desired effects on a system. You can check out Lockheed Martin’s dedicated page on the cyber kill chain for a rigorous discussion of the topic. The SANS Institute published an excellent White Paper [PDF] that discusses the Cyber Kill Chain within the context of ICS.
Let’s start with a simple network architecture. We have a business zone with several client machines and a web server, a DMZ with a database server and a single workstation, and finally a control zone with an interface node and our control system (yes, profoundly generic, I know). We’re going to explore a scenario where a miscreant sabotages the control system to cause physical damage and potential human hazards.
Two possible attack paths traversing our simplified network to the control system are drawn in the figure below. For each node in the attack path, a miscreant must:
- Perform Reconnaissance
- Identify an exploitable vulnerability
- Exploit the vulnerability to gain a foothold on the system
- Escalate privileges where necessary
- Pivot and begin the next attack
If we can detect and block these activities, then we can halt their advance before they reach the crown jewels, our precious control system.
The first attack path begins with an attack from the outside world to a client machine in the DMZ. This could result from a firewall configuration issue, stolen VPN credentials or perhaps infected removable media. Once the client node is compromised, the attacker must then go through the steps in the cyber kill chain in order to pivot and attack the next component in the network. During reconnaissance the miscreant determines the client is running PI ProcessBook, and from the machine it can connect to the PI Data Archive, which would bring them one step closer to their ultimate goal, the control system. Once they successfully escalated privilege and pivoted to the PI Data Archive machine, they again must progress through steps in the kill chain to pivot and attack the interface node. Finally, once the interface node has been compromised, the miscreant can mount an attack on the soft and chewy control system, which is now in striking distance.
In the case of the second attack path, the attacker is not able to compromise a client node in the DMZ. Perhaps that workstation is properly isolated and the controls with respect to removable media are being followed. In this case, the attacker has to start with a client in the business network. The attacker could gain their foothold on one of these clients with any number of methods, including phishing or a watering hole attack. The next closest node that the business network workstations can communicate with is the web server. Similar to the previous path, at each node, the miscreant must go through the steps of the cyber kill chain to pivot and mount the next attack deeper in the network.
Hopefully a few things stand out from these example paths:
- There is benefit in building a defendable architecture. If the control system has components connected to the internet or the business network machines can make direct connections to machines on the restricted network, then the work of an attacker is simplified dramatically.
- Attacking even a fairly simple system can become a complex challenge! There is a reason that the world doesn’t end when a CVSS 10.0 is discovered. A single exploit can give you a foothold on a machine, but identifying relative position in the network, escalating privilege, and mounting attacks deeper into the network all while maintaining communication externally and evading detection is another challenge entirely. Even in this brave new world of APTs, there are still opportunities for defense to win.
- Lastly, in the second attack path, there was an additional layer that the attacker needed to progress through, the web server. That layer offers many defenses and impact reductions (highlighted in Hardcore PI Coresight Hardening) that could stop an attacker from completing the steps in the cyber kill chain and progressing.
In a few discussions I’ve had with system administrators and security professionals regarding this topic, they’ve indicated that there are plenty of other machines on their network, some of which may be remotely accessible. Since this approach is modular, this revelation does not interfere from a modeling standpoint.
If there are other machines on the network that are either internet connected or subject to poor controls that could allow compromise through removable media or foreign devices connected to them, these other machines could allow shorter paths to the high value target of the control system. If we have a Bow Tie for each component, we can use the superposition of Bow Ties in a given path to evaluate the defenses relative to other paths identified. By looking at the security posture within the context of the full attack paths, we can target weaknesses within the context of the system and prioritize defenses to fortify them.
In the next installment of the series, I’ll discuss some of the implications of this path based approach and how we believe it can provide a common language between the opposing sides of the “IT/OT civil war”. In the meantime:
- This example centered around a control system as the high impact target. What other high impact consequences should we reverse off of to generate paths?
- Are there any other methodologies you use to evaluate the path of least resistance?
Update: Replaced broken link for Cyber Kill Chain.