Information Security Defensives with Graph Database Approaches against Attack Paths
The Information Security Analytics shares how Graph Databases can manage an ‘entire defensive infosec posture’.
I’m very excited to finally be able to talk about a technology that I’ve been working on for some time. I have figured out how to connect all aspects of defense: architecting and securing systems (I’ll call it ‘engineering’), gathering intelligence on what attackers are doing, and detecting and responding to incidents (I’ll call this ‘operations’).
I’ve assessed risk for years and it has never felt ‘right’. At a fundamental level, I’m not sure we even knew what risk we were assessing. A vulnerability wasn’t a risk. A control definitely wasn’t a risk. Additionally, nothing quite seemed right when it came to determining risk likelihood. I’ve seen every approach under the sun. Many were repeatable, but simply obscured analysts’ decisions behind various weights and ‘classifications’ (like calling a vulnerability exploitable by outsiders or insiders).
I came to realize risk was a path, as I’ve previously blogged. Others have come to this conclusion as well, sometimes referring to these paths as kill chains. I make the path distinction since, as a coworker and Lockheed pointed out, kill chains tend to be a specific number of steps. Attack paths are fairly flexible and arbitrary. A kill chain is an attack path, but not necessarily vice versa.
The next question becomes how to aggregate these paths. The Lockheed paper begins to address it, but a much better approach is the use of graph theory! I won’t claim to be the first to use graph theory for this. Many have, and I intend to publish a research paper giving full credit to all those whose works I built upon. However, what I am doing is fundamentally different.
By combining attack paths from analysts with graph theory, we now have something that closely resembles how we think about risks happening. An attacker can do A, then B, then C to cause us consequences. And if we block B, they still have the option of doing D in its place. By using Bayesian math, the risk across these paths can be aggregated. Additionally, risk can be tied to threats and their specific attributes. (The explanation of this is something that’ll have to wait for the research paper.)
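To make the A-then-B-then-C picture concrete, here is a small added example (my own illustration, not the author's tooling or the method from the forthcoming paper) that enumerates attack paths through a graph, aggregates their probabilities, and shows what removing step B leaves the attacker with. The graph, the step names and every probability are constructed assumptions for illustration.

```python
# Constructed attack graph (assumption for illustration, not from the post).
# Each edge carries an analyst's estimate of the probability that an attacker
# who has completed the source step succeeds at the next one.
ATTACK_GRAPH = {
    "start": {"A": 0.9},
    "A": {"B": 0.5, "D": 0.3},   # after A the attacker can try B or D
    "B": {"C": 0.6},
    "D": {"C": 0.4},
    "C": {"consequence": 1.0},
}


def enumerate_paths(graph, src, dst, blocked=frozenset()):
    """Return every simple path src->dst as (node_list, path_probability).

    Nodes in `blocked` model a control that removes that step entirely.
    """
    paths = []

    def walk(node, visited, prob):
        if node == dst:
            paths.append((list(visited), prob))
            return
        for nxt, p in graph.get(node, {}).items():
            if nxt in blocked or nxt in visited:
                continue
            walk(nxt, visited + [nxt], prob * p)

    walk(src, [src], 1.0)
    return paths


def aggregate_risk(paths):
    """Noisy-OR over paths: P(at least one path succeeds).

    Paths that share steps are not independent, so this is a conservative
    (upper-bound) approximation; it still ranks controls sensibly.
    """
    fail_all = 1.0
    for _, prob in paths:
        fail_all *= 1.0 - prob
    return 1.0 - fail_all


def best_block(graph, src, dst):
    """Find the single intermediate step whose removal leaves the least risk."""
    candidates = [n for n in graph if n not in (src, dst)]
    residual = {n: aggregate_risk(enumerate_paths(graph, src, dst, {n}))
                for n in candidates}
    return min(residual.items(), key=lambda kv: kv[1])
```

With these numbers the two paths carry 0.27 and 0.108 of risk, blocking B alone leaves 0.108 via D, and removing the shared step A (or C) is the only single control that closes every path.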