UP Paper 1869 US-W-CDOWN
Validating and Restoring Defense in Depth Using Attack Graphs
Richard Lippmann, MIT Lincoln Laboratory
Chris Scott, MIT Lincoln Laboratory
Keith Piwowarski, MIT Lincoln Laboratory
Kendra Kratkiewicz, MIT Lincoln Laboratory
Kyle Ingols, MIT Lincoln Laboratory
Robert Cunningham, MIT Lincoln Laboratory
Mike Artz, MIT Lincoln Laboratory
Defense in depth is a common strategy that uses layers of firewalls to protect Supervisory Control and Data Acquisition (SCADA) subnets and other critical resources on enterprise networks. A tool named NetSPA is presented that analyzes firewall rules and vulnerabilities to construct attack graphs. These show how inside and outside attackers can progress by successively compromising exposed vulnerable hosts with the goal of reaching critical internal targets. NetSPA generates attack graphs and automatically analyzes them to produce a small set of prioritized recommendations to restore defense in depth. Field trials on networks with up to 3,400 hosts demonstrate that firewalls often do not provide defense in depth due to misconfigurations and critical unpatched vulnerabilities on hosts. In all cases, a small number of recommendations was provided to restore defense in depth. Simulations on networks with up to 50,000 hosts demonstrate that this approach scales well to enterprise-size networks.
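The analysis the abstract describes, reduced to a runnable sketch (an added example, not NetSPA's code): hosts with remotely exploitable vulnerabilities on listening ports, firewall allow rules between subnets, a breadth-first attack graph from an outside or inside starting point, and a search for the smallest set of patches that makes the critical SCADA host unreachable. Host, subnet, port and vulnerability names are constructed placeholders.

```python
from collections import deque
from itertools import combinations

# Constructed sample network (not from the paper): each host lists the ports on
# which it has a remotely exploitable vulnerability; firewall rules are allow
# rules between subnets, everything else is denied, and traffic inside a
# subnet is unrestricted.
HOSTS = {
    "web":  {"subnet": "dmz",   "vulns": {80: "VULN-WEB"}},
    "mail": {"subnet": "dmz",   "vulns": {25: "VULN-MAIL"}},
    "hist": {"subnet": "corp",  "vulns": {1433: "VULN-DB"}},
    "hmi":  {"subnet": "scada", "vulns": {502: "VULN-HMI"}},
}
RULES = [  # (source subnet, destination subnet, allowed destination ports)
    ("internet", "dmz", {80, 25}),
    ("dmz", "corp", {1433}),
    ("corp", "scada", {502}),
]

def allowed(src, dst, port):
    """Does the firewall policy let traffic from subnet src reach dst:port?"""
    return src == dst or any(s == src and d == dst and port in p for s, d, p in RULES)

def attack_graph(start, hosts=HOSTS, patched=frozenset()):
    """Return {host: (from_subnet, port, vuln)} for every host an attacker
    starting in subnet `start` can compromise, given that each compromise
    yields a foothold in the compromised host's subnet."""
    graph, footholds, frontier = {}, {start}, deque([start])
    while frontier:
        src = frontier.popleft()
        for name, h in hosts.items():
            if name in graph:
                continue
            for port, vuln in h["vulns"].items():
                if vuln not in patched and allowed(src, h["subnet"], port):
                    graph[name] = (src, port, vuln)
                    if h["subnet"] not in footholds:
                        footholds.add(h["subnet"])
                        frontier.append(h["subnet"])
                    break
    return graph

def recommend(start, target, hosts=HOSTS, max_fixes=3):
    """Smallest set of vulnerabilities whose patching leaves `target`
    unreachable from `start` (brute force over small subsets), or None."""
    vulns = sorted({v for h in hosts.values() for v in h["vulns"].values()})
    for k in range(max_fixes + 1):
        for fix in combinations(vulns, k):
            if target not in attack_graph(start, hosts, frozenset(fix)):
                return set(fix)
    return None
```

With the constructed rules, an outside attacker reaches the SCADA host through the DMZ and corporate subnets in three steps, and a single patch on the historian severs that path; an attacker already on the corporate subnet needs the HMI itself patched.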

Richard P. Lippmann received a B.S. degree in Electrical Engineering from the Polytechnic Institute of Brooklyn in 1970 and a Ph.D. degree in Electrical Engineering from the Massachusetts Institute of Technology in 1978. From 1978 to 1981 he was Director of the Communications Engineering Laboratory of the Boys Town Institute for Communication Disorders in Children, Omaha, NE, working on speech perception, speech training aids for deaf children, sound alerting aids for the deaf, and signal processing for hearing aids. In 1981 he joined the Massachusetts Institute of Technology, Lincoln Laboratory, and is currently a Senior Staff Member in the Information Systems Technology Group. Recent research interests include applying neural network and statistical pattern classifiers to computer security, protecting computer networks using attack graph analyses, discovering vulnerabilities in software through automated testing, and prioritizing alerts from intrusion detection systems using attack graphs and other information about protected networks.