When designing, operating, and maintaining complex cyber security systems for large companies, it is challenging to make sound security decisions that will keep the companies safe from attackers.
Their research will be built on a previously developed method, ADversary VIew Security Evaluation (ADVISE), which has been implemented into the prototype tool Möbius-SE
(Mobius Security Edition) and is used by security modeling experts and scientists. Möbius-SE is a modeling and solution tool, which quantifies system security by considering both the vulnerabilities in the system represented by an attack execution graph and the ability and inclination of attackers to exploit those vulnerabilities represented by an adversary profile. Companies can use the tool to simulate potential attacks on their system to find out where they are most vulnerable.
While some computer security experts are already using Möbius-SE, Sanders and Keefe are working to develop a simplified ADVISE modeling method that will attract more users in the computer security field. The goal of this project is to make the tool more widely accessible to a broader range of users and to demonstrate its use in several critical infrastructure sectors.
“ADVISE is useful to companies because it can help them make decisions on how they want to design future security systems or how to spend money to make changes to existing systems,” Keefe said. “ADVISE will give you a relative measure of overall system security and, if you do have attackers, it will give you an idea of the common ways attackers are getting into your system.”
A chart of the proposed Möbius-SE tool that companies can use the tool to simulate potential attacks on their system to find out where they are most vulnerable.
Sanders and Keefe are developing several improvements on earlier versions of ADVISE. They previously did an alpha trial with six companies and 12 university participants and found that there was a certain degree of security and domain expertise that was required to use ADVISE. As this severely limits their user base, they are working to build a library of adversarial attack options, as well as simplify the system for the user.
“The program was a little too difficult to dig into if a company wants to use the model themselves,” Keefe said. “We want to build a layer on top of it to allow just domain experts to be able to snap together different systems they want to study and have a generator that builds the attack execution graph and then the user can choose from a library of existing attacks.”
Sanders and Keefe originally developed ADVISE to offer a very rich set of options and features and those features will still be available for users that want more control over their setup.
The pair will be working with Cyber Defense Agency, Inc. to help build the adversary library, as the company has previously developed a method that looks at different types of adversaries and how they attack different systems. To test the system, GE Global Research will apply it to their electric power distribution and water treatment supplies and provide feedback on the usability. Sanders and Keefe hope to make Möbius-SE available for commercial use as soon as possible.
“Cyber security is becoming more important every day,” Keefe said. “This would be one of the few tools of its kind available and the only commercially viable tool that would allow you to study these types of attacks and how it affects a system in a general enough way that most people could use it. Almost any company of significant size would have use for it because they all have a target on their back from different kinds of attacks.”