Attack Navigator Map: Analysis results dashboard

The Attack Navigator Map tool unites a large part of the TREsPASS tool chain (model creation, attack tree creation, analysis, visualisation) in one user interface. The analysis results visualisation dashboard is the last step in the tool chain and appears as a separate view on top of the regular ANM user interface. It gathers all the results of the analysis (and of other intermediate tools), makes them available for download, and visualises them as attack trees. In addition, the dashboard offers alternative visualisations derived from the attack tree. Where needed it also displays additional visualisations that are specific to the output format of individual tools, for instance the Attack Cloud visualisation and the tree map view.

Integrated and stand-alone

The TREsPASS visualisations are developed as single, loosely coupled components, entirely independent of one another. By avoiding interdependence we ensure complete modularity, which in turn allows us to use the components as building blocks for applications such as the ANM analysis results dashboard, with the option to easily replace components with compatible alternatives if needed.

At the same time it is entirely possible to take a single visualisation component and, with only a thin layer of application logic around it, package and distribute it as a standalone (desktop) application.

How it works

The JavaScript framework used is React, in which components take required or optional inputs called "props" (short for properties), much like function arguments in programming. The input data must be provided in a certain format, which can be a common format shared among similar visualisation types (attack trees, for instance) or one specific to the output of an individual analysis tool (ATEvaluator, for instance). Best practice is to build components that contain as little logic as possible themselves. The task of parsing and preparing the input data is therefore handed over to the host application, whose responsibility it is to provide the component with the right data.

All of the preparation and pre-processing routines are moved into an external library and made available as reusable utility functions. The trespass.js library has submodules for working with the TREsPASS socio-technical model format, different "flavours" of attack trees, and the output formats of the analysis tools that are part of the TREsPASS family of tools.

Visualisation explorations of analysis tools

Most of the analysis tools provide outcomes comparable to a "top 10", but each does so in a slightly different way. The outcomes of these tools are presented with small charts on the left and, on the right, the subset of the attack tree to which the analysis is applied; the two are always linked to each other. This makes it easy for a user to look for the most vulnerable attack traces.

[Image: analyzer-1] ATAnalyzer presents the attack traces with the highest utility for an attacker. In this example a user hovers over the highest utility (utility=1000, cost=600).

[Image: evaluator-1] ATEvaluator calculates Pareto-efficient solutions for the attack tree. Hovering over the Pareto frontier highlights the involved attack traces in the subset of the attack tree on the right.

[Image: atcalc-big-1] ATCalc displays the likelihood of attack over time, as well as which leaves become more probable at a certain point in time. The two small graphs on the left plus the subset of the attack tree on the right interact with each other, so that a user can quickly explore the results of the analysis tool.

[Image: atcalc] Detail of the two parts of the visualisation of the ATCalc results. Each time step can be explored, and the graph beneath it shows which leaf nodes are involved.
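The linked chart-and-tree views above all rest on the same host-side preparation step: rank or filter the tool's traces, then cut the attack tree down to the leaves those traces use. The following is an added example written for this page, not code from trespass.js, the ANM or any TREsPASS tool; the tree shape, trace shape, node types and all values are constructed assumptions.

```javascript
// Added example, not code from trespass.js or the ANM: how a host application
// could prepare props for a linked "top-N" chart and attack-tree subset view.
// The tree shape, trace shape and all values below are constructed for this example.

// Constructed attack tree: internal AND/OR nodes and LEAF nodes with labels.
const tree = {
  id: 'root', label: 'Steal laptop', type: 'OR', children: [
    { id: 'n1', label: 'Enter office', type: 'AND', children: [
      { id: 'l1', label: 'Pick door lock', type: 'LEAF' },
      { id: 'l2', label: 'Take laptop', type: 'LEAF' } ] },
    { id: 'n2', label: 'Use stolen card', type: 'AND', children: [
      { id: 'l3', label: 'Steal access card', type: 'LEAF' },
      { id: 'l4', label: 'Take laptop', type: 'LEAF' } ] } ] };

// Constructed analysis output: each attack trace names the leaves it uses.
const traces = [
  { id: 't1', leaves: ['l1', 'l2'], cost: 600, utility: 1000 },
  { id: 't2', leaves: ['l3', 'l4'], cost: 200, utility: 400 },
  { id: 't3', leaves: ['l1', 'l4'], cost: 900, utility: 700 },
];

// ATAnalyzer-style ranking: the n traces with the highest attacker utility.
function topByUtility(ts, n) {
  return [...ts].sort((a, b) => b.utility - a.utility).slice(0, n);
}

// ATEvaluator-style Pareto frontier: drop every trace that another trace
// dominates (at least as cheap, at least as useful, strictly better in one).
function paretoFrontier(ts) {
  return ts.filter(a => !ts.some(b => b !== a &&
    b.cost <= a.cost && b.utility >= a.utility &&
    (b.cost < a.cost || b.utility > a.utility)));
}

// Prune the tree to the leaves of the selected traces, dropping internal
// nodes with no surviving children; this is the linked tree on the right.
function subtreeFor(node, leafIds) {
  if (node.type === 'LEAF') return leafIds.has(node.id) ? { ...node } : null;
  const children = node.children.map(c => subtreeFor(c, leafIds)).filter(Boolean);
  return children.length ? { ...node, children } : null;
}

// Props for the chart/tree pair when the user hovers a set of traces.
function propsForSelection(selected) {
  const ids = new Set(selected.flatMap(t => t.leaves));
  return { chart: selected, tree: subtreeFor(tree, ids) };
}
```

Hovering a point on the chart maps to calling `propsForSelection` with the traces under the cursor; the component pair then re-renders from those props alone.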

[Image: screen-shot-2016-11-01-at-09-17-39] Visualisation of an attack tree generated from a map that was built in the Attack Navigator Map.

Watch the visualisation dashboard in action on Vimeo

[Image: screen-shot-2016-11-01-at-09-18-28] Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map.

[Image: screen-shot-2016-11-01-at-09-18-46] Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map. Colours indicate similar actions; grey actions are unique actions.

[Image: screen-shot-2016-11-01-at-09-19-08] Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map. The list on the right is ordered by label frequency, i.e. how many times the same label appears in the tree.

The Attack Navigator Map

The Attack Navigator Map (ANM) is a tool that predicts and prioritises attack scenarios based on a model of the system or organisation concerned. It can also be used to judge the effect of countermeasures, by re-running the analysis with an adapted model. The model takes the form of a navigator map and a set of attacker profiles.

The Attack Navigator Map represents the system cartographically, displaying connections between the elements as potential steps that an attacker could take. These steps are annotated with relevant variables such as difficulty and cost.

A map created in the ANM. The user hovers over the asset "access card" and is prompted that the item can be dragged onto the map. The colour of assets is based on how potentially dangerous the asset is. For "door" red means very weak, for an actor type red means vulnerable.

The attacker profile collects relevant characteristics of an attacker, such as skills, resources, motivations / goals, and initial access. By combining a map and an attacker profile, the system calculates routes for the attacker across the map that provide utility to the attacker.

Typically, this will involve gaining access to certain assets and compromising their confidentiality, integrity or availability, which may cause damage to the organisation. The routes with the highest utility for the attacker constitute the highest risk with respect to the selected attacker profile.

Various tools analyse these routes, and the results are visualised in a dashboard for inspection. On the basis of the outcomes, a user can implement countermeasures and rerun the analysis until satisfied.

Interface concept

As the structure of elements in an Attack Navigator Map can become complicated very quickly, a wizard-like structure guides users through the various steps that need to be taken. Users can draw or import floor plans (for physical and digital environments), apply them to multiple floors, and drag and drop items such as assets and actors onto the map. These assets, actors, and many more items come from libraries, in which users can also save their own library items, add items, and adjust properties.

The basic building blocks for constructing a model come from libraries of single components, or of prefabricated model fragments (groups of components with relations), such as the model pattern library. These libraries will contain commonly used patterns that can be used as templates to rapidly build the basic structure, which can then be refined and tweaked. The underlying data structure is a directed graph of nodes (components with properties) and edges (relations between those components).

[Image: screen-shot-2016-10-25-at-09-06-58] Diagram describing a typical work-path for a user of the ANM. The individual steps taken within the ANM are shown in grey boxes, and the preparatory and finalising steps are shown in purple boxes. Each step is part of a different phase of work, beginning with Definition of the problem to be worked on, moving through several stages of Analysis, and finally into Visualisation and Evaluation, shown in yellow circles.

[Animation: 03_drag-drop-mov] Animation showing how one can drag and drop files onto the map.

[Animation: 02_merge-file-mov] Animation showing how to merge files in the ANM.

[Animation: 04_left-right-click-mov] Animation showing the various contextual functions available when a user left- or right-clicks. Nodes, edges, groups, etc. all have different contextual menus.

[Animation: 06_connections-mov] Adding connections.

[Animation: 05_move-pan-zoom-reset-mov] How to move, zoom, pan and reset the map view.

[Animation: 07_custom-relationships-mov] Editing custom relationships.

Missing parameters of an asset, actor or location are indicated in the validate layer. The ANM specifies exactly what is missing, for instance whether an asset has been given a location. These problems are also indicated under Run Analysis, and the analysis can only be run once they are resolved. Other examples of warnings are a missing attacker, a missing asset value, etc.
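The validate layer described above can be illustrated over the model structure the page gives, a directed graph of nodes with properties and edges with relations, plus a set of attacker profiles. The following is an added example written for this page, not the ANM's own validation code; the node types, property names, relation name and attacker profile fields are assumptions.

```javascript
// Added example, not the ANM's own validation code: a validate pass over a model
// in the shape the page describes: a navigator map (directed graph of nodes with
// properties and edges with relations) plus attacker profiles. Names are assumed.
const model = {
  map: {
    nodes: [
      { id: 'office', type: 'location', label: 'Office' },
      { id: 'laptop', type: 'asset', label: 'Laptop' },   // no value, not located
      { id: 'card', type: 'asset', label: 'Access card', value: 50 },
      { id: 'alice', type: 'actor', label: 'Alice' },
    ],
    edges: [
      { from: 'card', to: 'office', relation: 'atLocation' },
      { from: 'alice', to: 'office', relation: 'atLocation' },
    ],
  },
  attackers: [],                                          // no attacker profile yet
};

// Report each missing parameter precisely, as the validate layer does.
function validateModel(m) {
  const warnings = [];
  const located = new Set(m.map.edges.filter(e => e.relation === 'atLocation').map(e => e.from));
  for (const n of m.map.nodes) {
    if (n.type === 'asset' && n.value === undefined)
      warnings.push({ node: n.id, problem: 'missing value of asset' });
    if ((n.type === 'asset' || n.type === 'actor') && !located.has(n.id))
      warnings.push({ node: n.id, problem: `${n.type} is not located anywhere` });
  }
  if (m.attackers.length === 0)
    warnings.push({ node: null, problem: 'missing attacker' });
  return warnings;
}

// Run Analysis stays blocked until every warning is resolved.
function canRunAnalysis(m) {
  return validateModel(m).length === 0;
}

// Resolve the warnings: give the laptop a value and a location, add an attacker.
function resolved(m) {
  const fixed = JSON.parse(JSON.stringify(m));
  fixed.map.nodes.find(n => n.id === 'laptop').value = 1200;
  fixed.map.edges.push({ from: 'laptop', to: 'office', relation: 'atLocation' });
  fixed.attackers.push({ id: 'outsider', skill: 'medium', budget: 1000 });
  return fixed;
}
```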
