Attack Navigator Map: Analysis results dashboard

The Attack Navigator Map tool unites a large part of the TREsPASS tool chain (model creation, attack tree creation, analysis, visualisation) in one user interface. The analysis results visualisation dashboard is the last step in the tool chain, and appears as a separate view on top of the regular ANM user interface. It gathers all the results of the analysis (and of other intermediate tools), makes them available for download, and visualises them as attack trees. In addition, the dashboard offers alternative visualisations that are derived from the attack tree. Where needed, it also displays additional visualisations that are specific to the output format of individual tools, for instance the Attack Cloud visualisation and the tree map view.

Integrated and stand-alone

The TREsPASS visualisations are developed as single, loosely coupled components – entirely independent of one another. By avoiding interdependence we can ensure complete modularity, which in turn allows us to use the components as building blocks for applications like the ANM analysis results dashboard, with the option to easily replace components with compatible alternatives if needed.

At the same time it is also entirely possible to take a single visualisation component, and –with only a thin layer of application logic around it– package it and distribute it as a standalone (desktop) application.

How it works

The JavaScript framework used is React, where components take required or optional inputs (very similar to function arguments in programming), called “props” (short for properties). The input data must be provided in a certain format, which can be a common format shared among similar visualisation types (attack trees, for instance), or specific to the output of individual analysis tools (for instance ATEvaluator). Best practice is to build components that contain only a minimum amount of logic themselves. The task of parsing and preparing the input data is therefore handed over to the host application, whose responsibility it is to provide the component with the right data.

All of the preparation and pre-processing routines are moved into an external library and are available as reusable utility functions. The trespass.js library has submodules for working with the TREsPASS socio-technical model format, different “flavours” of attack trees, and the output formats of the analysis tools that are part of the TREsPASS family of tools.

Visualisation explorations of analysis tools

Most of the analysis tools provide outcomes comparable to a ‘top 10’, but each does so in a slightly different way. The outcomes of these tools are presented as small charts on the left and, on the right, the subset of the attack tree to which the analysis was applied; the two are always linked to each other. This makes it easy for a user to look for the most vulnerable attack traces.

ATAnalyzer presents the attack traces with the highest utility for an attacker. In this example a user hovers over the highest utility (utility=1000, cost=600).

ATEvaluator calculates Pareto-efficient solutions for the attack tree. Hovering over the Pareto frontier highlights the involved attack traces in the subset of the attack tree on the right.

ATCalc displays the likelihood of attack over time, as well as which leaves become more probable at a certain point in time. The two small graphs on the left and the subset of the attack tree on the right interact with each other, so that a user can quickly explore the results of the analysis tool.

Detail of the two parts of the visualisation of the ATCalc results. Each time step can be explored, and the graph under it shows which leaf nodes are involved.
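
The Pareto-efficient traces mentioned for ATEvaluator can be illustrated with a small added example (not TREsPASS or ATEvaluator code). The tree, the leaf costs and success probabilities, and all function names are constructed assumptions; probabilities are multiplied on the assumption that steps are independent.

```javascript
// Constructed sample tree: OR/AND gates over leaf actions. Leaf cost and
// success probability are assumed parameters, not output of a TREsPASS tool.
const tree = {
  label: 'obtain customer data', gate: 'OR', children: [
    { label: 'abuse staff account', gate: 'AND', children: [
      { label: 'phish employee', cost: 300, prob: 0.6 },
      { label: 'log in to CRM', cost: 100, prob: 0.5 },
    ] },
    { label: 'bribe insider', cost: 600, prob: 0.8 },
    { label: 'break into office', cost: 500, prob: 0.2 },
  ],
};

// An attack trace is a minimal set of leaves that satisfies the root gate.
function traces(node) {
  if (!node.children) return [[node]];
  const sub = node.children.map(traces);
  if (node.gate === 'OR') return sub.flat();
  // AND: combine one trace from every child (cartesian product).
  return sub.reduce((acc, ts) => acc.flatMap(a => ts.map(t => [...a, ...t])), [[]]);
}

function score(trace) {
  return {
    leaves: trace.map(l => l.label),
    cost: trace.reduce((sum, l) => sum + l.cost, 0),
    prob: trace.reduce((p, l) => p * l.prob, 1), // independence assumed
  };
}

// a dominates b if it is no worse on both axes and strictly better on one.
const dominates = (a, b) =>
  a.cost <= b.cost && a.prob >= b.prob && (a.cost < b.cost || a.prob > b.prob);

// Traces that no other trace dominates, cheapest first.
function paretoFront(node) {
  const scored = traces(node).map(score);
  return scored
    .filter(t => !scored.some(o => dominates(o, t)))
    .sort((a, b) => a.cost - b.cost);
}

console.log(paretoFront(tree));
```

The traces that remain on the front are the ones a countermeasure has to address first: raising the cost or lowering the probability of a dominated trace does not change what a rational attacker would pick.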


Visualisation of an attack tree generated from a map that was built in the Attack Navigator Map.


Watch the visualisation dashboard in action on Vimeo

Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map.

Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map. Colours indicate similar actions; grey actions are unique actions.


Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map. The list on the right is ordered by label frequency, that is, how many times the same label appears in the tree.


Attack Tree component visualiser

The Attack Tree component visualiser visualises attack trees from XML files, including countermeasures (green). It automatically detects which flavour of attack tree it is given (for instance, ADTool outputs a different style of attack tree XML than TreeMaker). The user can zoom in and out to inspect details, and can change the view from tree structure to circular. It can also visualise similarity between nodes.

Try out the Attack Tree component visualiser

Download example XML file to load in visualiser

Workshop results: ATM case study

In September 2016, a TREsPASS Data Visualisation workshop was organised in liaison with WTHX, a one-day mini-festival around the topics Peace, Justice, Security + Code. The data visualisation workshop focused on how to make visualisations around security that create impact, and was led by Paolo Ciuccarelli, Michele Mauri from DensityDesign, and LUST. The 35 participants were security practitioners, data visualisation specialists, students of interaction and graphic design, journalists, etc.

The participants (in groups of 5-6) worked with data from the ATM case study: the geographical data set on ATMs in Lisbon, the attacks on them, and all kinds of social data around this. In the introduction to the workshop, the goals were made clear and many tools for quickly getting visual insight into data sets were introduced. During the day, the participants presented updates and ideas on the narrative that they found in the data set.

Conclusions from the advanced visualisation workshop

The different groups all had very different perspectives on the data set, and many interesting narratives were created. One interesting example was the extraction of the number of victims per ATM that was attacked, in one case more than 145 victims that got skimmed. Their narrative tried to make the abstract data personal again by relating it to humans. The difference between visualisations that were geographically based and others that were more graph-based also made very clear that data with geographical qualities does not always need to be visualised geographically to have the most impact.

It was very clear that, among the participants, the security practitioners had the most difficulty in visualising the data. As they were not used to thinking in visual strategies, they stayed closer to the data and could not easily create a narrative out of it that could lead to truly new insights. The cooperation with other professional fields helped to get them out of their comfort zone.

This group came up with a narrative that tried to make the attack personal again. From the data, they could calculate the number of victims per attacked ATM. They visualised each victim as a person, and showed how many were victimised by organised crime or just common thieves, as well as how many victims were made per ATM. See animation on top of this post.

This group focused on where attacks were taking place and whether there was a relation with external factors, such as income in the neighbourhood, population density, and so on.
This group presents an alternative view on vulnerability information, by putting it back on the streets. The bottom image represents a game-like first person visualisation of various ATM types.


This group investigated the gross loss versus the indirect loss and first plotted this on a map.
A further exploration, resulting from what was found in the previous figure: it became clear that the geographical aspect was not the most important aspect to visualise. In this figure, the loss is visualised per bank, with differentiation between manual and logical attacks.

Visualising password cracking

Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. As a topic, password cracking remains a major focus of security researchers in the area of usability and security. The time to crack a password is related to bit strength, which is a measure of the information entropy of the password. Most methods of password cracking require the computer to produce many candidate passwords, each of which is individually checked. The range of tools available for cracking passwords is complex, because the selection of the tool is intricately connected to the social context and the focus of use for each password. One example of password cracking is ‘brute-force’ cracking, in which a computer tries every possible key or password until it succeeds. More common methods of password cracking, such as ‘dictionary attacks’, ‘pattern checking’, ‘word list substitution’, and others, attempt to reduce the number of trials required and will usually be attempted before brute force is decided upon. Higher password bit strength exponentially increases the number of candidate passwords that must be checked, on average, to recover the password, and reduces the likelihood that the password will be found in any cracking dictionary.

Using a ‘leaked’ list of fourteen million passwords from the RockYou website, we explored a number of approaches in order to gain a better understanding of such bigger data sets and how they may be interpreted. These tests focussed on visualising processes through which it might be possible to crack passwords, and demonstrated the complexity of tools involved in one single attack goal. In this context the focus is on the potential of such visualisations to inform about social practices in connection with password usage, not only for users of the TREsPASS tools but also for a broader audience, and thus to create a critical awareness of how to improve password-related practices. By default, a contextually thin dataset can still feed into the research of wider social patterns, even social trends.

Flows that show the amount of generated guesses on leaked hashes (shown as a grey gradient). This allows for visual approximation of the efficiency of each rule. The elements in this figure consist of the word list (on the left), a rule set (in the middle) and the passwords that can be cracked by applying the various rule sets (right).

Visualisations can be used to abstract the different cracking method types into technique groups and to align and compare the technique groups. Such visualisation techniques therefore combine abstraction with the use of different views to reduce the complexity and the cognitive load for the viewer. As an example, the figure above shows different ‘rules’ modifying dictionary words to reach observed passwords. The colour of the flows highlights which rules are most successful in identifying passwords, thereby informing users about the most common rules, which should therefore be avoided when creating new passwords. Although passwords are a contextually thin material to work with, it is still possible to distill a context from them. It is possible to derive abstractions from them and then to use a large amount of this data to determine contextual patterns. In this particular case, the fourteen million password list was mapped against the categories inside Wikipedia. Each found word fits in a certain category, and that category is often in turn to be found in another category. In this way, it is possible to visualise which types of passwords people choose over certain times.
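
The link between ‘rules’ and dictionary words described above can be turned into a check on new passwords. This is an added example, not code from the TREsPASS experiments: the word list, the sample passwords, the rule names and the function names are all constructed for illustration. It reverses each rule to see whether a password reduces to a dictionary word, then tallies which rules account for the sample, which is the count the flow figure encodes.

```javascript
// Constructed word list and sample passwords; not taken from any leak.
const WORDS = new Set(['dragon', 'monkey', 'summer', 'password']);
const SAMPLE = ['Dragon', 'monkey123', 'p@ssw0rd', 'Summer2016!', 'summer', 'xK9#vT2q'];

// Each entry undoes one common mangling rule, so a password is matched by
// walking back towards a dictionary word rather than by generating guesses.
const UNDO = [
  ['capitalise', s => s.toLowerCase()],
  ['append symbols', s => s.replace(/[^a-z0-9]+$/i, '')],
  ['append digits', s => s.replace(/\d+$/, '')],
  ['leet substitution', s => s.replace(/[@4]/g, 'a').replace(/0/g, 'o')
    .replace(/[1!]/g, 'i').replace(/3/g, 'e').replace(/[$5]/g, 's')],
];

// Returns the dictionary word and the rules that were undone to reach it,
// or null when the password does not reduce to a word in the list.
function explain(password) {
  let s = password;
  const rules = [];
  if (WORDS.has(s)) return { base: s, rules };
  for (const [name, undo] of UNDO) {
    const next = undo(s);
    if (next !== s) { rules.push(name); s = next; }
    if (WORDS.has(s)) return { base: s, rules };
  }
  return null;
}

// How many sample passwords each rule helps to explain.
function ruleTally(passwords) {
  const tally = {};
  for (const p of passwords) {
    const hit = explain(p);
    if (!hit) continue;
    for (const r of hit.rules.length ? hit.rules : ['plain word']) {
      tally[r] = (tally[r] || 0) + 1;
    }
  }
  return tally;
}

console.log(ruleTally(SAMPLE));
```

A password for which `explain` returns a result is a dictionary word behind a thin disguise and is a candidate for rejection at creation time.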

Visualisation of a first ontology of 14 million passwords. Each password in the list was mapped against all categories of Wikipedia, recursively, to build this ontology.


Detail of the previous figure.

It will also be possible to use similar techniques to build ontologies that can, for instance, be used to automatically detect actions, locations, or assets in the Attack Navigator, and thus to figure out its own context. This is one way in which visualisations can use the information that they convey to structure a general framing of analysis.

Download PDF for all visualisation experiments on cracking passwords.