Working with Critical National Infrastructure (CNI) organisations and government agencies as clients, we understand that the cyber landscape is always scaling and evolving. That’s why we continually test our solutions, within many use cases and scenarios, with the aim of identifying ways to optimise the process.
Jenny Seaborne, Senior Software Engineer at Riskaware, explains how the cyber team have been employing innovative programming techniques to enhance the performance of Riskaware’s industry-leading attack path analytics.
CyberAware Resilience is a system that models the potential impact of cyber attacks on businesses. It provides insight into how cyber attacks could impact operations, enabling organisations to assess their resilience and mitigate network threats.
One of our core functionalities is weakest attack path analysis of a network. This allows users to prioritise and target their software patching, and other mitigation strategies, on the attack points that are most vulnerable to exploitation.
CyberAware Resilience uses a sophisticated algorithm to determine the most exploitable attack paths from the logical locations assumed for any threat actors, including insider threats, to any asset defined as business-critical within the network.
Here are some of the key factors the algorithm takes into account to achieve this:
- Network topology
- Vulnerabilities mapped during network attack surface modelling
- Prerequisites and postconditions to exploiting vulnerabilities
Using this data, CyberAware Resilience can calculate an adversary’s ability to traverse across the network, leading to a determination about the most exploitable attack paths.
Our Original Approach
Our original method of weakest attack path analysis used a graph representation of the network. First, CyberAware Resilience would create the graph by analysing the network’s vulnerability to multi-step attacks. The solution would then analyse each potential attack path in turn by further exploring the vulnerabilities and calculating which attack path was the weakest.
This gave users a clear visual representation of multi-step attacks and how they traversed the network from the initial entry point of a threat actor to their final target, whether this is a phone, laptop, or server.
A limiting factor of this approach was speed. For large networks with many devices, the graph proved to require significant amounts of memory which in turn slowed down analysis.
For the benefit of enterprise and large agency users, who consistently rely on large-scale infrastructure, we wanted to solve this issue. To do so, we innovated a new way of representing the network and solving weakest attack paths.
Creating a New Approach
Our primary aim was to create a solution that performed weakest attack path analysis more efficiently than the original graph approach. We achieved this by using an array-based representation of the network that, although fundamentally displaying the same infrastructure, was much more succinct in the majority of cases. This was especially true for networks that were highly connected, such as subnets.
We have been able to deliver the same results at much quicker speeds by using this more efficient array-based representation as well as exploiting the performance benefits of array-oriented programming. This enables us to optimise the analysis by using the following:
- Avoiding costly iterations
- Using sophisticated slicing and indexing techniques
- Calling functions that can operate across whole or selected parts of the array in a single line of code
- Optimising code by specifying data types of contents
The new approach aims to generate all weakest attack paths from a target device simultaneously, without the need to create the graph. Instead, a simpler approach to setting up the array-based representation of the network is used which analyses the connections between devices, the software on them and their vulnerabilities. This allows a simple solver to be applied which calculates all the weakest attack paths on the network from a given starting device. As such, subsequent analysis, such as network hardening, can be performed much more quickly without the need to solve any additional attack paths.
As a result of the new array-based approach, weakest attack paths can be calculated for much larger networks with huge performance benefits by utilising sophisticated techniques on an array-based representation of the network. Achieving equivalent results to those in the graph representation, the attack paths can still be displayed with the same clear visual representation of multi-step attacks.
Now networks up to 40,000 devices can be processed on a simple laptop using 8Gb memory – the setup stage takes an hour, then solving for all weakest attack paths only takes 1 minute. The previous graph approach could only scale to 5000 devices which took 2 hours to map vulnerabilities and 5 minutes for each weakest attack path. A massive improvement in performance!
The benefits for CyberAware Resilience users
By optimising performance and enhancing speed, users can reveal weakest attack paths much quicker than before. This means more organisations can leverage proactive analysis of multi-stage threats to target their cyber defence activities.
The impacts can be quickly mitigated, meaning organisations save on the resources needed to recover from an attack and keep their sensitive assets secure. By taking a more proactive approach such as this, organisations can better build resilience against cyberattacks.
Download our CyberAware Resilience product sheet for more information on this solution or get in touch if you want to know more.