
Stefano Iacono
Combining Ontologies and MulVAL to Generate Attack Bayesian Networks.
Supervisors: Alessandro Savino, Nicolò Maunero. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2025

PDF (Tesi_di_laurea) - Thesis, 2MB. Licence: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:
In today's interconnected digital world, assessing and managing cybersecurity risk, particularly in the enterprise landscape, is fundamental to protecting both people's rights and business. Enterprises are by definition the most attractive playground for cyber attackers, since information leakage or asset compromise can have catastrophic consequences for people and companies alike. The enormous growth in the capabilities of technological assets, and their spread across every sector, makes this task even more challenging. Modern IT infrastructures keep growing in complexity, while cyber threats constantly evolve to exploit vulnerabilities and find ways to spread across the interconnected assets within a system. This constant change makes it hard, even for experts, to study a company's attack surface in order to predict, counter, and mitigate cyber threats from internal and external malicious actors. Security analysts must put in ever more effort to assess cybersecurity risk correctly and to apply suitable countermeasures. Moreover, the huge amount of information that now has to be handled makes it almost impossible, or at least insufficient, to produce consistent predictions with current tools, which usually rely on Intrusion Detection System (IDS) logs to do their job. This thesis presents threat propagation and, more specifically, the semi-automatic detection of the possible attack paths an attacker can follow to reach a target. Many ideas and works on threat propagation exist in the literature, but each of them focuses only on specific steps of the process and rarely considers the synergy between those steps, which is crucial to improving both the efficiency and the effectiveness of the whole risk assessment process.
With this work, I want to open the door to a possible implementation of a pipeline made of three main steps: using ontology-based methods to model the IT infrastructure, with particular reference to the ThreMA project; using the open source tool MulVAL, which builds attack graphs from properly converted infrastructure files and the supplied attack-modelling rules; and finally exploiting the properties of Bayesian Networks (BN) to build a structure, called an Attack BN, that, given appropriate probability inputs, can infer the propagation of an attack from a starting point to the target through the intermediate nodes. This solution does not remove the need for human support: experts feeding the tool are considered fundamental. The work of this thesis focused on building an initial Proof-of-Concept of the Attack BN, covering part of the proposed pipeline and the generation of attack graphs with MulVAL. This provides a starting point for future studies and improvements that leverage existing AI engines or reasoners which, together with other technologies, could fully automate the proposed pipeline.
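The abstract describes the last step of the pipeline, an Attack BN that takes a MulVAL-style attack graph plus per-step probabilities and infers how likely an attacker is to reach a target. The following is an added illustration, not code from the thesis or from MulVAL. It assumes the usual encoding of an attack graph as a Bayesian network: derivation nodes with OR semantics (any satisfied precondition suffices, combined with the noisy-OR formula) and AND semantics (every precondition is required). The graph, node names and probabilities are constructed for the example, and inference is done by exact enumeration, which is fine for a graph of this size.

```python
from itertools import product

# Constructed sample Attack BN (hypothetical nodes and probabilities).
# Each entry: node -> (kind, parents), where parents is a list of
# (parent_name, edge_probability). "ROOT" nodes carry a prior instead.
# Dict order is the topological order: parents are listed before children.
ATTACK_BN = {
    "attacker":   ("ROOT", 1.0),                        # attacker present on the internet
    "web_shell":  ("AND", [("attacker", 0.6)]),         # exploit of the exposed web service
    "db_access":  ("OR",  [("web_shell", 0.9),          # lateral movement from the web host
                           ("attacker", 0.2)]),         # or a directly reachable DB port
    "data_exfil": ("AND", [("db_access", 0.8)]),        # target: data leaves the DB
}


def conditional_prob(kind, parent_states, weights):
    """P(node is compromised | parent states) under OR / AND semantics.

    OR  : noisy-OR over the parents that are compromised.
    AND : every parent must be compromised; the edge weights multiply.
    """
    active = [w for state, w in zip(parent_states, weights) if state]
    if kind == "OR":
        if not active:
            return 0.0
        survive = 1.0
        for w in active:
            survive *= 1.0 - w
        return 1.0 - survive
    if kind == "AND":
        if len(active) != len(weights):
            return 0.0
        p = 1.0
        for w in active:
            p *= w
        return p
    raise ValueError(f"unknown node kind {kind!r}")


def marginal(graph, target, evidence):
    """P(target compromised | evidence) by exact enumeration of the joint."""
    names = list(graph)
    free = [n for n in names if n not in evidence]
    numerator = denominator = 0.0
    for bits in product((0, 1), repeat=len(free)):
        state = dict(evidence)
        state.update(zip(free, bits))
        joint = 1.0
        for n in names:
            kind, spec = graph[n]
            if kind == "ROOT":
                p1 = spec                                  # prior probability
            else:
                p1 = conditional_prob(kind,
                                      [state[p] for p, _ in spec],
                                      [w for _, w in spec])
            joint *= p1 if state[n] else 1.0 - p1
            if joint == 0.0:
                break
        denominator += joint
        if state[target]:
            numerator += joint
    return numerator / denominator


def with_edge_weight(graph, child, parent, weight):
    """Return a copy of the graph with one edge probability changed.

    Setting a weight to 0.0 models a countermeasure that closes that step
    (e.g. patching the service the edge represents); the rest is unchanged.
    """
    new = dict(graph)
    kind, parents = graph[child]
    new[child] = (kind, [(p, weight if p == parent else w) for p, w in parents])
    return new


if __name__ == "__main__":
    evidence = {"attacker": 1}
    for node in ATTACK_BN:
        print(f"{node:<11} P(compromised) = {marginal(ATTACK_BN, node, evidence):.4f}")
    patched = with_edge_weight(ATTACK_BN, "web_shell", "attacker", 0.0)
    print("after patching the web service:",
          f"{marginal(patched, 'data_exfil', evidence):.4f}")
```

Running the block ranks every node by its probability of compromise given that an attacker is present, then repeats the target query after one edge has been closed. That second query is the what-if analysis the abstract hints at: an analyst compares the target's marginal before and after a candidate countermeasure to see how much of the propagation it actually removes.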
| Field | Value |
|---|---|
| Supervisors | Alessandro Savino, Nicolò Maunero |
| Academic year | 2024/25 |
| Publication type | Electronic |
| Number of pages | 61 |
| Subjects | |
| Degree programme | Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering) |
| Degree class | New system > Master's degree > LM-32 - COMPUTER ENGINEERING |
| Partner organisations | Politecnico di Torino |
| URI | http://webthesis.biblio.polito.it/id/eprint/35307 |