Understanding the business processes that cyber-attackers use is one way in which enterprises can understand and combat the threats that they face.

In the same way that cyber attackers target and disrupt your business processes and value creation chains, businesses must understand the processes and motivations employed by cyber intruders in order to prepare well-founded security practices that can protect the enterprise.

Crime is a business like any other. Taking a security approach to systems design, so that the design itself disrupts the ‘working practices’ of your opponents, cuts the cost and impact of an attack and limits the scope an attacker has to cause havoc in your organisation.

The modelling approaches listed below can be employed to visualise and counteract the processes of cyber attackers using the standard UML and BPMN notation. All that is required is to shift the emphasis from ‘How will I do that?’ to ‘How would I Hack That?’

Combining abuse/misuse cases with well-known attacker processes enables companies to anticipate their opponents’ value chain moves and take proactive measures to prevent damage.

System Use Cases

Creating system use cases is part of the daily work of systems analysts and architects, to elicit and uncover the requirements for software implementation. They are used to model business scenarios through what are essentially structured stories and scenarios that guide the implementation of business systems and software design.

The output (depending on the method used) is a set of user stories or use cases that guide implementation.

System Misuse Cases

For each and every use case, identify the opposite misuse case, taking the opposite meaning to the intention of the system designer, and place it on the same diagram. Describing functionality that the designer does not wish to occur allows participants to visualise the behaviours an external attacker would use to subvert the system's capabilities, by extending the proposed usage of the system to that of a bad actor.

Misuse restaurant model

The advantage of this approach is that it makes it possible to capture security requirements and think about the implications and vulnerabilities of a design early in the system lifetime, reducing the attack surface and thus preventing costly rework.

Misuse case modelling is visual and is used to generate communication between system stakeholders and can be used as part of showing a ‘Privacy by Design’ approach to compliance with legislation like GDPR.

Using misuse cases allows system designers to add in controls, so that actions can be described to counteract the threat from external actors. Like a game of chess, it allows designers to model the best moves that their system can take to mitigate vulnerability or dampen the threats posed.

The advantage and the disadvantage of this approach both lie in its simplicity and in the further analysis work that is required to plan and implement controls.
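One way to check a misuse case model for the gaps described above, as an added example that is not from the original article. The use case, misuse case and control names are a constructed sample, and the `threatens` / `mitigated_by` relation names are assumptions chosen for this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class MisuseCase:
    name: str
    threatens: list                                   # use cases this misuse case subverts
    mitigated_by: list = field(default_factory=list)  # controls that counter it

def review_model(use_cases, misuse_cases, controls):
    """List the gaps a reviewer should close before the design is accepted."""
    threatened = {u for m in misuse_cases for u in m.threatens}
    applied = {c for m in misuse_cases for c in m.mitigated_by}
    return {
        # use cases for which nobody has yet identified the opposite misuse case
        "no_misuse_case": sorted(set(use_cases) - threatened),
        # threats on the diagram that have no counter-move yet
        "unmitigated": sorted(m.name for m in misuse_cases if not m.mitigated_by),
        # misuse cases that point at use cases missing from the model
        "unknown_use_case": sorted(threatened - set(use_cases)),
        # controls that counter nothing, and mitigations that were never defined
        "unused_controls": sorted(set(controls) - applied),
        "undefined_controls": sorted(applied - set(controls)),
    }

# Constructed sample model, loosely themed on a restaurant ordering system.
USE_CASES = ["Order food", "Pay bill", "Reserve table"]
CONTROLS = ["Take card pre-authorisation", "Log order changes"]
MISUSE_CASES = [
    MisuseCase("Leave without paying", ["Pay bill"], ["Take card pre-authorisation"]),
    MisuseCase("Alter order after billing", ["Order food", "Pay bill"]),
]

if __name__ == "__main__":
    for gap, items in review_model(USE_CASES, MISUSE_CASES, CONTROLS).items():
        print(f"{gap}: {items}")
```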

System Abuse Cases

Closely related to misuse cases is the concept of using abuse cases to model the mitigating measures necessary by describing “a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system” (see details here).

Abuse cases extend UML notation by creating a separate abuse case diagram that is associated with a use case. In the abuse case, the designer identifies the actions open to an attacker trying to subvert a system use case. Although the notation is very similar, abuse cases include a description of the attackers’ resources, skills and objectives.

Abuse cases do not fully take into account the effect of system behaviour that is compromised but not yet abused: a system may be compromised, but this is not modelled until the abuse has taken place. Misuse case modelling is interesting because it places both cases on the same diagram, allowing the interplay of actions and counteractions to be modelled.

A good in-depth comparison of the strengths and weaknesses of the two modelling viewpoints is given here.

System Attacker Business Processes

Although these techniques are an interesting use of industry notation, they do not fully capture the processes by which attackers gain entry, or the motivations and processes that they employ in real-world attacks.

Although the majority of cyber-attacks are ‘off the shelf’ hacks that are available to any interested party, the most damaging and persistent threats to complex systems come from attack mechanisms backed by processes. The major ones are listed below:

Ransomware
Objective: To encrypt enterprise data and elicit a ransom.
Process: Attacker Research; Social Engineering; Encryption & Malware infection; Ransom; Decryption
Motivation: Cash
Business Model: Extortion
Actors: Organised Crime
Sophistication: Average

Advanced Persistent Threats
Objective: To infiltrate the enterprise and exfiltrate information using host processes.
Process: Attacker Research; Social Engineering; Remote Command; Lateral Movement; Exfiltration; Audit tampering; Data Exposure
Motivation: IP, Data, sometimes cash.
Business Model: Longer term covert sting operation
Actors: Government, Industrial Espionage
Sophistication: High

Distributed Denial of Service
Objective: To deny users access to the system or website.
Process: Recruit Botnet network; Identify high profile target; Attack Website; Probe for weaknesses; Ransom
Motivation: Cash, Website Crash, Disrupt business operations
Business Model: Extortion or Service Denial
Actors: Organised Crime, Hacktivists or hackers.
Sophistication: Low

Hacktivism
Objective: To publicise conflicting activities or values of an organisation.
Process: Research or Insider Knowledge; Lateral Movement; Privilege Escalation; Exfiltration; Publication
Motivation: Publicity or Political Protest
Business Model: Publicity
Actors: Political Groups, Motivated/malicious insiders
Sophistication: Variable, trusted insider threat

By using BPMN methods the attacker processes shown can be modelled. This will give insight into the protective measures that may be taken by organisations who may be facing the greatest threats. It will help businesses to visualise the attack threat vectors and prepare defences against them.
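The attacker processes listed above can also be held as data and checked against planned defences; the following is an added example, not part of the original article. The stage names are copied from the listing, while the control-to-stage mapping is a constructed sample.

```python
# Stage lists are copied from the listing above.
ATTACKER_PROCESSES = {
    "Ransomware": ["Attacker Research", "Social Engineering",
                   "Encryption & Malware infection", "Ransom", "Decryption"],
    "Advanced Persistent Threats": ["Attacker Research", "Social Engineering",
                                    "Remote Command", "Lateral Movement",
                                    "Exfiltration", "Audit tampering", "Data Exposure"],
    "Distributed Denial of Service": ["Recruit Botnet network",
                                      "Identify high profile target", "Attack Website",
                                      "Probe for weaknesses", "Ransom"],
    "Hacktivism": ["Research or Insider Knowledge", "Lateral Movement",
                   "Privilege Escalation", "Exfiltration", "Publication"],
}

# Constructed sample: control -> the attacker stage it is meant to interrupt.
SAMPLE_CONTROLS = {
    "Staff phishing training": "Social Engineering",
    "Network segmentation": "Lateral Movement",
    "Egress monitoring": "Exfiltration",
}

def shared_stages(processes=ATTACKER_PROCESSES):
    """Stages that appear in more than one attacker process, with the processes using them."""
    seen = {}
    for name, stages in processes.items():
        for stage in stages:
            seen.setdefault(stage, []).append(name)
    return {stage: names for stage, names in seen.items() if len(names) > 1}

def coverage(process, controls=SAMPLE_CONTROLS, processes=ATTACKER_PROCESSES):
    """Return (earliest stage a control interrupts, or None; stages with no control)."""
    covered = set(controls.values())
    stages = processes[process]
    first = next((s for s in stages if s in covered), None)
    return first, [s for s in stages if s not in covered]

if __name__ == "__main__":
    for stage, names in shared_stages().items():
        print(f"shared stage {stage!r}: {', '.join(names)}")
    for name in ATTACKER_PROCESSES:
        first, gaps = coverage(name)
        print(f"{name}: first interrupted at {first!r}; no control for {gaps}")
```

Stages shared by several processes are where a single control disrupts more than one attacker process, and a process whose first result is `None` has no planned interruption at any stage.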

Summary

Using BPMN to direct the misuse or abuse cases informs business analysts through their prior knowledge of the techniques used, and can aid the visualisation of where process is used to amplify the effect of an attacker and where ‘trust points’ allow entry into a system.

Although this approach does not confront processes we are not yet aware of, or zero-day vulnerability attacks, it helps to frame the process of attack in the same view as that of the business.

The ‘stepwise’ decomposition of attack actions fails to take into account the advantage that attackers take of the system as a whole, and how they make many of the same moves rather than all of the possible moves open to them.

Taking a blended modelling and process approach allows business analysts to mitigate the specific threats posed to their organisation by understanding the nature and vector of attack, and to use system abuse/misuse cases to highlight areas where enterprises can identify attacks in progress, take remedial action and prepare resilience plans.

As systems mature and interactions between them increase, it falls to enterprise architects and those who take a full systems view to identify the gaps and vulnerabilities in process and value chains, using metamodelling techniques to prevent opportunistic attackers using your process to aid theirs.