
How CAULDRON works:

In the simplest terms, CAULDRON does three things: it aggregates data you already have; it correlates that data against known vulnerability data sets; and it provides a modeling environment for "what if" analysis and visualization.

We begin with Network Capture, building a model of the network in terms of its security-relevant attributes: the hosts, the software (and hardware) running on them, and the connectivity between them. The Vulnerability Database is a comprehensive repository of reported vulnerabilities, with each record listing the affected software (and hardware). The Exploit Conditions encode how each vulnerability may be exploited (preconditions) and the result of its exploitation (postconditions). Network Capture expresses the collected data in terms of the corresponding elements of the Vulnerability Database and the Exploit Conditions. Together, these inputs form an Environment Model for multi-step attack graph simulation. The Graph Engine uses the Environment Model to simulate multi-step attacks through the network for a given user-defined Attack Scenario: it analyzes vulnerability dependencies by matching exploit postconditions to the preconditions of other exploits, and so generates all possible attack paths through the network for that scenario. The system then provides interactive Visual Analysis of the resulting attack graphs, and it computes Optimal Countermeasures, for example the minimum number of network changes needed to thwart the attack scenario.

CAULDRON integrates with Nessus, Retina, and FoundScan vulnerability scanners for populating its network model. It also processes data from the Sidewinder firewall to capture network connectivity to vulnerable host services.

We have also investigated the Altiris Inventory Solution as a source of asset inventory data. CAULDRON matches the host configuration information gathered through asset inventory against a database of reported vulnerabilities; the result is an enumeration of the vulnerabilities associated with each host. A number of vulnerability databases are available, maintained by government, commercial companies, and the security community. Examples include NIST's National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), and the Common Vulnerabilities and Exposures (CVE) naming standard.

Once the attack model (network and potential exploits) is defined, our CAULDRON system generates an attack graph for a given user-defined attack scenario. The scenario may define particular starting and/or ending points for the attack, so that the graph is constrained to lie between them, or may be completely unconstrained (all possible starting and ending points).

Attack graphs can also guide the placement of intrusion detection sensors, correlate intrusion alarms, handle missed alarms, and filter false alarms. It has been suggested that the worst-case complexity for this kind of attack graph analysis is O(n^4) or even O(n^6), for n hosts in the network model. However, we have made improvements that reduce the worst-case complexity to O(n^2). Using a host-centric representation, we do not search blindly for dependency edges among a flat set of exploits; dependencies are resolved per pair of hosts, which is where the quadratic bound comes from.
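The following is an added illustration of the process described above (the Environment Model, the precondition/postcondition chaining of the Graph Engine, the scenario-constrained path enumeration, and the minimum-change countermeasure search), written for this page; it is not CAULDRON's code. The hosts, firewall rules, software versions and vulnerability identifiers (VULN-A through VULN-D) are all constructed for the example, and the privilege model (none/user/root, monotonic) is a simplifying assumption.

```python
"""Toy host-centric attack-graph engine. Added illustration, not CAULDRON code.
Every host, rule, software version and vulnerability id below is constructed."""
from itertools import combinations

# Privilege the attacker can hold on a host. Exploitation is monotonic (privilege is
# only ever gained), which is what makes the fixpoint iteration below sound.
PRIV = {"none": 0, "user": 1, "root": 2}

# Constructed Network Capture: host -> {port: software}; port None means local software.
SERVICES = {
    "web": {80: "httpd-2.0"},
    "app": {8080: "appserver-1.1", None: "sudo-1.6"},
    "db":  {3306: "mysqld-5.0"},
}
# Constructed firewall policy (the role a Sidewinder export plays): allowed (src, dst, port).
RULES = {
    ("attacker", "web", 80),
    ("web", "app", 8080),
    ("web", "db", 3306),
    ("app", "db", 3306),
}
# Constructed Vulnerability Database + Exploit Conditions, keyed by affected software.
# remote: precondition = user-level code execution on a source host with an allowed flow to
#         the vulnerable port; postcondition = `post` privilege on the target host.
# local:  precondition = user-level access on the host itself; postcondition = `post`.
VULNS = {
    "httpd-2.0":     {"id": "VULN-A", "vector": "remote", "post": "user"},
    "appserver-1.1": {"id": "VULN-B", "vector": "remote", "post": "user"},
    "sudo-1.6":      {"id": "VULN-C", "vector": "local",  "post": "root"},
    "mysqld-5.0":    {"id": "VULN-D", "vector": "remote", "post": "root"},
}


def exploit_instances(services, rules, vulns, state):
    """All exploits whose preconditions hold in `state` (host -> privilege level).
    Host-centric: walk the allowed (src, dst, port) flows once, so work is bounded by
    host pairs rather than by pairs of exploits."""
    out = []
    for src, dst, port in sorted(rules):
        v = vulns.get(services.get(dst, {}).get(port))
        if v and v["vector"] == "remote" and state.get(src, 0) >= PRIV["user"]:
            out.append((src, dst, v["id"], PRIV[v["post"]]))
    for host, sw in services.items():
        v = vulns.get(sw.get(None))
        if v and v["vector"] == "local" and state.get(host, 0) >= PRIV["user"]:
            out.append((host, host, v["id"], PRIV[v["post"]]))
    return out


def build_attack_graph(services, rules, vulns, start):
    """Forward-chain from the attacker's foothold until no new privilege is gained.
    Returns (final state, edges); edges are (src, dst, vuln_id) exploit dependencies."""
    state = {start: PRIV["root"]}
    while True:
        inst = exploit_instances(services, rules, vulns, state)
        new = dict(state)
        for _, dst, _, post in inst:
            new[dst] = max(new.get(dst, 0), post)
        if new == state:
            return state, [(s, d, vid) for s, d, vid, _ in inst]
        state = new


def attack_paths(edges, start, goal):
    """Enumerate every simple chain of remote exploits from start to goal (as vuln ids)."""
    by_src = {}
    for src, dst, vid in edges:
        if src != dst:
            by_src.setdefault(src, []).append((dst, vid))
    paths, stack = [], [(start, [start], [])]
    while stack:
        host, visited, vids = stack.pop()
        if host == goal:
            paths.append(vids)
            continue
        for dst, vid in by_src.get(host, []):
            if dst not in visited:
                stack.append((dst, visited + [dst], vids + [vid]))
    return paths


def optimal_countermeasures(services, rules, vulns, start, goal, goal_priv="root"):
    """All minimum-size sets of changes (drop a firewall rule or patch a software version)
    after which the attacker can no longer reach `goal_priv` on `goal`.
    Brute force over subsets by increasing size; adequate for a model this small."""
    changes = [("rule", r) for r in sorted(rules)] + [("patch", s) for s in sorted(vulns)]
    for k in range(len(changes) + 1):
        found = []
        for combo in combinations(changes, k):
            r = {x for x in rules if ("rule", x) not in combo}
            v = {s: spec for s, spec in vulns.items() if ("patch", s) not in combo}
            state, _ = build_attack_graph(services, r, v, start)
            if state.get(goal, 0) < PRIV[goal_priv]:
                found.append(list(combo))
        if found:
            return found
    return []


if __name__ == "__main__":
    state, edges = build_attack_graph(SERVICES, RULES, VULNS, "attacker")
    print("privilege reached:", state)
    for p in attack_paths(edges, "attacker", "db"):
        print("path to db:", " -> ".join(p))
    for fix in optimal_countermeasures(SERVICES, RULES, VULNS, "attacker", "db"):
        print("single change that blocks root on db:", fix)
```

Two points worth noticing when running it. First, the edge list is computed from the final fixpoint state rather than recorded as privileges are first gained, so the redundant app->db route shows up as its own path; recording only "first" edges would hide it and make the countermeasure search unsound. Second, the countermeasure search returns every minimum-size answer, which is what an analyst wants: patching the database service, patching the web server, and cutting the attacker's only inbound flow are all single changes that thwart the scenario, and which one is operationally acceptable is a human decision.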

How it really works: a technical overview