FAQ: securiCAD Professional and securiCAD Enterprise

Here are some of the frequently asked questions foreseeti receives regarding securiCAD Professional and securiCAD Enterprise.

Business case & Management

What is the business benefit of securiCAD?

securiCAD gives the user the ability to:

1: test designs of IT architectures before they are put in production and

2: get an overview of structural risks in current infrastructure

securiCAD gives holistic and quantitative information about the resilience of current or planned IT environments, expressed in clear KPIs and illustrations such as Time To Compromise (TTC) and Critical Path of attack to sensitive assets.

What are the use cases?

Use cases include:

1: Comparing proposals for IT-security investments to ascertain which is the best from a cost and security perspective

2: Risk assessments of implementation proposals (from contractors or internal development units)

3: Risk assessments of existing environments (e.g. factory production lines, SCADA infrastructure, etc.)

Does securiCAD also factor in costs for different mitigations?

No – that has to be done outside of the software.

Does securiCAD include sign-off functionality for models?

It is possible to route a model to a specific user for review, but the sign-off has to be recorded outside of securiCAD.

Do you offer project support/training/consultancy?

Yes – everything from Proof-of-concept projects to on-site support.

Can securiCAD be integrated with other reporting and issue tracking tools?

Yes, securiCAD Enterprise features an API for access to simulation results, issues and report data.

Who are the customers?

Potentially anyone with at least moderately complex IT infrastructure. Currently our customers include financial institutions, airports, defense forces, consultants and power companies. We also use it ourselves.

 


 

Using securiCAD

How does it work?

When constructing a bridge or manufacturing a new car or airplane, blueprints are used instead of designing based on gut feeling. These design specifications and blueprints are often created and tested using Computer Aided Design (CAD) tools. Besides presenting a description, these tools can often also simulate and analyze important aspects of the product under design.

foreseeti takes this thinking into the IT and Information Security field. In securiCAD, a model of the existing or planned architecture is created. The model is usually created manually, similar to drawing an architecture in Visio. The model can be enriched with existing data sources, such as vulnerability scanners or logs, but it is not necessary to have all the details in place in the model before the first simulation is run.

Once the model is created, a hypothetical attacker is placed somewhere in the model. Where the attacker is placed depends on what kind of attacker the user wishes to study. It could be, e.g. an external attacker coming from the Internet, or a disgruntled employee with legitimate access to the internal network and a laptop.

When the attacker has been placed in the model, the user runs attack simulations with a simple click. securiCAD will then simulate every possible path from the attacker to the targets that the user wants to protect. A target could be e.g. a database with sensitive information or access to a protected network.

securiCAD will report a number of data points after the simulation has been run, such as:

1: Time to Compromise – how long will it take the attacker to reach the target, expressed in days.

2: A critical attack path, showing the least resilient path, or “kill chain”, that the attacker will use to get to the target, along with other possible but less likely attack paths.

3: Critical chokepoints – weak links that are frequently exploited and that attackers often go through to reach the high-value targets.

Based on the results, the user can explore the effects of potential mitigations and design suggestions in the model by re-running the simulation for various scenarios. The simulation usually takes seconds or minutes to perform. For a very large environment, the simulation could take a few hours, depending on which hardware is used.

The results can be exported in .xml or other formats to be used in other applications (e.g. risk reporting tools, presentations etc.).
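The kind of simulation described above can be sketched as a Monte Carlo run over a small attack graph. This is an added example, not securiCAD's algorithm or foreseeti's code; the node names, the mean days per attack step and the exponential timing model are all constructed assumptions.

```python
import heapq
import random
from collections import Counter
from statistics import median

# Constructed model: (source, destination) -> assumed mean days for that step.
MODEL = {
    ("Internet", "WebServer"): 5.0,
    ("Internet", "VPN"): 30.0,
    ("WebServer", "AppServer"): 3.0,
    ("VPN", "AppServer"): 10.0,
    ("Workstation", "AppServer"): 2.0,
    ("AppServer", "Database"): 8.0,
}

def fastest_path(edges, start, target):
    """Dijkstra over one sampled set of step durations: (days, path)."""
    queue, seen = [(0.0, start, (start,))], set()
    while queue:
        days, node, path = heapq.heappop(queue)
        if node == target:
            return days, path
        if node in seen:
            continue
        seen.add(node)
        for (src, dst), cost in edges.items():
            if src == node and dst not in seen:
                heapq.heappush(queue, (days + cost, dst, path + (dst,)))
    return None, None  # target unreachable from this attacker position

def simulate(model, start, target, trials=2000, seed=1):
    """Sample step durations repeatedly; summarise TTC, path and chokepoints."""
    rng = random.Random(seed)
    times, paths, visits = [], Counter(), Counter()
    for _ in range(trials):
        sampled = {e: rng.expovariate(1.0 / m) for e, m in model.items()}
        days, path = fastest_path(sampled, start, target)
        if path is None:
            continue
        times.append(days)
        paths[path] += 1
        visits.update(path[1:-1])  # intermediate nodes only
    if not times:
        return None
    return {
        "ttc_median_days": median(times),
        "critical_path": paths.most_common(1)[0][0],
        "chokepoints": {n: c / len(times) for n, c in visits.most_common()},
    }
```

Calling `simulate(MODEL, "Internet", "Database")` models an external attacker and `simulate(MODEL, "Workstation", "Database")` an insider; raising the mean on an edge and re-running shows the effect of a mitigation on Time to Compromise.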

Do I have to know every detail of my environment before I get value? / How long does it take to create a model? / What level of abstraction is valid?

No, that is not necessary, but securiCAD will deliver different types of value depending on how much detail the model contains.

High-level model:
A high-level model can be created with minimal training in approximately 4-8 hours. The model is created by dragging and dropping objects into securiCAD Professional and connecting them to each other. securiCAD provides default values for all parameters, e.g. patching, FW rules etc. are automatically applied. If not all components are known, it is possible to make “generalizations” in the model, e.g. by representing all clients as one, even though there may be differences in configurations in real life.

The High-Level model will answer the following questions for the user: 1) What are the general weaknesses in my architecture? 2) What happens to my security if I do X change (e.g. invest in firewalls compared to investing in IDS/IDPs)? 3) What will the likely consequences be if the attacker is internal/external/superuser etc.?

Manually adjusted model:
To get more specific in modelling, the next step is to manually adjust the model. That means adding more details, but also trimming the model by setting parameters for defenses that are relevant to the user's environment (such as admin, patching levels and other defenses). It is also possible to model proprietary systems/applications that only exist in the user's environment (e.g. SCADA systems or vehicle systems).

The most efficient way of doing this is to look closer at the path of attack from the High-Level model and trim the components involved in the attack path. Doing this step can take anywhere from hours to weeks, depending on how much complexity is involved in the architecture that the user wants to model. The results from this step are mainly 1) more specific knowledge related to the user's environment and 2) the ability to model specific scenarios, such as high-risk changes.

Fully imported:
If the client has access to data sources, these can be automatically imported into the model. However, it takes quite a few data sources to give a full image of an environment, and the best way to approach the import functionality is to see it as an enrichment of the model that has already been created, rather than an automatic creation of a full model in itself.

Having a fully enriched model will give more certainty, for example by dealing with actual values for defenses, rather than probabilities. This will give you a current snapshot of exact attack paths and present vulnerabilities. It is also possible to perform continuous threat modelling as the model changes. By connecting securiCAD to communication software, such as Slack, it is possible to get real-time alerts when risks exceed a certain level, which can be useful for e.g. DevOps teams.

How long does it take to learn how to use securiCAD?

There are different levels of handling securiCAD. foreseeti and its partners offer a two-day training that will give proficiency for making basic models. Making more advanced models requires some self-studies in combination with an extra two days of training. Like the board game Mastermind, securiCAD takes a short time to learn, but a lifetime to master.

To reach the “Certified securiCAD Consultant” level, you have to pass an examination consisting of one day of repetition of the theoretical basis and optimized usage of the securiCAD modules “pro” and “enterprise”, and another day of testing modelling knowledge and the framework for approved consultants.

How can securiCAD know the attack paths if the environment is not correctly represented?

securiCAD builds attack paths on the known variables (see above). securiCAD assumes configurations and properties if they are not stated explicitly, which means that every detail does not need to be known. Once the first simulation has been run, it is possible to tailor the information further, along the path identified.

How large an environment can be built and analyzed in securiCAD?

Currently there is a limit of 10,000 objects, but that limit is being expanded continuously. It is also possible to model groups of objects as one object, e.g. 10,000 managed workstations can be modelled as one object since they have roughly the same properties. Thereby, it is possible to model very large environments.

Can you represent both insider attacks and external threats?

Yes, securiCAD can represent insiders and external threats, as well as everything in between. This is done by choosing where to place the attacker. An insider will, for example, already have access to a managed workstation and possibly have legitimate access to databases, network zones etc. An external attacker is placed in the “Internet” zone and thus has to compromise the perimeter protection before gaining access to internal resources.

Can you simulate different skill levels of the attackers? (script-kiddies, mafia, nation-state etc.)

Yes, the attacker’s abilities can be customized to align with all types of attackers. The attacker can also be given pre-defined legitimate access to user accounts and credentials to simulate, e.g., an insider attack.

Do I have to put in the probabilities myself?

For the attacks, the probabilities are predefined, based on the research that underlies securiCAD, but you can always override those probabilities if you want. For the configuration of objects and defenses in the model, there is a possibility to input probabilities, but it is not necessary in the first step, as the model is already pre-populated with default values (e.g. patching levels and typical protections).

How do I update my securiCAD-environment after changes in the real environment?

It depends on which version and setup of securiCAD you have. For securiCAD Professional, it has to be updated manually. For securiCAD Enterprise, it can be auto-imported if the data sources allow it.

Can I model <Insert proprietary system> in securiCAD?

Yes. Anything that has basic IT system properties (hardware, software, access and traffic protocols) can be modelled. foreseeti has – in the past – modelled proprietary SCADA systems, as well as car IT environments.

How do I handle parts of my environment I do not have information about?

By making assumptions and informed guesses. Since the attack path is based on probabilities it is not necessary to know all variables before getting value from the simulations.

What do you typically see in your projects?

We typically see recurring problems in the architecture, such as:

1: Flat networks – No segregation between production and access networks

2: Clear single points of failure (e.g. Active Directory, business applications with wide access)

3: Unpatched production systems with forgotten accesses (often in SCADA environments)

4: Reusing admin accounts and passwords

5: Good segmentation – but short-circuited by management (“I need to have access to that data from home”)

6: Structural vulnerabilities – vulnerabilities that seem mild in isolation but combined make an inroad for attackers.

 


 

Security

Will securiCAD have any effect on our real environment?

No, securiCAD simulates in a virtual environment.

How safe is it to put in confidential/sensitive information into securiCAD?

securiCAD Professional is run offline. The security is handled by the client itself.

securiCAD Enterprise is offered as an AWS-based cloud service. foreseeti applies high security to its delivery. Details around foreseeti’s security management are available on request.

It is also possible to run all versions of securiCAD on-site in the customer's own datacenters without external connections.

Can I install securiCAD air-gapped?

Yes