Attack Surface Reasoning

The cyber security exposure of resilient systems is frequently described using the metaphor of an attack surface. A larger surface area indicates more exposure to threats and hence a higher risk of compromise. As dynamic proactive defenses are added to increase the resilience of distributed systems, it is easy to inadvertently change the attack surface in undesirable ways that can lead to cyber friendly fire, a condition in which adding or misconfiguring cyber defenses unintentionally reduces security and harms mission effectiveness. Examples of cyber friendly fire include opening up new vulnerabilities due to unintentional increases of the attack surface, unknown interaction effects between existing and new defenses causing brittleness and unavailability, and new defenses causing significant performance impact leading to mission failure through timeliness violations in information sharing.

The objective of the ASR project is to develop a prototype service capability for creating semantic models of attack surfaces and using those models to (1) automatically quantify and compare cost and security metrics across multiple surfaces, covering both mission and system aspects, and (2) automatically identify opportunities for minimizing attack surfaces, e.g., by removing interactions that are not required for successful mission execution.

Attack Surface Reasoning Ontology

We have made the ontology underlying the attack surface quantification work available through a Distribution A release. The following documents fully describe the ontology:

Thrusts