Here are some of the frequently asked questions about securiCAD and its underlying logic
Frequently Asked Questions
How does it work?
securiCAD is an automated tool that performs its analysis continuously, but you can think about it as a three step process:
Model generation. The attack simulations are conducted on models of IT-environments. These models are automatically generated based on data from your environment or manually created in our modeling tool.
Attack simulations. securiCAD performs attack simulations on these models i.e., simulates what an attacker might be able to do to your environment based on your current environment as well as what-if-scenarios (e.g., what could happen if a password is stolen).
Analysis. Based on the simulations, securiCAD will calculate the most likely attack paths, quantify the success rate, report on exploitable vulnerabilities, top threats and suggested mitigations.
What is the theory behind it?
“Reasoning with uncertainty” is a large and active subfield of AI research. A system that can reason about uncertainty typically provides a semantic explanation of the origin and nature of the uncertainty, a way to represent it in a formal language and a set of rules for drawing conclusions from it. securiCAD uses probability theory and attack graphs to represent and process uncertainty: it generates attack graphs from a model of an IT architecture and assesses the time it would take a highly capable adversary to compromise the different assets in that architecture. The attack graphs are populated with probability distributions that specify the amount of time it would take the attacker to traverse each step in the attack graph.
The logic of the model and attack graphs used in the attack simulations is defined in the Meta Attack Language (MAL). MAL is a framework for specifying the assets and associations of models as well as the attack steps, defenses and probabilities of the attack graphs. Monte Carlo simulations are then used to sample the distributions of all attack steps in the model. securiCAD presents the attack times as a probability distribution, the Time to Compromise (TTC) distribution, together with the most probable attack paths.
The simulation engine builds on an implementation of the shortest path problem, a classical network optimization problem that arises in many practical situations. The algorithm exists in many variations; the most common variant, Dijkstra’s Single-Source Shortest Path Algorithm, marks one node as the source and finds the shortest path from it to all other nodes.
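To make the three ingredients above concrete, here is an added example (not securiCAD's or MAL's own code) of a toy attack graph with "or" and "and" attack steps, exponential TTC distributions sampled by Monte Carlo, and a Dijkstra-style shortest path search that reports the median Time to Compromise and the most probable attack path; the graph, step names and mean times are constructed for illustration.

```python
import heapq
import random
from collections import Counter
# Constructed toy attack graph (added example, not a securiCAD model): step ->
# (kind, parent steps, mean days). An "or" step needs any parent compromised, an
# "and" step all of them; the mean parameterises an exponential TTC distribution.
GRAPH = {
    "attacker":        ("or",  [],                                0.0),
    "phish_user":      ("or",  ["attacker"],                      3.0),
    "exploit_service": ("or",  ["attacker"],                      20.0),
    "user_creds":      ("or",  ["phish_user"],                    1.0),
    "host_access":     ("or",  ["user_creds", "exploit_service"], 2.0),
    "db_read":         ("and", ["host_access", "user_creds"],     0.5),
}

def time_to_compromise(times, source="attacker"):
    """Dijkstra with sampled step times; "and" steps relax only once all parents are final."""
    children = {s: [c for c, (_, p, _) in GRAPH.items() if s in p] for s in GRAPH}
    dist, pred, seen = {source: 0.0}, {source: None}, {s: {} for s in GRAPH}
    heap = [(0.0, source)]
    while heap:
        d, step = heapq.heappop(heap)
        if d > dist[step]:
            continue                      # stale heap entry, step already finalised
        for child in children[step]:
            kind, parents, _ = GRAPH[child]
            seen[child][step] = d         # parent 'step' compromised at time d
            if kind == "and" and len(seen[child]) < len(parents):
                continue                  # wait for the remaining parents
            base = max(seen[child].values()) if kind == "and" else d
            cand = base + times[child]
            if cand < dist.get(child, float("inf")):
                dist[child], pred[child] = cand, step
                heapq.heappush(heap, (cand, child))
    return dist, pred

def attack_path(pred, target):
    """Predecessor chain source -> target (an "and" step keeps its last parent)."""
    return () if target is None else attack_path(pred, pred[target]) + (target,)

def simulate(target, runs=2000, seed=1):
    """Monte Carlo over the TTC distributions: median TTC and most probable path."""
    rng, ttcs, paths = random.Random(seed), [], Counter()
    for _ in range(runs):
        times = {s: rng.expovariate(1 / m) if m else 0.0 for s, (_, _, m) in GRAPH.items()}
        dist, pred = time_to_compromise(times)
        ttcs.append(dist[target])
        paths[attack_path(pred, target)] += 1
    ttcs.sort()
    return {"median_days": ttcs[len(ttcs) // 2], "most_probable_path": paths.most_common(1)[0][0]}
```

Calling `simulate("db_read")` yields the sampled TTC median in days and the path most often taken across the runs; editing the mean times in `GRAPH` is the toy equivalent of overriding a probability distribution for a what-if scenario.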
How are probabilities and the attack logic derived?
The statistics (probability distributions) and logic (generation and connection of attack steps) in the tool are based on research and development continuously ongoing within foreseeti and KTH Royal Institute of Technology, as well as on other researchers’ study results.
All statistics, logic and data employed in securiCAD are derived from scientific studies, experiments, surveys, expert judgement and vulnerability data. Previous work includes studies on vulnerability discovery (including zero days), arbitrary code execution exploits, denial of service attacks, intrusion detection effectiveness, network scanner effectiveness, phishing, configuration faults and unknown entry points, and password cracking and guessing.
The collected data is aggregated and represented as logical necessities or as distributions on attack steps that denote the probability over time of a successful attack. All sources are publicly available or available through journals or scientific publications. Probabilities are customizable and can be edited by the user to represent special cases, to incorporate more detailed knowledge about defense mechanisms, or to model non-standard attacks.
How are probabilities and the attack logic updated?
securiCAD is continuously revised and updated with the methods mentioned above. Furthermore, securiCAD is continuously validated and benchmarked against security experts from a wide variety of industries in Turing tests. In the Turing tests, domain experts within IT security have investigated and estimated the security aspects of a given system and network architecture. The same architecture has also been modelled and analyzed using securiCAD.
The results of the experts and securiCAD have then been anonymized and blended together, and finally the results have been compared and judged to find out how well securiCAD conforms to the domain experts’ assessments. With the tests, it has been scientifically established that securiCAD performs on par with the sharpest minds in cyber security.
Can I edit/update the probabilities and logic myself?
Yes, the logic of the model and attack graphs used in securiCAD is defined in the Meta Attack Language (MAL) and can be edited and updated freely. MAL is an open-source framework for specifying the assets and associations of models as well as the attack steps, defenses and probabilities of the attack graphs.
Can I generate models automatically by importing data?
securiCAD can be integrated with most tools that contain data describing any part of an IT architecture, from infrastructure to vulnerabilities and users. Some sources are supported natively, and custom or proprietary sources can be used via the securiCAD SDK and APIs. Multiple complementary sources can also be used together to generate a more comprehensive model; conflicts and matches between sources are handled automatically by securiCAD. Below are a few examples of data sources previously used with securiCAD:
Can I create my own integration?
Adding support for new data sources is an ongoing project for our professional services team and we can typically create valuable models from a new data source within hours of receiving it. Our developers use the same SDK and API as we provide to our customers and community and we can provide training, support and tutorials if you wish to develop your own parsers.