Host
Purpose
A Host object is used to represent the kernel of a running operating system. The particular operating system release/software/distribution is defined by connecting a SoftwareProduct object to the Host object. Network-related applications that are not part of the operating system kernel shall be modeled using either Clients or Services.
Connections


Object | Connection | Description | Function |
---|---|---|---|
Access control | Authorization | Provides login prompt for the Host. | A missing AccessControl association leads to instant PrivilegeEscalation and Compromise. |
Service | Root Application Execution | The Service run by the Host is run as root/administrator/superuser but provides no remote operating system login functionality. If a general purpose application is also capable of offering some "shell escape" functionality to the user, consider modeling it as a "shell application" instead. | A missing service can reduce the risk of UserAccess and Compromise. |
Service | Root Shell Execution | The Service run by the Host is run as root/administrator/superuser and provides remote operating system login functionality. | A missing service can reduce the risk of UserAccess and Compromise. |
Service | Non-Root Application Execution | Same as with Root Application Execution, but the Service is run on the Host by a non-privileged user. | A missing service can reduce the risk of UserAccess and Compromise. |
Service | Non-Root Shell Execution | Same as with Root Shell Execution, but the Service is run on the Host by a non-privileged user. | A missing service can reduce the risk of UserAccess and Compromise. |
Vulnerability Scanner | Authenticated Scan | A VulnerabilityScanner with an Authenticated Scan connection has login credentials to the Host and can perform an internal scan for known vulnerabilities. | A missing Vulnerability Scanner increases the risk of finding an UnknownService, as well as unpatched software on the Host. |
Vulnerability Scanner | Unauthenticated Scan | A VulnerabilityScanner (e.g., Nessus, Qualys Guard) with an Unauthenticated Scan can only perform an external scan without logging in. | A missing Vulnerability Scanner increases the risk of finding an UnknownService, as well as unpatched software on the Host. |
Vulnerability Scanner | Excluded From Scan | A VulnerabilityScanner can be connected to a Network, stating that all Hosts connected to that Network are monitored by the VulnerabilityScanner. However, if there are exceptions to this (all Hosts in a Network zone are scanned except for a few non-compatible ones), making an Excluded From Scan connection between the VulnerabilityScanner and the Host will show this. | A missing Vulnerability Scanner increases the risk of finding an UnknownService, as well as unpatched software on the Host. |
Client | Non-Root Client Execution | A Client is run by a non-privileged/standard user on the Host. | A missing Client can reduce the risk of Compromise, UserAccess and client side attacks. |
Client | Root Client Execution | A Client is run by a privileged/root/administrator user on the Host. | A missing Client can reduce the risk of Compromise, UserAccess and client side attacks. |
Datastore | Database Execution | Represents a database, directory, or any other data located on, or accessible through, the Host. | A Datastore has no impact on Host security. |
IDS | HIDS Execution | Provides protection on the Host through intrusion detection which attempts to recognize unauthorized or malicious use of resources. | A missing IDS enables direct bypass of the IDS via exploits or USB. |
Network | Connection | Association to a Network denotes that the Host has an IP address on that Network. | A missing Network association reduces the risk of an attacker finding unknown services or getting access to Services, Clients or AccessControl on the Host. |
Physical zone | Physical Access | Connection to a Physical Zone means that an attacker can obtain physical access to the Host. | Reduces the risk of UIAccess. |
Keystore | Keystore Execution | A connection to a Keystore object denotes that the Keystore is hosted by the Host. | A missing connection to a Keystore prevents Read access on a Keystore through Hosts. |
Software product | Software Properties | A Host always needs to be connected to a Software Product which denotes what operating system it is running e.g. Windows 10. | This association is mandatory. |
Attack Steps and Defenses


Attack Step | Description | Leads to |
---|---|---|
ARPCachePoisoning | The possibility to inject false information into the Address Resolution Protocol information list, tricking the Host into communicating with unintended hosts. | Service: Dataflow.Access |
BypassAntiMalware | The possibility for malware to pass the anti-malware software undiscovered. It also includes the possibility to trick the user into disabling the anti-malware software. | Host: Compromise |
BypassIDS | Same as above but for the host’s Intrusion Detection System. | Host: BypassAntiMalware |
Compromise | The possibility to control/own the Host. | Network: Compromise |
DenialOfService | The possibility to block the host. | Service: DenialOfService |
DeployExploit | The possibility to introduce and use a vulnerability. | Host: BypassIDS |
FindExploit | The possibility to find an exploitable vulnerability. | Host: DeployExploit |
PhysicalAccess | The possibility to access the host's login prompt via physical access. | Host: Compromise |
PrivilegeEscalation | A regular non-privileged user bypassing the AccessControl to become a privileged root/admin user. | Host: Compromise |
USBAccess | The possibility to access the host using USB/portable media related attacks. | Host: BypassIDS |
UserAccess | Using normal user operations. Qualified user credentials are being used to access the Host. | AccessControl: Access, Host: FindExploit |

Defense | Defense Description | Impact | Default |
---|---|---|---|
ASLR | Address space layout randomization (ASLR) is used to fortify hosts against buffer overflow attacks by introducing address space randomization. | DeployExploit can be delayed with ASLR enabled. | On |
AntiMalware | Antimalware software is an effective way to detect, remove and deter malware attacks. | An enabled AntiMalware reduces the risk of it being bypassed from 100% to 90%. | Off |
DEP | Data execution prevention (DEP) is a Host-based defense against buffer overflow attacks that makes the buffer areas non-executable. | DeployExploit can be delayed with DEP enabled. | On |
Hardened | Hardening involves procedures such as disabling unused ports, services and hardware outlets, which is commonly recommended practice. This defense denotes the presence of such procedures on Hosts. | Hardened prevents the attacker from finding Unknown (to the user) Services on the Host. | Off |
HostFirewall | A Host level (or personal) firewall aims to block or allow certain services and data flows between hosts on the same Network e.g. the Windows firewall. | The probability of identifying an UnknownService can be lowered with Host firewall enabled. | Off |
Patched | Denotes whether the Host has all applicable software security patches implemented. | Prevents an attacker from obtaining exploits to patchable vulnerabilities in the host software. | 0.5 |
StaticARPTables | An ARP table maps IP addresses to physical MAC addresses. Static ARP Tables have static mappings, which prevent ARP spoofing. | Prevents ARP cache poisoning. | Off |
UnknownService
A system which has not been hardened has a certain probability of having unknown services, not known to the system administrator and/or modeler. In securiLang this is modeled by adding one unknown service for each network the host is connected to, given that the host defense Hardened is set to Off. (Additionally, there is a 50% probability that a host with a vulnerability scanner is classified as Hardened given that the administrator is made aware of extraneous services via reports).
The unknown service also includes an unknown access control and an unknown software product (with the default settings of the unknown service).
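As an added example (not part of this page, securiCAD or securiLang), the Python below encodes the "Leads to" edges and the stated defense impacts from the tables above together with the UnknownService rule just described, so a modeler can check which defenses actually cut a path to Compromise. Treating Patched as a plain on/off value, treating ASLR/DEP as delaying but not blocking, and the function names are simplifications assumed here.

```python
"""Toy evaluation of the Host attack-step graph (added illustration).
Edges follow the 'Leads to' column; Patched blocks FindExploit,
StaticARPTables blocks ARPCachePoisoning, AntiMalware lowers the
success of BypassAntiMalware to 0.9. ASLR/DEP only delay DeployExploit,
so they are deliberately absent from the reachability model (assumption)."""

LEADS_TO = {
    "UserAccess": ("AccessControl.Access", "FindExploit"),
    "FindExploit": ("DeployExploit",),
    "DeployExploit": ("BypassIDS",),
    "USBAccess": ("BypassIDS",),
    "BypassIDS": ("BypassAntiMalware",),
    "BypassAntiMalware": ("Compromise",),
    "PhysicalAccess": ("Compromise",),
    "PrivilegeEscalation": ("Compromise",),
    "ARPCachePoisoning": ("Dataflow.Access",),
    "DenialOfService": ("Service.DenialOfService",),
    "Compromise": ("Network.Compromise",),
}
# Attack step -> defense that fully blocks it when enabled ('Impact' column).
BLOCKED_BY = {"FindExploit": "Patched", "ARPCachePoisoning": "StaticARPTables"}


def step_probability(step, defenses):
    """Probability that an attacker who has reached `step` succeeds at it."""
    blocker = BLOCKED_BY.get(step)
    if blocker and defenses.get(blocker, False):
        return 0.0
    if step == "BypassAntiMalware" and defenses.get("AntiMalware", False):
        return 0.9  # "from 100% to 90%" in the defense table
    return 1.0


def compromise_probability(entry, defenses):
    """Best (max over paths) product of step probabilities from `entry` to Compromise."""
    best = {entry: step_probability(entry, defenses)}
    frontier = [entry]
    while frontier:  # graph is acyclic; a step is revisited only if its score improves
        step = frontier.pop()
        for nxt in LEADS_TO.get(step, ()):
            p = best[step] * step_probability(nxt, defenses)
            if p > best.get(nxt, 0.0):
                best[nxt] = p
                frontier.append(nxt)
    return best.get("Compromise", 0.0)


def unknown_services(networks, hardened, has_scanner=False):
    """Expected UnknownService count: one per Network unless Hardened; a connected
    vulnerability scanner gives a 50% chance of the Host counting as Hardened."""
    if hardened:
        return 0.0
    return (0.5 if has_scanner else 1.0) * len(networks)
```

Running `compromise_probability("USBAccess", {"Patched": True})` returns 1.0, which makes the table's point that patching alone does not stop the USB path, while `{"Patched": True}` drives the UserAccess path to 0.0.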