Create an Attack Graph to Find System Vulnerabilities

    After a system has been exploited, IT security staff may attempt to recreate the attack to help determine exactly where the vulnerabilities were located. Some IT organizations may even try to lay out their system configurations to determine whether any issues or potential attack areas exist. To do this can be challenging, since there are so many components and paths where an attack could take place.

    Determining attack paths after or prior to an actual intrusion involves using forensic examination techniques. One such approach involves drawing out a graphical representation of potential exploits.

    To help you understand and use such techniques, read our IT Download, “Using Attack Graphs in Forensic Examinations.” In this document, the authors explain in detail how to develop attack graphs to examine possible vulnerabilities in your systems. According to the publication:

    Independently, attack graphs specify preconditions and post conditions of each act that can be used to create an attack. Combining them in a directed graph where the preconditions of a step are enabled by the post conditions of prior executed steps, it would create an attack. Therefore, given a set of vulnerabilities in a system, an attack graph analysis provides investigators with potential attack scenarios. Finding evidence that matches one or many such paths would then facilitate re-creating the attack.

    In the download, the authors describe how to use an attack graph to find forensic evidence after a cyberattack. The paper also tells how hackers can use anti-forensic activity to “clean up evidence left behind by an attack.” The authors also discuss the National Vulnerability Database (NVD) and its role in assisting with forensic investigations even if anti-forensics tools were implemented in the attack.

    This educational download can help enterprise IT security staff learn more about their own network vulnerabilities. It may even help mitigate damage from an attack, find evidence from an intrusion or show possible open issues with current network setups.

    Latest Articles