Two types of dynamics are important when modeling cyberattacks: how adversaries chain together techniques across systems and how they change the target systems. Attack graphs are prominent within research communities for automatically mapping and chaining together actions. Modeling adversary-driven system changes is comparatively unexplored, however. One reason could be that modeling adversarial change dynamics poses a blend of problems where the typical attack graph approaches could produce state-space explosions and infinite graphs. Therefore, this work presents the core modeling aspects of the Dynamic Meta Attack Language (DynaMAL), a project to lazily generate attack graphs by combining attack graph construction and simulation methods. DynaMAL lets users declare domain-specific modeling and attack graph generation languages. Then, the attack graphs are generated one step at a time based on the actions of an adversary agent. By only generating what is explicitly requested, DynaMAL can demonstrably change the system model as the attack graph grows while sidestepping typical state-space explosions and graph re-calculation problems. Shifting to a lazy generation process poses new challenges, however. Nevertheless, there is likely a point where lazy approaches will prevail when analyzing large and complex systems.

ICT infrastructures are getting increasingly complex, and defending them against cyber attacks is cumbersome. As cyber threats continue to increase and expert resources are limited, organizations must find more efficient ways to evaluate their resilience and take proactive measures. Threat modeling is an excellent method of assessing the resilience of ICT systems, for example, by building Attack Graphs that illustrate an adversary's attack vectors. Previously, the Meta Attack Language (MAL) was proposed, which serves as a framework to develop Domain Specific Languages (DSLs) and generate Attack Graphs for modeled infrastructures. coreLang is a MAL-based threat modeling language that utilizes Attack Graphs to enable attack simulations and security assessments. In this work, we present the first release version of coreLang in which MITRE ATT&CK tactics and techniques are mapped onto to serve as a validation and identify strengths and weaknesses to benefit the development cycle. Our validation showed that coreLang does cover 46% of all the techniques included in the matrix, while if we additionally exclude the tactics that are intrinsically not covered by coreLang and MAL, the coverage percentage increases to 64%.

The complexity of ICT infrastructures is continuously increasing, presenting a formidable challenge in safeguarding them against cyber attacks. In light of escalating cyber threats and limited availability of expert resources, organizations must explore more efficient approaches to assess their resilience and undertake proactive measures. Threat modeling is an effective approach for assessing the cyber resilience of ICT systems. One method is to utilize Attack Graphs, which visually represent the steps taken by adversaries during an attack. Previously, MAL (the Meta Attack Language) was proposed, which serves as a framework for developing Domain-Specific Languages (DSLs) and generating Attack Graphs for modeled infrastructures. coreLang is a MAL-based threat modeling language that utilizes such Attack Graphs to enable attack simulations and security assessments for the generic ICT domain. Developing domain-specific languages for threat modeling and attack simulations provides a powerful approach for conducting security assessments of infrastructures. However, ensuring the correctness of these modeling languages raises a separate research question. In this study we conduct an empirical experiment aiming to falsify such a domain-specific threat modeling language. The potential inability to falsify the language through our empirical testing would lead to its corroboration, strengthening our belief in its validity within the parameters of our study. The outcomes of this approach indicated that, on average, the assessments generated by attack simulations outperformed those of human experts. Additionally, both human experts and simulations exhibited significantly superior performance compared to random guessers in their assessments. While specific human experts occasionally achieved better assessments for particular questions in the experiments, the efficiency of simulation-generated assessments surpasses that of human domain experts.

Flexibility markets are crucial for balancing the decentralised and renewable-driven energy landscape. This paper presents a security evaluation of a flexibility market system using a threat modelling approach. A reference architecture for a typical flexibility market system is proposed, and attack graph-driven simulations are performed to analyse potential attack pathways where malicious actors might infiltrate the system and the vulnerabilities they might exploit. Key findings include the identification of high-risk areas, such as the Internet links between market actors. To mitigate these risks, the paper proposes and evaluates multiple protection scenarios in reducing the identified attack vectors. The findings underline the importance of multi-layered security strategies to safeguard flexibility markets from increasingly sophisticated cyber threats.

The substation automation system consists of many different complex assets and data flows. The system is also often externally connected to allow for remote management. The complexity and remote access to the substation automation system makes it vulnerable to cyber attacks. It also makes it difficult to assess the overall security of the system. One method of assessing the potential threats against a system is threat modeling. In this paper we create a language for producing threat models specifically for the substation automation systems. We focus on the method used to create the language where we review industry designs, build the language based on existing languages and consider attack scenarios from a literature study. Finally we present the language, model two different attack scenarios and generate attack graphs from the threat models.

Software bills of materials (SBOMs) promise to become the backbone of software supply chain hardening. We deep-dive into six tools and the SBOMs they produce for complex open source Java projects, revealing challenges regarding the accurate production and usage of SBOMs.

When protecting the Industrial Control Systems against cyber attacks, it is important to have as much information as possible to allocate defensive resources properly. In this paper we estimate the Time-To-Compromise of different Industrial Control Systems attack techniques by MITRE ATT&CK. The Time-To-Compromise is estimated using an equation that takes into consideration the vulnerability data that exists for a specific asset and category of vulnerability. The vulnerability data is derived from an Industrial Control Systems specific vulnerability dataset. As a result, we present the mapping of the attack techniques to assets and categories of vulnerability, which makes it possible to apply specific vulnerabilities to the technique. We also present the method of how to estimate the Time-To-Compromise of the techniques and finally the values of Time-To-Compromise. After mapping the attack techniques to assets and category of vulnerability we are able to estimate the Time-To-Compromise and discuss its trustworthiness.

Modern software applications are virtually never built entirely in-house. As a matter of fact, they reuse many third-party dependencies, which form the core of their software supply chain [1]. The large number of dependencies in an application has turned into a major challenge for both security and reliability. For example, to compromise a high-value application, malicious actors can choose to attack a less well-guarded dependency of the project [2]. Even when there is no malicious intent, bugs can propagate through the software supply chain and cause breakages in applications. Gathering accurate, upto- date information about all dependencies included in an application is, therefore, of vital importance.

Nowadays, IT infrastructures are involved in making innumerable aspects of our lives convenient, starting with water or energy distribution systems, and ending with e-commerce solutions and online banking services. In the worst case, cyberattacks on such infrastructures can paralyze whole states and lead to losses in terms of both human lives and money.One of the approaches to increase security of IT infrastructures relies on modeling possible ways of compromising them by potential attackers. To facilitate creation and reusability of such models, domain specific languages (DSLs) can be created. Ideally, a user will employ a DSL for modeling their infrastruc-ture of interest, with the domain-specific threats and attack logic being already encoded in the DSL by the domain experts.The Meta Attack Language (MAL) has been introduced previously as a meta-DSL for development of security-oriented DSLs. In this work, we define formally the syntax and a semantics of MAL to ease a common understanding of MAL's functionalities and enable reference implementations on different tech-nical platforms. It's applicability for modeling and analysis of security of IT infrastructures is illustrated with an example.

IT systems pervade our society more and more, and we become heavily dependent on them. At the same time, these systems are increasingly targeted in cyberattacks, making us vulnerable. Enterprise and cybersecurity responsibles face the problem of defining techniques that raise the level of security. They need to decide which mechanism provides the most efficient defense with limited resources. Basically, the risks need to be assessed to determine the best cost-to-benefit ratio. One way to achieve this is through threat modeling; however, threat modeling is not commonly used in the enterprise IT risk domain. Furthermore, the existing threat modeling methods have shortcomings. This paper introduces a metamodel-based approach named Yet Another Cybersecurity Risk Assessment Framework (Yacraf). Yacraf aims to enable comprehensive risk assessment for organizations with more decision support. The paper includes a risk calculation formalization and also an example showing how an organization can use and benefit from Yacraf.