Publications (10 of 14)
Xiong, W., Legrand, E., Åberg, O. & Lagerström, R. (2022). Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. Software and Systems Modeling, 21(1), 157-177
2022 (English). In: Software and Systems Modeling, ISSN 1619-1366, E-ISSN 1619-1374, Vol. 21, no 1, p. 157-177. Article in journal (Refereed) Published
Abstract [en]

Enterprise systems are growing in complexity, and the adoption of cloud and mobile services has greatly increased the attack surface. To proactively address these security issues in enterprise systems, this paper proposes a threat modeling language for enterprise security based on the MITRE Enterprise ATT&CK Matrix. It is designed using the Meta Attack Language framework and focuses on describing system assets, attack steps, defenses, and asset associations. The attack steps in the language represent adversary techniques as listed and described by MITRE. This entity-relationship model describes enterprise IT systems as a whole; by using available tools, the proposed language enables attack simulations on its system model instances. These simulations can be used to investigate security settings and architectural changes that might be implemented to secure the system more effectively. Our proposed language is tested with a number of unit and integration tests. This is visualized in the paper with two real cyber attacks modeled and simulated.

Place, publisher, year, edition, pages
Springer, 2022
National Category
Computer Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-297591 (URN); 10.1007/s10270-021-00898-7 (DOI); 000663233900001 (); 2-s2.0-85108228568 (Scopus ID)
Funder
Vinnova; Swedish Energy Agency
Note

QC 20210621

Available from: 2021-06-18. Created: 2021-06-18. Last updated: 2024-01-17. Bibliographically approved
Hacks, S., Katsikeas, S., Rencelj Ling, E., Xiong, W., Pfeiffer, J. & Wortmann, A. (2022). Towards a Systematic Method for Developing Meta Attack Language Instances. In: Enterprise, Business-Process and Information Systems Modeling 23rd International Conference, BPMDS 2022 and 27th International Conference, EMMSAD 2022, Held at CAiSE 2022, Leuven, Belgium, June 6–7, 2022, Proceedings. Paper presented at 34th International Conference on Advanced Information Systems Engineering CAiSE 2022, Leuven, Belgium, June 6–7, 2022 (pp. 139-154). Springer Nature, 450
2022 (English). In: Enterprise, Business-Process and Information Systems Modeling 23rd International Conference, BPMDS 2022 and 27th International Conference, EMMSAD 2022, Held at CAiSE 2022, Leuven, Belgium, June 6–7, 2022, Proceedings, Springer Nature, 2022, Vol. 450, p. 139-154. Conference paper, Published paper (Refereed)
Abstract [en]

Successfully developing domain-specific languages (DSLs) demands language engineers to consider their organizational context, which is challenging. Action design research (ADR) provides a conceptual framework to address this challenge. Since ADR’s application to the engineering of DSLs has not yet been examined, we investigate applying it to the development of threat modeling DSLs based on the Meta Attack Language (MAL), a metamodeling language for the specification of domain-specific threat modeling languages. To this end, we conducted a survey with experienced MAL developers on their development activities. We extract guidelines and align these, together with established DSL design guidelines, to the conceptual model of ADR. The research presented aims to be the first step to investigate whether ADR can be used to systematically engineer DSLs.

Place, publisher, year, edition, pages
Springer Nature, 2022
Series
Lecture Notes in Business Information Processing, ISSN 1865-1348 ; 450
Keywords
Action design research (ADR), Domain specific language (DSL), Language engineering, Digital subscriber lines, Modeling languages, Action design research, Conceptual frameworks, Design research, Domain specific language, Domains specific languages, Metamodeling, Organizational context, Systematic method, Threat modeling, Problem oriented languages
National Category
Natural Language Processing
Identifiers
urn:nbn:se:kth:diva-315994 (URN); 10.1007/978-3-031-07475-2_10 (DOI); 000894110300010 (); 2-s2.0-85131307190 (Scopus ID)
Conference
34th International Conference on Advanced Information Systems Engineering CAiSE 2022, Leuven, Belgium, June 6–7, 2022
Note

QC 20230130

Available from: 2022-08-05. Created: 2022-08-05. Last updated: 2025-02-07. Bibliographically approved
Xiong, W., Hacks, S. & Lagerström, R. (2021). A Method for Assigning Probability Distributions in Attack Simulation Languages. Complex Systems Informatics and Modeling Quarterly (26), 55-77, Article ID 151.
2021 (English). In: Complex Systems Informatics and Modeling Quarterly, E-ISSN 2255-9922, no 26, p. 55-77, article id 151. Article in journal (Refereed) Published
Abstract [en]

Cyber attacks on IT and OT systems can have severe consequences for individuals and organizations, from water or energy distribution systems to online banking services. To respond to these threats, attack simulations can be used to assess the cyber security of systems to foster a higher degree of resilience against cyber attacks; the steps taken by an attacker to compromise sensitive system assets can be traced, and a time estimate can be computed from the initial step to the compromise of assets of interest.

Previously, the Meta Attack Language (MAL) was introduced as a framework to develop security-oriented domain-specific languages. It allows attack simulations on modeled systems and analyzes weaknesses related to known attacks. To produce more realistic simulation results, probability distributions can be assigned to attack steps and defenses to describe the efforts required for attackers to exploit certain attack steps. However, research on assessing such probability distributions is scarce, and we often rely on security experts to model attackers’ efforts. To address this gap, we propose a method to assign probability distributions to the attack steps and defenses of MAL-based languages. We demonstrate the proposed method by assigning probability distributions to a MAL-based language. Finally, the resulting language is evaluated by modeling and simulating a known cyber attack.

Place, publisher, year, edition, pages
Riga Technical University, 2021
Keywords
Attack Simulations; Threat Modeling; Domain-Specific Language; Cyber Security; Information Collection
National Category
Computer Sciences
Research subject
Electrical Engineering
Identifiers
urn:nbn:se:kth:diva-293920 (URN); 10.7250/csimq.2021-26.04 (DOI); 2-s2.0-85108209334 (Scopus ID)
Funder
StandUp; Vinnova
Note

QC 20210527

Available from: 2021-05-05. Created: 2021-05-05. Last updated: 2025-05-08. Bibliographically approved
Xiong, W., Hacks, S. & Lagerström, R. (2021). A Method for Quality Assessment of Threat Modeling Languages: The Case of enterpriseLang. Paper presented at PoEM’21 Forum: 14th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modelling (pp. 49-58). Riga, Latvia, 3045
2021 (English). Conference paper, Published paper (Refereed)
Abstract [en]

Enterprise systems are growing in complexity, and the adoption of cloud and mobile services has greatly increased the attack surface. To proactively address these security issues in enterprise systems, a threat modeling language for enterprise systems called enterpriseLang was proposed. It is a domain-specific language (DSL) designed using the Meta Attack Language (MAL) framework and focuses on describing system assets, attack steps, defenses, and asset associations. The threat models can serve as input for attack simulations to analyze the behavior of attackers within the system. However, whether and to what extent the functionality of these threat modeling languages is achieved has not been addressed. To ensure the correct functionality of threat modeling languages, this paper proposes a method to assess the quality of such languages and illustrates its application using enterpriseLang.

Place, publisher, year, edition, pages
Riga, Latvia, 2021
Keywords
Threat modeling, Attack simulations, Domain-specific language, Design guidelines, Test coverage
National Category
Computer Systems
Research subject
Electrical Engineering
Identifiers
urn:nbn:se:kth:diva-299982 (URN)
Conference
PoEM’21 Forum: 14th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modelling
Note

QC 20210823

Available from: 2021-08-20. Created: 2021-08-20. Last updated: 2022-12-20. Bibliographically approved
Xiong, W., Hacks, S. & Lagerström, R. (2021). A Method for Quality Assessment of Threat Modeling Languages: The Case of enterpriseLang. In: CEUR Workshop Proceedings. Paper presented at 14th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modeling, PoEM-Forum 2021, 24 November 2021 through 26 November 2021 (pp. 49-58). CEUR-WS
2021 (English). In: CEUR Workshop Proceedings, CEUR-WS, 2021, p. 49-58. Conference paper, Published paper (Refereed)
Abstract [en]

Enterprise systems are growing in complexity, and the adoption of cloud and mobile services has greatly increased the attack surface. To proactively address these security issues in enterprise systems, a threat modeling language for enterprise systems called enterpriseLang was proposed. It is a domain-specific language (DSL) designed using the Meta Attack Language (MAL) framework and focuses on describing system assets, attack steps, defenses, and asset associations. The threat models can serve as input for attack simulations to analyze the behavior of attackers within the system. However, whether and to what extent the functionality of these threat modeling languages is achieved has not been addressed. To ensure the correct functionality of threat modeling languages, this paper proposes a method to assess the quality of such languages and illustrates its application using enterpriseLang.

Place, publisher, year, edition, pages
CEUR-WS, 2021
Keywords
Attack simulations, Design guidelines, Domain-specific language, Test coverage, Threat modeling, Modeling languages, Attack simulation, Cloud services, Design guideline, Enterprise system, ITS applications, Mobile service, Quality assessment, Security issues, Test-coverage, Problem oriented languages
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-316065 (URN); 2-s2.0-85121720425 (Scopus ID)
Conference
14th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modeling, PoEM-Forum 2021, 24 November 2021 through 26 November 2021
Note

QC 20220905

Available from: 2022-09-05. Created: 2022-09-05. Last updated: 2022-12-20. Bibliographically approved
Xiong, W. (2021). Enhancing IT Systems Cyber Resilience through Threat Modeling: Cyber Security Analysis of Enterprise Systems and Connected Vehicles. (Doctoral dissertation). Stockholm: KTH Royal Institute of Technology
2021 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Information technology (IT) systems are growing in complexity and are becoming more and more connected. Such connected systems can increase flexibility and productivity while also introducing security threats. Recent years have witnessed some of the largest, most sophisticated, and most severe cyber attacks on IT systems, which can have severe consequences for individuals and organizations, from water or energy distribution systems to online banking services. Therefore, security is a top priority for IT systems.

To address these security issues proactively, threat modeling can be utilized as follows: to assess the current state of a system, and as a security-by-design tool for developing new systems. Threat models can serve as input for attack simulations, which are used for analyzing the behavior of attackers within the system. The simulation results obtained can help stakeholders to investigate security settings that can be applied to secure their system more effectively.

This thesis presents work on threat modeling for IT systems. The contributions to the field of threat modeling include a systematic literature review on threat modeling (Paper A). With regard to securing enterprise systems, the contributions include a threat modeling language for security assessment of enterprise systems (Paper B), a method for assigning probability distributions in attack simulation languages to provide more realistic simulation results (Paper C), and a method for quality assessment of threat modeling languages (Paper D). With regard to securing connected vehicles, the contributions include a proof-of-concept of an approach for securing connected vehicles using threat modeling coupled with attack simulations (Paper E), and an empirical study to explore common security vulnerabilities and software weaknesses in vehicles (Paper F).

Abstract [sv]

IT systems are growing in complexity and are becoming more and more interconnected. Connecting systems can increase flexibility and productivity, while it can also introduce security gaps. In recent years we have witnessed some of the largest, most sophisticated, and most severe cyber attacks on IT systems, which can have severe consequences for individuals and organizations, from water and energy distribution systems to banking services. Therefore, security is the top priority in IT systems.

To proactively address these security issues, threat modeling can be used to assess the current state of a system and as a tool for designing secure systems. Threat models can also serve as input to attack simulations. These are used to analyze the behavior of attackers within the system, and the simulation results can help stakeholders investigate security settings that can be implemented to secure a system more effectively.

This thesis presents work on threat modeling for IT systems. With regard to threat modeling in general, the contributions include a systematic literature review on threat modeling (Paper A), a method for assigning probability distributions in attack simulation languages to provide more realistic simulation results (Paper C), and a method for quality assessment of threat modeling languages (Paper D). With regard to more domain-specific results, the contributions include a threat modeling language for security assessment of enterprise-wide systems (Paper B), a proof of concept of an approach that uses threat modeling in combination with attack simulations for connected vehicles (Paper E), and an empirical study to explore known vulnerabilities and weaknesses in vehicle software (Paper F).

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2021. p. 47
Series
TRITA-EECS-AVL ; 2021:51
Keywords
Cyber Security, Threat Modeling, Attack Simulations, IT Systems, Security Analysis
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Electrical Engineering
Identifiers
urn:nbn:se:kth:diva-300046 (URN); 978-91-7873-940-0 (ISBN)
Public defence
2021-09-17, https://kth-se.zoom.us/j/65069300996, F3, Lindstedtsvägen 26, KTH Campus, Stockholm, 09:00 (English)
Note

QC 20210823

Available from: 2021-08-23. Created: 2021-08-23. Last updated: 2022-12-20. Bibliographically approved
Xiong, W. & Hacks, S. (2020). Threat Modeling and Attack Simulations for Enterprise and ICS. Paper presented at CS3STHLM Stockholm 19-22 October 2020.
2020 (English). Conference paper, Oral presentation with published abstract (Other (popular science, discussion, etc.))
Abstract [en]

This work concentrates on the cyber security of enterprise and Industrial Control Systems (ICS).

Enterprise systems are growing in complexity, and the adoption of cloud and mobile services has greatly increased attack surfaces. This all has led to fragmentation on the security front. To improve the security of enterprise systems, threat modeling can be applied to proactively deal with security issues from a holistic point of view, and can also be combined with attack simulations to provide quantitative security measurements, which has not been commonly used while shown efficient in some disciplines.

Hitherto, we have proposed the use of attack simulations based on system architecture models. Our approaches facilitate a model of the system and simulate cyber-attacks in order to identify the greatest weaknesses. This can be imagined as the execution of a great number of parallel virtual penetration tests. Such an attack simulation tool enables the security assessor to focus on the collection of the information about the system required for the simulations.

As the previous approaches rely on a static implementation, we propose the use of MAL (the Meta Attack Language). This framework for domain-specific languages (DSLs) defines which information about a system is required and specifies the generic attack logic. Since MAL is a meta language (i.e. the set of rules that should be used to create a new DSL), no particular domain of interest is represented, but it can be used to create languages targeting certain domains.

This work introduces enterpriseLang - a threat modeling language for enterprise security based on the MITRE ATT&CK Matrix, which can assess the cyber security of enterprise systems from a holistic point of view. This compilable language can automatically visualize possible attack paths an adversary may choose, show the most vulnerable asset, and provide possible mitigations for each attack step intended to counter cyber-attacks. The attack steps representing adversary techniques are captured within the ATT&CK Matrix based on real-world observations. These adversary techniques are categorized by tactics, and are organized with security metrics e.g. platform, permissions required, and mitigations that provide information for threat modeling. The proposed threat modeling language is tested through modeling real-world attack scenarios, thus can be used to forecast attacks on enterprise systems. The language can also be re-used by people with less security expertise to automatically assess the security of their specific-enterprise systems.

This core IT related threat modeling language is complemented by our IcsLang that allows to create and simulate OT specific environments. Similarly to enterpriseLang, this language is based on the ICS MITRE ATT&CK Matrix and enriched by real-world observations collected from industry partners in an EU project (EnergyShield). Based on the characteristics of MAL, we will motivate why certain types of attacks are included in our artifact and others not. Mainly, this is based on assumptions, made in the design of MAL and creating a trade-off between level of detail and usability.

To demonstrate the applicability and the integration between the two languages, we present energy domain architecture and simulate well known attacks like the Ukrainian scenario.

National Category
Computer Sciences; Computer Systems
Identifiers
urn:nbn:se:kth:diva-284445 (URN)
Conference
CS3STHLM Stockholm 19-22 October 2020
Note

QC 20201026

Available from: 2020-10-22. Created: 2020-10-22. Last updated: 2022-12-20. Bibliographically approved
Lagerström, R., Xiong, W. & Ekstedt, M. (2020). Threat modeling and attack simulations of smart cities: A literature review and explorative study. In: ICISSP 2020 - Proceedings of the 6th International Conference on Information Systems Security and Privacy. Paper presented at 6th International Conference on Information Systems Security and Privacy, ICISSP 2020, 25-27 February 2020 (pp. 369-376). SciTePress
2020 (English). In: ICISSP 2020 - Proceedings of the 6th International Conference on Information Systems Security and Privacy, SciTePress, 2020, p. 369-376. Conference paper, Published paper (Refereed)
Abstract [en]

Digitization has made enterprises and inter-enterprise organizations (e.g. smart cities) increasingly vulnerable to cyber attacks. Malicious actors compromising computers can have potential damage and disruptions. To mitigate cyber threats, the first thing is to identify vulnerabilities, which is difficult as it requires (i) a detailed understanding of the inter-enterprise architecture, and (ii) significant security expertise. Threat modeling supports (i) by documenting the design of the system architecture, and attack simulation supports (ii) by automating the identification of vulnerabilities. This paper presents a systematic literature review and provides a research outlook for threat modeling and attack simulations of smart cities. The results show that little research has been done in this area, and promising approaches are being developed. 

Place, publisher, year, edition, pages
SciTePress, 2020
Keywords
Attack graph, Cloud, Internet-of-Things, Smart city, Systematic literature review, Threat modeling, Information systems, Information use, Network security, Cyber threats, Cyber-attacks, Inter-Enterprise, Literature reviews, System architectures
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-274237 (URN); 10.5220/0008921903690376 (DOI); 000570766300037 (); 2-s2.0-85083033763 (Scopus ID)
Conference
6th International Conference on Information Systems Security and Privacy, ICISSP 2020, 25-27 February 2020
Note

Duplicate in Scopus 2-s2.0-85176332029

QC 20200713

Available from: 2020-07-13. Created: 2020-07-13. Last updated: 2023-11-23. Bibliographically approved
Xiong, W., Güsever, M., Kaya, K. M. & Lagerström, R. (2019). A Study of Security Vulnerabilities and Software Weaknesses in Vehicles. In: Nordic Conference on Secure IT Systems. Paper presented at 24th Nordic Conference on Secure IT Systems, NordSec 2019 (pp. 204-218). Aalborg, Denmark: Springer, 11875
2019 (English). In: Nordic Conference on Secure IT Systems, Aalborg, Denmark: Springer, 2019, Vol. 11875, p. 204-218. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper, we conduct an empirical study with the purpose of identifying common security vulnerabilities discovered in vehicles. The vulnerability information is gathered for 60 vehicle OEMs (Original Equipment Manufacturers) and common vehicle components from the National Vulnerability Database (NVD). Each vulnerability (CVE) is analyzed with respect to its software weakness type (CWE) and severity score (CVSS). 44 unique CVEs were found in NVD and analyzed. The analysis results show that about 50% of the vulnerabilities fall into the medium severity category, and the three most common software weaknesses reported are protection mechanism failure, buffer errors, and information disclosure.

Place, publisher, year, edition, pages
Aalborg, Denmark: Springer, 2019
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-264014 (URN); 10.1007/978-3-030-35055-0_13 (DOI); 000611477300013 (); 2-s2.0-85076301277 (Scopus ID)
Conference
24th Nordic Conference on Secure IT Systems, NordSec 2019
Note

QC 20200722

Available from: 2019-11-20. Created: 2019-11-20. Last updated: 2022-06-26. Bibliographically approved
Xiong, W., Carlsson, P. & Lagerström, R. (2019). Re-using Enterprise Architecture Repositories for Agile Threat Modeling. In: 2019 IEEE 23rd International Enterprise Distributed Object Computing Workshop (EDOCW). Paper presented at IEEE 23rd International Enterprise Distributed Object Computing Workshop, 28-31 Oct. 2019, Paris, France. Paris, France: Institute of Electrical and Electronics Engineers (IEEE)
2019 (English). In: 2019 IEEE 23rd International Enterprise Distributed Object Computing Workshop (EDOCW), Paris, France: Institute of Electrical and Electronics Engineers (IEEE), 2019. Conference paper, Published paper (Refereed)
Abstract [en]

Digitization has increased exposure and opened up for more cyber threats and attacks. To proactively handle this issue, enterprise modeling needs to include threat management during the design phase that considers antagonists, attack vectors, and damage domains. Agile methods are commonly adopted to efficiently develop and manage software and systems. This paper proposes to use an enterprise architecture repository to analyze not only shipped components but the overall architecture, to improve the traditional designs represented by legacy systems in the situated IT-landscape. It shows how the hidden structure method (with Design Structure Matrices) can be used to evaluate the enterprise architecture, and how it can contribute to agile development. Our case study uses an architectural descriptive language called ArchiMate for architecture modeling and shows how to predict the ripple effect in a damaging domain if an attacker's malicious components are operating within the network.

Place, publisher, year, edition, pages
Paris, France: Institute of Electrical and Electronics Engineers (IEEE), 2019
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-264018 (URN); 10.1109/EDOCW.2019.00031 (DOI); 000520469200017 (); 2-s2.0-85075973320 (Scopus ID)
Conference
IEEE 23rd International Enterprise Distributed Object Computing Workshop, 28-31 Oct. 2019, Paris, France
Note

QC 20191126

Part of ISBN 978-1-7281-4598-3

Available from: 2019-11-20. Created: 2019-11-20. Last updated: 2024-10-23. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0003-0434-4436