This paper has proposed a method to develop an attack tree, from application vulnerability data discovered through tests and scans and correlation analysis using incoming transaction requests monitored by a Web Application Firewall (WAF) tool. The attack tree shows multiple pathways for an attack to shape through vulnerability linkages and a deeper analysis of the Common Weakness Enumeration (CWE) and Common Vulnerability Exposure (CVE) mapping to individual vulnerabilities. By further relating to a parent, peer, or child CWE (including CWEs that follow another CWE and in some cases precede other CWEs) will provide more insight into the attack patterns. These patterns will reveal a multi-vulnerability, multi-application attack pattern which will be hard to visualize without data consolidation and correlation analysis. The correlation analysis tied to the test and scan data supports a vulnerability lineage starting from incoming requests to individual vulnerabilities found in the code that traces a possible attack path. This solution, if automated, can provide threat alerts and immediate focus on vulnerabilities that need to be remedied as a priority. SOAR (Security Orchestration, Automation, and Response), XSOAR (Extended Security Orchestration, Automation, and Response), SIEM (Security Information and Event Management), and XDR (Extended Detection and Response) are more constructed to suit networks, infrastructure and devices, and sensors; not meant for application security vulnerability information as collected. So, this paper makes a special case that must be made for integration of application security information as part of threat intelligence, and threat and incident response systems.
| Published in | American Journal of Networks and Communications (Volume 13, Issue 1) |
| DOI | 10.11648/j.ajnc.20241301.12 |
| Page(s) | 19-29 |
| Creative Commons |
This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited. |
| Copyright |
Copyright © The Author(s), 2024. Published by Science Publishing Group |
Incidence Response, Vulnerability Correlation, Attack Surface, MITRE Enterprise ATT&CK Matrix, Threat Model, Attack Tree
| [1] | Cinque, M., Cotroneo, D., and Pecchia, A. Challenges and Directions in Security Information and Event Management (SIEM). In 2018 IEEE International Symposium on Software Reliability Engineering Workshops. http://dx.doi.org/10.1109/ISSREW.2018.00-24 |
| [2] | Velásquez, J. M. L., Monterrubio, S. M. M., Luis Enrique Sánchez Crespo, L. E. S., and Rosado, D. G. Systematic review of SIEM technology: SIEM-SC birth. In International Journal of Information Security (2023) 22: 691–711, https://doi.org/10.1007/s10207-022-00657-9 |
| [3] | Muhammad, A. R., Sukarno, P., and Wardana, A. A. Integrated Security Information and Event Management (SIEM) with Intrusion Detection System (IDS) for Live Analysis based on Machine Learning. In 4th International Conference on Industry 4.0 and Smart Manufacturing, ScienceDirect, Procedia Computer Science 217 (2023) 1406–1415, https://doi.org/10.1016/j.procs.2022.12.339 |
| [4] | Mern, J., Hatch, K., Silva, R., Hickert, C., Sookoor, T., and Kochenderfer, M. J. Autonomous Attack Mitigation for Industrial Control Systems. In 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). https://doi.org/10.48550/arXiv.2111.02445 |
| [5] | Gonzalez-Granadillo, G., Gonzalez-Zarzosa, S., and Diaz, R. Security Information and Event Management (SIEM): Analysis, Trends, and Usage in Critical Infrastructures. In Sensors 2021, 21, 4759. https://doi.org/10.3390/s21144759 |
| [6] | Johnson, J., McCarty, M., Richardson, B., Rieger, C., Cooley, R., Gentle, J. P., Rothwell, B., Phillips, T., Novak, B., Culler, M., Schwalm, K., and Wright, B. Hardening Wind Energy Systems from Cyber Threats–Final Project Report. In SANDIA REPORT, SAND2023-12610, Printed February 2023. |
| [7] | Nour, B., Pourzandi, M., and Debbabi, M. A Survey on Threat Hunting in Enterprise Networks. In IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 4, FOURTH QUARTER 2023. https://doi.org/10.1109/COMST.2023.3299519 |
| [8] | Olteanu, I. Evaluating the response effectiveness of XDR technology in a scaled down environment. Eindhoven University of Technology, Available from: https://research.tue.nl/files/305661196/Olteanu_I.C..pdf |
| [9] | EdgeScan. Vulnerability Statistics Report. In Edgescan, pp. 4-17, Available from: https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf |
| [10] | Sevri, M. and Karacan, H. Deep learning-based web application security. In Proc. of 2nd Int. Conf. on Advanced Technologies, in Proc. Computer Engineering and Science (ICATCES), Antalya, Turkey, pp. 349-354, Apr. 2019. |
| [11] | Kasturi, S. Post Implementation Evaluation of Coverage in Software Testing Using Monitoring Tools. 2020 IEEE International Conference on Computing, Power and Communication Technologies, (GUCON), Oct 2-4, 2020, pp. 13-21, https://doi.org/10.1109/GUCON48875.2020.9231169 |
| [12] | Kasturi, S., Li, X., Pickard, J., and Li, P. Understanding Statistical Correlation of Application Security Vulnerability Data from Detection and Monitoring Tools. In 2023 33rd International Telecommunication Networks and Applications Conference, Melbourne, Australia, 2023, pp. 289-296, https://doi.org/10.1109/ITNAC59571.2023.10368476 |
| [13] | MITRE. 2022 CWE Top 25 Most Dangerous Software Weaknesses. Available from: https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html |
| [14] | OWASP. OWASP Top 10. OWASP, Available from: https://owasp.org/Top10/ |
| [15] | MITRE. Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules. MITRE, Available from: https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf; https://nvd.nist.gov/vuln |
| [16] | Saini, V. K., Duan, Q., and Paruchuri, V. Threat Modeling Using Attack Trees. Researchgate, Available from: https://www.researchgate.net/publication/234738557_Threat_Modeling_Using_Attack_Trees |
| [17] | Lohmann, P., Albuquerque, C., and Machado, R.C.S. Systematic Literature Review of Threat Modeling Concepts. In Researchgate Conference Paper, March 2023 https://doi.org/10.5220/0000168400003405, Available from: https://www.researchgate.net/publication/368897944_Systematic_Literature_Review_of_Threat_Modeling_Concepts |
| [18] | Xiong, W., Legrand, E., Aberg, O., and Lagerstrom, R. Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. Software and Systems Modeling (2022) 21: 157–177 Available from: https://doi.org/10.1007/s10270-021-00898-7 |
| [19] | Akamai. Slipping Through the Security Gaps: The Rise of Application and API Attacks. Akamai, Available from: https://www.akamai.com/blog/security/the-rise-of-application-and-api-attacks |
| [20] | Carielli, S., DeMartine, A., Provost, A. C. and Dostie, P. The Forrester Wave™: Web Application Firewalls, Q3 2022, The 12 Providers That Matter Most And How They Stack Up. In Forrester, September, Available from: https://www.forrester.com/report/the-forrester-wave-tm-web-application-firewalls-q3-2022/RES176396 |
| [21] | FASTLY. 10 Key Capabilities of the Fastly Next-Gen WAF. FASTLY, 2022, Available from: https://learn.fastly.com/security-10-key-capabilities-of-fastlys-next-gen-waf.html |
| [22] | Signal Sciences. Identifying Web Attack Indicators. Available from: signal-sciences-white-paper-identifying-web-attack-indicators.pdf (signalsciences.com). |
| [23] | Na, J. Introducing Secure Application: True Runtime Application Self-Protection (RASP) for the Modern Application. In CISCO App Dynamics. Available from: https://www.appdynamics.com/blog/product/application-security/ |
| [24] | Salemi, M. Automated rules generation into Web Application Firewall using Runtime Application Self-Protection. Ecole polytechnique de Louvain, Université catholique de Louvain, 2020. Prom.: Ramin Sadre; Legay, Axel. Available from: http://hdl.handle.net/2078.1/thesis:25351 |
| [25] | OWASP-API. OWASP API Security Top 10. OWASP, Available from: https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/ |
APA Style
Kasturi, S., Li, X., Li, P., Pickard, J. (2024). A Proposed Approach to Integrate Application Security Vulnerability Data with Incidence Response Systems. American Journal of Networks and Communications, 13(1), 19-29. https://doi.org/10.11648/j.ajnc.20241301.12
ACS Style
Kasturi, S.; Li, X.; Li, P.; Pickard, J. A Proposed Approach to Integrate Application Security Vulnerability Data with Incidence Response Systems. Am. J. Netw. Commun. 2024, 13(1), 19-29. doi: 10.11648/j.ajnc.20241301.12
AMA Style
Kasturi S, Li X, Li P, Pickard J. A Proposed Approach to Integrate Application Security Vulnerability Data with Incidence Response Systems. Am J Netw Commun. 2024;13(1):19-29. doi: 10.11648/j.ajnc.20241301.12
Share This Article
Twitter
Linked In
Facebook
Copy
Download@article{10.11648/j.ajnc.20241301.12,
author = {Santanam Kasturi and Xiaolong Li and Peng Li and John Pickard},
title = {A Proposed Approach to Integrate Application Security Vulnerability Data with Incidence Response Systems},
journal = {American Journal of Networks and Communications},
volume = {13},
number = {1},
pages = {19-29},
doi = {10.11648/j.ajnc.20241301.12},
url = {https://doi.org/10.11648/j.ajnc.20241301.12},
eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajnc.20241301.12},
abstract = {This paper has proposed a method to develop an attack tree, from application vulnerability data discovered through tests and scans and correlation analysis using incoming transaction requests monitored by a Web Application Firewall (WAF) tool. The attack tree shows multiple pathways for an attack to shape through vulnerability linkages and a deeper analysis of the Common Weakness Enumeration (CWE) and Common Vulnerability Exposure (CVE) mapping to individual vulnerabilities. By further relating to a parent, peer, or child CWE (including CWEs that follow another CWE and in some cases precede other CWEs) will provide more insight into the attack patterns. These patterns will reveal a multi-vulnerability, multi-application attack pattern which will be hard to visualize without data consolidation and correlation analysis. The correlation analysis tied to the test and scan data supports a vulnerability lineage starting from incoming requests to individual vulnerabilities found in the code that traces a possible attack path. This solution, if automated, can provide threat alerts and immediate focus on vulnerabilities that need to be remedied as a priority. SOAR (Security Orchestration, Automation, and Response), XSOAR (Extended Security Orchestration, Automation, and Response), SIEM (Security Information and Event Management), and XDR (Extended Detection and Response) are more constructed to suit networks, infrastructure and devices, and sensors; not meant for application security vulnerability information as collected. So, this paper makes a special case that must be made for integration of application security information as part of threat intelligence, and threat and incident response systems.
},
year = {2024}
}
TY - JOUR T1 - A Proposed Approach to Integrate Application Security Vulnerability Data with Incidence Response Systems AU - Santanam Kasturi AU - Xiaolong Li AU - Peng Li AU - John Pickard Y1 - 2024/03/07 PY - 2024 N1 - https://doi.org/10.11648/j.ajnc.20241301.12 DO - 10.11648/j.ajnc.20241301.12 T2 - American Journal of Networks and Communications JF - American Journal of Networks and Communications JO - American Journal of Networks and Communications SP - 19 EP - 29 PB - Science Publishing Group SN - 2326-8964 UR - https://doi.org/10.11648/j.ajnc.20241301.12 AB - This paper has proposed a method to develop an attack tree, from application vulnerability data discovered through tests and scans and correlation analysis using incoming transaction requests monitored by a Web Application Firewall (WAF) tool. The attack tree shows multiple pathways for an attack to shape through vulnerability linkages and a deeper analysis of the Common Weakness Enumeration (CWE) and Common Vulnerability Exposure (CVE) mapping to individual vulnerabilities. By further relating to a parent, peer, or child CWE (including CWEs that follow another CWE and in some cases precede other CWEs) will provide more insight into the attack patterns. These patterns will reveal a multi-vulnerability, multi-application attack pattern which will be hard to visualize without data consolidation and correlation analysis. The correlation analysis tied to the test and scan data supports a vulnerability lineage starting from incoming requests to individual vulnerabilities found in the code that traces a possible attack path. This solution, if automated, can provide threat alerts and immediate focus on vulnerabilities that need to be remedied as a priority. SOAR (Security Orchestration, Automation, and Response), XSOAR (Extended Security Orchestration, Automation, and Response), SIEM (Security Information and Event Management), and XDR (Extended Detection and Response) are more constructed to suit networks, infrastructure and devices, and sensors; not meant for application security vulnerability information as collected. So, this paper makes a special case that must be made for integration of application security information as part of threat intelligence, and threat and incident response systems. VL - 13 IS - 1 ER -
Department of Technology Management, Indiana State University, Terre Haute, USA
Information