Security Engineering (SE) Workbench


Security Attack Explorer Tool

The Security Attack Explorer (SAE) is a software tool that aids Security Engineers involved in reviewing attack patterns and selecting relevant attack patterns for Threat Models, Threat Assessments and planning for Security Tests.

To perform these Threat Assessments, Security Engineers will consult any of a number of authoritative reference documents concerned with Security Controls. The base documents for this type of assessment typically include: Mitre Common Attack Patterns, Mitre Attack, Mitre CWE and related technical reference documents.

The SAE tool provides a convenient way for the Security Engineer to explore the information in this grouping of reference information.

Security Attack Analysis Process Review

Table #1 below provides an overview of the Attack analysis process and information resources. The left side of the table shows the basic process where security engineers perform a variety of tasks to model, analyze and provision controls and countermeasures that map to relevant risks and attacks on information systems and assets. The right side of the table calls out reference information used by security engineers.

Table #1. Security Attack Analysis Process

Security Control Analysis Process
Security Attack Analysis Process

Security Control Analysis Reference Information
Security Attack Analysis Reference Information

Authoritative Information Sources

  1. NIST SP800-53R5
  2. ISO/IEC 27002:2013
  3. Common Criteria for Information Security Evaluation
  4. Mitre Attack
  5. Mitre Common Attack Patterns (CAPEC)
  6. Mitre Common Weakness Enumeration (CWE)
  7. Mitre Common Vulnerability Enumeration (CVE)
  8. NIST SP800-30 Guide for Risk Assessment
  9. NIST Cybersecurity Framework
  10. NIST SP 1800-5 Asset Management
  11. Cybersecurity workforce framework

SAE Tool Overview

Table #2 below provides an overview of the SAE Tool. The user interface for the tool is a web browser. The display is divided into two sections: the upper section is the header portion and the lower section is the data portion.

Table #2 - SAE Tool Layout

SAE Tool User Interface Web Browser
Tool Layout

The primary document for the SAE tool is Mitre CAPEC. Each entry in Mitre CAPEC represents a security attack pattern. Each attack pattern entry contains detailed information about the attack, along with direct and indirect references to other (secondary) documents in the document map. Each secondary reference contains detailed information, as well as references to other secondary documents or the primary document.

SAE Tool Detail

Security Attack Explorer Tool - Upper Section

The upper section of the browser window, shown in Table #3 below, contains three areas of interest:
  1. Banner Area: identifies the tool
  2. Information Page Toggle: provides a means to show/hide the Tool Information Table
  3. Tool Information Table: identifies key information about the tool, including: tool version, revision date, contact information, general description of the tool, general usage tips, source documents, terms of use, and disclaimers.

Table #3 - SAE Header

SAE Header

Security Attack Explorer Tool - Lower Section

The Lower Section of the browser window, shown in Table #4, contains 8 areas of interest:
  1. Page and Data Format Buttons: provide the ability to show and hide specific data columns, options for selecting and deselecting data, and options for exporting data to the computer's clipboard, or external files in CSV, PDF or Print format.
  2. Data Filters: provide the ability to filter the data to be displayed based on a number of predefined parameters.
  3. Text Search Data Entry Field: provides the ability to filter the data to be displayed using an operator-entered text string.
  4. Column Headers: identify the content in each column, and provide the ability to sort selected columns in ascending or descending order.
  5. Tool Data Content: one or more rows of data, grouped by column.
  6. Row Selectors: provide the ability to select individual rows. May be used in combination with the Select Data button in #4 to select groupings of rows from filtered data.
  7. Page Footer: describes the number of visible rows
  8. Page Navigator: provides the ability to select the page shown, if there are multiple pages of data in the active display

Table #4 - SAE Data

SAE Data

The Data Table (identified as item 8 in Table #4) is the focus of the tool. On initialization, the Data Table contains one row for each entry in the main reference document along with related direct and indirect references. For the Security Attack Explorer, the main reference document is the version of the Mitre Common Attack Patterns listed in the Tool Information Table. The data cells are constructed with information from the primary and secondary information sources, as well as derived data. The data cells may contain single data elements, grouped data elements or composite data. Derived data elements may include links to external references, data that is aggregated from one or more information sources, and/or knowledge insights. The size, content and order of the Data Table at any time depend on the user-driven operations.

The headings and buttons at the top of the Data Table are used to manipulate the information in the Data Table.

  • Data Filters (item 5 in Table #4) The Data Filters are a series of pull-down menus that provide for selection and filtering of the data on the values that correspond to the label on each menu.

    SAE Data Filters include:

    • Mitre CAPEC ID Number
    • Mitre Attack Pattern Name
    • Pattern Abstraction Level
    • Typical Likelihood
    • Typical Severity
    • Attack Domain
    • Reference Lists
    • Defect v. Abuse
    • Related Mitre CWE

  • Search Field (item 6 in Table #4) The search field provides for selection and filtering of the data using free form text.
  • Column Header Fields (item 7 in Table #4) The column headers identify the content in each column. Selected columns can be sorted in ascending or descending order.

    SAE Data Columns include:

    • Select Checkbox
    • Attack Description (Sortable, Default: Visible)
    • Attack Execution Flow (Default: Visible)
    • Mitigations (Default: Visible)
    • Typical Severity (Sortable, Default: Not Visible)
    • Typical Likelihood (Sortable, Default: Not Visible)
    • Attack Impact (Default: Not Visible)
    • Related Mitre CWE (Default: Not Visible)

  • Row Selector Fields (item 9 in Table #4) The row selectors provide the ability to highlight and select rows of interest in the data portion of the display. The row selectors are used in combination with the Select Data and Export Data buttons to create custom output.
  • Page Footer Field (item 10 in Table #4) The footer displays the total number of rows to be displayed. The right side of the footer provides navigation for the number of pages to be displayed.

SAE Tool User Operations

The SAE tool is designed to support the security engineer in evaluating and selecting security attack patterns that are relevant to a specific problem. To do that, the tool provides the means for the security engineer to search, sort, select and review the available information on security attacks and export the findings for follow-up.

When the tool is invoked, the Data Area contains the default view of the entire security information base. The user may perform operations in any order:

  • Scrolling up/down to view the data elements
  • Setting/resetting the display page size to 10, 25, 50 or 100 entries
  • Sorting a column by clicking on the column header. Nested sorting is achieved by sorting the desired columns from least significant to most significant
  • Filtering via Text Search, for example "SQL"
  • Filtering via drop down menu.
  • Opening URL to access extended information in the cell
  • Highlighting / Selecting one or more rows of information using the cursor on the checkbox in the left column
  • Highlighting / Selecting sets of filtered data using the Select Data Button
  • Exporting Selected rows using the CSV, PDF, Print or Copy to Clipboard buttons within Export Data Button
  • Changing the displayable columns using the Column Visibility Button

SAE Export Data Function

The Export function is used to create and store a copy of some or all of the data in the tool in PDF, CSV or Print formats. The export function operates on data that has been selected. There are two ways to select data: (1) clicking on the checkbox of one or more rows of data, or (2) using the filter or text search features of the tool to narrow the focus of the visible data and then using the Select Data function to either Select All Data or Select Filtered Data.

Table #5 below provides a visualization of the use of the Export function, where the user can select to "Copy Selected to Clipboard", generate a "PDF" document, generate a spreadsheet file in the "CSV" (Comma Separated Value) format, or create a "Print" file for local or network printing. The "Copy to Clipboard" function requires the operator to select a destination application, such as Notepad, a word processing document or other. The PDF, CSV or Print options will automatically open a window to the corresponding application, assuming that the user's computer system has a compatible application.

Table #5 - SAE Export Data Function

SAE Export
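
The search, filter, nested-sort and CSV-export workflow described above can be reproduced offline for a threat-model worksheet. The following is an added example, not the SAE tool's own code; the field names, the helper functions and the five sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample rows. Field names mirror the SAE filters and columns;
# likelihood/severity/CWE values are illustrative, not an authoritative CAPEC extract.
ROWS = [
    {"capec_id": 66, "name": "SQL Injection", "likelihood": "High",
     "severity": "High", "domain": "Software", "cwe": "CWE-89"},
    {"capec_id": 7, "name": "Blind SQL Injection", "likelihood": "High",
     "severity": "High", "domain": "Software", "cwe": "CWE-89"},
    {"capec_id": 63, "name": "Cross-Site Scripting (XSS)", "likelihood": "High",
     "severity": "Very High", "domain": "Software", "cwe": "CWE-79"},
    {"capec_id": 98, "name": "Phishing", "likelihood": "High",
     "severity": "Very High", "domain": "Social Engineering", "cwe": "CWE-451"},
    {"capec_id": 163, "name": "Spear Phishing", "likelihood": "High",
     "severity": "High", "domain": "Social Engineering", "cwe": "CWE-451"},
]
# Ordinal ranks so "Very High" sorts above "High" instead of alphabetically.
RANK = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}

def text_search(rows, term):
    """Free-form search: keep rows where any cell contains the term (case-insensitive)."""
    t = term.lower()
    return [r for r in rows if any(t in str(v).lower() for v in r.values())]

def menu_filter(rows, column, value):
    """Drop-down filter: keep rows whose column equals the chosen value."""
    return [r for r in rows if r[column] == value]

def nested_sort(rows, keys):
    """keys = [(column, descending), ...], most significant first.
    Stable sorts are applied from least to most significant column."""
    out = list(rows)
    for column, descending in reversed(keys):
        out.sort(key=lambda r: RANK.get(r[column], r[column]), reverse=descending)
    return out

def export_csv(rows, columns):
    """Export only the visible columns of the selected rows as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    hits = nested_sort(text_search(ROWS, "SQL"), [("severity", True), ("capec_id", False)])
    print(export_csv(hits, ["capec_id", "name", "severity"]))
```

The nested sort works only because each pass is stable: rows that tie on the more significant column keep the order set by the earlier, less significant pass.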

Sample Exercises

Some basic questions/problems the SAE tool can help answer include:

  1. What are the attacks associated with Cross Site Scripting (or XSS) vulnerabilities?
  2. What are attacks associated with "wifi" or "wi-fi"?
  3. What attacks in the software domain are not associated with a software defect?
  4. List and describe attacks on hardware.
  5. What are the variations of Phishing attacks?
Refer to the SAE Exercise link from the Project homepage for examples.

Copyright © 2021,2022 Jim Whitmore.

LAST UPDATE: 29 March 2022