: Public Class
Created: 01.06.2017 12:44:00
Modified: 16.03.2021 16:36:32
Project:
Advanced:
The metaclass Attack represents a cyber-physical attack on the system, as well as social engineering attacks on human actors or attacks on processes. Attacks can have multiple subattacks.<br/><br/>It is intended to be part of an attack tree, were the topmost elements are attack motivations and the bottom elements of the attack tree are attacks, i.e., the upper part of the attack tree consists of one root attack motivation that is broken down into fine-grained submotivations; the bottom part of the attack tree comprises the concrete attacks as fine-grained attack motivations. The syntax of AttackMotivations is inspired by the concept of security attack trees and attack vectors.<br/><br/>In connection with the East-ADL, SAM treats attacks as a special form of use cases, the misuse case. These were first defined by Sindre, Guttorm & Opdahl, Andreas (1) in .<br/><br/>Semantics:<br/><br/>Attacks that are used to model the attack tree, where attack motivations cover the topmost part and attacks cover the bottom part of the attack tree.<br/><br/>Constraints:<br/><br/>[1] Leaves of the attack tree should be attacks, not attack motivations.<br/><br/>Optional:<br/>[2] Attacks are performed by an Adversary. It is recommended to associate each attack to an adversary instance.<br/>[3] Some attacks may cause Dependability::Hazards (safetyRelevance)<br/><br/>Notation:<br/><br/>The Attack is shown as a solid-outline rectangle with a crosshair icon containing the name. Submotivations and subattacks are connected to their respective supermotivation/superattack by an undirected relationship and are arranged below their supermotivation/superattack (tree view).<br/><br/><br/><br/>Extension: Specialization of SysML::Requirement<br/><br/>(1) SINDRE, Guttorm; OPDAHL, Andreas L. Capturing security requirements through misuse cases. NIK 2001, Norsk Informatikkonferanse 2001, http://www. nik. no/2001, 2001.<br/>
Attribute
Public String
  accessRequired (AV)
Details:
Notes: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score.<br/><br/>Network (N) A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).<br/><br/>Adjacent A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014.<br/><br/>Local (L) A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.<br/><br/>Physical (P) A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.<br/><br/>In the original CVSS Score this Attribute is named for Attack Vector (AV).<br/>
Public String
  attackComplexity (AC)
Details:
Notes: This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). This metric value is largest for the least complex attacks.<br/><br/>Low (L) Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.<br/><br/>High (H) A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. 2 For example, a successful attack may depend on an attacker overcoming any of the following conditions:<br/>- The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc.<br/>- The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.<br/>- The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).<br/><br/><br/>
Public String
  privilegesRequired (PR)
Details:
Notes: This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required.<br/><br/>None (N) The attacker is unauthorized prior to attack, and therefore does not require any access to settings, files or areas to carry out an attack.<br/><br/>Low (L) The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings, files or area access owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.<br/><br/>High (H) The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files or has the authority to enter areas or to view confidential documents .<br/>
Public String
  urgency
Details:
Notes: In SAM, urgency describes an attribute of an attack. The context is determined by the type of attack. In a social engineering attack, for example, urgency is an attribute that the attacker can exploit to induce a victim to act rashly. In the case of attacks on systems, the urgency implies, for example, the existence of so-called race conditions during the execution of code that can be exploited.<br/><br/>https://educalingo.com/en/dic-en/urgency<br/><br/>Not Defined (X) A statement as to whether this attribute is being exploited cannot be confirmed with certainty.<br/>None (N) This attribute is not exploited.<br/>Low (L) This attribute is exploited to a limited extent.<br/>High (H)  This attribute is exploited to a great extent.<br/><br/>
Public String
  userInteraction (UI)
Details:
Notes: This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required.<br/><br/>None (N) The vulnerable system can be exploited without interaction from any user.<br/><br/>Required (R) Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.<br/>
Element Source Role Target Role
AttackFeasibilityScore
Class   		Name:  
  		Name:  
 
Details:
 
UseCase
Class   		Name:  
  		Name: operationalSituationUseCase
 
Details:
 
Situation
Class   		Name:  
  		Name: environment
 
Details:
 
Mode
Class   		Name:  
  		Name: operatingMode
 
Details:
 
Situation
Class   		Name:  
  		Name: traffic
 
Details:
 
RequirementsRelationship
Class   		Name:  
  		Name: externalMeasures
 
Details:
 
Adversary
Class   		Name:  
  		Name:  
 
Details:
 
Element Source Role Target Role
SubAttackGroup
Class   		Name:  
  		Name:  
 
Details:
 
ThreatScenario
Class   		Name:  
  		Name:  
 
Details:
 
SecurityConcept
Class   		Name:  
  		Name:  
 
Details:
 
SubAttackGroup
Class   		Name:  
  		Name:  
 
Details:
 
Object Type Connection Direction Notes
SubAttackGroup Class Strong From  
AttackMotivation Class Generalization To  
UseCase Class Generalization To