What is it about?
In this article, we introduce ESSecA, an Expert System for Security Assessment that guides penetration testers during the assessment of IoT systems, in a threat-intelligence-driven perspective. ESSecA bases its analysis on different knowledge-bases, some, such as the CAPEC, maintained by MITRE. Starting from the system model, ESSecA produces a Threat Model and a list of Attack Plans for each identified threat. This information can be used by penetration testers to perform a systematic security test of the target system or infrastructure.
Photo by FLY:D on Unsplash
Why is it important?
This work proposes a technique for assessing the security of systems in an almost fully automated way. The process leverages the ESSecA expert system, which takes the system model as input and produces two main outputs, a Threat Model and a Testing Plan. The outputs can be leveraged by a penetration tester to systematically perform a security testing of the System Under Test (SUT). The proposed approach is innovative, as outlined in the state of art, for to three key aspects: i) it is almost fully automated, ii) it relates attacks to threats and iii) for the attack plans in relies on open knowledge bases derived from Cyber Threat Intelligence (CTI).
Read the Original
This page is a summary of: MetaSEnD: A Security Enabled Development Life Cycle Meta-Model, August 2022, ACM (Association for Computing Machinery), DOI: 10.1145/3538969.3544463.
You can read the full text:
The following have contributed to this page