The Center for Secure Information Systems

Research I Building, 4th Floor

George Mason University
Fairfax, VA 22030-4444

COMBINATORIAL ANALYSIS UTILIZING LOGICAL DEPENDENCIES

RESIDING ON NETWORKS (CAULDRON)

CAULDRON USER GUIDE

BY

CENTER FOR SECURE INFORMATION SYSTEMS

LAST MODIFIED JULY 28, 2008

GMU Proprietary

CAULDRON User Guide

1

TABLE OF CONTENTS
1.

INTRODUCTION

2.

CAULDRON MODELING CONCEPTS

2.1
2.2

Vulnerability Scans ............................................................................................7

Firewall Data ......................................................................................................8

3.

CAULDRON GUI

4.

IMPORTING SCAN DATA

4.1
4.2
4.3
4.4
4.5

5.

9
10

Subnets and Firewalls ......................................................................................10

Importing Nessus Data ....................................................................................11
Importing FoundScan Data ............................................................................15
Importing Symantec Discovery Data .............................................................18
Importing Firewall Rules ................................................................................18

CAULDRON ANALYSIS
5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.3

20

Running CAULDRON.....................................................................................20
Input and Output Files .......................................................................................22
Start and Goal Machines ....................................................................................22
Direct Attack Paths ............................................................................................25
Cycles through Start and Goal ...........................................................................27
Applying Mitigation Solutions ..........................................................................31
Finalizing CAULDRON Scenario .....................................................................34
Visualizing CAULDRON Results ...................................................................35
Visualization Overview .....................................................................................35
Viewing the Attack Graph .................................................................................36
The Exploit Table ..............................................................................................43
Toolbar Functions ..............................................................................................45
Network Hardening Recommendations .........................................................50

GMU Proprietary

CAULDRON User Guide

2

TABLE OF FIGURES
Figure 1. Nessus Connectivity ............................................................................. 6
Figure 2. Connectivity Graph from Nessus Scan Data......................................... 6
Figure 3. Nessus Scans for Two Subnets ............................................................ 7
Figure 4. Nessus Scans for Three Subnets ......................................................... 8
Figure 5. Initial view of CAULDRON GUI ............................................................. 9
Figure 6. Vulnerability Scan Sample Network .................................................... 11
Figure 7. Vulnerability Scanner Import Tool using Nessus ................................ 12
Figure 8. Select ScanResults Directory Dialog for Nessus ................................ 13
Figure 9. After Selecting a ScanResults Directory for Nessus ........................... 14
Figure 10. Vulnerability Scanner Import Tool for FoundScan ............................ 15
Figure 11. Select ScanResults Directory Dialog for FoundScan ........................ 16
Figure 12. After Selecting a ScanResults Directory for FoundScan ................... 17
Figure 13. Enabling Import of Firewall Rule Data............................................... 19
Figure 14. Creating CAULDRON scenario......................................................... 20
Figure 15. Property Dialog ................................................................................. 21
Figure 16. CAULDRON Scenario Panel ............................................................ 22
Figure 17. Unconstrained (Any) Start and Goal Machine................................... 24
Figure 18. Selecting a Start Machine ................................................................. 24
Figure 19. Selecting a Goal Machine ................................................................. 25
Figure 20. Direct Attack Paths Checkbox .......................................................... 25
Figure 21. Attack Graph with Indirect Attacks .................................................... 26
Figure 22. Attack Graph with Direct Attacks Only .............................................. 27
Figure 23. Attack Graph with No Cycles Containing Start or Goal ..................... 28
Figure 24. Allowing Cycles Back into Start Machine .......................................... 28
Figure 25. Attack Graph Allowing Cycles through Start ..................................... 29
Figure 26. Allowing Cycles Away from Goal Machine ........................................ 29
Figure 27. Attack Graph Allowing Cycles through Goal ..................................... 30
Figure 28. Allowing Cycles through Start and Goal............................................ 30
Figure 29. Attack Graph Allowing Cycles through Start and Goal ...................... 31
Figure 30. No Mitigation Solutions Applied ........................................................ 32
Figure 31. Applying Known Vulnerability Mitigation Solutions............................ 32
Figure 32. List of Vulnerability Mitigation Solutions ............................................ 32
Figure 33. Details for Vulnerability Mitigation ..................................................... 33
Figure 34. Applying Unknown Vulnerability Mitigation Solutions ........................ 33
Figure 35. Before Starting CAULDRON Scenario .............................................. 34
Figure 36. Major Components of Attack Graph Visualization............................. 35
Figure 37. A Sample Attack Graph View............................................................ 38
Figure 38. Exploits in the Graph View ................................................................ 39
Figure 39. Exploit Table ..................................................................................... 45
Figure 40. Toolbar Functions ............................................................................. 46
Figure 41. Print Options ..................................................................................... 47

GMU Proprietary

CAULDRON User Guide

3

Figure 42.
Figure 43.
Figure 44.
Figure 45.
Figure 46.
Figure 47.
Figure 48.

The Magnify Zoom Tool .................................................................... 48

Graph Rearrangement via Hierarchical Layout ................................. 50
Network Hardening Button ................................................................ 51
Attack Graph for Network Hardening Recommendations ................. 51
List of Hardening Recommendations ................................................ 51
Recommended Hardening between a Pair of Protection Domains ... 52
Exploit Details for a Hardening Recommendation ............................ 52

GMU Proprietary

CAULDRON User Guide

4

1.

INTRODUCTION

Researchers at George Mason Universitys Center for Secure Information Systems

(CSIS) have extended traditional vulnerability analysis through the Combinatorial
Analysis Utilizing Logical Dependencies Residing on Networks (CAULDRON) tool.
CAULDRON searches for sequences of interdependent vulnerabilities distributed among
the various network machines. The result is the discovery of attack paths within the
network with respect to pre-defined attack goals. This provides insight into the hardening
measures needed for eliminating the attack paths. It also supports inexpensive what-if
analysis, alleviating the need to build actual test networks for penetration testing and
vulnerability analysis.
In CAULDRON, network modeling captures the configuration of the network under
analysis. The network model can be populated either manually or from network scans.
CAULDRON also relies on exploit modeling, in which attacker exploits are modeled in
terms of their preconditions and postconditions.
CAULDRON automatically explores the total security ramifications of vulnerabilities
accessible to an attacker. The approach follows actual attack patterns, in which a series
of exploits incrementally diminishes network security. The attack paths discovered in
CAULDRON show the exact steps that attackers can take to reach their goals, giving a
full picture of network vulnerability. Such complete analysis promotes the development
of well-informed security policies. Moreover, the analysis is performed off-line, leaving
operational networks undisturbed.
The next section gives an overview of network attack modeling with the CAULDRON
tool. Section 3 describes the operation of the CAULDRON user interface. Section 4
shows how to create input models for CAULDRON. Section 5 describes the details of
CAULDRON network attack graph analysis.

2.

CAULDRON MODELING CONCEPTS

CAULDRON requires vulnerability connections between machines in a network. A

vulnerability connection consists of the existence of vulnerability on a machine and the
fact that another machine can connect to that vulnerability (services) over the network.
The CAULDRON Graphical User Interface (GUI) provides mechanisms for building a
network description and loading network scans into CAULDRON for execution.
A vulnerability scanner such as Nessus provides a list of vulnerabilities for each machine,
with the implication that those vulnerabilities are reachable over the network from the
scanning machine. This concept is illustrated in Figure 1.

GMU Proprietary

CAULDRON User Guide

5

Vulnerability 11003:
DDI_IIS_Compromised
Server 1
Vulnerability 11092:
apache_win32_dir_trav
Scan Machine
Server 2

Vulnerability 10951
cachefsd_overflow

Server 3

Figure 1. Nessus Connectivity

Multiple scans from points in the network allow CAULDRON to build a comprehensive
model of connections to vulnerable services. CAULDRON includes the capability for
merging these multiple scan results into a single network model, e.g., the one shown in
Figure 2. CAULDRON can also import firewall data directly (for the Sidewinder
firewall), and add any additional connections to vulnerable services.

Vulnerability 11003:
DDI_IIS_Compromised

Server 1

Vulnerability 11092:
apache_win32_dir_trav

Server 2
Vulnerability 10951:
cachefsd_overflow

Vulnerability 11092:
apache_win32_dir_trav

Server 3:

Figure 2. Connectivity Graph from Nessus Scan Data

When you run a network scan (e.g., with Nessus), you specify what targets to scan. To
give CAULDRON a complete view of the entire network, your scanner must be
configured to scan all relevant parts of the network to be included in the analysis.

GMU Proprietary

CAULDRON User Guide

6

Common practice is to scan a target once, from a scanner that has unrestricted access
(e.g., not blocked by firewalls) to the targets. But that does not capture the network as
seen by a potential attacker.

2.1

Vulnerability Scans

To capture the network model for CAULDRON scans should be done from each subnet,
and configured to scan all machines within the subnet and all machines in neighboring
subnets. The idea is to capture the visibility of all machines to all other machines across
all subnets. One scan per subnet, correctly configured, provides adequate detail for
CAULDRON. In other words, if multiple subnets will be included in the analysis, the
scans need to include not only intra-subnet, but also inter-subnet.
As an example, Figure 3 shows two subnets connected by a firewall. For this network,
perform these Nessus scans:
1. Scan 10.10.1.1-254 and 10.10.2.1-254 from machine 10.10.1.1
2. Scan 10.10.1.1-254 and 10.10.2.1-254 from machine 10.10.2.1
CAULDRON can then merge the resulting Nessus XML files, and build a network model
that includes connectivity (to vulnerable services) among all machines. Each of the items
(1) and (2) above represent a single Nessus scan (with multiple targets), resulting in a
single Nessus XML file per scan. We recommend naming the resulting XML files
according to subnet, e.g., subnet_10_10_1.xml for scan item (1) and subnet_10_10_2.xml
for scan item (2) above.

Figure 3. Nessus Scans for Two Subnets

GMU Proprietary

CAULDRON User Guide

7

Figure 4 shows a similar example, this time with three subnets connected by firewalls.
For this network, one would perform these Nessus scans:
1. Scan 10.10.1.1-254, 10.10.2.1-254, and 10.10.3.1-254 from machine 10.10.1.1
2. Scan 10.10.1.1-254, 10.10.2.1-254, and 10.10.3.1-254 from machine 10.10.2.1
3. Scan 10.10.1.1-254, 10.10.2.1-254, and 10.10.3.1-254 from machine 10.10.3.1

Figure 4. Nessus Scans for Three Subnets

Again, CAULDRON will merge the three resulting Nessus XML files. As before, each
of the items (1), (2), and (3) above represent a single Nessus scan (with multiple targets),
resulting in a single Nessus XML file per scan, with corresponding filenames
subnet_10_10_1.xml, subnet_10_10_2.xml, and subnet_10_10_3.xml.
IP addresses in a set of XML files for a network must be unique, e.g., 10.10.1.1 must not
appear in two different subnets as different machines. In particular, care must be taken if
one changes the IP addresses in the Nessus XML files, e.g., to provide anonymity.
CAULDRON can handle arbitrary identifiers for machines, but the identifiers must
remain unique.

2.2

Firewall Data

CAULDRON also has the capability for importing firewall data directly. In this case, any
connections to vulnerable services in the firewall data will be added to any vulnerable
connections created from vulnerability scans to remote subnets (as described in
Section 2.1). CAULDRON currently supports the Sidewinder firewall.
You could rely entirely on firewall data for capturing vulnerable connectivity across
subnets. In this case, you would scan locally in individual subnets, and use the scan
results for detecting vulnerable services on hosts in each local subnet. The firewall data

GMU Proprietary

CAULDRON User Guide

8

would then determine connections to vulnerable services across subnets. Or, you could
scan locally and remotely, as described in Section 2.1, and use firewall data to discover
any additional vulnerable connectivity, e.g., for modeling host-specific firewall rules.

3.

CAULDRON GUI

The Graphical User Interface (GUI) provides the ability to define and run CAULDRON
scenarios. Figure 5 shows the initial view of the CAULDRON GUI.

Figure 5. Initial view of CAULDRON GUI

The general design of the GUI is to treat everything, including a CAULDRON scenario
itself, as a document backed by a file. The Window menu permits different layout
options for viewer windows in the GUI panel.
When a file is opened, the GUI determines the file type and opens it in the appropriate
viewer. Files changed by a viewer will have a * next to their name (in their
corresponding tab) to indicate that the file requires saving. In a viewer, you can ignore
changes and revert to the saved disk file by either selecting File>Revert To
Saved or pressing the
button in the tool bar.
For a given scenario, CAULDRON generates a graph of all possible attacks.
CAULDRON also provides sophisticated capabilities for visualizing attack graphs, with
high-level overview and detail drilldown.

GMU Proprietary

CAULDRON User Guide

9

4.

IMPORTING SCAN DATA

Vulnerability scanners are the most efficient way to capture vulnerabilities in an existing
network. This section describes the CAULDRON capability for importing scanner
results for building input network models.
CAULDRON uses the output of scans through firewalls from/to various subnets to model
the effects of firewall filtering. It merges the information in the scan files, and creates a
file of network connectivity to vulnerable services. The resulting file serves as an input
model of initial network conditions for CAULDRON attack graph analysis. Section 4.1
describes this in more detail.
CAULDRON can import scans from these tools:

Nessus (Section 4.2)

FoundScan (Section 4.3)

Symantec Discovery (Section 4.4)

Sidewinder (Section 4.5)

4.1

Subnets and Firewalls

When you run a vulnerability scanner, you specify what machines and subnets to scan.
To build a comprehensive view of the entire network, configure the scanners to scan all
machines within a subnet and all machines in neighboring subnets. The idea is to capture
the visibility of all machines within subnets and across subnets. One scan from each
subnet, correctly configured, provides sufficient information for CAULDRON.
For example, Figure 6 shows two subnets connected by a firewall. For this network, you
would perform these scans:

Scan 10.10.1.0/24 and 10.10.10.0/24 from machine 10.10.1.1

Scan 10.10.1.0/24 and 10.10.10.0/24 from machine 10.10.2.1

The IP addresses must be unique, e.g., 10.10.1.1 must not appear in two different subnets
as different machines.

GMU Proprietary

CAULDRON User Guide

10

10.10.1.2

10.10.1.1

10.10.2.2

Firewall
10.10.2.1

10.10.1.3

10.10.2.3

Figure 6. Vulnerability Scan Sample Network

CAULDRON uses subnet masks for creating connections to vulnerable services based on
subnets. It creates connections for each vulnerability detected by the scanning machine.
Then, each machine within the scanning machines subnet (per the subnet mask) is
connected to those vulnerable services. The default subnet mask is 255.255.255.0 (CIDR
24), i.e., 256 hosts per subnet.

4.2

Importing Nessus Data

To load Nessus output files into CAULDRON, begin by placing all the Nessus output
XML files in a single directory, isolated from all other files. CAULDRON supports
XML only as the Nessus format for import. Other formats generated by the Nessus
client (e.g., HTML) are not supported.
To use the scanner import tool to import the output of the Nessus vulnerability scanner,
begin by creating a new CAULDRON scenario, i.e., File>New>Scenario. Launch
the scanner import tool via Tools>Import Nessus Scans from the menu bar. A
new dialog box appears (Figure 7).

GMU Proprietary

CAULDRON User Guide

11

Figure 7. Vulnerability Scanner Import Tool using Nessus

Inform the tool about you Nessus scan file directory by pressing the Select dir
w/ScanResults button (see Figure 7). This launches the directory selection dialog
box in Figure 8. A set of sample Nessus scans is in the samples\nessus_win
directory of CAULDRON.

GMU Proprietary

CAULDRON User Guide

12

Figure 8. Select ScanResults Directory Dialog for Nessus

From Figure 8, select the directory then press the Select ScanResults
directory button. After the dialog closes, the new directory will appear in the text
area next to the Select dir w/ScanResults button, as shown in Figure 9.
Also, the list of files appears in the Input Files table.

GMU Proprietary

CAULDRON User Guide

13

Figure 9. After Selecting a ScanResults Directory for Nessus

In Figure 9, the subnet mask and scanning machine IP address are editable within the
Input Files table. Thus, for example, if the scanning machine is not a valid IP
address, you can update the cell. Or, you could edit the subnet mask to change the
number of subnets (and corresponding IP address ranges). When editing a table cell,
make sure to press Enter before leaving the cell. A message indicating the cell entry
change will appear in the Status text area.
In Figure 9, note that the files are named according to the machine from which the scan
was done. By using this convention when saving a scan result, you can immediately use
that machine (IP address) in the Scan Machine field.
Next, set the output file. The output file will be created containing a merge of all Nessus
scan data into a CAULDRON network model. The Set Output File button
opens another file-choosing dialog to select an output file location and name. Do not
save the results in the same directory as the vulnerability scanner output files.
Press the OK button to start the import. The Status text area contains the status of the
import.
Upon completion, the dialog box closes and the resulting CAULDRON network
description is placed in the input files list for the CAULDRON configuration. You are
now ready for running this scenario, as described in Section 5.

GMU Proprietary

CAULDRON User Guide

14

4.3

Importing FoundScan Data

To load FoundScan output files into CAULDRON, begin by placing all the FoundScan
output XML files in a single directory, isolated from all other files. CAULDRON
supports XML only as the FoundScan format for import. Other formats generated by
FoundScan are not supported.
To use the scanner import tool to import the output of the FoundScan vulnerability
scanner, begin by creating a new CAULDRON scenario, i.e., File>New>Scenario.
Launch the scanner import tool via Tools>Import FoundScan Scans from the
menu bar. A new dialog box appears (Figure 10).

Figure 10. Vulnerability Scanner Import Tool for FoundScan

Inform the tool about you FoundScan scan file directory by pressing the Select dir
w/ScanResults button (see Figure 10). This launches the directory selection dialog
box in Figure 11. A set of sample FoundScan scans is in the samples\foundscan
directory of CAULDRON.

GMU Proprietary

CAULDRON User Guide

15

Figure 11. Select ScanResults Directory Dialog for FoundScan

From Figure 11, select the directory then press the Select ScanResults
directory button. After the dialog closes, the new directory will appear in the text
area next to the Select dir w/ScanResults button, as shown in Figure 12.
Also, the list of files appears in the Input Files table.

GMU Proprietary

CAULDRON User Guide

16

Figure 12. After Selecting a ScanResults Directory for FoundScan

In Figure 12, the subnet mask and scanning machine IP address are editable within the
Input Files table. Thus, for example, if the scanning machine is not a valid IP
address, you can update the cell. Or, you could edit the subnet mask to change the
number of subnets (and corresponding IP address ranges). When editing a table cell,
make sure to press Enter before leaving the cell. A message indicating the cell entry
change will appear in the Status text area.
In Figure 12, note that the files are named according to the machine from which the scan
was done. By using this convention when saving a scan result, you can immediately use
that machine (IP address) in the Scan Machine field.
Next, set the output file. The output file will be created containing a merge of all
FoundScan scan data into a CAULDRON network model. The Set Output File
button opens another file-choosing dialog to select an output file location and name. Do
not save the results in the same directory as the vulnerability scanner output files.
Press the OK button to start the import. The Status text area contains the status of the
import.
Upon completion, the dialog box closes and the resulting CAULDRON network
description is placed in the input files list for the CAULDRON configuration. You are
now ready for running this scenario, as described in Section 5.

GMU Proprietary

CAULDRON User Guide

17

4.4

Importing Symantec Discovery Data

CAULDRON has the capability for importing scan data from Symantec Discovery. This
involves a custom export tool developed by Symantec, not a regular part of the Discovery
product. Once you have this Symantec Discovery add-on, you can use it to create scan
output for CAULDRON import. Contact CSIS for details.

4.5

Importing Firewall Rules

CAULDRON has the capability for importing data from the Sidewinder firewall. To
enable this data import, check the Apply Firewall Rules checkbox during the
Nessus import, as shown in Figure 13. When CAULDRON processes firewall rules, and
connections to vulnerable services will be added to any such connections created from
vulnerability scans to remote subnets.
For example, you could run your Nessus scans against host in local subnets only, and rely
on firewall rule data for defining vulnerable connections across subnets. Or, you could
target local as well as remote hosts in your scans, and augment those scan results with
any additional vulnerable connections contained in the firewall data.
The firewall rule file is defined in the file lib/tva.properties. In this file, the
property SIDEWINDER_RULESET_FILE defines the particular filename containing
Sidewinder firewall export data. All firewall export data must be included in this file,
i.e., this is the only source of Sidewinder firewall data used by CAULDRON.

GMU Proprietary

CAULDRON User Guide

18

Figure 13. Enabling Import of Firewall Rule Data

GMU Proprietary

CAULDRON User Guide

19

5.

CAULDRON ANALYSIS

This section describes the various attack graph analysis capabilities available in
CAULDRON.

5.1

Running CAULDRON

A CAULDRON scenario is configured via a file that maintains the input network
connectivity files, the analysis output file, the attacker machine, and the attack goal
machine. If desired, CAULDRON will constrain the attack graph according to the given
start and goal.
To create a new CAULDRON scenario, select File>New>CAULDRON Scenario
from the menu bar, as shown in Figure 14.

Figure 14. Creating CAULDRON scenario

You can change the CAULDRON configuration (scenario) name using
File>Properties or the property button
15.

GMU Proprietary

on the button bar, as shown in Figure

CAULDRON User Guide

20

Figure 15. Property Dialog

Figure 16 shows the resulting CAULDRON scenario panel. The tab name New
Scenario will remain unchanged until the scenario is saved as a file.

GMU Proprietary

CAULDRON User Guide

21

Figure 16. CAULDRON Scenario Panel

5.1.1 Input and Output Files
The CAULDRON configuration viewer supports multiple input files. The connectivity
data from the input files is combined into one comprehensive model of network
connectivity via vulnerabilities.
To add an input file, select the Add File button the input files sub panel (Figure 16).
A file-choosing dialog will appear to allow selection of input files. Be sure to select only
those files applicable to CAULDRON. When a file is added, the machine identifiers in
the files are added to the lists for selecting goals and attacker machines.
A file from the input files list can be removed by selecting it and then clicking the
Remove Button in Figure 16. Removing a file may also remove knowledge of certain
machines, e.g., for attack start and goal.
The output file will contain the results of a CAULDRON analysis engine execution, i.e.,
the attack graph. In the GUI, the output XML file is set via a file-choosing dialog by
selecting the Set File button in Figure 16. The resulting XML is a dump of the full
graph, e.g., for post-analysis or debugging.
5.1.2 Start and Goal Machines
If desired, you can constrain CAULDRON attack graphs based on an assumed attacker
starting machine and/or attacker goal machine. A starting machine represents the initial

GMU Proprietary

CAULDRON User Guide

22

starting point in the network for a simulated attacker. A goal machine represents the end
state of the attack, in which that machine is compromised.
All 4 possible combinations of constrained/unconstrained start/goal are possible:

Start and goal unconstrained (any): All possible paths are computed,
independent of any particular start and goal. This might be a good option
to start with, to see the full scope of attacks. Unconstrained graphs show
all possible attacks, from all possible starting and ending machines. This
may include cycles that are possible for the attacker. It is important to
include all paths (even cycles) when considering network defense. For
example, an exploit that is part of a cycle may also be part of a separate
path of attack, and removing it would give a false sense of security, i.e.,
that there is no need to protect against it.

Start constrained, goal unconstrained (any): Start at a particular machine,

and find all possible paths from there. This shows the total extent of
network compromise from a particular attack threat source. As for
unconstrained graphs, this may include cycles (even cycles involving the
start), which are important when considering network defense.

Start unconstrained (any), goal constrained: Find all possible paths

leading to a particular machine. This shows the total extent of attacker
reachability to a particular network host (e.g., critical server). As for
unconstrained graphs, this may include cycles (even cycles involving the
goal), which are important when considering network defense.

Start and goal constrained: Find all possible paths that start from a
particular machine and end at (another) particular machine. This shows
the total extent of network compromise from a particular threat source,
which leads to compromise of a particular host (e.g., critical server). As
for unconstrained graphs, this may include cycles (even cycles involving
the start and/or goal), which are important when considering network
defense.

By default (i.e., if not specified in the scenario configuration file), CAULDRON

computes an unconstrained attack graph, i.e., no particular start and goal machines are
applied. This is shown in Figure 17, in which both the start and goal are initially any in
the CAULDRON scenario panel.

GMU Proprietary

CAULDRON User Guide

23

Figure 17. Unconstrained (Any) Start and Goal Machine

5.1.2.1

Attack Start

In CAULDRON, an attack machine represents the initial starting point in the network for
a simulated attacker. The attack graph is then generated with this as a starting point,
showing all possible paths leading from this point.
To define a starting machine, select a machine user interface dropdown box as shown in
Figure 18. This dropdown box lists all machines in the CAULDRON network model.
Once a start machine is selected, CAULDRON will use it as the starting point of the
attack.

Figure 18. Selecting a Start Machine

5.1.2.2

Attack Goal

A CAULDRON attack goal represents then end state of the attack. The resulting attack
graph will contain all possible paths to the goal (independent of the starting point).
To define a goal machine, select a machine user interface dropdown box as shown in
Figure 19. This dropdown box lists all machines in the CAULDRON network model.
Once a goal machine is selected, CAULDRON will use it as end point of the attack.

GMU Proprietary

CAULDRON User Guide

24

Figure 19. Selecting a Goal Machine

5.1.3 Direct Attack Paths
By default, CAULDRON finds all possible attack paths through a network (with the
exception of cycles away from goal and cycles into start, as described in Section 5.1.4).
Optionally, you can limit the analysis to direct paths only, i.e., the most direct path from
start to goal. This option is enabled by checking the Direct Attack Paths box, as
in Figure 20.

Figure 20. Direct Attack Paths Checkbox

In particular, if you specify a start machine and enable direct paths, CAULDRON will
find all paths from the start, via the most direct possible paths. Similarly, if you specify a
goal machine and enable direct paths, CAULDRON will find all paths to the goal, via the
most direct possible paths. Or, if you enable direct paths and specify both a start and goal
machine, CAULDRON will find all direct paths from start to goal.
As an example of direct paths in CAULDRON, Figure 21 shows an attack graph for the
default behavior, i.e., all paths. In this case, the start machine is 1.1.52.244 and the goal
machine is 1.1.219.100. There are indirect attacks, e.g., from 1.1.4.176 to 1.1.219.100
via 1.1.105.244, including a cycle back into 1.1.4.176.

GMU Proprietary

CAULDRON User Guide

25

Figure 21. Attack Graph with Indirect Attacks

Figure 22 shows the attack graph for the same scenario as Figure 23, with direct paths
enabled. In particular, the graph now includes only direct paths from start (1.1.52.244) to
goal (1.1.219.100). The indirect attack via 1.1.105.244 is excluded from the graph.

GMU Proprietary

CAULDRON User Guide

26

Figure 22. Attack Graph with Direct Attacks Only

5.1.4 Cycles through Start and Goal

By default, CAULDRON avoids attacks away from the goal (protection domain), under
the assumption that once the goal is reached, no further attacks are needed. Similarly,
attacks back into the start (protection domain) are avoided by default, under the
assumption that the attacker need not attack back where he started. Such attacks (away
from goal or into start) necessarily involve cycles through start or goal.
You can relax the default behavior and specify that CAULDRON include any such cycles
through the start and/or goal. As an example, Figure 23 shows an attack graph with the
default behavior (avoiding attacks away from goal and back into start), with start machine
1.1.4.176 and goal machine 1.1.219.100.

GMU Proprietary

CAULDRON User Guide

27

Figure 23. Attack Graph with No Cycles Containing Start or Goal

To specify that CAULDRON include attack cycles through the start, check the Cycles
Containing Start box, as shown in Figure 24.

Figure 24. Allowing Cycles Back into Start Machine

The resulting attack graph is shown in Figure 25. There is now an attack (7 exploits)
back into the start domain, i.e., from 1.1.4.176 to 1.1.105.244.

GMU Proprietary

CAULDRON User Guide

28

Figure 25. Attack Graph Allowing Cycles through Start

To specify that CAULDRON include attack cycles away from the goal, check the
Cycles Containing Goal box, as shown in Figure 26.

Figure 26. Allowing Cycles Away from Goal Machine

The resulting attack graph is shown in Figure 27. There is now an attack (7 exploits)
away from the goal domain, i.e., from 1.1.219.10 to 1.1.105.244.

GMU Proprietary

CAULDRON User Guide

29

Figure 27. Attack Graph Allowing Cycles through Goal

To specify that CAULDRON include attack cycles through both start and goal, check
boxes Cycles Containing Start and Cycles Containing Goal, as shown
in Figure 28.

Figure 28. Allowing Cycles through Start and Goal

The resulting attack graph is shown in Figure 29. There are now attacks (7 exploits) into
the start domain (1.1.4.176 to 1.1.105.244) and away from the goal domain (1.1.219.10 to
1.1.105.244).

GMU Proprietary

CAULDRON User Guide

30

Figure 29. Attack Graph Allowing Cycles through Start and Goal

5.1.5 Applying Mitigation Solutions

CAULDRON has the ability to model mitigation solutions for network vulnerabilities. It
first reports all vulnerabilities across the network (over all hosts), categorized by (1)
vulnerabilities with known mitigation solutions, and (2) vulnerabilities with no known
mitigation solutions. It then allows you to review these two lists, and to accept or reject
each recommended solution.
The mitigation solutions are approaches for addressing vulnerabilities, such as upgrading
to new versions of software, applying manufacturer patches, changing server
configuration settings, removing vulnerable server scripts, running anti-virus tools to
remove backdoors, etc.
If you select mitigation solutions, these will automatically be applied to the CAULDRON
attack graph. In particular, if there are vulnerabilities with known solutions (and you
accept each solution), then those vulnerabilities will be removed across the network, for
all machines that have them. If there are vulnerabilities with no known solutions (and
you accept that fact for each vulnerability), then those vulnerabilities will be included
across the network, for all machines that have them.

GMU Proprietary

CAULDRON User Guide

31

For example, in an extreme case where there are known mitigation solutions for every
vulnerability in the network, the resulting attack graph would be empty (no attack paths).
Or in the other extreme, where no vulnerability in the network has a known mitigation
solution, the resulting attack graph would be unchanged.
By default, CAULDRON will apply no mitigation solutions. This is shown in Figure 30,
in which the effects of both known (Mitigated) solutions and unknown
(Non Mitigated) solutions are ignored, i.e., both categories are unchecked.

Figure 30. No Mitigation Solutions Applied

5.1.5.1

Known Mitigation Solutions

To review vulnerabilities with known mitigation solutions, and apply them to the
CAULDRON model, check the Mitigated checkbox, as shown in Figure 31.

Figure 31. Applying Known Vulnerability Mitigation Solutions

CAULDRON will then display the list of network vulnerabilities with known mitigation
solutions, as shown in Figure 32. Navigate the list by clicking on a vulnerability to select
it.

Figure 32. List of Vulnerability Mitigation Solutions

GMU Proprietary

CAULDRON User Guide

32

For a selected vulnerability, CAULDRON then gives the detailed information about it, as
shown in Figure 33. This includes the numMachines field, which is the total number
of machines in the network that have the vulnerability.

Figure 33. Details for Vulnerability Mitigation

After you have reviewed a vulnerability with a known mitigation solution, you can either
accept or reject the solution. To accept the solution, simply leave the vulnerability
unaltered. To reject the solution, delete the vulnerability by selecting it in the left panel
and clicking the node delete button (trash can icon for Node).
Once you have finished reviewing the vulnerabilities with known mitigation solutions,
click the save file button (diskette icon). This will commit the selected vulnerabilities to
the CAULDRON input model and close the vulnerability list. For each accepted
(unaltered) solution, the vulnerability will be excluded in the model, i.e., assumed that it
has been mitigated. For each rejected (removed) solution, the vulnerability will be
included in the model, i.e., assumed that no mitigation has been applied.
5.1.5.2

Unknown Mitigation Solutions

To review vulnerabilities that have no known mitigation solutions, and apply them to the
CAULDRON model, check the check the Non Mitigated checkbox, as shown in
Figure 34.

Figure 34. Applying Unknown Vulnerability Mitigation Solutions

CAULDRON will then display the list of network vulnerabilities with no known
mitigation solutions. This list will display just as shown in Figure 32 and Figure 33. The

GMU Proprietary

CAULDRON User Guide

33

difference is that the list will be for vulnerabilities with no known mitigation solutions,
versus vulnerabilities with known mitigated solutions.
Once you have finished reviewing the vulnerabilities with no known mitigation solutions,
click the save file button (diskette icon). This will commit the selected vulnerabilities to
the CAULDRON input model and close the vulnerability list. For each accepted
(unaltered) unknown solution, the vulnerability will be included in the model, i.e.,
assumed that there is no mitigation for it. For each rejected (removed) solution, the
vulnerability will be excluded from the model, i.e., assumed that a mitigation has in fact
been applied.
5.1.6 Finalizing CAULDRON Scenario
Before executing the CAULDRON scenario, make sure that the input file(s), output file,
attacker, and goal configurations are completed in the configuration viewer, and that the
configuration file is saved. Also, if desired, make sure that the boxes for vulnerability
mitigation, direct attack paths, and cycles containing start or goal are checked. The
screen should look something like Figure 35.

Figure 35. Before Starting CAULDRON Scenario

When you have specified all the inputs, you are ready to generate an attack graph. Do
this by clicking the View Full button at the bottom of the panel. CAULDRON will
then begin generating an attack graph for this scenario.

GMU Proprietary

CAULDRON User Guide

34

When CAULDRON completes, the Status box gives the total analysis run time, then
displays CAULDRON Run Finished. It then opens a visualization of the resulting
attack graph. Section 5.2 describes the attack graph visualization capabilities.
If either the start machine, goal machine, or both are selected, then CAULDRON can
provide network hardening recommendations. This is described in Section 5.3.

5.2

Visualizing CAULDRON Results

The CAULDRON tool generates all attack paths, i.e., it generates all possible executable
exploits that lead to the specified attack goal, along with the precondition/postcondition
dependencies among the exploits. The output of CAULDRON analysis is a set of attack
paths organized as an attack graph. An attack graphs is made up of exploits and
conditions, and represents all the possible ways an attacker could reach a given network
goal.
CAULDRON visualization creates a user-friendly display of an attack graph, and allows
it to be manipulated in ways that support visual analysis.
5.2.1 Visualization Overview
Figure 36 shows the main components of CAULDRON attack graph visualization.

Toolbar

Graph View Pane

Overview
Pane

Tree View
Pane

Exploit Table
Pane

Harden List
Pane

Fig. 1 - TVA Visualization Tool Major Components

Figure 36. Major Components of Attack Graph Visualization

GMU Proprietary

CAULDRON User Guide

35

In Figure 36, an attack graph is visible in the Graph View pane. The Overview pane
shows a reduced size image of the main view. The Exploit table lists Exploits associated
with a machine (in this case, machine v1.8) that has been selected in the Graph View.
Major components of attack graph visualization are as follows:

Toolbar Contains a suite of tools for manipulating the display and performing
image I/O. Resting the cursor on any one of these tools shows a brief tooltip
describing its function. Toolbar tools are listed and described in greater detail
below.

Overview pane shows a reduced size image of the Attack Graph, with the
section displayed by the Graph View highlighted as a grey rectangle. Clicking at
any point in the overview pane will center the larger Graph View in current scale
at the corresponding point. Nodes and edges selected in the Graph view will be
shown as selected in the Overview.

Tree View pane Displays the folder hierarchy (Protection Domains and
Machines) in Tree format corresponding to the current Graph view. Folders that
are open in the Graph view are open in the Tree view. Machines that are visible
in the Graph view are also visible in the Tree view. Nodes and edges selected in
the Graph view will be shown as selected in the Tree view; they can also be
selected from the tree view.

Harden List Pane This is a special pane for listing Machines and Exploits that
have been designated as hardened by the user. Hardening is discussed in
Section 5.2.2.4.2.

Graph View pane this is the primary viewing and functional area for Attack
Graph Visualization. It supports opening and closing of Protection Domains,
viewing and traversal of exploits, hardening and deletion of machines and
exploits, plus many other functions that are described in greater detail in
Section 5.2.2. It also allows manual movement and adjustment of graph objects
by the user to support visualization.

Exploit Table pane This pane contains a spreadsheet-style table for displaying
groups of exploits associated with a given Machine, Protection Domain, or
specific source/destination pair. For example, selecting a machine lists all
exploits either originating or terminating at that machine. For each exploit, a
number of fields of data are shown. For fields containing large amounts of text,
you can mouse-over the field to see the entire text content.

5.2.2 Viewing the Attack Graph

5.2.2.1

Machines and Protection Domains

Here are the capabilities for viewing machines and protection domains in CAULDRON:

Individual machines are represented as machine icons and labeled with the
machine name. Machines are visible only if the Protection Domain node

GMU Proprietary

CAULDRON User Guide

36

containing them has been expanded. This is generally done by clicking the small
+/- icon in the upper left corner. There are two particular Machines that are
specially designated as the Initial and Goal machines. Machine icons look like
small computer terminals, and the screens of these icons are colored according to
the following convention: Blue default, Green Initial Machine, Red Goal
Machine, Purple Hardened Machine (see Section 5.2.2.4.2).

Protection domains are represented as either Folder or Group nodes, which are
rectangular nodes that can contain machines or other folders. These nodes are
labeled with the name of the Protection Domain they represent. A Folder node is
closed it displays none of the machines it contains, but has a + button on the
upper left corner by means of which it can be expanded. Once it is expanded, it is
called a Group node and the underlying machines it contains are visible. A Group
node has a - sign in the upper left hand corner by which it may be closed,
usually to simplify the view and conserve space. NOTE: When an Attack Graph
is initially displayed, all its Protection Domains are displayed in closed form.
This allows for an initial display that is easy to understand, and which can be
expanded incrementally as desired. It also allows for near-realtime loading of
extremely large Attack Graphs.

The tiny machine-like icons shown inside a closed protection domain are for
labeling purposes only, and do not necessarily correspond to the contents or
members of the protection domain, except for the purpose of identifying initial
(green) and goal (red) machines. That is, if the Initial node lies within a closed
Protection domain, one of the tiny machines in the label will display a green
screen; the others will be blue. Similarly, if the Initial node lies within a closed
Protection domain, one of the tiny machines in the label will display a red screen.

The attack graph in Figure 37 illustrates some of these capabilities. There are two
expanded protection domains (Groups) with names aSubDom and vSubDom1, and a
third closed protection domain (Folder) named vSubDom2.

GMU Proprietary

CAULDRON User Guide

37

Figure 37. A Sample Attack Graph View

A final note on label coloring: if the closed Protection Domain has been hardened, all the
screens of the label will be colored purple, except ones that are already colored green or
red. This is not illustrated in Figure 37.
5.2.2.2

Exploits

The display of exploits within the Graph View is governed by the following rules:

Exploits are represented by arrows (edges) in the graph. Multiple exploits

connecting the same pair of nodes in the same direction are aggregated into a
single arrow; that is, there will be at most a single arrow in each direction
connecting any pair of nodes. When exploits are aggregated into a single arrow,
the number of individual exploits represented by the arrow appears as its label.
For example, in Figure 37, the arrow labeled 2 represents two individual
exploits whose originating machine is the attack machine, and whose target
machine is machine v1.1. (The individual exploits represented by this arrow
will appear in the Exploit Table when the arrow is selected see below.)

Intra-domain exploits, that is, exploits originating and terminating within the same
protection domain, are not represented as arrows in the graph view. Intra-domain
exploits can be viewed by utilizing the Exploit Table display (see below). All
machine nodes within a protection domain that are involved only with intradomain exploits are aggregated into a single subfolder of the protection domain,
labeled Unconnected. The Unconnected folder label also indicates the number of
nodes it contains for example, the Unconnected folder of protection domain

GMU Proprietary

CAULDRON User Guide

38

vSubDom1 in Figure 37 contains 17 machine nodes (and can be expanded to

display them).

An exploit arrow will originate and terminate on machine nodes if and only if the
protection nodes containing the source and destination machines are both
expanded. Otherwise, the arrow will be shown connecting the protection domains
themselves. This helps to simplify the display. An Exploit arrow connecting two
protection domains in a single direction represents all exploits originating from
machines in the source domain that terminate at machines in the destination
protection domain, and is numbered accordingly.

The following example illustrates this behavior: In Figure 38(a), we see two closed
protection domains, and an exploit arrow representing three individual exploits
originating in the Internet domain and targeting the DMZ. In Figure 38(b), the DMZ
domain has been expanded, but the exploit arrow remains aggregated, and points to the
DMZ node rather than to its individual machines. It is only when both protection domains
are expanded, in Figure 38(c), that the exploits are shown connecting the actual source
and target machines. Note that the exploits targeting machine dmz_mail remain
aggregated, even at this level. To view these exploits individually it is necessary to use
the Exploit Table.

(a)

(b)

(c)

Figure 38. Exploits in the Graph View

GMU Proprietary

CAULDRON User Guide

39

5.2.2.3

Edit Mode functions in the Graph View

Edit Mode is the default operating mode inside the Graph View. It is denoted by the
cursor. Functions available within Edit Mode include the following:
Selection In Edit Mode, the cursor may be used to select (L-click) individual
machines, protection domains, and exploit arrows. When these items are selected,
exploits associated with them are listed in the Exploit Table (see below). Multiple
machines and Protection Domains can also be selected by clicking and dragging a
selection rectangle over them (multiple Exploit arrows cannot be selected in this
way or any other).
Deletion Items selected in Edit Mode may be deleted by means of the delete
key. The same function is also available by R-clicking the selected items and
selecting Remove (Delete) from the Context menu (see below). Note that,
when machines and protection domains are deleted, the Exploits associated with
them are deleted also. If these Exploits are included in an aggregated Exploit (see
above), the count label for the aggregated Exploit arrow is reduced accordingly.
Relocation Machines, Protection Domains, and Exploits can all be relocated in
the Graph View using the Edit Mode cursor. For machines and PDs, this is
generally just a matter of clicking and dragging a object to a desired location. But
the exact result varies somewhat depending upon the object(s) selected.
o Protection Domains: A protection domain can be dragged in the view asis, whether open or closed. It will retain its shape and interior layout.
Exploit arrows originating or terminating within the Protection Domain
will automatically track its movement and do not need to be redrawn.
o Machines: A machine can be relocated (dragged around) within its
Protection Domain if it is visible that is, if the PD is open (a Group
node). The enclosing PD node will automatically resize to accommodate
the relocated machine. Additionally, any exploit arrows attached to the
machine will automatically track its movement and will not need to be
redrawn. A similar situation holds for Unconnected machines (see above):
the Unconnected group node will automatically resize to enclose the
moved machines new location. Machines cannot be dragged outside their
enclosing nodes.
o Exploits: To relocate an exploit arrow, first select it. Then its endpoints
become highlighted and can be moved around using the cursor. These
endpoints must remain attached to their original nodes, but there are
usually numerous locations on the border of the node to which an arrows
endpoint can be relocated. In many cases this can improve readability of
the display.
o Multiple Selections: Multiple machines and protection domains can be
selected at one time, by clicking and dragging a rectangle over them.
GMU Proprietary

CAULDRON User Guide

40

Once this is done, the selection can be left-clicked and dragged within the
Graph View. Protection domains will relocate as-is, while isolated
selected machines will be relocated within their (unselected) protection
domains as described above. As before, exploit arrows will track relocated
objects wherever necessary.
Resizing Selected Protection Domains (and Unconnected nodes) can be resized
by clicking the small black square object handles that define the objects
enclosing rectangle and dragging them in the usual manner. This applies to nodes
that are either open or closed. When open, the interior layout of machines will be
preserved: In particular, a parent node (PD or Unconnected group node) cannot
be reduced to a size smaller the interior layout of its machines.
5.2.2.4

Other Graph View Functions

5.2.2.4.1

Context Menu

A Context Menu displays whenever the right mouse button is clicked in the Graph View
pane. As suggested by the name, contents of the Context menu vary depending on where
the right-click occurs:
When a white area of the display is right-clicked, the context menu displays four
items: Zoom, Close All Folders, View Parent, and Copy to Clipboard:
o Zoom: Selecting this displays a submenu containing the Zoom In, Zoom
Out, and Fit Content functions, one of which can then be selected. These
functions resize the display and are also available on the Toolbar; they are
described in Section 5.2.3.
o Close All Folders: Clicking this will cause all Protection Domains to be
closed, so that the machines they contain will be hidden. This is a handy
way to simplify the display. Note: if all protection domains are already
closed, this function is greyed-out in the Context menu (unavailable).
o View Parent: This menu item is always greyed out (unavailable), as is the
corresponding Toolbar icon (Section 5.2.3).
o Copy to Clipboard: This function also exists on the toolbar; it causes the
entire Attack Graph to become visible in the Graph View.
When an Exploit arrow is right-clicked, its Context menu displays two functions:
Harden and Remove (Delete). The Harden function is discussed separately in this
section, while Remove (Delete) is basically equivalent to hitting the Delete key
with that Exploit selected; that is, all exploits represented by this arrow will be
removed from the Graph.
When a Machine node is right-clicked, it is selected and the Context menu
contains three functions: Harden, Delete (Remove), and Traverse Exploits
(Alt+Left Click). Selecting Harden hardens the node (see next section), while

GMU Proprietary

CAULDRON User Guide

41

Remove (Delete) performs the same function as the Delete key: that is, the node
is deleted, along with its associated edges. The Traverse Exploits function gives
an animated view of the Attack Graph relative to the selected node, and is also
described in more detail later in this section.
When an open Protection Domain is selected, available functions are the same as
for a machine node, and perform in much the same way. Additionally, the Close
Folder function is available, which closes the Protection Domain and hides the
Machines it contains. (This function can also be performed by clicking the -
symbol in the upper left hand corner of the node.)
When a closed Protection Domain node is right-clicked, the Context menu
displays the Harden, Delete (Remove), and Traverse Exploits (Alt+Left Click)
functions, which we have already seen. However, the Open Folder and Open
Folder Isolated functions are also displayed. Open Folder simply expands the
Domain to display the machines within it, but Open Folder Isolated displays the
contents of the domain in an isolated view mode, without the parent node or any
exploits. Even the Exploit Table remains blank when items in this view are
selected. To exit the Open Folder Isolated mode, double-click the Root folder in
the Tree View.
5.2.2.4.2

Hardening

Hardening is a function that allows the user to select items, and then view the graph as
though these items were no longer targets or originators of any exploits. When an item is
hardened, it is not necessarily deleted from the graph, but all exploits associated with that
item are removed. Additionally, hardened items are recorded in the Harden List, which is
the Visualization Tool pane located in the lower left corner.
Hardening is performed by right-clicking an item, then selecting Harden from the
Context menu. If an individual Machine is hardened, all exploits associated with that
machine disappear, and the name of the machine is appended to the Harden List.
Additionally, the screen color of the Machine icon is changed to purple to indicate its
new status.
If a Protection Domain is hardened, all exploits originating or terminating in that domain
disappear, and the names of all Machines in the Protection Domain (except Unconnected)
appear in the Harden List. (Note also that the Protection Domain name does not appear in
the list). The screens of all machines in the domain, if and when they are visible, are
colored purple. Likewise the screens of machines that make up the closed folder label for
that domain will be purple if the domain is closed.
Exploits can also be hardened, or rather groups of exploits represented by Exploit arrows
can be. When an Exploit group is hardened, all individual exploits in the group are
deleted, and the names of the individual exploits are added to the Harden list. The
listed Exploit names are actually a bit more informative than the Machine names which
appear here: they contain the Exploit name itself as well as the names of its source and
target Machines.
GMU Proprietary

CAULDRON User Guide

42

5.2.2.4.3

Traverse Exploits

Traverse Exploits is an option that can be selected from the Context menu for either a
Machine or closed Protection Domain. It displays a brief animation in which Exploit
arrows associated with the selected node are progressively colored red, beginning with
their source nodes and ending with their target nodes. That is, the red color grows along
the Exploit arrows in the direction of the attack, and once the target node is reached the
process is reversed and the color retreats back to its original node. This is a handy tool
for conceptualizing attack paths originating or terminating in a given area.
5.2.2.4.4

Miscellaneous Functions

Mouse Wheel Zooming: - Whenever the cursor is positioned in the Graph View, the
display can be zoomed in and out by rotating the mouse wheel in the appropriate
direction. Zooming in magnifies objects visible in the display, but reduces the overall
scope of view relative to the entire Attack Graph. Zooming out reduces the size of visible
objects, but increases the scope of the display. The central point of the display is always
preserved. Note that other zooming functions are available in both the Visualization
Toolbar, and in the Context menus.
Machine and Protection Domain tooltips: - Tooltips are visible when the cursor hovers
over either a Machine node or a closed Protection Domain node in the Graph View. In
the case of a Machine node, the tooltip shows the machine name and also the term
Initial or Goal where appropriate, if the Machine in question is one of those specific
nodes. In the case of a closed Protection Domain, the Tooltip displays the name and the
total number of Machines it contains (including any Unconnected machines). If either
the Initial or Goal machine is contained in the Protection Domain, that fact is also
indicated in the tooltip, along with the machine name.
5.2.3 The Exploit Table
The Exploit Table is an Excel-like spreadsheet table that provides the list of exploits and
associated details for a selected entity: a Machine, group of Machines, Protection
Domain, Exploit arrow, etc. This mechanism avoids layout overhead and visual
confusion associated with a nodal representation for Exploits. When an item or group of
items is selected, all Exploits associated with that item are listed in the table. A scroll bar
appears when this Exploit list is too long for the display, and the Exploit Table itself can
be resized by clicking and dragging its top edge.
For each listed Exploit, the Name, Source Machine, Target Machine, Preconditions and
Postconditions are listed in the table, as provided by the Attack Graph model. Clicking on
a column header causes the Exploit list to be sorted by that specific parameter; either
ascending or descending order can be chosen. Column headers may also be rearranged
and resized by clicking and dragging in the table header.

GMU Proprietary

CAULDRON User Guide

43

The Exploit Table is automatically populated when a machine, protection domain, or

edge is selected. Specific behavior is as follows:

Select Single Machine All exploits originating or terminating at a selected

Machine are displayed in the table. This includes all intra-domain exploits
associated with that Machine. Intra-domain exploits are listed differently in the
table: the machine name is in the To field (target machine), while the From
field (source machine) is blank. This makes intra-domain exploits in the list very
easy to identify.

Select Protection Domain All exploits originating or terminating at machines

inside the selected protection domain are displayed in the table, whether the
selected protection domain is open or closed. Actual source and target machine
names are listed. Intra-domain exploits are not displayed.

Select Edge - All individual exploits represented by the edge are displayed. The
number of exploits in the display list will agree with the edge label. Actual source
and target machine names are listed, whether or not they are actually visible.

Multiple Select Multiple nodes and protection domains can be selected by

clicking the mouse and dragging a rectangle over the desired items. This will
NOT result in display of associated exploits; in fact, it usually results in clearing
the Exploit Table display.

Figure 39 shows a simple attack graph view in which a single machine dmz_mail has
been selected. The accompanying Exploit Table has been sorted on the From column in
descending order, so that intra-domain exploits associated with dmz_mail appear at the
bottom. There are four inter-domain (or normal) exploits associated with dmz_mail:
two originate from the outsideAttacker machine, and two originate with
dmz_mail itself and terminate at the srvr_mail machine. The srvr_mail machine
is not visible in the display to see it, it is necessary to expand the ServerLAN
protection domain.

GMU Proprietary

CAULDRON User Guide

44

Figure 39. Exploit Table

5.2.4 Toolbar Functions
The Toolbar contains a number of tools that can be useful in visualizing and analyzing
attack graphs. Figure 40 shows the Toolbar and each of its tools, together with the
Tooltip description that can be obtained by hovering the mouse cursor over the tool. This
section also briefly describes the capabilities of each tool.

GMU Proprietary

CAULDRON User Guide

45

Edit Mode (Ctrl+E)

Zoom Area (Ctrl+B)

Navigation Mode (Ctrl+N)

Magnify Zoom (Ctrl+M)

Print (Ctrl+P)

View Parent (Page Up)

Export (Ctrl+SHIFT+E)

Hierarchical Layout

Copy to Clipboard (Ctrl+C)

Orthogonal Layout

Zoom In (+)

Circular Layour

Zoom Out (-)

Organic Layout

Fit Content (Alt+Enter)

Incremental Layout

Figure 40. Toolbar Functions

Edit Mode (Ctrl+E) Edit Mode is the normal operating mode inside the Graph View. In
this mode, one can perform selection, deletion, resizing, and relocation operations on
Attack Graph objects that are displayed. Edit Mode functions and capabilities are
described in Section 5.2.2.3.
Navigation Mode (Ctrl+N) Navigation Mode has most of the functionality of Edit
Mode, but with one significant difference: Left-clicking and dragging anywhere within
the Graph View will cause the entire display to be dragged/relocated along with the
mouse cursor. In Edit Mode, Left-clicking and dragging creates a selection rectangle used
to select multiple objects.
Print (Ctrl+P) The print function allows the Attack Graph display to be printed in one
of several modes specified by the user. Prior to displaying the usual Microsoft priner
selection window, a small Print Options dialog appears (Figure 41) with the following
options:

Print Area: Specifies the portion of the Graph View to be printed. Selecting
Entire Graph prints the whole Attack Graph, regardless of what is currently
visible in the Graph View. Current View will only print that portion of the
Attack Graph which is visible.

Sheet(s) Across: Specifies how many print sheets are to be spanned by the
horizontal dimension of the printed image.

Sheet(s) Down: Specifies how many print sheets are to be spanned by the vertical
dimension of the printed image.

GMU Proprietary

CAULDRON User Guide

46

Figure 41. Print Options

The Sheet(s) Across/Down options allow the printed image to be printed onto a
rectangular array of 8.5x11 sheets, which can then be assembled to produce the full
size printed display.
Export (Ctrl+SHIFT+E) This function brings up a file save dialog allowing the Graph
View image to by exported as a graphics file. Saved image is precisely the image
appearing in the Graph View display. User navigates to the desired folder location, and
also supplies a name for the image file. Formats are selected by clicking the dropdown
arrow next to the Files of type field in the save dialog and selecting one of the
supported graphics format options. Supported formats at this time are *.JPG, *.GIF, and
*.SVG.
Zoom In (+) Clicking this icon in the Toolbar (or typing +) causes the Graph View to
zoom in by a fixed amount, that is, objects in the display will become larger and less of
the total image will be visible. Center point of the view remains the same. Note that at
any time the Graph View can be zoomed in or out using the mouse wheel.
Zoom Out (-) - Clicking this icon in the Toolbar (or typing -) causes the Graph View to
zoom out by a fixed amount, that is, objects in the display will become smaller and
more of the total image will be visible. Center point of the view remains the same. Note
that at any time the Graph View can be zoomed in or out using the mouse wheel.
Fit Content (Alt+Enter) Clicking this icon in the Toolbar (or typing Alt+Enter) causes
the entire Attack Graph to become visible in the Graph View, regardless of current
magnification factor or what portion of the Attack Graph is currently displayed.
Zoom Area (Ctrl+B) - Clicking this icon in the Toolbar (or typing Alt+B) allows the user
to select a rectangular area of the current Graph View display for closer viewing. The
Cursor becomes a magnifying glass with a small plus sign, and this cursor is clicked and
dragged in the Graph View to create the magnification rectangle. When the left mouse
button is released the rectangle is expanded to fill the entire display.

GMU Proprietary

CAULDRON User Guide

47

Magnify Zoom (Ctrl+M) Selecting the Magnify Zoom tool puts the cursor at the center
of a 2 diameter circle that functions as virtual magnifying glass when dragged around
the Graph View (Figure 42). The degree of magnification inside the circle can be
adjusted by rotating the mouse wheel. Additionally, most of the Edit Mode functions
remain active in this mode, for example, one can select, delete, resize and relocate graph
objects. One especially useful application occurs in very large, complicated graphs when
it is necessary to locate and click the open/close (+/-) button in the upper left corner of a
Protection Domain.

Figure 42. The Magnify Zoom Tool

You can exit Magnify Zoom mode by re-clicking the Magnify Zoom tool button, by rekeying the Ctrl+M key sequence, or by typing the ESC key.
Layout tools: The remaining items in the Toolbar are Layout Tools clicking a Layout
Tool will cause a reorganization or layout of visual elements of the Attack Graph view,
based on some underlying layout algorithm. Applying a new layout is frequently useful
for organizing a graph view that has become messy, or for viewing the graph in a new
way, But it is not generally possible to predict the precise effect that any given layout
algorithm will have. There are five layout tools in the toolbar, each named according to
the layout algorithm it employs:

Hierarchical Layout

Orthogonal Layout

GMU Proprietary

CAULDRON User Guide

48

Circular Layout

Organic Layout

Incremental Layout

The first four of these tools implements what is known as a from-scratch layout
algorithm, meaning that node locations, edge routing, etc. are all completely recalculated
for the entire Attack Graph. The final algorithm is called Incremental it can be viewed
as a layout algorithm that attempts to optimize the display based on recent changes. Try
this algorithm after moving a few Machines or Protection Domain elements around,
relocating Exploit endpoints, or deleting a few items. You are encouraged to experiment
with these layouts and find the ones best suited to your analytical style, or to make
particular graph patterns more explicit.
Note that an incremental layout algorithm similar (but not necessarily identical) to this
one is implicitly invoked whenever hierarchical changes occur to the display: in
particular, opening and closing Protection Domain or Unconnected Group/Folder nodes.
Additionally, it should be mentioned that when a new Attack Graph is loaded, the initial
layout algorithm is Hierarchical.
Figure 43(a) shows an attack graph with an initial layout. Figure 43(b) the same attack
graph, rearranged by applying the Hierarchical layout tool from the Toolbar. This gives
you an idea of what this might be expected to produce. Starting from a fixed initial
graph, it is a good idea to see what the individual layout tools will do; this can give a
good intuitive idea of expected effects for each of the available algorithms.

GMU Proprietary

CAULDRON User Guide

49

(a)

(b)

Figure 43. Graph Rearrangement via Hierarchical Layout

5.3

Network Hardening Recommendations

CAULDRON makes recommendations for hardening the network, based on the attack
graph. These recommendations are generated as XML (e.g., for subsequent reporting),
and rendered in CAULDRON. Recommendations are also saved in an XML file, with
the filename postfix .hardened (based on the attack graph filename). To compute
network hardening recommendations, you must constrain the attack graph with specific
attack start and/or goal machines (as described in Section 5.1.2).
CAULDRON makes 3 kinds of recommendations:
1. Optimal (minimum-effort) hardening requires the minimum number of changes
(e.g., firewall rules) to the network, while preventing the attacker from reaching
the goal. This option requires both start and goal machines to be defined.
2. First-level hardening gives the network changes that stop the attack as soon as
possible, i.e., immediately after the attack start. This option requires the start
machine to be defined.
3. Last-level hardening gives the network changes that protect the goal from all
attack sources, i.e., immediately preceding the attack goal. This option requires
the goal machine to be defined.
GMU Proprietary

CAULDRON User Guide

50

Once you have defined the attack scenario, e.g., to the point that you would generate the
attack graph via View Full as described in Section 5.1.6, you are ready to compute
hardening recommendations. Just click the Network Hardening button, as shown in
Figure 44.

Figure 44. Network Hardening Button

As an example, consider the attack graph in Figure 45, which has starting machine
1.1.52.244 and goal machine 1.1.1.244.

Figure 45. Attack Graph for Network Hardening Recommendations

Figure 46 is a list of the CAULDRON recommendations, i.e., minimum-effort, firstlayer, and last-layer. With the minimum-effort recommendation selected, CAULDRON
shows there are a grand total 2 exploits as the minimum number of hardened (e.g.,
blocked) exploits to prevent the attack from reaching 1.1.1.244 from 1.1.52.244.

Figure 46. List of Hardening Recommendations

GMU Proprietary

CAULDRON User Guide

51

You can drill down to see the details of each hardening recommendation. In this
example, the minimum-effort solution is one exploit from 1.1.219.100 to 1.1.1.244
(highlighted in Figure 47), and one exploit from 1.1.105.244. Here, attackerDom and
victimDom under DomToDom are the specific attacker and victim domains
(respectively), and numExploits is the total number of exploits between those two
domains.

Figure 47. Recommended Hardening between a Pair of Protection Domains

Figure 48 shows the details for an individual exploit to be hardened.

Figure 48. Exploit Details for a Hardening Recommendation

GMU Proprietary

CAULDRON User Guide

52