2. CyberCAPTOR-Client - User and Programmer Guide

This project is a part of FIWARE. For more information, please consult [FIWARE website] (http://www.fiware.org/).

CyberCAPTOR is an implementation of the Cyber Security Generic Enabler, the future developments of the [Security Monitoring GE] (http://catalogue.fiware.org/enablers/security-monitoring).

The high-level README file of CyberCAPTOR-Client can be found here.

2.1. Table of Contents

• Introduction
• User Guide
  • CyberCAPTOR-Client views
    • Initialization
    • Configuration
    • Attack Graph
    • Attack Path
    • Remediation Simulation
    • Dynamic Risk Analysis
  • Interpretation
• Programmer Guide
  • Technologies
    • AngularJS
    • D3JS
    • Bootstrap
  • Source files organization
    • JS
      • MyApp
      • Controller
      • Directive
      • Service
      • Filter
    • Lib
      • Transform
    • View
    • Img
    • Doc

2.2. Introduction

This is the User and Programmer Guide of CyberCAPTOR-Client.

For the illustrations of this manual, we used the file dataSet.xml as topological input file.

2.3. User Guide

This guide describe how to use CyberCAPTOR-Client.

2.3.1. CyberCAPTOR-Client views

2.3.1.1. Initialization

This page can be accessed at this adress : http://localhost:8000/#/welcome

This page initializes the server with data provided in the topological XML file.

Initialization page

Use the button to select your topology file. When it is loaded on the queue file, click on “Upload All” to upload all your data in the server. When your data is loaded, the progress bar is fulfilled and a message appears to acknowledge the good reception.

Now, the server has received your data and CyberCAPTOR is ready for risk analysis.

Server ready

2.3.1.2. Configuration

This page can be accessed at this adress : http://localhost:8000/#/configuration

This page lists all hosts of the network. You can also specify the importance of each host and update the parameters used for remediation cost calculation.

The panel “Configuration” lists all hosts of the network topology. You can filter this list with the input “Search”.

Click on the select input under “Name” to specify the importance of this host. By default, they host importance is “Negligeable”. When you are ready, click on “Save” to transmit the information to the server.

The other panel lists the parameters used for the remediation cost calculation. Change them according to your preferences and click on “Save”.

Configuration page

2.3.1.3. Attack Graph

This page can be accessed at this adress : http://localhost:8000/#/attackGraph

This page displays the attack graph of the information system.

By default, the graph is displayed in a topological view but, you can switch in a logical view by selecting the proper mode. If you put your cursor above a node, you can see the node details. You can also move the nodes using drag and drop.

Attack Graph page

2.3.1.4. Attack Path

This page can be accessed at this adress : http://localhost:8000/#/attackPath

This page displays the selected attack path, its attrition level and remediations.

You can select the path to view in the panel “Selection”. By default, the first path is displayed. The attrition level characterize the criticity of the path. There are five criticity level : Negligeable, Minor, Medium, Severe and Catastrophic.

By default, the graph is displayed in a topological view but, you can switch in a logical view by selecting the proper mode. If you put your cursor above a node, you can see the node details. You can also move the nodes using drag and drop.

Remediations lists all known solutions to correct the risk of the selected attack path. They are ordered by your habits (previously deployed remediations) and by the cost of the remediations. Habits represents your preference to a specific remediation.

The button “Simulate” open a new page “Remediation Simulation”.

You can see the attack path in a logical view.

Attack path, logical view

Or in a topological view

Attack path, topological view

2.3.1.5. Remediation Simulation

This page can be accessed at this adress : http://localhost:8000/#/simulation

This page display the simulation of a remediation on the whole attack graph.

In “Remediation Simulation”, you can see the attack graph. Nodes with a green border are corrected by the remediation selected and the nodes with orange border are still presents.

If you wan to confirm the remediation application, click on “Validate” to certify that you are going to apply this remediation. This action increments the habit score of this remediation.

Remediation Simulation page

2.3.1.6. Dynamic Risk Analysis

This page can be accessed at this adress : http://localhost:8000/#/dynamicRiskAnalysis

This page allow to visualize the currently happening attacks on your information system received by the server in IDMEF.

Dynamic Risk Analysis page

The alarms are stored in the Alarm Box, you can selected one and see its impact on the whole information system.

Dynamic Risk Analysis visualization

To see the dynamic remediations known to solve the vulnerability, click on “Remediations”.

Dynamic Risk Analysis remediations

2.3.2. Interpretation

This part explains how can understood the logical graphs displayed by CyberCAPTOR-Client.

In the following example, there are 5 nodes :

• node (1) : Physical access
• node (2) : Network access
• node (3) : Vulnerability
• node (4) : Rule for remote exploit
• node (5) : Execute code on “linux-user 2” as user

Interpretation

The target, “linux-user-2”, has a network access and a physical access, a vulnerability is presents and these conditions allow an attacker to use a remote exploit. In this case, the attack can execute a code on the device as a user.

2.4. Programmers Guide

This guide describe how to develop within CyberCAPTOR-Client.

2.4.1. Technologies

This part lists all technologies used to develop CyberCAPTOR-Client.

2.4.1.1. AngularJS

The Javascript framework AngularJS is used. You can find the documentation here.

The library Angular-File-Upload is used to upload file.

2.4.1.2. D3JS

The Javascript library Data-Driven Documents D3JS is used to display the graphs.

2.4.1.3. Bootstrap

The framework Bootstrap is used to design CyberCAPTOR-Client (CSS + Javascript).

2.4.2. Source files organization

This part presents the organization of the sources files, and the role of each folder.

2.4.2.1. JS

This section detailed all JavaScript files contains in the js folder.

2.4.2.1.1. MyApp

This file contains all parameters, routes, constants of CyberCAPTOR-Client.

2.4.2.1.2. Controller

This file contains all controllers used to manage CyberCAPTOR-Client.

2.4.2.1.3. Directive

This file contains all directives used to display all graphe in CyberCAPTOR-Client.

2.4.2.1.4. Service

This file contains all services used in CyberCAPTOR-Client.

2.4.2.1.5. Filter

This file contains all filters used in CyberCAPTOR-Client.

2.4.2.2. Lib

2.4.2.2.1. Transform

Transform owns differents methods used to modify data’s structure received from server. That allow to simplify the calculations and the visualizations for these graphs.

2.4.2.3. View

This folder contains all views used to display informations, graphes, data,...

2.4.2.4. Img

This folder contains all pictures used in CyberCAPTOR Client.

2.4.2.5. Doc

This folder contains all documents describing CyberCAPTOR.