Lab 3 told us what is broken on the network. Chapter 4 asks the operational question: what does it mean in context? This demo turns the same SEAS-8414 scan into a directed attack graph, finds the cheapest attacker paths, computes the Breakwater Risk Score with SHAP-style attribution, maps findings to MITRE ATT&CK ICS, simulates remediations, and exports a STIX 2.1 bundle — then goes further with the cross-phase HYDRA score, GNN augmentation, and a risk-timeline forecast.
Demo built by RayveLabs to illustrate Dr. Mallarapu's SEAS-8414 Chapter 4, continuing the same teaching network as Lab 3 (172.30.0.0/24; Hikvision camera, OT gateway, PLC/HMI, medical-device ROE block). Original course material © Dr. Mallarapu / The George Washington University. Synthetic network, real CVE / ATT&CK data.
Discovery (Ch.1) is descriptive, enrichment (Ch.2) is diagnostic, vulnerability assessment (Ch.3) is detective. Attack-graph analytics is the first predictive phase: it reasons about how an attacker would move and which device matters most, not just which CVE scores highest.
Figure 4.1: Live scan summary for the Lab 3 → Lab 4 teaching network. Stats recompute as you apply remediations below.
Five node types (device, service, subnet, entry point, physical process) and eight edge types whose weights encode attacker effort — lower weight = easier traversal. Click any device to drive the risk panels below.
| edge type | weight | meaning |
|---|---|---|
| shares_credentials | 0.1 | trivial lateral movement |
| exploitable_via | 0.1–0.4 | known CVE (by severity) |
| same_firmware | 0.4 | one exploit chains to both |
| same_subnet | 0.5 | L2 / ARP adjacency |
| runs_service | 0.7 | exposed attack surface |
| communicates_with | 0.7 | observed comms |
| controls_process | 0.8 | physical-process target |
| can_reach | 1.0 | L3 routed reachability |
Figure 4.2–4.5: Directed attack graph built from scan results. Edges drawn between devices reflect credential reuse, shared firmware, subnet adjacency and routed reachability from the entry point.
The cheapest weighted path from an entry point to a high-value target is the route an attacker is most likely to take. Path cost maps to an ordinal probability and a rough time-to-traverse estimate.
Path is highlighted in red on the graph above.
| # | route | cost | prob | ~time |
|---|
Figure 4.6–4.9: Yen's k-shortest-paths over the weighted graph. Probability is a reciprocal-of-cost ordinal ranking (planning evidence, not a calibrated field probability); time is a weight-scaled estimate.
CVSS scores a CVE in isolation; BRS scores a device in its operational context: BRS = 0.20·V + 0.20·E + 0.20·R + 0.15·P + 0.05·S − 0.20·C, clamped to 0–10. Pick a device, then move the factor sliders to see the score and rating band react live.
Figure 4.10–4.12: BRS decomposition and rating thresholds. Try the camera vs. thermostat lesson — the device with the lower CVSS often carries the higher BRS once reachability and physical consequence are included.
A score is only actionable if you can see why. Each bar is a factor's contribution (weight × score); positives raise risk, the compensating-controls bar pulls it back down. The longest movable bar is usually your highest-leverage fix.
Figure 4.13: SHAP-style waterfall. Where reachability + low controls dominate, segmentation is the lever; where V + E dominate, patch.
External feeds (CISA KEV, abuse.ch, STIX/TAXII) are correlated against scan findings. A KEV match pins exploitability to confirmed in-the-wild activity and raises the device's E factor.
| device | CVE | CVSS | feed match | effect on E |
|---|
Figure (4.6): Indicator correlation. KEV entries score E=9.0; default credentials override to E=10.0 (no exploit development required).
Clone the graph, apply candidate remediations, re-score, and read the predicted ΔBRS before touching production. Efficiency ranks each action by risk reduced per cost unit.
Changes flow through every panel on the page (graph, BRS, paths, scores).
Figure 4.14–4.15: What-if pipeline + remediation efficiency. The highest-yield action is not always the most expensive — credential rotation is cheap and often moves the needle most.
A CVE says what is broken; ATT&CK says how an adversary uses it. Findings map to techniques three ways — finding-type (conf 0.8–1.0), CWE-based (0.7), device-type (0.5) — and aggregate into tactic coverage.
| device | technique | tactic | via | conf |
|---|
Coverage spanning Initial Access → Lateral Movement → Impair Process Control → Impact is the classic ICS kill chain; gaps tell you where this network is not currently exposed.
Figure 4.16: Mapping strategies and their confidence. Finding-type mappings rest on direct observation; device-type mappings are inferred.
Package the scan as a standards-compliant STIX 2.1 bundle — identity, observed-data, vulnerability, attack-pattern and relationship objects, plus a report — ready for an ISAC, a SIEM, or CRA / NIST CSF evidence.
// bundle preview will appear here
Figure 4.17: STIX 2.1 bundle structure — identities, collected data, vulnerabilities, attack patterns, relationships, and a report object as one shareable artifact.
This is the "and more." HYDRA extends six factors to eight by pulling in Q (quantum exposure, Ch.7) and D (deception intelligence, Ch.10), then optionally blends a topology-aware GNN estimate (70% GNN / 30% rule) so structurally similar devices get similar scores.
BRS_HYDRA = .18V+.18E+.15R+.14P+.05S+.05Q+.05D − .20C
HYDRA normalizes streams and applies a 70/30 exponential moving average against history, so the score evolves across scans rather than resetting.
Figure 4.18–4.20: HYDRA formula, EMA blending, and the GAT-based GNN architecture that learns from five heterogeneous edge types.
10·(1 − cross-subnet device-edge ratio). Low score → prioritise segmentation projects over per-device patching. Toggle "Segment OT devices" above to watch it climb.
Figure 4.21–4.22: Compromising a high-connectivity gateway exposes far more of the network than an isolated sensor — blast radius highlighted in orange on the graph.
Given a device's current BRS, HYDRA projects forward with logistic growth — slow, then accelerating as unpatched vulns age, then saturating. A "patching window" is flagged when projected BRS crosses the high band within 90 days.
Figure 4.19: Bounded logistic forecast over 365 days. The dashed line is the High (7.0) threshold; the marker is the projected crossing.
ROE — Rules of Engagement. Active analysis permitted on 172.30.0.0/24 except 172.30.0.40 (Alaris infusion pump — policy-blocked). The pump appears in the graph and risk model as ROE-blocked: it is scored for context but never probed, and any path that would require touching it is reported as method.not_run, not method.negative.
Attack-graph analytics is read-only by construction — it reasons over already-collected scan data. The destructive surface (what-if simulation) operates on a graph clone and never mutates the live model, mirroring the plan/approve/execute safety gate that Chapter 12 formalises.