RayveLabs — teaching demo Labs · Chapter 4 — Attack Graph Analytics & Risk Scoring
SEAS-8414 · Phase 4 · 24 features

From findings to an attack graph, a risk score, and a sharable threat bundle.

Lab 3 told us what is broken on the network. Chapter 4 asks the operational question: what does it mean in context? This demo turns the same SEAS-8414 scan into a directed attack graph, finds the cheapest attacker paths, computes the Breakwater Risk Score with SHAP-style attribution, maps findings to MITRE ATT&CK ICS, simulates remediations, and exports a STIX 2.1 bundle — then goes further with the cross-phase HYDRA score, GNN augmentation, and a risk-timeline forecast.

Demo built by RayveLabs to illustrate Dr. Mallarapu's SEAS-8414 Chapter 4, continuing the same teaching network as Lab 3 (172.30.0.0/24; Hikvision camera, OT gateway, PLC/HMI, medical-device ROE block). Original course material © Dr. Mallarapu / The George Washington University. Synthetic network, real CVE / ATT&CK data.

4.1

Analytics context — moving from detective to predictive

Discovery (Ch.1) is descriptive, enrichment (Ch.2) is diagnostic, vulnerability assessment (Ch.3) is detective. Attack-graph analytics is the first predictive phase: it reasons about how an attacker would move and which device matters most, not just which CVE scores highest.

Figure 4.1: Live scan summary for the Lab 3 → Lab 4 teaching network. Stats recompute as you apply remediations below.

4.2

Attack graph construction

Five node types (device, service, subnet, entry point, physical process) and eight edge types whose weights encode attacker effort — lower weight = easier traversal. Click any device to drive the risk panels below.

Edge weights · Table 4.3

Selected: — click a node —
edge typeweightmeaning
shares_credentials0.1trivial lateral movement
exploitable_via0.1–0.4known CVE (by severity)
same_firmware0.4one exploit chains to both
same_subnet0.5L2 / ARP adjacency
runs_service0.7exposed attack surface
communicates_with0.7observed comms
controls_process0.8physical-process target
can_reach1.0L3 routed reachability
entry point device (IT) camera / NVR OT / PLC / SCADA medical (ROE-blocked) physical process

Figure 4.2–4.5: Directed attack graph built from scan results. Edges drawn between devices reflect credential reuse, shared firmware, subnet adjacency and routed reachability from the entry point.

4.3

Attack path analysis — Yen's K-shortest paths

The cheapest weighted path from an entry point to a high-value target is the route an attacker is most likely to take. Path cost maps to an ordinal probability and a rough time-to-traverse estimate.

Compute attack paths

Path is highlighted in red on the graph above.

Ranked paths

#routecostprob~time

Figure 4.6–4.9: Yen's k-shortest-paths over the weighted graph. Probability is a reciprocal-of-cost ordinal ranking (planning evidence, not a calibrated field probability); time is a weight-scaled estimate.

4.4

Breakwater Risk Score

CVSS scores a CVE in isolation; BRS scores a device in its operational context: BRS = 0.20·V + 0.20·E + 0.20·R + 0.15·P + 0.05·S − 0.20·C, clamped to 0–10. Pick a device, then move the factor sliders to see the score and rating band react live.

Device factors

Score

Vulnerability surface (V)
Exploitability (E)
Reachability (R)
Physical consequence (P)
Supply chain (S)
Compensating controls (C)

Figure 4.10–4.12: BRS decomposition and rating thresholds. Try the camera vs. thermostat lesson — the device with the lower CVSS often carries the higher BRS once reachability and physical consequence are included.

4.4.4

SHAP-style factor attribution

A score is only actionable if you can see why. Each bar is a factor's contribution (weight × score); positives raise risk, the compensating-controls bar pulls it back down. The longest movable bar is usually your highest-leverage fix.

BRS waterfall —

Figure 4.13: SHAP-style waterfall. Where reachability + low controls dominate, segmentation is the lever; where V + E dominate, patch.

4.6

Threat intelligence integration

External feeds (CISA KEV, abuse.ch, STIX/TAXII) are correlated against scan findings. A KEV match pins exploitability to confirmed in-the-wild activity and raises the device's E factor.

deviceCVECVSSfeed matcheffect on E

Figure (4.6): Indicator correlation. KEV entries score E=9.0; default credentials override to E=10.0 (no exploit development required).

4.7

What-if remediation simulation

Clone the graph, apply candidate remediations, re-score, and read the predicted ΔBRS before touching production. Efficiency ranks each action by risk reduced per cost unit.

Candidate actions · network-wide

Changes flow through every panel on the page (graph, BRS, paths, scores).

Predicted impact

Mean BRS — baseline
Mean BRS — simulated
ΔBRS (network)
Total cost
Efficiency (Δ / cost)

Figure 4.14–4.15: What-if pipeline + remediation efficiency. The highest-yield action is not always the most expensive — credential rotation is cheap and often moves the needle most.

4.8

MITRE ATT&CK ICS mapping

A CVE says what is broken; ATT&CK says how an adversary uses it. Findings map to techniques three ways — finding-type (conf 0.8–1.0), CWE-based (0.7), device-type (0.5) — and aggregate into tactic coverage.

Technique mappings

devicetechniquetacticviaconf

Tactic coverage · Table 4.10

Coverage spanning Initial Access → Lateral Movement → Impair Process Control → Impact is the classic ICS kill chain; gaps tell you where this network is not currently exposed.

Figure 4.16: Mapping strategies and their confidence. Finding-type mappings rest on direct observation; device-type mappings are inferred.

4.9

STIX 2.1 export

Package the scan as a standards-compliant STIX 2.1 bundle — identity, observed-data, vulnerability, attack-pattern and relationship objects, plus a report — ready for an ISAC, a SIEM, or CRA / NIST CSF evidence.

// bundle preview will appear here

Figure 4.17: STIX 2.1 bundle structure — identities, collected data, vulnerabilities, attack patterns, relationships, and a report object as one shareable artifact.

4.10

Beyond Chapter 4 — HYDRA cross-phase score + GNN

This is the "and more." HYDRA extends six factors to eight by pulling in Q (quantum exposure, Ch.7) and D (deception intelligence, Ch.10), then optionally blends a topology-aware GNN estimate (70% GNN / 30% rule) so structurally similar devices get similar scores.

Cross-phase inputs —

BRS_HYDRA = .18V+.18E+.15R+.14P+.05S+.05Q+.05D − .20C

HYDRA score

Rule-based BRS
+ Q / D streams
GNN-blended
BRS_HYDRA

HYDRA normalizes streams and applies a 70/30 exponential moving average against history, so the score evolves across scans rather than resetting.

Figure 4.18–4.20: HYDRA formula, EMA blending, and the GAT-based GNN architecture that learns from five heterogeneous edge types.

4.11–4.12

Segmentation score & blast radius

Network segmentation score

10·(1 − cross-subnet device-edge ratio). Low score → prioritise segmentation projects over per-device patching. Toggle "Segment OT devices" above to watch it climb.

Blast radius · descendants()

devices reachable downstream

Figure 4.21–4.22: Compromising a high-connectivity gateway exposes far more of the network than an isolated sensor — blast radius highlighted in orange on the graph.

4.13

Risk timeline & trend forecast

Given a device's current BRS, HYDRA projects forward with logistic growth — slow, then accelerating as unpatched vulns age, then saturating. A "patching window" is flagged when projected BRS crosses the high band within 90 days.

Figure 4.19: Bounded logistic forecast over 365 days. The dashed line is the High (7.0) threshold; the marker is the projected crossing.

4.16

Safety posture & rules of engagement

ROE — Rules of Engagement. Active analysis permitted on 172.30.0.0/24 except 172.30.0.40 (Alaris infusion pump — policy-blocked). The pump appears in the graph and risk model as ROE-blocked: it is scored for context but never probed, and any path that would require touching it is reported as method.not_run, not method.negative.

Attack-graph analytics is read-only by construction — it reasons over already-collected scan data. The destructive surface (what-if simulation) operates on a graph clone and never mutates the live model, mirroring the plan/approve/execute safety gate that Chapter 12 formalises.

devices scored
1
ROE-blocked (not probed)
clone
simulation isolation
read-only
graph analytics mode