Many IT security professionals simply do not understand "threat modeling", or how an attack on component A can ultimately affect components B, C and D. This example-based (and very, very high-level) talk hopes to get you interested in threat modeling and in understanding how things are connected, in order to give you a chance to build your defenses.
4. What is threat modeling?
“Threat modeling is a procedure for optimizing security by identifying objectives
and vulnerabilities, and then defining countermeasures to prevent, or mitigate
the effects of, threats to the system.”
-- http://searchsecurity.techtarget.com/definition/threat-modeling
5. What is threat modeling?
What is this asset?
What are all the ways that it can be attacked?
…how can I effectively protect it from exploit?
…and if it gets successfully exploited, what does that mean?
…and how does it affect these other assets?
6. Why learn threat modeling?
In order to enact effective strategies to protect the most critical assets and
systems, we first need to understand how they will be potentially abused, or
attacked.
If you cannot understand a system, you cannot defend it.
7. The Problem
Poor visibility
• Where are logically and physically critical processes, data, and systems?
• How are critical systems, networks, and applications connected?
7 Enterprise Security – HP Confidential
8. The Problem
Limited insight
• What is the difference between a legitimate transaction and an attack … or fraud?
• How does an event in one system impact others?
9. Benefits of Threat Modeling
• Gain understanding of the real attack surface of enterprise assets
• Identify inter-connectedness of systems, applications, etc.
• Plot attack scenarios based on probability, impact, connectedness
• Gain comprehensive understanding of real exploit impact
11. When to Use Threat Modeling
• designing a threat mitigation for a system, application, or asset
• desire to understand how a compromised component can impact others
• security testing a component with limited time
• demonstrating inter-dependence of various enterprise components
• comprehending failure modes and risk scoring
12. Approaches to Threat Modeling
• Attacker-centric
– Start with attacker, evaluate their goals, methods and means
– Completely centered around the 'actor' in the attack
• System-centric
– Start with a system, architecture, or software and define ways in which it can be attacked
– Build out system (or software, etc) map then define exposures, ways to attack system
• Asset-centric
– Start with assets entrusted to a system such as data
– Understand how assets relate to a system, move within a system
Source: Wikipedia[1]
13. High Level Threat Modeling Steps
1. Understand the target
2. Model the target
3. Identify threats to the target
4. Determine exploit impact
5. Perform risk-based scoring
6. Determine counter-measures, re-model
14. The Basic Threat Model
Threat: the attack agent or potential risk
Vector: the method of the attack
Target: the system or asset under attack
15. 3 Things to Remember
Things you must remember when threat modeling
1. Spend enough time understanding your target
– Be thorough in evaluating the target's requirements and goals
– Evaluate how your target is connected to other potential pieces
2. Don't miss relationships
– Systems, applications, threats all have relationships which may be relevant
– Follow processes, data flows, to their logical 'dead end'
3. Dig deep into the details
– The more details present the more complete, accurate the threat model is
– Balance completeness vs. getting lost in the details
17. Important Preparation
Select the appropriate approach

Attacker-Centric
Ideal for:
• understanding an attacker
• setting up a penetration test
• when the threat actor is known
Strengths:
• motivations often drive attack strategy at all levels
Weaknesses:
• often impossible to fully understand the attacker

System-Centric
Ideal for:
• modeling a complex system
• modeling applications
• attacking business processes
Strengths:
• ability to see complex relationships in the system
Weaknesses:
• requires a tremendous amount of effort

Asset-Centric
Ideal for:
• defending specific assets
• assessing public systems with private data
Strengths:
• focuses on the most basic component, the asset
Weaknesses:
• potential to miss system-level mitigations, defenses
18. Practical: Building a Threat Model
• Building a threat model against an enterprise application
• Taking the most appropriate approach for the requirement
• Start with basic information, build knowledge
• Utilize failure mode analysis, risk scoring
• Derive weaknesses in system, create defensive strategy
19. Understanding the Target
Component: "External" web interface (External App)
• Exposed to the Internet
• Written in Flash
• Mixed content
• SSL required
Component: "Internal" customer representative interface
• Protected content
• Written in Java
• Accesses multiple customers' data
Component: Mobile application (Mobile App)
• Mixed content
• iOS and Android OS
• Encrypted HTTPS
Component: Automated API for 3rd party access (3rd Party API)
• REST-based API
• Accesses basic sensitive information
• Certificate-based access
20. Model the Target – Iteration 1
[Diagram: component map, iteration 1, split by a trust boundary labelled UNTRUSTED / TRUSTED. Components shown: web browser with JavaScript and Adobe Flash (external web interface); web browser with a Java applet (internal customer representative interface); Webkit/Safari with JavaScript on iOS (mobile application); 3rd party web service over REST; WebSphere app server; MS SQL Server; MS MQ.]
21. Model the Target – Iteration 2
[Diagram: component map, iteration 2, same UNTRUSTED / TRUSTED split. Adds to iteration 1: Google Gears in the external user's browser, Oracle, mySQL, and a component labelled CSR next to the REST 3rd party web service.]
22. Model the Target – Iteration 3
[Diagram: component map, iteration 3, same UNTRUSTED / TRUSTED split. Adds to iteration 2: three SQLite local databases on the client side (next to the Gears-enabled browser, the applet browser and the Webkit/Safari iOS client).]
23. Identify Threats to the Target
[Diagram: the iteration-3 component map with numbered attack points marked on it]
1. Attack local database of external user
2. Attack Flash client of external user
3. Attack main application db through SQL injection
4. Attack secondary application db through SQL injection
5. …
24. Identify Threats to the Target
Item  Attack Description                                             Effectiveness  Difficulty
1     Attack local cache/database of external user                   Medium         High
2     Exploit Flash client of external user                          High           Medium
3     Attack main application database through SQL injection         High           Low
4     Attack secondary application database through SQL injection    High           Low
5     …                                                              …              …
25. Determine Exploit Impact
[Diagram: the iteration-3 component map with attack point 4 (the secondary application database) highlighted]
Focus on one attack at a time.
If #4 is successful (penetrate secondary database), what can the exploit impact be?
26. Determine Exploit Impact
[Diagram: the same map, attack point 4 highlighted, with the relationships leading away from the secondary database traced]
Relationships help us visualize the impact of a successful exploit on any given component.
27. Perform Risk-Based Scoring
Score each threat scenario based on
– Criticality
– Likelihood
– Difficulty
– Impact
Create a matrix called a “Failure Mode Analysis”
– Assign numerical values to modifiers for analysis
– Compute mathematical risk impact for objective analysis
29. Determine Counter-Measures
Mathematical, objective analysis will determine countermeasures
The most critical failure modes aren't always obvious
The most critical failure modes aren't always the most complex or difficult to protect
Counter-measures should be appropriate to the threat criticality
…after formulating counter-measures, re-run threat scenario to validate.
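The relationship-following of slides 25 and 26, the failure-mode matrix of slide 27 and the re-model step of slide 29, carried through in working code as an added example that is not part of the original talk. The component names and the four threat scenarios are taken from slides 19 to 24; the pivot edges between components, the per-asset values, the Low/Medium/High numeric mapping and the risk formula are assumptions made for illustration, since the talk's diagrams do not state them and the slides give no formula.

```python
from collections import deque
from typing import Dict, List, Set

# (trust zone, asset value 1..5) per component.  Names follow slides 19-22; values are ASSUMED.
ASSETS: Dict[str, tuple] = {
    "local_sqlite_cache":   ("untrusted", 1),  # Google Gears SQLite on the external user's PC
    "flash_client":         ("untrusted", 1),
    "ios_sqlite":           ("untrusted", 1),
    "ios_app":              ("untrusted", 1),
    "csr_applet":           ("untrusted", 2),  # customer representative Java applet
    "third_party_service":  ("untrusted", 1),
    "rest_api":             ("trusted", 3),
    "websphere_app_server": ("trusted", 4),
    "ms_mq":                ("trusted", 2),
    "ms_sql_server":        ("trusted", 5),    # main application database
    "oracle":               ("trusted", 4),
    "mysql":                ("trusted", 2),    # secondary application database
}

# Directed pivot edges, ASSUMED topology: compromising the key gives the attacker a
# position from which each listed component can be attacked next.
EDGES: Dict[str, List[str]] = {
    "local_sqlite_cache":   ["flash_client"],         # poisoned cache is loaded by the client
    "flash_client":         ["websphere_app_server"],
    "ios_sqlite":           ["ios_app"],
    "ios_app":              ["websphere_app_server"],
    "csr_applet":           ["websphere_app_server"],
    "third_party_service":  ["rest_api"],
    "rest_api":             ["websphere_app_server"],
    # an owned app server reaches every backend and serves hostile content to every client
    "websphere_app_server": ["ms_sql_server", "oracle", "mysql", "ms_mq",
                            "flash_client", "csr_applet", "ios_app", "rest_api"],
    "ms_mq":                ["websphere_app_server"],  # app server consumes queue messages
    "mysql":                ["ms_mq"],                 # ASSUMED: a batch job publishes rows to the queue
    "ms_sql_server":        [],  # modelled as dead ends; re-model if linked servers or
    "oracle":               [],  # xp_cmdshell-style features give them outbound reach
}

LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Slide 24 scenarios: (item, description, entry component, effectiveness, difficulty).
THREATS = [
    (1, "Attack local cache/database of external user", "local_sqlite_cache", "Medium", "High"),
    (2, "Exploit Flash client of external user", "flash_client", "High", "Medium"),
    (3, "Attack main application database through SQL injection", "ms_sql_server", "High", "Low"),
    (4, "Attack secondary application database through SQL injection", "mysql", "High", "Low"),
]


def blast_radius(entry: str, edges: Dict[str, List[str]] = EDGES) -> Set[str]:
    """Components reachable from a compromised entry point (entry itself excluded):
    follow the relationships to their logical dead end."""
    seen: Set[str] = set()
    queue = deque(edges.get(entry, []))
    while queue:
        node = queue.popleft()
        if node == entry or node in seen:
            continue
        seen.add(node)
        queue.extend(edges.get(node, []))
    return seen


def zone_crossings(entry: str, edges: Dict[str, List[str]] = EDGES) -> Set[str]:
    """Reachable components on the other side of the trust boundary from the entry point."""
    zone = ASSETS[entry][0]
    return {c for c in blast_radius(entry, edges) if ASSETS[c][0] != zone}


def score(entry: str, effectiveness: str, difficulty: str,
          edges: Dict[str, List[str]] = EDGES) -> Dict[str, float]:
    """One failure-mode row.  Impact is the summed value of everything in the blast
    radius; risk = likelihood * (criticality + impact) / difficulty is an ASSUMED formula."""
    criticality = ASSETS[entry][1]
    impact = sum(ASSETS[c][1] for c in blast_radius(entry, edges))
    likelihood, diff = LEVEL[effectiveness], LEVEL[difficulty]
    return {"criticality": criticality, "likelihood": likelihood, "difficulty": diff,
            "impact": impact, "risk": likelihood * (criticality + impact) / diff}


def failure_mode_matrix(edges: Dict[str, List[str]] = EDGES) -> List[dict]:
    """All scenarios scored, highest risk first."""
    rows = [{"item": i, "description": d, "entry": e, **score(e, eff, diff, edges)}
            for i, d, e, eff, diff in THREATS]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def remodel_without(src: str, dst: str) -> List[dict]:
    """Step 6: apply a counter-measure that removes one pivot edge, then re-score."""
    edges = {k: [v for v in vs if not (k == src and v == dst)] for k, vs in EDGES.items()}
    return failure_mode_matrix(edges)


if __name__ == "__main__":
    for r in failure_mode_matrix():
        print(f'#{r["item"]} risk={r["risk"]:5.1f} impact={r["impact"]:2d} '
              f'crosses boundary to {len(zone_crossings(r["entry"]))} components: {r["description"]}')
    print("after validating queue messages (mysql -> ms_mq cut):",
          [(r["item"], round(r["risk"], 1)) for r in remodel_without("mysql", "ms_mq")])
```

Under these assumptions scenario #4 (the "secondary" database) scores highest, above the obvious SQL injection into the main database (#3), purely because of what it can reach through the queue; cutting the assumed mysql-to-MQ pivot (for example by validating queue messages) drops it to the bottom of the matrix. Whether that ranking holds for a real system depends entirely on the edges you put in the model, which is why the scenario is re-run after every counter-measure.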
31. Prior work …
1. Wikipedia - http://en.wikipedia.org/wiki/Threat_model
2. OWASP “Threat Modeling” by Martin Knobloch - https://www.owasp.org/images/c/cf/OWASP-BeNeLux_2010_ThreatModeling.pdf
3. John Steven, Cigital (OWASP presentations, various works)