AGENDA
• Threat Modeling
• Term definitions
• Examples!
• Attack Trees, STRIDE, Security Cards
• Practical Threat Modeling

SERIOUS LIFE QUESTIONS
• What is the purpose of life?
• Shall I patch the vulnerability on my internal server?
• Can we keep the default admin password?
• What is the air-speed velocity of an unladen swallow?
• Can we keep the thermal exhaust port as it is now?
• What is the difference between living and existing?
• Is 42 a perfect number?
• Could sharks be a serious threat to my house?

THREAT MODELING THE MODERN TECH STACK
XKCD 2166: the modern tech stack
• compromised by a customer
• compromised by a former employee
• compromised by a current employee
• compromised by bitcoin miners
• compromised by unknown hackers
• compromised by our own government
• compromised by a foreign government
• massive undiscovered hardware vulnerability

TERM DEFINITIONS
Asset: An asset is what we're trying to protect.
Vulnerability: A weakness or gap in our protection efforts.
Threat: What we're trying to protect against.
Risk: Risk is the intersection of assets, threats, and vulnerabilities.

DEFINITION: THREAT MODELING
Threat modeling is a process by which potential threats can be identified, enumerated and prioritized, all from a hypothetical attacker's point of view. (aka "analyzing risky designs")

PRIMARY COMPONENTS
• Assets
• Personas/Attackers
  • Not just people, it could be other disasters as well
• Methods/Attack Vectors
• Impacts
• Likelihood
• Mitigation/Countermeasures
Credit: Threat Modeling the Death Star - Mario Areias; PyCon 2019

YOUR MISSION
Goal: The Death Star
Stakeholder: Galactic Empire
Project status
• Big, very big waterfall project
• 20 years in the making
• Way over budget
• Deadline missed many times
• Motivated leader with vision!
• Known terrible security of the past projects

PERSONAS
POTENTIAL ATTACKERS

RIGHT PEOPLE IN THE ROOM
LET'S DO SOME ANALYSIS!

ATTACK VECTORS
GOALS, METHODS

THREAT MODELING: ATTACK TREES
Goals
• Take control of Death Star
• Take Death Star out of action

Take Death Star out of action
• Disable Death Star
• Destroy Death Star

Disable Death Star
• Systems Failure
• Mechanical Failure

Systems Failure, Mechanical Failure
• Compromise Critical IT
• Overload critical infrastructure

Overload critical infrastructure

Privileged Access to internal Network

Destroy Reactor
• Shoot at Thermal Port
• Obtain Death Star Plans

MITIGATION STRATEGIES
MINIMIZE THE RISKS

PRIVILEGED ACCESS TO NETWORK
Impact: CRITICAL
Likelihood: MEDIUM
Mitigation strategies
• Better authentication / authorization
• Defense in Depth
• Pen Testing the Systems
-> Likelihood: LOW

MILITARY ATTACK
Impact: CRITICAL
Likelihood: HIGH
Mitigation strategies
• Incident Response procedures
• Star Destroyers "On Call"
• Monitor Rebellion Activities
-> Impact: HIGH, Likelihood: MEDIUM

SHOOT AT THERMAL PORT
Impact: CRITICAL
Likelihood: LOW
Mitigation strategies
• Move Death Star plans to Imperial Security complex.

JOB WELL DONE!
LET'S DEPLOY THAT THING

FORENSIC ANALYSIS
WHAT HAPPENED?

NEW PERSONA?
• Another Jedi in the story!
• Support from a Bounty Hunter!
• Princess Leia's brother!
• Son of a... your boss!

DESIGN FLAWS
• Insufficient design reviews!
• A vital flaw in design
• Introduced by an insider

THREAT MODEL EARLY AND OFTEN

LIST OF STANDARDIZED COMPONENTS

SECURITY THROUGH OBSCURITY
IS A TERRIBLE IDEA

THREAT MODELING EXAMPLES
Rob a bank? Steal a car?
Short-n-easy examples
• Threat modeling of movies/heroes (Batman)
• Physical security
Criminal Gang
• Other criminal gangs
• Police raids
• Killing a puppy

[Comic: a crypto nerd's view. "His laptop's encrypted. Let's build a million-dollar cluster to crack it." "No good! ... Blast! Our evil plan is foiled!" What would actually happen: "His laptop's encrypted. Drug him and hit him with this $5 wrench until he tells us the password."]

METHODOLOGIES
• Attack Trees
• STRIDE
• PASTA
• CVSS
• Security Cards
and plenty of others!

THREAT MODELING: STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

Spoofing: In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
Tampering: Tampering can refer to many forms of sabotage but the term is often used to mean intentional modification of products in a way that would make them harmful to the consumer.
Repudiation: In digital security, non-repudiation means a service that provides proof of the integrity and origin of data, or an authentication that can be said to be genuine with high confidence.
Information Disclosure: Information disclosure is the unwanted dissemination of data, technology, or privacy, legal and political issues surrounding them. It is a violation of data privacy or data protection. The challenge of data privacy is to use data
Denial of Service: A denial-of-service attack (DoS attack) is a cyber attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the
Elevation of Privilege: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

THREAT MODELING: STRIDE
• Provides a good methodology
• Various areas people could start with
• Tools available!
  • Microsoft Threat Modeling tool
  • OWASP Threat Dragon
• Adopted by Microsoft, GitHub,...

SECRETS IN A GIT REPOSITORY

Category: Information Disclosure
Threat: Credentials Theft
Description: An unauthorized person could get to the credentials; later on this could be used to alter potentially sensitive/vital information.
Mitigation: Least privilege principle; dynamic, generated credentials (if possible, with time-limited validity).

Category: Repudiation
Threat: Performing operations on someone else's behalf
Description: Sharing secrets makes non-repudiation impossible - there is always room for justified doubt about who could actually be the initiator of a potentially harmful action.
Mitigation: Least privilege, no shared secrets, strong authentication, good audit logs.

Category: Tampering
Threat: Rewriting a crucial secret.
Description: When a write permission on the secrets is also shared by a group of individuals, it's possible to harm services by rewriting the stored secret (either deliberately or by accident).
Mitigation: Secrets versioning, strict rules and least privilege.

THREAT MODELING: SECURITY CARDS
• Gamification of threat modeling!
• 4 different categories of cards ("dimensions")
  • Human Impact
  • Adversary's Motivation
  • Adversary's Resources
  • Adversary's Methods
• Interactive

[Card image: Adversary's Motivations. "... might the adversary use or abuse your ... for the purpose of convenience or gain access to a resource? What kind of individual or group might target your ... because it is more convenient than alternative, or because it is the only way to achieve their goal?"]

THREAT MODELING: SECURITY CARDS
• Custom cards possible
• Extensions:
  • Elevation of Privilege cards (Microsoft)
  • Elevation of Privacy cards (F-Secure)
  • Cornucopia (OWASP)

EOP VS CORNUCOPIA

PRACTICAL THREAT MODELING
THERE'S NOTHING MORE PRACTICAL THAN A GOOD THEORY!

HOW TO THREAT MODEL EFFICIENTLY
Security engineers threat model every story
• Delays!
Software engineers threat model every story
• Too much time spent on reviews.
• Teaming with Security
Software engineers assess risk on every story
• A questionnaire supporting their decisions
• "When a software engineer feels they must choose between doing security and doing engineering, you have lost the battle."

SECURITY QUESTIONNAIRE SAMPLE
• Does it deal with customer data?
• Does it communicate over network?
• Is this a critical component?
• Does your component require authentication?
• Does your project introduce or utilize a third-party library?
• Are you implementing or modifying any APIs?
• Does your project utilize a database via SQL?
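
An added example (not from the original slides): one way to turn the sample questionnaire into a per-story triage step that also lists which STRIDE categories to review. The question-to-STRIDE mapping, the escalation rule, the tier names and the identifiers `QUESTIONS`, `ESCALATE` and `triage` are assumptions for illustration; an unanswered question counts as "yes" so that skipping it cannot lower the tier.

```python
# Added example: per-story triage driven by the sample questionnaire.
# Assumptions (not from the slides): the question -> STRIDE mapping,
# the ESCALATE rule, and the three tier names.
QUESTIONS = {
    "customer_data": ("Does it deal with customer data?",
                      {"Information Disclosure", "Tampering"}),
    "network": ("Does it communicate over network?",
                {"Spoofing", "Tampering", "Information Disclosure", "Denial of Service"}),
    "critical": ("Is this a critical component?",
                 {"Denial of Service", "Elevation of Privilege"}),
    "authentication": ("Does your component require authentication?",
                       {"Spoofing", "Repudiation", "Elevation of Privilege"}),
    "third_party": ("Does your project introduce or utilize a third-party library?",
                    {"Tampering", "Elevation of Privilege"}),
    "api": ("Are you implementing or modifying any APIs?",
            {"Spoofing", "Tampering", "Information Disclosure"}),
    "sql": ("Does your project utilize a database via SQL?",
            {"Tampering", "Information Disclosure", "Elevation of Privilege"}),
}
ESCALATE = {"customer_data", "critical"}  # assumed: always needs a security engineer

def triage(answers):
    """answers maps question key -> True/False; a missing or None answer counts as yes."""
    unknown = sorted(set(answers) - set(QUESTIONS))
    if unknown:
        raise ValueError(f"unknown question keys: {unknown}")
    unanswered = [k for k in QUESTIONS if answers.get(k) is None]
    flagged = [k for k in QUESTIONS if answers.get(k) is not False]
    stride = sorted(set().union(*(QUESTIONS[k][1] for k in flagged)))
    if ESCALATE & set(flagged):
        tier = "full threat model with a security engineer"
    elif flagged:
        tier = "self-assessment by the software engineer"
    else:
        tier = "no security review"
    return {"tier": tier, "stride": stride, "unanswered": unanswered}

if __name__ == "__main__":
    no = dict.fromkeys(QUESTIONS, False)
    stories = {  # constructed sample stories
        "rename a CSS class": no,
        "new internal REST endpoint": {**no, "network": True, "api": True},
        "report query, data question skipped": {**no, "sql": True, "customer_data": None},
    }
    for name, answers in stories.items():
        result = triage(answers)
        print(f"{name}: {result['tier']}; review {result['stride'] or 'nothing'}")
        for key in result["unanswered"]:
            print(f"  unanswered, treated as yes: {QUESTIONS[key][0]}")
```
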

HOW TO THREAT MODEL EFFICIENTLY
What works
• Shifting left, like a boss
• Re-usable reviewed and assessed components
• Proper threat modeling and risk assessment for the critical ones
• Questionnaire to support the activity
• Security impact criteria
• Security Engineers teaming up with software engineers and developers
  • Mutual respect and understanding

RISK MITIGATION ACTIONS
Remove the threat
• e.g. by removing the respective functionality
Mitigate
• e.g. through standard practices like encryption
• "What cannot be mitigated could perhaps be monitored."
Accept
• be careful about "accepting" risk for your customers
Transfer
• e.g. via license agreements or terms of service

YOUR THREAT MODEL IS NOT MY THREAT MODEL
thaddeus e. grugq @thegrugq: "Your threat model is not my threat model."
9:42 AM · May 15, 2017 · Tweetbot for iOS

SERIOUS LIFE QUESTIONS
• Shall I patch the vulnerability on my internal server?
• Can we keep the default admin password?
• Can we keep the thermal exhaust port as it is now?
• Could sharks be a serious threat to my house?

QUESTIONS?

NOTES
• Agile Threat Modeling: https://martinfowler.com/articles/agile-threat-modelling.html
• AppSec at scale: https://r2c.dev/blog/2021/appsec-development-keeping-it-all-together-at-scale/?s=09