Agenda
–What is threat modeling?
–A simple approach to threat modeling
–Top 10 lessons
What is threat modeling?
A SIMPLE APPROACH TO
THREAT MODELING
4 Questions
• What are you working on?
• What can go wrong?
• What are you going to do about it?
• Did you do an acceptable job at 1-3?
[Diagram: Customer, Web App, Our App, DB; Content creation]
What are you working on?
• nmap
• tcpdump
• lsof
• strace/dtrace
• All help you create a model of the system being pentested
• Either with or without a copy of their threat model
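The tools above give you sockets, processes and packets, not a diagram. As an added example (not code from the talk), the script below takes `lsof -i -P -n` output and turns it into the elements you would draw in a data flow diagram: processes (with the user they run as), external entities (remote peers) and data flows. The lsof lines are constructed sample input in lsof's real column layout; the hosts, ports and process names are made up for the example.

```python
"""Turn `lsof -i -P -n` output into data flow diagram elements.

Added example for this page, not from the talk. Loopback connections between
two local processes become internal flows; anything else becomes a flow to or
from an external entity. Sample input below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in lsof's real column layout (hosts/ports are made up).
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx    1234     root    6u  IPv4  20001      0t0  TCP *:443 (LISTEN)
nginx    1234     root    9u  IPv4  20002      0t0  TCP 10.0.0.5:443->203.0.113.7:51234 (ESTABLISHED)
python3  3456      app   12u  IPv4  20003      0t0  TCP 127.0.0.1:8000 (LISTEN)
nginx    1234     root   11u  IPv4  20004      0t0  TCP 127.0.0.1:45100->127.0.0.1:8000 (ESTABLISHED)
postgres 2345 postgres    5u  IPv4  20005      0t0  TCP 127.0.0.1:5432 (LISTEN)
python3  3456      app   14u  IPv4  20006      0t0  TCP 127.0.0.1:45200->127.0.0.1:5432 (ESTABLISHED)
python3  3456      app   15u  IPv4  20007      0t0  TCP 10.0.0.5:45300->198.51.100.9:443 (ESTABLISHED)
"""

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


@dataclass
class Model:
    processes: dict = field(default_factory=dict)  # "cmd:pid" -> user (useful for EoP questions)
    listeners: dict = field(default_factory=dict)  # local port -> "cmd:pid"
    flows: list = field(default_factory=list)      # (source, destination, "proto/port")
    external: set = field(default_factory=set)     # remote hosts = external entities


def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("::1", "localhost")


def parse_lsof(text: str) -> Model:
    model = Model()
    conns = []
    for line in text.splitlines():
        hit = LINE_RE.match(line)
        if not hit:
            continue  # header line or a row that is not a TCP/UDP socket
        proc = f"{hit['cmd']}:{hit['pid']}"
        model.processes[proc] = hit["user"]
        if hit["state"] == "LISTEN":
            port = int(hit["name"].rsplit(":", 1)[1])
            model.listeners[port] = proc
        elif "->" in hit["name"]:
            local, remote = hit["name"].split("->")
            lport = int(local.rsplit(":", 1)[1])
            rhost, rport = remote.rsplit(":", 1)
            conns.append((proc, lport, rhost, int(rport), hit["proto"]))
    # Second pass: listeners are now known, so each connection can be given a direction.
    for proc, lport, rhost, rport, proto in conns:
        if model.listeners.get(lport) == proc:
            # Inbound: this process accepted the socket on one of its listening ports.
            if _is_loopback(rhost):
                continue  # the local client side of this socket records the flow itself
            model.external.add(rhost)
            model.flows.append((f"external:{rhost}", proc, f"{proto}/{lport}"))
        elif _is_loopback(rhost) and rport in model.listeners:
            # Outbound to another local listener: an internal flow between two processes.
            model.flows.append((proc, model.listeners[rport], f"{proto}/{rport}"))
        else:
            model.external.add(rhost)
            model.flows.append((proc, f"external:{rhost}", f"{proto}/{rport}"))
    return model


if __name__ == "__main__":
    m = parse_lsof(SAMPLE_LSOF)
    for src, dst, label in m.flows:
        print(f"{src} -> {dst} [{label}]")
```

Run it against real output with `lsof -i -P -n | python3 thisfile.py` after swapping `SAMPLE_LSOF` for `sys.stdin.read()`; the result is a starting inventory of processes and flows, not a finished diagram, and trust boundaries still have to be drawn by hand.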
What are you working on? Data Flow Diagram example
What are you deploying? Network example
What Can Go Wrong? Remember STRIDE
• Spoofing (photo by Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532)
• Tampering (photo: http://pinlac.com/LegoDSTractorBeam.html)
• Repudiation (photo by Seb H, http://www.flickr.com/photos/88048956@N04/8531040850/)
• Information Disclosure, and its impact (photo by Simon Liu, http://www.flickr.com/photos/si-mocs/6999508124/)
• Denial of Service (model by Nathan Sawaya, http://brickartist.com/gallery/han-solo-in-carbonite/)
• Elevation of Privilege (photo: http://www.flickr.com/photos/prodiffusion/)
What can go wrong? Kill Chains
• Reconnaissance: harvesting email addresses, conference information, etc.
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: exploiting a vulnerability to execute code on victim's system
• Installation: installing malware on the asset
• Command & Control (C2): command channel for remote manipulation of victim
• Actions on Objectives: with "Hands on Keyboard" access, intruders accomplish their original goal
From/see also Sean Malone, Extended Cyber Kill Chain, BlackHat 2016
4 Questions
1. What are you working on?
2. What can go wrong?
3. What are you going to do about it?
4. Did you do an acceptable job at 1-3?
What Are You Going To Do About It? (sw eng edition)
Threat | Property | Mitigation approach
Spoofing | Authentication | Passwords, multi-factor authN; digital signatures
Tampering | Integrity | Permissions/ACLs; digital signatures
Repudiation | Non-Repudiation | Secure logging and auditing; digital signatures
Information Disclosure | Confidentiality | Encryption; permissions/ACLs
Denial of Service | Availability | Permissions/ACLs; filtering; quotas
Elevation of Privilege | Authorization | Permissions/ACLs; input validation
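Two rows of that table, Tampering/Integrity and Repudiation/Non-Repudiation, both point at "secure logging" and some form of keyed integrity check. As an added example (not from the talk), the code below keeps an audit log in which every entry carries a MAC and the hash of the entry before it, so that an edited, deleted or reordered record is detected on verification. The key and the three audit events are constructed for the example. One caveat a reviewer should raise: an HMAC key is shared, so it proves the log was not altered by anyone without the key, not which key holder wrote an entry; for real non-repudiation the MAC would be replaced by an asymmetric signature (the table's "digital signatures"), and the head hash must be anchored somewhere the log writer cannot reach or a truncated tail still verifies.

```python
"""Tamper-evident audit log: hash chaining plus a keyed MAC per entry.

Added example for this page, not the talk's code. Key and events are
constructed sample data; in practice the key lives in a KMS or HSM.
"""
import hashlib
import hmac
import json

LOG_KEY = b"example-log-key-do-not-use"   # constructed; never hard-code a real key
GENESIS = "0" * 64                       # "previous hash" of the first entry


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the MAC covers exactly the bytes verified later.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, event: dict, key: bytes = LOG_KEY) -> dict:
    """Append an event, chaining it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = LOG_KEY) -> tuple:
    """Return (ok, reason). Detects edited, reordered and deleted entries."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence gap (seq={entry.get('seq')})"
        if entry.get("prev") != prev:
            return False, f"entry {i}: broken chain"
        body = {k: entry[k] for k in ("seq", "prev", "event")}
        expect = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, entry.get("mac", "")):
            return False, f"entry {i}: bad MAC (record altered or key mismatch)"
        unhashed = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canonical(unhashed)).hexdigest() != entry["hash"]:
            return False, f"entry {i}: hash mismatch"
        prev = entry["hash"]
    return True, "ok"


def head_hash(log: list) -> str:
    """Record this value out of band (another system, a signed timestamp);
    without that anchor, cutting entries off the end is not detectable."""
    return log[-1]["hash"] if log else GENESIS


def build_sample_log() -> list:
    """Constructed sample: three audit events appended in order."""
    log = []
    for event in ({"user": "alice", "action": "login", "src": "203.0.113.7"},
                  {"user": "alice", "action": "export", "rows": 1200},
                  {"user": "bob", "action": "login", "src": "198.51.100.9"}):
        append_entry(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_log(log), head_hash(log))
    log[1]["event"]["rows"] = 12           # an insider shrinks the export count
    print(verify_log(log))                 # -> (False, 'entry 1: bad MAC ...')
```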
What Are You Going To Do About It? (pentest edition)
Threat | Property | Testing approach
Spoofing | Authentication | THC Hydra; SSLSpoof
Tampering | Integrity | Burp; emacs
Repudiation | Non-Repudiation | (Unclear if this applies in a CTF)
Information Disclosure | Confidentiality | tcpdump/Wireshark
Denial of Service | Availability | HULK; PyLoris
Elevation of Privilege | Authorization | Metasploit; fuzzers
What Are You Going To Do? (OWASP edition)
OWASP Top 10 | STRIDE | Look when threat modeling?
Injection | Tampering | Yes
Broken Auth/Session Management | Spoofing (initial, ongoing) | Yes
XSS | Tampering/EoP | Maybe
Insecure Direct Object Refs | EoP | Yes
Security Misconfiguration | ? | Probably not
Sensitive Data Exposure | Info Disclosure | Maybe
Missing Function Level Access Control | EoP | Probably not
CSRF | Spoofing | Probably not
Known Vulnerabilities | No good map | No
Redirects & Forwards | ? | Maybe
What are you going to do? CCM Edition
What are you going to do? Portfolio Management
• See my RSA talk "Security Leadership Lessons From The Dark Side", link: adam.shostack.org
[Figure: Acme Data Center control portfolio. Columns: Identify (8%), Protect (39%), Detect (45%), Respond (8%), Recover (0). Rows, with the per-cell counts as extracted: Devices (34%): 3, 14, 12, 5; Apps (22%): 2, 5, 15; Data (3%): 3; Network (30%): 15, 15; People (11%): 3, 5, 3]
Top Ten Lessons
Trap #1: "Search your feelings!"
• Trap: "Think Like An Attacker"
• Fix: Serious work is helped by structure
Trap #2: "You're Never Done Threat Modeling"
• The cycle: Model, Identify Threats, Mitigate, Validate, and around again
Trap #3: "The Way To Threat Model Is..."
• Trap: Too much focus on specifics of how
– Use this framework (STRIDE)
– With this diagram type
• Fix: Focus on helping people find good threats
• Fix: Focus on different skills, systems
– Developers, operations, security, etc.
Trap #3: Monolithic Processes
• Trap: A single Model, Identify Threats, Mitigate, Validate cycle owned by security mavens
• Fix: A Model, Identify Threats, Address Threats, Validate cycle that experts in other areas (e.g. privacy) plug into
Trap #4: Threat Modeling as One Skill
• Trap: "I should learn to threat model"
• Fix: Think of techniques & repertoire
– Technique: DFDs, STRIDE, Attack trees
– Repertoire:
– Tools: SSLSpoof, Firesheep
– Books: Mitnick, Cuckoo's Egg
– All used to analogize & reason about new systems
Trap #5: "Threat Modeling is Easy"
• Trap: Thinking your first threat model will be easy
• Fix: Metaphor: musical instrument...
– Understand that learning depends on easy tunes
– Accept not everyone wants to be a virtuoso
"We've got to give them more time!"
Trap #6: Threat Modeling is for Specialists
• Trap: Thinking TM is for specialists
• Fix: Make it like version control:
– Every developer, most sysadmins know some
– Some orgs have full time people managing trees
– This is a stretch goal for threat modeling
Trap #7: The Wrong Focus
• Trap: Start from your assets; start by thinking about your attackers
• Fix: Threat modeling should focus on finding threats
– Remember trap #3: "The Way to threat model is..."
– Starting from assets or attackers works for some people
Trap #8: Not Having a Rebel Alliance
• Trap: Cost & feasibility of fixes changes along the supply chain
– Some threats are "easy" for a supplier to fix (OS behavior)
– Some threats are "easy" for a developer to fix (add logging)
– Some threats are "easy" for operations to fix (look at the logs)
• Fix: Think about an alliance along your supply chain
– Rebellions are built on "hope" (threat modeling):
– Security Operations Guide
– Non-requirements
Trap #9: Laser-Like Focus on Threats
• Fix: Consider the interplay of attacks, mitigations and requirements
– Requirements drive threats; threats drive requirements
– Threats need mitigation; mitigations can be bypassed
– No mitigation? Simplify requirements
Trap #10: Threat Modeling at the Wrong Time
"Sir, we've analyzed their attack pattern, and there is a danger"
Summary
• Anyone can threat model, and everyone should…soon!
• The skills, techniques and repertoire can all be learned
• There are many traps
• Threat modeling is the way to
– Drive security through your product, service or system
– (Or demonstrate that it didn’t happen)
– Engage with leadership about security
"All models are wrong, some models are useful" (George Box)
Call to Action
• Remember the 4 questions
• Be proactive
– Find security issues early
– Fix them before they’re exploited
• Go threat model something!
• Drive threat modeling for your org
Questions?
Learning more:
• Threatmodelingbook.com site & book
• adam.shostack.org/blog/category/threat-modeling/
• This talk, linked from the Threatmodelingbook.com resources page: https://youtu.be/-2zvfevLnp4
• The book!
• Adam helps lots of organizations; get in touch!
Email: [email protected] / +1 917-391-2168
Thank you!
• Star Wars: Episodes IV-VI
• Great Creative Commons Lego brick art:
– Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532
– http://pinlac.com/LegoDSTractorBeam.html
– Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
– Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/
– Kaitan Tylerguy http://www.flickr.com/photos/kaitan/3326772088/
– Nathan Sawaya, http://brickartist.com/gallery/han-solo-in-carbonite/
– http://www.flickr.com/photos/prodiffusion/
BACKUP
Resources: Additional Books
• The Checklist Manifesto, Atul Gawande
• Thinking Fast & Slow, Daniel Kahneman
• The Cuckoo's Egg, Cliff Stoll
• Ghost in the Wires, Kevin Mitnick
• Understanding Privacy, Dan Solove
• Privacy in Context, Helen Nissenbaum
Threat Modeling: Designing For Security
Part I: Getting Started
1. Dive in and threat model
2. Strategies for threat modeling
Part II: Finding Threats
3. STRIDE
4. Attack Trees
5. Attack Libraries
6. Privacy Tools
Part III: Managing and Addressing Threats
7. Processing and managing threats
8. Defensive Building Blocks
9. Tradeoffs when addressing threats
10. Validating threats are addressed
11. Threat modeling tools
Part IV: Threat modeling in technologies and tricky areas
12. Requirements cookbook
13. Web and cloud threats
14. Accounts and Identity
15. Human Factors and Usability
16. Threats to cryptosystems
Part V: Taking it to the next level
17. Bringing threat modeling to your organization
18. Experimental approaches
19. Architecting for success
Appendices: Helpful tools, Threat trees, Attacker Lists, Elevation of Privilege (the cards), Case studies
Different Threats Affect Each Element Type
Element | S | T | R | I | D | E
External Entity | x | | x | | |
Process | x | x | x | x | x | x
Data Flow | | x | | x | x |
Data Store | | x | ? | x | x |
(? = repudiation applies to a data store when it holds logs or audit records)
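This chart is the mechanical half of "What Can Go Wrong? Remember STRIDE": walk every element of the diagram and ask only the STRIDE questions that apply to its type. As an added example (not from the talk or the book), the code below does that walk over a model of the diagram the talk sketches (Customer, Web App, Our App, DB), resolves the data-store "?" by asking whether the store holds logs, and then answers question 4 ("did you do an acceptable job?") in its simplest form: which enumerated threats have no recorded mitigation. The element list, the extra "Audit log" store and the mitigation entries are constructed for the example.

```python
"""STRIDE-per-element over a small data flow diagram, plus a coverage check.

Added example for this page, not the talk's or the book's code. The MODEL and
MITIGATIONS below are constructed; the per-element chart is the one on the
slide, with the data-store '?' resolved by the holds_logs flag.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Letters that apply to each element type; data stores gain R when they hold logs.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # a key of APPLICABLE
    holds_logs: bool = False  # meaningful for data stores only


def stride_letters(el: Element) -> str:
    letters = APPLICABLE[el.kind]
    if el.kind == "data_store" and el.holds_logs:
        letters += "R"        # the '?' cell: a log store can be repudiated against
    return letters


def enumerate_threats(elements):
    """One (element name, letter, threat) triple per applicable STRIDE category."""
    return [(el.name, c, STRIDE[c]) for el in elements for c in stride_letters(el)]


def unaddressed(elements, mitigations):
    """Question 4 in its simplest form: enumerated threats with no mitigation recorded.
    mitigations maps (element name, letter) -> what you are going to do about it."""
    return [t for t in enumerate_threats(elements) if (t[0], t[1]) not in mitigations]


# Constructed model of the talk's sketch: Customer -> Web App -> Our App -> DB,
# plus an audit log store so the '?' rule has something to act on.
MODEL = [
    Element("Customer", "external_entity"),
    Element("Web App", "process"),
    Element("Our App", "process"),
    Element("Customer -> Web App", "data_flow"),
    Element("Web App -> Our App", "data_flow"),
    Element("Our App -> DB", "data_flow"),
    Element("DB", "data_store"),
    Element("Audit log", "data_store", holds_logs=True),
]

# Constructed mitigations, in the vocabulary of the "sw eng edition" table.
MITIGATIONS = {
    ("Customer", "S"): "passwords + multi-factor authN",
    ("Customer -> Web App", "I"): "TLS",
    ("Customer -> Web App", "T"): "TLS",
    ("DB", "T"): "permissions/ACLs",
    ("DB", "I"): "encryption at rest, ACLs",
    ("Audit log", "R"): "hash-chained, signed log entries",
}

if __name__ == "__main__":
    gaps = unaddressed(MODEL, MITIGATIONS)
    print(f"{len(enumerate_threats(MODEL))} threats enumerated, {len(gaps)} without a mitigation")
    for name, _, threat in gaps:
        print(f"  {name}: {threat}")
```

The output is deliberately a long list: the point of the per-element chart is to make sure no cell is skipped, and the point of the coverage check is that "we have TLS" closes two cells on one flow and nothing else. Deciding that a gap is acceptable (a risk you accept, or a non-requirement in the talk's terms) belongs in `MITIGATIONS` as an explicit entry, so the decision is recorded rather than silent.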
This isn’t the reputation you’re looking for…