Threat Modeling: Lessons from Star Wars
Adam Shostack · 2017-06-26 · adam@shostack.org


Page 1

Threat Modeling: Lessons from Star Wars

Adam Shostack, adam@shostack.org

Page 2

Agenda

–What is threat modeling?

–A simple approach to threat modeling

–Top 10 lessons

Page 3

What is threat modeling?

Page 4

A SIMPLE APPROACH TO THREAT MODELING

Page 5

4 Questions

• What are you working on?

• What can go wrong?

• What are you going to do about it?

• Did you do an acceptable job at 1-3?

Page 6

What are you working on?

[Diagram: a data flow diagram with Customer, Web App, DB and Content creation, and an “Our App” boundary]

Page 7

What are you working on?

• nmap

• tcpdump

• lsof

• strace/dtrace

• All help you create a model of the system being pentested

• Either with or without a copy of their threat model

Page 8

What Are You Working On?

Page 9

What are you working on? Data Flow Diagram example

Page 10

What are you deploying? Network example

Page 11

What Can Go Wrong? Remember STRIDE

Page 12

Spoofing

By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532

Page 13

Tampering

http://pinlac.com/LegoDSTractorBeam.html

Page 14

Repudiation

By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/

Page 15

Information Disclosure

Page 16

Information Disclosure (and impact)

Photo by Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/

Page 17

Denial of Service

Model by Nathan Sawaya http://brickartist.com/gallery/han-solo-in-carbonite/

Page 18

Elevation of Privilege

http://www.flickr.com/photos/prodiffusion/

Page 19

What Can Go Wrong? Remember STRIDE

Page 20

What can go wrong? Kill Chains

• Reconnaissance: Harvesting email addresses, conference information, etc.

• Weaponization: Coupling exploit with backdoor into deliverable payload

• Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.

• Exploitation: Exploiting a vulnerability to execute code on victim’s system

• Installation: Installing malware on the asset

• Command & Control (C2): Command channel for remote manipulation of victim

• Actions on Objectives: With “Hands on Keyboard” access, intruders accomplish their original goal

From/see also Sean Malone, Extended Cyber Kill Chain, BlackHat 2016

Page 21

4 Questions

1. What are you working on?

2. What can go wrong?

3. What are you going to do about it?

4. Did you do an acceptable job at 1-3?

Page 22

What Are You Going To Do About It? (sw eng edition)

Threat                  Property          Mitigation approach
Spoofing                Authentication    Passwords, multi-factor authN; Digital signatures
Tampering               Integrity         Permissions/ACLs; Digital signatures
Repudiation             Non-Repudiation   Secure logging and auditing; Digital signatures
Information Disclosure  Confidentiality   Encryption; Permissions/ACLs
Denial of Service       Availability      Permissions/ACLs; Filtering; Quotas
Elevation of privilege  Authorization     Permissions/ACLs; Input validation

Page 23

What Are You Going To Do About It? – pentest edition

Threat                  Property          Testing approach
Spoofing                Authentication    THC Hydra; SSLSpoof
Tampering               Integrity         Burp; emacs
Repudiation             Non-Repudiation   (Unclear if this applies in a CTF)
Information Disclosure  Confidentiality   Tcpdump/Wireshark; Google
Denial of Service       Availability      HULK; PyLoris
Elevation of privilege  Authorization     Metasploit; Fuzzers

Page 24

What Are You Going To Do? OWASP Edition

OWASP Top 10                           STRIDE                       Look when Threat Modeling?
Injection                              Tampering                    Yes
Broken Auth/Session management         Spoofing (initial, ongoing)  Yes
XSS                                    Tampering/EoP                Maybe
Insecure Direct Object Refs            EoP                          Yes
Security Misconfiguration              ?                            Probably not
Sensitive data exposure                Info Disclosure              Maybe
Missing Function Level Access control  EoP                          Probably not
CSRF                                   Spoofing                     Probably not
Known Vulnerabilities                  No good map                  No
Redirects & Forwards                   ?                            Maybe

Page 25

What are you going to do? CCM Edition

Page 26

What are you going to do? Portfolio Management

• See my RSA talk “Security Leadership Lessons From The Dark Side”

Link: adam.shostack.org

[Chart: “Acme Data Center” security portfolio. Columns are the functions Identify (8%), Protect (39%), Detect (45%), Respond (8%), Recover (0); rows are asset classes with their per-function counts: Devices (34%): 3, 14, 12, 5; Apps (22%): 2, 5, 15; Data (3%): 3; Network (30%): 15, 15; People (11%): 3, 5, 3]

Page 27

Top Ten Lessons

Page 28

Page 29

Trap #1: “Search your feelings!”

• Trap: “Think Like An Attacker”

• Fix: Serious work is helped by structure

Page 30

Trap #2: “You’re Never Done Threat Modeling”

[Diagram: the cycle Model → Identify Threats → Mitigate → Validate, repeated]

Page 31

Trap #3: “The Way To Threat Model Is…”

• Trap: Too much focus on specifics of how

– Use this framework (STRIDE)

– With this diagram type

• Fix: Focus on helping people find good threats

• Fix: Focus on different skills, systems

– Developers, operations, security, etc.

Page 32

Trap #3: Monolithic Processes

Trap: Model → Identify Threats → Mitigate → Validate, as one fixed cycle

Fix: Model → Identify Threats → Address Threats → Validate, with Privacy alongside

Page 33

Trap #3: “The Way To Threat Model Is…”

[Image: Security mavens vs. Experts in other areas]

Page 34

Trap #4: Threat Modeling as One Skill

• Trap: “I should learn to threat model”

• Fix: Think of techniques & repertoire

• Technique: DFDs, STRIDE, Attack trees

• Repertoire:

– Tools: SSLSpoof, Firesheep

– Books: Mitnick, Cuckoo's Egg

• All used to analogize & reason about new systems

Page 35

Trap #5: “Threat Modeling is Easy”

• Trap: Thinking your first threat model will be easy

• Fix: Metaphor: musical instrument…

• Understand that learning depends on easy tunes

• Accept not everyone wants to be a virtuoso

Page 36

We’ve got to give them more time!

Page 37

Trap #6: Threat Modeling is for Specialists

• Trap: Thinking TM is for specialists

• Fix: Make it like version control:

– Every developer, most sysadmins know some

– Some orgs have full time people managing trees

• This is a stretch goal for threat modeling

Page 38

Trap #7: The Wrong Focus

• Trap: Start from your assets

• Trap: Start by thinking about your attackers

• Fix: Threat modeling should focus on finding threats

• Remember trap #3: “The Way to threat model is”

• Starting from assets or attackers works for some people

Page 39

Trap #8: Not Having a Rebel Alliance

• Trap: Cost & feasibility of fixes changes along the supply chain

– Some threats are “easy” for a supplier to fix (OS behavior)

– Some threats are “easy” for a developer to fix (add logging)

– Some threats are “easy” for operations to fix (look at the logs)

• Fix: Think about an alliance along your supply chain

• Rebellions are built on hope (threat modeling):

– Security Operations Guide

– Non-requirements

Page 40

Trap #9: Laser-Like Focus on Threats

Interplay of attacks, mitigations and requirements

[Diagram: Requirements, Threats and Mitigations as three linked nodes]

Requirements drive threats

Threats drive requirements

No mitigation? Simplify requirements

Threats need mitigation

Mitigations can be bypassed

Page 41

Page 42

Trap #10: Threat Modeling at the Wrong Time

“Sir, we’ve analyzed their attack pattern, and there is a danger”

Page 43

Summary

• Anyone can threat model, and everyone should…soon!

• The skills, techniques and repertoire can all be learned

• There are many traps

• Threat modeling is the way to

– Drive security through your product, service or system

– (Or demonstrate that it didn’t happen)

– Engage with leadership about security


Page 45

“All models are wrong, some models are useful”

— George Box

Page 46

Call to Action

• Remember the 4 questions

• Be proactive

– Find security issues early

– Fix them before they’re exploited

• Go threat model something!

• Drive threat modeling for your org


Page 48

Questions?

Learning more:

• Threatmodelingbook.com site & book

• adam.shostack.org/blog/category/threat-modeling/

• Adam helps lots of organizations — get in touch!

adam@shostack.org / +1 917-391-2168

Page 49

Questions?

Resources:

• adam.shostack.org/blog/category/threat-modeling/

• This talk, linked from Threatmodelingbook.com resources page: https://youtu.be/-2zvfevLnp4

• The book!

Email: adam@shostack.org

Page 50

Thank you!

• Star Wars: Episodes IV-VI

• Great Creative Commons Lego brick art:

– Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532

– http://pinlac.com/LegoDSTractorBeam.html

– Seb H http://www.flickr.com/photos/88048956@N04/8531040850/

– Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/

– Kaitan Tylerguy http://www.flickr.com/photos/kaitan/3326772088/

– Nathan Sawaya, http://brickartist.com/gallery/han-solo-in-carbonite/

– http://www.flickr.com/photos/prodiffusion/

Page 51

BACKUP

Page 52

Resources: Additional Books

• The Checklist Manifesto, Atul Gawande

• Thinking Fast & Slow, Daniel Kahneman

• The Cuckoo’s Egg, Cliff Stoll

• Ghost in the Wires, Kevin Mitnick

• Understanding Privacy, Dan Solove

• Privacy in Context, Helen Nissenbaum

Page 53

Threat Modeling: Designing For Security

Part I: Getting Started
1. Dive in and threat model
2. Strategies for threat modeling

Part II: Finding Threats
3. STRIDE
4. Attack Trees
5. Attack Libraries
6. Privacy Tools

Part III: Managing and Addressing Threats
7. Processing and managing threats
8. Defensive Building Blocks
9. Tradeoffs when addressing threats
10. Validating threats are addressed
11. Threat modeling tools

Part IV: Threat modeling in technologies and tricky areas
12. Requirements cookbook
13. Web and cloud threats
14. Accounts and Identity
15. Human Factors and Usability
16. Threats to cryptosystems

Part IV: Taking it to the next level
17. Bringing threat modeling to your organization
18. Experimental approaches
19. Architecting for success

Appendices: Helpful tools, Threat trees, Attacker Lists, Elevation of Privilege (the cards), Case studies

Page 54

Page 55

Different Threats Affect Each Element Type

ELEMENT           S   T   R   I   D   E
External Entity   ✓       ✓
Process           ✓   ✓   ✓   ✓   ✓   ✓
Data Flow             ✓       ✓   ✓
Data Store            ✓   ?   ✓   ✓
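An added example, not code from the talk or from Shostack's own tooling, that turns the chart above into the enumeration step behind question 2 ("What can go wrong?") and joins each candidate threat to the mitigation approaches from the "sw eng edition" table: it walks the DFD from the "What are you working on?" slide (Customer, Web App, Content creation, DB and their flows) and emits one candidate threat per element and applicable STRIDE category. The element names and types are my reading of that diagram, and treating the "?" cell as "repudiation applies to a data store only when it holds logs" is an assumption.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: External Entity S,R; Process S,T,R,I,D,E;
# Data Flow T,I,D; Data Store T,I,D plus R (the "?" cell) only when it holds logs.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}
CONDITIONAL = {("data_store", "R")}  # assumption: "?" means "only if it stores logs"

# Category name, property violated and mitigation approaches ("sw eng edition" slide).
STRIDE = {
    "S": ("Spoofing", "Authentication", ("Passwords, multi-factor authN", "Digital signatures")),
    "T": ("Tampering", "Integrity", ("Permissions/ACLs", "Digital signatures")),
    "R": ("Repudiation", "Non-Repudiation", ("Secure logging and auditing", "Digital signatures")),
    "I": ("Information Disclosure", "Confidentiality", ("Encryption", "Permissions/ACLs")),
    "D": ("Denial of Service", "Availability", ("Permissions/ACLs", "Filtering", "Quotas")),
    "E": ("Elevation of Privilege", "Authorization", ("Permissions/ACLs", "Input validation")),
}

@dataclass
class Element:
    name: str
    kind: str                 # a key of STRIDE_PER_ELEMENT
    holds_logs: bool = False  # only meaningful for data stores

@dataclass(frozen=True)
class Threat:
    element: str
    category: str     # one letter of STRIDE
    title: str
    violated: str     # security property the threat violates
    mitigations: tuple

def enumerate_threats(elements):
    """One candidate threat per (element, applicable STRIDE category) pair."""
    threats = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element type: {el.kind}")
        for cat in STRIDE_PER_ELEMENT[el.kind]:
            if (el.kind, cat) in CONDITIONAL and not el.holds_logs:
                continue  # a store that keeps no logs has nothing to repudiate
            title, violated, mits = STRIDE[cat]
            threats.append(Threat(el.name, cat, title, violated, mits))
    return threats

def model_from_slide():
    # Hypothetical reading of the slide's picture (not the talk's own model): Customer
    # (external entity), Web App and Content creation (processes), DB (data store), flows.
    return [
        Element("Customer", "external_entity"),
        Element("Web App", "process"),
        Element("Content creation", "process"),
        Element("DB", "data_store", holds_logs=True),  # assumed to keep audit logs
        Element("Customer->Web App", "data_flow"),
        Element("Web App->DB", "data_flow"),
        Element("Content creation->DB", "data_flow"),
    ]

if __name__ == "__main__":
    for t in enumerate_threats(model_from_slide()):
        print(f"{t.element:22} {t.category} {t.title:24} -> {', '.join(t.mitigations)}")
```

Running it lists 27 candidate threats for the seven elements; each line is a starting point for question 3, not a finding, and the per-element rules only say where to look, not what the answer is.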

Page 56

This isn’t the reputation you’re looking for…