Nashville InfoSec Conference September, 2018 Frederick Scholl, Ph.D., CISSP Director, MS Cybersecurity Program Threat Modeling: Removing the Mystery

Threat Modeling: Removing the Mystery · 2018-09-28 · Tool Comparison. Tool Capabilities Strengths Cautions . Microsoft TMT Modeling threats in software systems Free, widely used



Agenda

• Threat modeling isn’t threat modeling
• Why should we practice threat modeling?
• Describing threat modeling
• How to fail at threat modeling
• How to succeed at threat modeling
• Where do you get baseline threat libraries?
• Looking at use cases for threat modeling
• Tool comparison
• Challenges and opportunities


Threat Modeling Is Not Threat Modeling

• It’s risk analysis for applications and systems
• Risk = Threat x Vulnerability x Likelihood x Asset Value

Presenter notes: ASVS or OWASP Top 10. Check list for threats CAPEC.

Why Practice Threat Modeling?

• Compliance
  • NIST 800-53 R5, SA-15 “Development Processes, Standards and Tools”. Control Enhancement
  • DISA STIG: required for Level II application
• Good practice
  • OWASP SAMM: required for Maturity Level I
  • Safecode.org: required by their design practices


What Are The Goals of Threat Modeling?

• Identify risks up front: i.e. build in security
• Find architectural and design bugs, not code flaws
• Provide neutral platform for collaboration of security with other teams


How to Fail at Threat Modeling

• Failure to carefully define scope
  • Must follow Goldilocks approach


Two More Ways to Fail

• Think you are modeling the “Kill Chain”
  • You are not!
  • There is overlap in steps #3 and #4, Delivery and Exploitation
• Think you are modeling the Mitre ATT&CK framework
  • ATT&CK models intruder behavior and detection after exploit
  • Interface with your “threat hunters”, don’t duplicate them


Where to Get Baseline Threat Libraries

• No canonical library of threats
• Start with a baseline; modify for your own context
• Create your own reusable threats
• Libraries
  • CAPEC: 519 attack patterns
  • STRIDE (Microsoft): 41 threats
  • Threat Modeler (commercial): many built in
• In need of work: GCP and Azure


Tool Comparison

| Tool | Capabilities | Strengths | Cautions |
|---|---|---|---|
| Microsoft TMT | Modeling threats in software systems | Free, widely used | Library of specific mitigations is thin. |
| Threat Modeler | Commercial enterprise threat modelling. | Nice GUI interface. Built in knowledge base | Smaller company with seven partners. |
| Continuum Security (Irius) | Application development threat modeling | Close alignment with dev environment | Small company, based in Spain |
| FAIR (Risk Lens) | Modeling enterprise risks | Determines financial impact of enterprise risks | Enterprise tool; may not be suitable for DevOps teams. |
| Security Compass | Software security modeling | Uses simple questionnaire approach | Company also provides training services |
| OWASP Threat Dragon | Open source tool | Free, open source | Jury is out as to success of this tool; 4 contributors. |
| Foreseeti Securicad | Commercial and free versions | Analyzes attack paths and attack times | Focuses on infrastructure, not applications |
| Sea Sponge | Open Source | Free, browser based | Questionable support; last commit was April 2016 |
| Tutamantic | Beta | Develop threat from Visio diagrams | Startup |


Output of Microsoft TMT Tool


IriusRisk


Embedding Threat Modeling in the Dev Cycle

| NIST CSF Functions | Identify | Protect | Detect | Respond | Recover |
|---|---|---|---|---|---|
| CI/CD Risk Management Processes | Identify Vulnerabilities | Protect codebase from vulnerabilities | Detect vulnerabilities in codebase | Manage vulnerability risks (accept, avoid, mitigate, transfer) | Recover from production vulnerability |
| Agile/DevOps Lifecycle | Iteration 0 | Construction iterations, 1-N | Construction iterations, 1-N | Transition (QA, staging) | Production release |
| Security Activities | Threat model; Compliance mgt. | Supply chain analysis; Privileged access mgt.; IDE security testing; Library of user stories | Dynamic testing; Static testing | Vulnerability mgt.; Information radiator; Compliance management; Manual code reviews and pen testing | Bug Bounties; Web application firewall; Security information bus |
| Example Tools | Microsoft TMT, Threat Modeler, Irius etc.; Archer, Evident, Allgress | Black Duck; CyberArk; Veracode, etc. | Fortify; Netsparker; SAINT, etc. | Threadfix; CodeDX; DefectDojo; Splunk, etc. | HackerOne; Barracuda; Splunk, etc. |
| Relative mitigation cost | 1x | 6.5x | 6.5x | 15x | 100x |


Challenges & Opportunities

• Move a better security conversation to the front end
• Enable a smarter risk analysis
• Find new threats to code architecture

• Different languages spoken by dev, ops, business and security
• Perception that threat modeling takes too long


Additional Resources

• Adam Shostack’s “Threat Modeling in 2018”, Black Hat
• OWASP #threat-modeling Slack channel


Thank You