Nashville InfoSec Conference
September, 2018
Frederick Scholl, Ph.D., CISSP
Director, MS Cybersecurity Program
Threat Modeling: Removing the Mystery
Agenda
• Threat modeling isn’t threat modeling
• Why should we practice threat modeling?
• Describing threat modeling
• How to fail at threat modeling
• How to succeed at threat modeling
• Where do you get baseline threat libraries?
• Looking at use cases for threat modeling
• Tool comparison
• Challenges and opportunities
Threat Modeling Is Not Threat Modeling
• It’s risk analysis for applications and systems
• Risk = Threat x Vulnerability x Likelihood x Asset Value
Why Practice Threat Modeling?
• Compliance
  • NIST 800-53 R5, SA-15 “Development Processes, Standards and Tools”, Control Enhancement
  • DISA STIG: required for Level II applications
• Good practice
  • OWASP SAMM: required for Maturity Level I
  • Safecode.org: required by their design practices
What Are The Goals of Threat Modeling?
• Identify risks up front, i.e. build in security
• Find architectural and design bugs, not code flaws
• Provide a neutral platform for collaboration between security and other teams
How to Fail at Threat Modeling
• Failure to carefully define scope
  • Must follow the Goldilocks approach: not too broad, not too narrow
Two More Ways to Fail
• Think you are modeling the “Kill Chain”
  • You are not!
  • There is overlap only with steps #3 and #4, Delivery and Exploitation
• Think you are modeling the Mitre ATT&CK framework
  • ATT&CK models intruder behavior and detection after exploit
  • Interface with your “threat hunters”, don’t duplicate them
Where to Get Baseline Threat Libraries
• No canonical library of threats
• Start with a baseline; modify it for your own context
• Create your own reusable threats
• Libraries
  • CAPEC: 519 attack patterns
  • STRIDE (Microsoft): 41 threats
  • Threat Modeler (commercial): many built in
  • In need of work: GCP and Azure
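The two ideas above, a baseline library you adapt per context and the Risk = Threat x Vulnerability x Likelihood x Asset Value formula from the earlier slide, fit together in a few dozen lines. The following is an added example, not code from this deck or from any of the tools it names: a constructed data-flow model (a browser, a web API, a customer database and the two flows between them) is run through the STRIDE-per-element mapping, the modeler drops or adds categories per element and registers one reusable custom threat, and every candidate is scored with the deck's formula. The element types, the 1..3 factor scales, the 1..5 asset-value scale and the per-category threat weights are all assumptions.

```python
"""STRIDE-per-element threat enumeration with risk scoring.

Added example, not code from the deck or from Microsoft TMT, Threat Modeler
or IriusRisk. Scales (1..3 factors, 1..5 asset value) and the per-category
threat weights are assumptions; the sample system is constructed.
"""
from dataclasses import dataclass, field

# Catalog of threat categories: code -> (description, threat factor 1..3).
# The six STRIDE categories are standard; the weights are constructed.
CATALOG = {
    "S": ("Spoofing", 3),
    "T": ("Tampering", 3),
    "R": ("Repudiation", 1),
    "I": ("Information disclosure", 3),
    "D": ("Denial of service", 2),
    "E": ("Elevation of privilege", 3),
}

# Baseline library: which categories apply to each data-flow-diagram element
# type (the STRIDE-per-element mapping). This is the baseline you adapt.
BASELINE = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_store": {"T", "R", "I", "D"},
    "data_flow": {"T", "I", "D"},
}


@dataclass
class Element:
    name: str
    kind: str                 # key of the library
    asset_value: int          # 1..5, assumed scale
    vulnerability: int = 1    # 1..3: how weakly controlled the element is
    likelihood: int = 1       # 1..3: how exposed it is to attempts
    add: set = field(default_factory=set)   # context-specific extra codes
    drop: set = field(default_factory=set)  # codes ruled out for this element


@dataclass(frozen=True)
class Threat:
    element: str
    code: str
    description: str
    risk: int


def extend_library(library, catalog, kind, code, description, weight):
    """Return copies of library and catalog with a reusable custom threat
    added for one element kind; the baseline itself is left untouched."""
    new_catalog = dict(catalog)
    new_catalog[code] = (description, weight)
    new_library = {k: set(v) for k, v in library.items()}
    new_library.setdefault(kind, set()).add(code)
    return new_library, new_catalog


def score(element, code, catalog):
    """Risk = Threat x Vulnerability x Likelihood x Asset Value."""
    threat_factor = catalog[code][1]
    return (threat_factor * element.vulnerability
            * element.likelihood * element.asset_value)


def enumerate_threats(elements, library=BASELINE, catalog=CATALOG):
    """Apply the library to each element, honouring per-element overrides,
    and return the candidate threats sorted by descending risk."""
    found = []
    for el in elements:
        if el.kind not in library:
            raise ValueError(f"unknown element kind: {el.kind}")
        codes = (library[el.kind] | el.add) - el.drop
        for code in sorted(codes):
            found.append(Threat(el.name, code, catalog[code][0],
                                score(el, code, catalog)))
    return sorted(found, key=lambda t: (-t.risk, t.element, t.code))


# Constructed sample model: a web front end, its API and a customer DB.
SAMPLE = [
    Element("Browser user", "external_entity", asset_value=2, likelihood=3),
    Element("Web API", "process", asset_value=4, vulnerability=2, likelihood=3),
    Element("Customer DB", "data_store", asset_value=5, vulnerability=1, likelihood=2),
    # Flow crossing the internet trust boundary: higher exposure.
    Element("Browser -> API (HTTPS)", "data_flow", asset_value=3,
            vulnerability=2, likelihood=3),
    # Internal flow on a private network; DoS judged out of scope here.
    Element("API -> DB (SQL)", "data_flow", asset_value=5,
            vulnerability=1, likelihood=1, drop={"D"}),
]

if __name__ == "__main__":
    # One reusable custom threat for data stores, added on top of the baseline.
    lib, cat = extend_library(BASELINE, CATALOG, "data_store", "B",
                              "Backup media exposure", 2)
    for t in enumerate_threats(SAMPLE, lib, cat):
        print(f"{t.risk:3d}  {t.element:<24} {t.code}  {t.description}")
```

The ranked output is the point: the exposed API process and the internet-facing flow surface first, the internal SQL flow last, which is the kind of prioritised list a design review can act on. Dropping a category records a scoping decision, not a mitigation; keep the rationale alongside the model so the decision can be revisited.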
Tool Comparison
Microsoft TMT
  Capabilities: Modeling threats in software systems
  Strengths: Free, widely used
  Cautions: Library of specific mitigations is thin.

Threat Modeler
  Capabilities: Commercial enterprise threat modelling
  Strengths: Nice GUI interface; built-in knowledge base
  Cautions: Smaller company with seven partners.

Continuum Security (Irius)
  Capabilities: Application development threat modeling
  Strengths: Close alignment with the dev environment
  Cautions: Small company, based in Spain

FAIR (Risk Lens)
  Capabilities: Modeling enterprise risks
  Strengths: Determines financial impact of enterprise risks
  Cautions: Enterprise tool; may not be suitable for DevOps teams.

Security Compass
  Capabilities: Software security modeling
  Strengths: Uses a simple questionnaire approach
  Cautions: Company also provides training services

OWASP Threat Dragon
  Capabilities: Open source tool
  Strengths: Free, open source
  Cautions: Jury is out as to the success of this tool; 4 contributors.

Foreseeti Securicad
  Capabilities: Commercial and free versions
  Strengths: Analyzes attack paths and attack times
  Cautions: Focuses on infrastructure, not applications

Sea Sponge
  Capabilities: Open source
  Strengths: Free, browser based
  Cautions: Questionable support; last commit was April 2016

Tutamantic
  Capabilities: Beta
  Strengths: Develops threats from Visio diagrams
  Cautions: Startup
Output of Microsoft TMT Tool
IriusRisk
Embedding Threat Modeling in the Dev Cycle

NIST CSF function: Identify
  CI/CD risk management process: Identify vulnerabilities
  Agile/DevOps lifecycle: Iteration 0
  Security activities: Threat model; Compliance mgt.
  Example tools: Microsoft TMT, Threat Modeler, Irius etc.; Archer, Evident, Allgress
  Relative mitigation cost: 1x

NIST CSF function: Protect
  CI/CD risk management process: Protect codebase from vulnerabilities
  Agile/DevOps lifecycle: Construction iterations, 1-N
  Security activities: Supply chain analysis; Privileged access mgt.; IDE security testing; Library of user stories
  Example tools: Black Duck, CyberArk, Veracode, etc.
  Relative mitigation cost: 6.5x

NIST CSF function: Detect
  CI/CD risk management process: Detect vulnerabilities in codebase
  Agile/DevOps lifecycle: Construction iterations, 1-N
  Security activities: Dynamic testing; Static testing
  Example tools: Fortify, Netsparker, SAINT, etc.
  Relative mitigation cost: 6.5x

NIST CSF function: Respond
  CI/CD risk management process: Manage vulnerability risks (accept, avoid, mitigate, transfer)
  Agile/DevOps lifecycle: Transition (QA, staging)
  Security activities: Vulnerability mgt.; Information radiator; Compliance management; Manual code reviews and pen testing
  Example tools: Threadfix, CodeDX, DefectDojo, Splunk, etc.
  Relative mitigation cost: 15x

NIST CSF function: Recover
  CI/CD risk management process: Recover from production vulnerability
  Agile/DevOps lifecycle: Production release
  Security activities: Bug bounties; Web application firewall; Security information bus
  Example tools: HackerOne, Barracuda, Splunk, etc.
  Relative mitigation cost: 100x
Challenges & Opportunities
Opportunities
• Move a better security conversation to the front end
• Enable a smarter risk analysis
• Find new threats to code architecture
Challenges
• Different languages spoken by dev, ops, business and security
• Perception that threat modeling takes too long
Additional Resources
• Adam Shostack’s “Threat Modeling in 2018”, Black Hat
• OWASP #threat-modeling Slack channel
Thank You