Portland OWASP Chapter Meet
Add TAL, improve a threat model!
Welcome:
WASP!!
…Or as we used to be called, simply:
Our mission was different back then.
A little more about me…
• Served as the NCOIC for Counter Intelligence, Psychological Operations, and Operation Security and network warfare for an Air Force Information Warfare Flight
Information Security Architect Umpqua Bank • Risk Assessments• Project Engagement Security Support• Security Awareness
Previous: • Information Security Manager: Portland Community College• Network Warfare Operations / Influence Operations NCOIC:
Air Force• Intelligence Detachment Section Leader: Army National
Guard
Eric Jernigan MSIA, CISSP, CISM, CRISC
Actual me
TONIGHT LETS GET BETTER AT…
Modeling!
Umm, Threat Modeling
Questions
• Do you do application risk assessments?
• Do you use threat modeling?
• Are you familiar with OWASP’s Threat Agent content?
• Do you use a taxonomy of threat actors?
• Why? Why Not?
Look familiar
OWASP Threat Modeling
Threat Agent
Threat Agent = Capabilities + Intentions + Past Activities
Intel Threat Agent Library
Timothy Casey, Intel Corporation
• Threat Agent Library Helps Identify Information Security Risks
• Prioritizing Information Security Risks with Threat Agent Risk Assessment
What the TAL?
• TAL identifies 22 threat agent archetypes, such as disgruntled employee, competitor, and organized crime
• Provides consistent, reference describing the human threat actors that pose threats to IT systems and other information assets
• Use it as a stand-alone tool or as part of other standard risk assessment methodologies
Threat Agent Archetypes
• Build upon OWASP’s threat agent materials• Increase the accuracy of your threat models• Use alone or in conjunction with other
methodologies• Build threat based risk assessments• Use the output to feed into risk assessments• Integrate into Threat Intelligence
Why the Threat Agent Library?
Vulnerability Part of the information security infrastructure that could represent a weakness to attack in the absence of a control.
Threat Agent Person who originates attacks, either with malice or by accident, taking advantage of vulnerabilities to create loss.
Threat Actor An individual or group that can manifest a threat.
Motivation Internal reason a threat agent wants to attack. Objective What the threat agent hopes to accomplish by the attack.
Method Process by which a threat agent attempts to exploit a vulnerability to achieve an objective.
Attack Action of a threat agent to exploit a vulnerability.
Control Tools, processes, and measures put in place to reduce the risk of loss due to a vulnerability.
Exposure Vulnerability without a control.
Operating Terms
TAL Agent Attributes
Pronounced: “Tal” not “Towel…”
Internal Agent has internal access.
External Agent has only external access.
Access
Access This defines the extent of the agent’s access to the company’s assets.
Acquisition/ Theft
Illicit acquisition of valuable assets for resale or extortion in a way that preserves the assets’ integrity but may incidentally damage other items in the process
Business Advantage
Increased ability to compete in a market with a given set of products. The goal is to acquire business processes or assets.
Damage Injury to Intel personnel, physical or electronic assets, or intellectual property
Embarrassment Public portrayal of Intel in an unflattering light, causing Intel to lose influence, credibility, competitiveness, or stock value
Technical Advantage
Illicit improvement of a specific product or production capability. The primary target is to acquire production processes or assets rather than a business process
Outcome (Objective)
The agent’s primary goal— what the agent hopes to accomplish with a typical attack. Also consider: Information Operations Effects
Code of Conduct
Agents typically follow both the law and a code of conduct accepted within a profession. Example: an auditor
Legal Agents act within the limits of applicable laws. Example: Legal Adversary
Extra-legal, minor
Agents may break the law in relatively minor, non-violent ways, such as minor vandalism or trespass. Example: Activist
Extra-legal, major
Agents take no account of the law and may engage in felonious behavior resulting in significant impact or extreme violence. Example: organized crime
Limits
The legal and ethical limits to which the agent may be prepared to break the law.
Individual Resources limited to the average individual; agent acts independently. Minimum skill level: None
Club Members interact on a social and volunteer basis, often with little personal interest in the specific target. Group persists long term. Minimum skill level: Minimal
Contest A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. Minimum skill level: Minimal
Operational Team: A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single region. Minimum skill level: Operational.
Organization Larger and better resourced than a Team. Usually operates in multiple geographies and persists long term. Minimum skill level: Adept.
Government Controls public assets and functions within a jurisdiction; very well resourced and persists long term. Minimum skill level: Adept.
Resource Level
The organizational level at which determines the resources available to that agent for use in an attack. Linked to the Skill Level attribute
None Has average intelligence and ability and can easily carry out random acts of disruption or destruction, but has no expertise or training in the specific methods necessary for a targeted attack.
Minimal Can copy and use existing techniques. Example: Untrained Employee.
Operational Understands underlying technology or methods and can create new attacks within a narrow domain.
Adept Expert in technology and attack methods, and can both apply existing attacks and create new ones to greatest advantage
Skill Level
The special training or expertise an agent typically possesses.
Copy Make a replica of the asset so the agent has simultaneous access to it.
Destroy Destroy the asset, which becomes worthless to either Intel or the agent.
Injure Damage the asset, which remains in Intel’s possession but has only limited functionality or value.
Take Gain possession of the asset so that Intel has no access to it.
Don’t Care: The agent does not have a rational plan, or may make a choice opportunistically at the time of attack.
Obective (Intended Action)
The action that the agent intends to take in order to achieve a desired outcome.
Overt The agent deliberately makes the attack and the agent’s identity is known before or at the time of execution
Covert The victim knows about the attack at the time it occurs, or soon after. However, the agent of the attack intends to remain unidentified
Clandestine The agent intends to keep both the attack and his or her identity secret
Visibility
The extent to which the agent intends to conceal or reveal his or her identity.
Intel’s TAL matrix. Next, lets look at TARA.
TARA!
Sorry, wrong TARA…
Intel’s TARA
• Build’s upon the TAL• Identifies the most likely
attack vectors to support secure development
• Pinpoint the information security areas of greatest concern
• Stand alone threat centric methodology
1. Measure current threat agent risks
2. Distinguish threat agents that exceed baseline acceptable risks.
3. Derive primary intent of those threat agents.
4. Assess capabilities likely to manifest.
5. Assess Operational Constraints.
6. Align strategy to target the most significant exposures.
TARA Process
Call to action
• OWASP Threat Agent Page out of date• Updates needed to both home page and
template• Most sub categories are emptyProposal:• Nix Force Majeure (Natural: Flood, fire, etc.
unless secure code is affected by it…)• Implement TAL into OWASP Threat Actor
Page/articles
While you napped… (summary)
• Don’t let vendors and news broadcasters determine who is your top threat actors are
• Build upon OWASP’s threat agent materials• Increase the accuracy of your threat models• Pinpoint the information security areas of
greatest concern• Use the output to feed into risk assessments• Proposal: Implement TAL into OWASP Threat
Actor Page/articles
You Need the Right Agent to Improve Your
Modeling Career…
Resources
OWASP –Threat Agents• Category: Threat Agent
https://www.owasp.org/index.php/Category:Threat_Agent
• Application Threat Modelinghttps://www.owasp.org/index.php/Application_Threat_Modeling
Intel TAL and TARA• Threat Agent Library Helps Identify Information Security Risks
https://communities.intel.com/servlet/JiveServlet/downloadBody/1151-102-1-1111/Threat%20Agent%20Library_07-2202w.pdf
• Prioritizing Information Security Risks with Threat Agent Risk Assessmenthttp://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf
Questions?
Image Credits
All images in this presentation were found on public facing websites. The presenter believes such use constitutes a 'fair use' of copyrighted material as provided in Section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material in the presentation is provided without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For further information on fair use, go to: http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000107----000-.html.
Please do not reprint any photos. If you wish to use copyrighted material from the presentation for purposes of your own that go beyond fair use, you must obtain permission from the copyright owner.