Embed Size (px)
DESCRIPTION
Alex Hutton & Allison Miller review their research and application of threat modeling. This version was presented at SOURCE Barcelona (2010), a previous version was presented at Black Hat.
Citation preview
Alex HuttonPrincipal, Risk & Intelligence - Verizon Business
http://securityblog.verizonbusiness.comhttp://www.newschoolsecurity.com
Society of Information Risk Analystshttp://societyinforisk.org/
@alexhutton on the twitter
Threat Modeling
Allison MillerGroup Manager, Account Risk & Security - PayPal
LIVE
what is this presentation about?- new way to look at risk management via
data and threat modeling
what is a model?
what is risk management?
Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners
- Jack Jones
Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners
control, influence over outcome
threats manifest as loss of assets
how much can you afford to lose?
Traditional Risk Management
Find issue, call issue bad, fix issue, hope you don’t find it again...
Traditional Risk Management
emphasis on assessment, compliance...what about security?
Closing the Gap
Between Assessment and Defense
Design
Management
Operations
Design
Evolution strongly favors strategies that minimize the risk of loss, rather than which maximize the chance of gain.
Len FisherRock, Paper, Scissors: Game Theory in Everyday Life
system models are different from maps, they include dynamics and boundaries
Management
risk management that simply reacts to yesterday's news is not risk management at all
Douglas HubbardThe Failure of Risk Management
the importance of feedback loop instrumentation
(that‘s where metrics come from)
Operations
Prediction is very difficult, especially about the future
Niels Bohr
Models in operations tend to assist in automating system decisions, or monitoring for quality defects
This means we need to understand what makes a good decision vs a bad decision
Patterns that can be defined can be detected
…and defining patterns means analyzing lots and lots of data
We don't talk about what we see; we see only what we can talk about
Donella Meadows Thinking in Systems: A Primer
Friederich Hayek invades our dreams to give us visions of a new approach
These “risk” statements you’re making, I don’t think you’re doing it right.
- (Chillin’ Friederich Hayek)
Risk Assessment Current Practice
Dutch Model, Likelihood & Impact statement
very physics/engineering oriented
from Mark Curphey’s SecurityBullshit
ComplexSystems
Complex AdaptiveSystems
Complex Adaptive Systems:
You can’t make point probabilities (sorry ALE) you can only work with patterns of information
How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)
Richard I. Cook, MD Cognitive technologies Laboratory University of Chicago
http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf
Because we’re dealing with Complex Adaptive Systems
engineering risk statements = bankrupt
(sorry GRC)
We need a new approach
Complex Systems Create a business process
Process is a collection of system interaction (system behavior)
Process has human interaction (human behavior)
instead of R = T x V x I
behavioral analytics &data driven management
evidence based risk management
Verizon has shared data
- 2010 ~ 900 cases- (900 million
records)
Verizon is sharing our framework
Verizon Enterprise Risk & Incident Sharing (VERIS) Framework
it’s open*!
* kinda
What is the Verizon Incident Sharing (VERIS) Framework?
- A means to create metrics from the incident narrative
- how Verizon creates measurements for the DBIR
- how *anyone* can create measurements from an incident
- https://verisframework.wiki.zoho.com
What makes up the VERIS framework?
$ $ $+demographics incident classification (a4)
discovery& mitigation impact classification
1 2 3 4> > >
information about the organization; including their size, location,industry, & securitybudget (implied)
information about the attack (traditional threat model); including (meta) data about agent, action,asset, & security attribute (C/I/A)
information about incident discovery, probable mitigating controls, and rough state of security management.
information about impact categorization (a la’ FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative description of damage.
49
The Incident Classification section employs Verizon’s A4 event model
A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:
Agent: Whose actions affected the assetAction: What actions affected the asset Asset: Which assets were affectedAttribute: How the asset was affected
1 2 3 4 5> > > >Incident as a chain of events>
Cybertrust Security
$ $ $+demographics incident classification (a4) discovery
& mitigation impact classification
1 2 3 4 5> > > >
incident narrative incident metrics
Cybertrust Security
$ $ $+demographics incident classification (a4) discovery
& mitigation impact classification
1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
case studies data set
a
b
c
d
e
f
Cybertrust Security
behaviors!
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2
3
4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
the potential for pattern matching
a
b
c
d
e
f
demographics incident classification (a4) discovery& mitigation impact classification
3
Fraud, Incidents, andGood Lord Of The Dance:
creating models for the real management of risk
Fraud
in VERIS we see THREE events.
1 2 3> >
phishing
malware infection
credential theft
in VERIS we see THREE events.
1 2 3> >
phishingmalware infectioncredential exfiltration
in addition we can describe FOUR fraud events
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
1> AGENT: external, organized crime,
eastern europe
ACTION: social, type: phishing, channel: email, target: end-user
ASSET: human, type: end-user
ATTRIBUTE: integrity
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
2> AGENT: external, organized crime,
eastern europe
ACTION: malware, type: install additional malware or software
ASSET: end-user device; type: desktop (more meta-data possible)
ATTRIBUTE: integrity
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
3> AGENT: external, organized crime,
eastern europe
ACTION: malware, type: harvest system information
ASSET: end-user device, type: desktop (more meta-data possible)
ATTRIBUTE: integrity, confidentiality
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
4> AGENT: external, organized crime,
eastern europe
ACTION: impersonation
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
5> AGENT: external, organized crime,
eastern europe
ACTION: impersonated transaction
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
6> AGENT: external, organized crime,
eastern europe
ACTION: Buy goods or transfer funds
from the initial narrative, we now have a threat event model with SEVEN objects
1 2 3 4 5> > > > 6 7>>
7> AGENT: external, organized crime,
eastern europe
ACTION: Goods/Funds extraction
we can study the event model to understand control opportunities
1 2 3 4 5> > > > 6 7>>
end user could have made better choices
we can study the event model to understand control opportunities
1 2 3 4 5> > > > 6 7>>
Wouldn’t it be nice ifend users had desktopDLP?
we can study the event model to understand control opportunities
1 2 3 4 5> > > > 6 7>>
Why is Mrs. Francis Neely, 68 years of age from Lexington, KY suddenly purchasing items from European websites to be shipped to Asia???
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2
3
4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
the potential for pattern matching and control application
a
b
c
d
e
f
demographics incident classification (a4) discovery& mitigation impact classification
3
if patterns can be defined, they can be stored for later use.
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2
3
4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
a
b
c
d
e
f
demograp incident discover impact
3
if they can be stored for later use, they can be used to Detect, Respond, and Prevent.
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2
3
4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
a
b
c
d
e
f
demographic incident classification (a4) discovery impact
3
$ $ $+1 2 3 4 5> > > >
$ $ $+1 234 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
$ $ $+1 2 3 4 5> > > >
a
b
c
d
e
f
demographics incident classification discovery impact
3
OBLIGATORY QUESTIONS SLIDE
MUCHAS GRACIAS
