Threat modelling
Updated:
2. Threat modelling
Threat Modelling Goals
- To be able to understand the system’s threat profile – and really break down the risks
- Facilitate secure design and implementation by addressing as many threats you could identify and the mitigation strategy accordingly
- To understand where we need to look for vulnerabilities
Three different perspectives: Assets, Attackers, Software (of the system itself)
- one most important is focusing on the system. Rest is less technical
1. Assets: valuable things you tryna protect
- Some are obvious, some aren’t
- Confidential data
- User credentials – data breach! And the most common
- Gotta think wider – intangible, you can’t touch it!
- Systems availability – attacked in DoS
- Reputation or a soft target – affect ur finances if they see you not running a secure system
- Attackers want overlapping but not identical sets of things
2. Attacker lists- idea of this technique is that you are tryna make a list of ppl who could attack you less technical
- If you could help him picture what hackers would be like – could be
more tangible
- U may cancel out certain types of attackers
- Might understand the motivation or skills better
- BUT the modeller could be unconsciously biased!
- Example of an attacker list [2 pdf 7]
- Classified into 4 diff levels of hackers (kiddy ~~ specialist) && their goals (curiosity ~~ national interests) and made a chart out of it
3. Thinking about threats IN the actual software
- Unstructured
- Is to think about the ranges of techniques we could use by brainstorming -it won’t give you all the possibilities
- So instead, Moderately structured
- User case story and analyse the situation more thoroughly
- Use a game approach to estimate
as a group what the threats are and how serious they are
- Protection poker – give each risk a scale from 0 -100 (10 units)
- Highly structured
- data flow diagrams, STRIDE, Attack tress
Data Flow Diagram
- Dataflow – communication btwn diff elements in the system (btwn processes, btwn protocols)
- !
-
Example seen in page 09 – they all interact with the system, but there are boundaries
- Trust boundaries are shown in dash line – shows the level of
privilege it requires (btwn diff. users, physical computers,
VMs, network segments) privilege spectrum
- Authentication – and you need a privilege to acquire authentication from user/ admin
- Principal – any active entity with access privileges that
are distinct
- Least privilege – end user
- Most privilege – systems admin
- And every time a principal talks to another gotta draw a trust boundary
</br>
- Entry & Exit points
- Place where control or data crosses a trust boundary
- E.g. Config files and registry – is the entry point when this is attacked the whole application could be affected!
- Entry points can be layered – URL shows the multiple entry
- https – server listing you enter the web
- login.jsp - request going into that login code another level entry
- cmd=NewUser - specific operation being triggered another level
- Place where control or data crosses a trust boundary
- Why do Trust Boundaries?
- We tryna figure out all sets of possibilities of how attack could take place shows attack surface
- They tend to cluster in entry and exit point in the trust boundary
- So by doing this (trust boundaries), we are mapping out where
we are looking at! the value of it
- But also gotta look at what the ACTUAL threats are
STRIDE
- Spoofing identity - pretending to be someone that you are not
- Tampering with data – modifying something in memory/ On disk/ on a network
- Repudiation - being able to deny that you did something (when you did it)
- Information disclosure – providing info to someone not authorised to see it
- Denial of service – absorbing a server’s resources to prevent others from accessing it
- Elevation of privilege – acquiring permission to do something
that you are not authorised to do
- User and sys admins – about moving up that spectrum of permission
- Benefits of stride
- DFD – we can think what could happen in each stage of the flow
as a checklist
- Is there an opportunity of spoofing, privilege in this stage? – more systematic compared to just guessing
- Could prioritize – some are more
important – elevation of privilege is usually the most imp
- But the priority depends on the context
- DFD – we can think what could happen in each stage of the flow
as a checklist
- Stride per element - you could focus more on individual elements
– different types of threats could be more relevant
- Lets say we have external entity (as DFD element type) – most relevant are spoofing and repudiation.
- For each element of DFD – assign at least one threat systematic
Other models – simple
- IIMF – interception, interruption, modification, fabrication
- CIA – (violation of) confidentiality, integrity, availability
Attack trees
- How we explore the details of threats could be done by identifying paths
- Root node: overall threat, and you decompose that in a hierarchical component
- Child nodes: represent a
condition that must be true
- Top level condition for attack to be successful keep going down till you cant decompose
- shows a detailed picture of the probability of the attack being successful based on the percentage
- Attack path: leaf node to the root – could mark up (dash line- less likely etc )
- In attack trees, bear in mind that! OR unless specified as AND
- OR - Either of them could be the reason of attack, gotta explore all
- And – shown by linking 2 nodes, and BOTH needs to fulfil to happen
- Example of an attack tree [2 pdf 18]
- Acquires valid username AND a valid password –
- Could be trying random usernames and brute force attack for
pw
- And decompose down
- Could be trying random usernames and brute force attack for
pw
- When we are breaking it down, and its AND, eliminate one with less child leaf as this will cut down the workload
- each nodes are conditions! So it does NOT imply any situations
- Acquires valid username AND a valid password –
Textual representation
- Harder to use, but could be machine readable (xml, json to build it graphically further)
Risk Assessment: DREAD
: D amage potential
: R eproducibility (how often an attempt at exploiting a
vulnerability actually works)
: E xploitability (effort required to exploit vulnerability)
: A ffected users (proportion of install base that would be affected
if an exploit became widely available)
: D iscoverability (likelihood that a vulnerability will be found by
external security researchers or black hats)
- To explore the potential aftermath of risk – so use DREAD
- However, could be very subjective and not all of those dimensions are useful in diff. contexts
CVSS – vulnerability scoring system – more rigorous approach
- More thorough and objective way of scoring the vulnerability
- attack vector, attack complexity, etc
- Online calculator to find out
Mitigation
- We can drop DFD, STRIDE to figure out the threats, but we also need to know how to stop it from happening!
- Every threat we find should be mitigated by a security feature to cut down on overall sec. threat
-
- Identify the most high risk threat and prioritize!
- could use attack trees to build a mitigation strategy
- What are the attack paths and how do we mitigate it effectively?
- We gotta count all attack paths – and how do we eliminate as many as
possible?
- When its an AND tree, we can lose the entire left had side!!! omg so efficient
Leave a comment