Threat modelling

5 minute read

Updated:

2. Threat modelling

Threat Modelling Goals

  • To be able to understand the system’s threat profile – and really break down the risks
  • Facilitate secure design and implementation by addressing as many threats you could identify and the mitigation strategy accordingly
  • To understand where we need to look for vulnerabilities

Three different perspectives: Assets, Attackers, Software (of the system itself)

  • one most important is focusing on the system. Rest is less technical

1. Assets: valuable things you tryna protect

  • Some are obvious, some aren’t
    • Confidential data
    • User credentials – data breach! And the most common
  • Gotta think wider – intangible, you can’t touch it!
    • Systems availability – attacked in DoS
    • Reputation or a soft target – affect ur finances if they see you not running a secure system
  • Attackers want overlapping but not identical sets of things

2. Attacker lists- idea of this technique is that you are tryna make a list of ppl who could attack you less technical

  • If you could help him picture what hackers would be like – could be more tangible
    • U may cancel out certain types of attackers
  • Might understand the motivation or skills better
    • BUT the modeller could be unconsciously biased!
  • Example of an attacker list [2 pdf 7]
    • Classified into 4 diff levels of hackers (kiddy ~~ specialist) && their goals (curiosity ~~ national interests) and made a chart out of it

3. Thinking about threats IN the actual software

  • Unstructured
    • Is to think about the ranges of techniques we could use by brainstorming -it won’t give you all the possibilities
  • So instead, Moderately structured
    • User case story and analyse the situation more thoroughly
    • Use a game approach to estimate as a group what the threats are and how serious they are
      • Protection poker – give each risk a scale from 0 -100 (10 units)
  • Highly structured
    • data flow diagrams, STRIDE, Attack tress

Data Flow Diagram

  • Dataflow – communication btwn diff elements in the system (btwn processes, btwn protocols)
  • !image

  • Example seen in page 09 – they all interact with the system, but there are boundaries

  • Trust boundaries are shown in dash line – shows the level of privilege it requires (btwn diff. users, physical computers, VMs, network segments) privilege spectrum
    • Authentication – and you need a privilege to acquire authentication from user/ admin
    • Principal – any active entity with access privileges that are distinct
      • Least privilege – end user
      • Most privilege – systems admin
    • And every time a principal talks to another gotta draw a trust boundary

</br>

  • Entry & Exit points
    • Place where control or data crosses a trust boundary
      • E.g. Config files and registry – is the entry point when this is attacked the whole application could be affected!
    • Entry points can be layered – URL shows the multiple entry
      • https – server listing you enter the web
      • login.jsp - request going into that login code another level entry
      • cmd=NewUser - specific operation being triggered another level
  • Why do Trust Boundaries?
    • We tryna figure out all sets of possibilities of how attack could take place shows attack surface
    • They tend to cluster in entry and exit point in the trust boundary
    • So by doing this (trust boundaries), we are mapping out where we are looking at! the value of it
      • But also gotta look at what the ACTUAL threats are

STRIDE

  • Spoofing identity - pretending to be someone that you are not
  • Tampering with data – modifying something in memory/ On disk/ on a network
  • Repudiation - being able to deny that you did something (when you did it)
  • Information disclosure – providing info to someone not authorised to see it
  • Denial of service – absorbing a server’s resources to prevent others from accessing it
  • Elevation of privilege – acquiring permission to do something that you are not authorised to do
    • User and sys admins – about moving up that spectrum of permission
  • Benefits of stride
    • DFD – we can think what could happen in each stage of the flow as a checklist
      • Is there an opportunity of spoofing, privilege in this stage? – more systematic compared to just guessing
    • Could prioritize – some are more important – elevation of privilege is usually the most imp
      • But the priority depends on the context
  • Stride per element - you could focus more on individual elements – different types of threats could be more relevant
    • Lets say we have external entity (as DFD element type) – most relevant are spoofing and repudiation.
    • For each element of DFD – assign at least one threat systematic

Other models – simple

  • IIMF – interception, interruption, modification, fabrication
  • CIA – (violation of) confidentiality, integrity, availability

Attack trees

  • How we explore the details of threats could be done by identifying paths
  • Root node: overall threat, and you decompose that in a hierarchical component
  • Child nodes: represent a condition that must be true
    • Top level condition for attack to be successful keep going down till you cant decompose
  • shows a detailed picture of the probability of the attack being successful based on the percentage
  • Attack path: leaf node to the root – could mark up (dash line- less likely etc )
  • In attack trees, bear in mind that! OR unless specified as AND
    • OR - Either of them could be the reason of attack, gotta explore all
    • And – shown by linking 2 nodes, and BOTH needs to fulfil to happen
  • Example of an attack tree [2 pdf 18]
    • Acquires valid username AND a valid password –
      • Could be trying random usernames and brute force attack for pw
        • And decompose down
    • When we are breaking it down, and its AND, eliminate one with less child leaf as this will cut down the workload
    • each nodes are conditions! So it does NOT imply any situations

Textual representation

  • Harder to use, but could be machine readable (xml, json to build it graphically further)

Risk Assessment: DREAD
: D amage potential
: R eproducibility (how often an attempt at exploiting a vulnerability actually works)
: E xploitability (effort required to exploit vulnerability)
: A ffected users (proportion of install base that would be affected if an exploit became widely available)
: D iscoverability (likelihood that a vulnerability will be found by external security researchers or black hats)

  • To explore the potential aftermath of risk – so use DREAD
  • However, could be very subjective and not all of those dimensions are useful in diff. contexts

CVSS – vulnerability scoring system – more rigorous approach

  • More thorough and objective way of scoring the vulnerability
    • attack vector, attack complexity, etc
  • Online calculator to find out

Mitigation

  • We can drop DFD, STRIDE to figure out the threats, but we also need to know how to stop it from happening!
  • Every threat we find should be mitigated by a security feature to cut down on overall sec. threat
  • Identify the most high risk threat and prioritize!
    could use attack trees to build a mitigation strategy
  • What are the attack paths and how do we mitigate it effectively?
  • We gotta count all attack paths – and how do we eliminate as many as possible?
    • When its an AND tree, we can lose the entire left had side!!! omg so efficient

Leave a comment