Application  Security  Wargame

Application  Threat  Modeling

Agenda

• Introduction• What  is  Threat  Modeling?• Approaches• Case  Study

Introduction:  Terminology

• Asset• Is  something  which  has  value  and  which  we  want  to  protect

• Threat• Is  something  bad  that  can  happen  to  an  Asset

• Threat  Agent  /  Actor• Is  something  or  someone  who  can  manifest  a  threat

• Attack• Is  a  process  by  which  a  threat  or  threat  agent  can  harm  an  asset

• Risk• Is  the  likelihood  that  a  particular  Threat  against  a  particular  asset  will  occur

• Control• One  or  more  measures  that  reduces  or  eliminates  a  Risk

What  is  Threat  Modeling

• Threat  Model  consists  of• Threats  to  a  system• Assets  threats  may  affect• Mapping  of  the  threats  to  assets• Risk  rating• Countermeasures

• Threat  modelling  is  a  repeatable  process  by  which  we  can  enumerate  the  threats  and  assets  of  a  system  and  how  the  threats  may  affect  the  assets.  It  may  also  optionally  score  the  risk  and  plan  countermeasures.

When  to  do  TM?

Analyze Design Implement Verify Deploy Respond

Security  Requirements

Secure  Design

Secure  Coding

Security  Testing

Secure  Deployment

Static  Analysis

Attack  Surface  Review

Incident  Response  Plan

Incident  Response

Penetration  Testing

Training  &  Awareness

Threat  Modeling

Predict Prevent Detect

Approaches

• Asset  centric• Traditional  Risk  Analysis• What  do  I  care  about  most• How  do  I  protect  it?

• Attacker  centric  aka  Attack  tree  approach• Who  are  the  attackers  ?• What  are  the  attackers’  goals  and  how  they  might  achieve  them  ?• How  do  it  stop  them?

• System  Centric  /  Design  centric  /  Architecture  Centric• Start  with  the  design  of  the  system

Asset-­‐Centric  Approach

• What  do  you  want  to  protect?  • List  of  Assets

• What  do  you  want  to  protect  it  from?    • List  of  Threats

• How  likely  is  it  that  you  will  need  to  protect  it?• Security  Requirements

• How  bad  are  the  consequences  if  you  fail?  • Risk  Rating

• How  much  trouble  are  you  will  to  go  through  in  order  to  try  to  prevent  those?  • Countermeasures  planning

Attacker  Centric  approach

• Attack  Trees• Represent  attacks  against  a  system  in  a  tree  structure• Goal  is  the  root  node• Attacks  as  leaf  nodes• Children  can  be  AND  nodes  or  OR  nodes

• Reference:  https://www.schneier.com/academic/archives/1999/12/attack_trees.html

Attack  Trees  /  Graphs

• Identify  Possible  Attack  Goals• Build  attack  tree  for  each  goal• Enumerate  attacks  against  each  goal  and  add  them  as  nodes• Repeat  the  process  down  the  tree• Merge  all  attack  trees  to  form  the  attack  graph• Prune  the  Graph

System  Centric  Approach

• Identify  Security  Objectives• Understand  the  system  /  application• Identify  the  threats• Calculate  risk• Countermeasures• Validate  the  threat  model

Security  Objectives

• Identity• Does  the  application  need  to  protect  user  identity  from  abuse?

• Financial• Assess  the  level  of  risk  the  organization  is  prepared  to  incur  in  remediation  as  potential  financial  loss.

• Reputation• Quantify  or  estimate  of  loss  of  reputation  due  to  application  being  misused  or  attacked

• Regulatory• Is  the  application  liable  to  adhere  to  standards  and  regulatory  compliances?

• Availability• SLA

Understand  the  System:  Enumerate

• Product  functionality• Technologies  in  use• Processes• Listening  ports• Firewall  rules• Databases

Understand  the  system:  DFD

• Dataflow• Contextual• High  level• Low  level

• Identify  trust  boundaries• Identify  Entry  points  aka  Attack  Surfaces

Data  flow  Diagram:  Symbols

External  Entity Process Complex  Process Data  Store

Data  Flow Trust  Boundary

Identify  Threats

• Identify• Network  Threats• Host  Threats• Application  threats

• Approaches• Use  STRIDE  to  Identify  threats• Use  Categorized  threat  list  /  library• Attack  Trees  &  Attack  patterns

STRIDEThreat Property  Violated Threat  Definition

S Spoofing Authentication Pretending   to  be  something or  someone  other  than  yourself

T Tampering Integrity Modifying something   on  disk,  network,  memory  or  elsewhere

R Repudiation Non-­‐Repudiation Claiming  that  you  didn’t   do  something or  were  not  responsible.  Can  be  honest  or  false

I Information  Disclosure

Confidentiality Providing   information   to  someone  not  authorized   to  accessit

D Denial  of  Service

Availability Exhausting  resources  needed   to  provide  service

E Elevation  of  Privilege

Authorization Allowing  someone   to  do  something   they  are  not  authorized  to  do

STRIDE-­‐per-­‐Element

S T R I D E

External  Entity x x

Process x x x x x X

Data Flow x x x

Data  Store x x x

STRIDE-­‐per-­‐interaction

• Interaction• tuple  of  (origin,  destination  and  interaction)

• Similar  to  STRIDE-­‐per-­‐entity• For  each  entity,  categorize  threats  by  their  interactions  

• More  complex  to  build  but  easier  to  understand

Other  approaches

• Attack  Trees• Attacker  Library• Barnard’s  List• Verizon’s  Lists• Aucsmith’s Attacker  Personas• Intel  Threat  Agent  Library  (TARA)• OWASP

• Attack  Library• OWASP  • WASC• CAPEC

Calculate  Risk

• RPD  Model• Risk  =  Probability  *  Damage  

• DREAD• Risk  =  (Damage  +  Reproducibility  +  Exploitability  +  Affected  Users  +  Discoverability  )  /  5  

• CVSS

Countermeasures

• Risk  Acceptance• Do  nothing

• Risk  Transfer• to  another  component  in  the  System

• Risk  Elimination• Remove  /  Disable  the  feature• Fix  the  bug

• Risk  Mitigation• Add  controls  to  reduce  or  mitigate  the  risk

Countermeasures

Threat Countermeasures

Spoofing  user  identity

Use  strong  authentication.

Do  not  store  secrets  (for  example,  passwords)  in  plaintext.

Do  not  pass  credentials  in  plaintext  over  the  wire.

Protect  authentication  cookies  with  Secure  Sockets  Layer  (SSL).

Tampering  with  data

Use  data  hashing  and  signing.

Use  digital  signatures.

Use  strong  authorization.

Use  tamper-­‐resistant  protocols  across  communication  links.

Secure  communication  links  with  protocols  that  provide  message  integrity.

Countermeasures

Threat Countermeasures

RepudiationCreate  secure  audit  trails.

Use  digital  signatures.

Information  disclosure

Use  strong  authorization.

Use  strong  encryption.

Secure  communication  links  with  protocols  that  provide  message  confidentiality.

Do  not  store  secrets  (for  example,  passwords)  in  plaintext.

Denial  of  service

Use  resource  and  bandwidth  throttling  techniques.

Validate  and  filter  input.

Elevation  of  privilege

Follow  the  principle  of  least  privilege  and  use  least  privileged  service  accounts  to  run  processes  and  access  resources.

Validation

• Penetration  Testing• Code  Review

Case  Study

• Web  Application• Microservices Architecture• Functionalities• Authenticate  user• Product  Search• Purchase  Product

Case  Study

Client  (browser)

API  Gateway

AuthService

Purchase

Search

Purchase  DB

Product  DB

Admin

User  DB

References

• Threat  Modeling  – Designing  for  Security,  Adam  Shostack• Attack  Trees  – Bruce  Schneier,  https://www.schneier.com/academic/archives/1999/12/attack_trees.html• Microsoft,  https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx• OWASP,  https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-­‐_Mobile_Threat_Model