application threat modeling
TRANSCRIPT
Introduction: Terminology
• Asset• Is something which has value and which we want to protect
• Threat• Is something bad that can happen to an Asset
• Threat Agent / Actor• Is something or someone who can manifest a threat
• Attack• Is a process by which a threat or threat agent can harm an asset
• Risk• Is the likelihood that a particular Threat against a particular asset will occur
• Control• One or more measures that reduces or eliminates a Risk
What is Threat Modeling
• Threat Model consists of• Threats to a system• Assets threats may affect• Mapping of the threats to assets• Risk rating• Countermeasures
• Threat modelling is a repeatable process by which we can enumerate the threats and assets of a system and how the threats may affect the assets. It may also optionally score the risk and plan countermeasures.
When to do TM?
Analyze Design Implement Verify Deploy Respond
Security Requirements
Secure Design
Secure Coding
Security Testing
Secure Deployment
Static Analysis
Attack Surface Review
Incident Response Plan
Incident Response
Penetration Testing
Training & Awareness
Threat Modeling
Predict Prevent Detect
Approaches
• Asset centric• Traditional Risk Analysis• What do I care about most• How do I protect it?
• Attacker centric aka Attack tree approach• Who are the attackers ?• What are the attackers’ goals and how they might achieve them ?• How do it stop them?
• System Centric / Design centric / Architecture Centric• Start with the design of the system
Asset-‐Centric Approach
• What do you want to protect? • List of Assets
• What do you want to protect it from? • List of Threats
• How likely is it that you will need to protect it?• Security Requirements
• How bad are the consequences if you fail? • Risk Rating
• How much trouble are you will to go through in order to try to prevent those? • Countermeasures planning
Attacker Centric approach
• Attack Trees• Represent attacks against a system in a tree structure• Goal is the root node• Attacks as leaf nodes• Children can be AND nodes or OR nodes
• Reference: https://www.schneier.com/academic/archives/1999/12/attack_trees.html
Attack Trees / Graphs
• Identify Possible Attack Goals• Build attack tree for each goal• Enumerate attacks against each goal and add them as nodes• Repeat the process down the tree• Merge all attack trees to form the attack graph• Prune the Graph
System Centric Approach
• Identify Security Objectives• Understand the system / application• Identify the threats• Calculate risk• Countermeasures• Validate the threat model
Security Objectives
• Identity• Does the application need to protect user identity from abuse?
• Financial• Assess the level of risk the organization is prepared to incur in remediation as potential financial loss.
• Reputation• Quantify or estimate of loss of reputation due to application being misused or attacked
• Regulatory• Is the application liable to adhere to standards and regulatory compliances?
• Availability• SLA
Understand the System: Enumerate
• Product functionality• Technologies in use• Processes• Listening ports• Firewall rules• Databases
Understand the system: DFD
• Dataflow• Contextual• High level• Low level
• Identify trust boundaries• Identify Entry points aka Attack Surfaces
Data flow Diagram: Symbols
External Entity Process Complex Process Data Store
Data Flow Trust Boundary
Identify Threats
• Identify• Network Threats• Host Threats• Application threats
• Approaches• Use STRIDE to Identify threats• Use Categorized threat list / library• Attack Trees & Attack patterns
STRIDEThreat Property Violated Threat Definition
S Spoofing Authentication Pretending to be something or someone other than yourself
T Tampering Integrity Modifying something on disk, network, memory or elsewhere
R Repudiation Non-‐Repudiation Claiming that you didn’t do something or were not responsible. Can be honest or false
I Information Disclosure
Confidentiality Providing information to someone not authorized to accessit
D Denial of Service
Availability Exhausting resources needed to provide service
E Elevation of Privilege
Authorization Allowing someone to do something they are not authorized to do
STRIDE-‐per-‐Element
S T R I D E
External Entity x x
Process x x x x x X
Data Flow x x x
Data Store x x x
STRIDE-‐per-‐interaction
• Interaction• tuple of (origin, destination and interaction)
• Similar to STRIDE-‐per-‐entity• For each entity, categorize threats by their interactions
• More complex to build but easier to understand
Other approaches
• Attack Trees• Attacker Library• Barnard’s List• Verizon’s Lists• Aucsmith’s Attacker Personas• Intel Threat Agent Library (TARA)• OWASP
• Attack Library• OWASP • WASC• CAPEC
Calculate Risk
• RPD Model• Risk = Probability * Damage
• DREAD• Risk = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability ) / 5
• CVSS
Countermeasures
• Risk Acceptance• Do nothing
• Risk Transfer• to another component in the System
• Risk Elimination• Remove / Disable the feature• Fix the bug
• Risk Mitigation• Add controls to reduce or mitigate the risk
Countermeasures
Threat Countermeasures
Spoofing user identity
Use strong authentication.
Do not store secrets (for example, passwords) in plaintext.
Do not pass credentials in plaintext over the wire.
Protect authentication cookies with Secure Sockets Layer (SSL).
Tampering with data
Use data hashing and signing.
Use digital signatures.
Use strong authorization.
Use tamper-‐resistant protocols across communication links.
Secure communication links with protocols that provide message integrity.
Countermeasures
Threat Countermeasures
RepudiationCreate secure audit trails.
Use digital signatures.
Information disclosure
Use strong authorization.
Use strong encryption.
Secure communication links with protocols that provide message confidentiality.
Do not store secrets (for example, passwords) in plaintext.
Denial of service
Use resource and bandwidth throttling techniques.
Validate and filter input.
Elevation of privilege
Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.
Case Study
• Web Application• Microservices Architecture• Functionalities• Authenticate user• Product Search• Purchase Product
Case Study
Client (browser)
API Gateway
AuthService
Purchase
Search
Purchase DB
Product DB
Admin
User DB
References
• Threat Modeling – Designing for Security, Adam Shostack• Attack Trees – Bruce Schneier, https://www.schneier.com/academic/archives/1999/12/attack_trees.html• Microsoft, https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx• OWASP, https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-‐_Mobile_Threat_Model