know your enemy - an introduction to threat modeling

@jschauma ConFoo Vancouver 2016

Jerry: Well, what makes them think you're a risk management expert? George: I guess it's on my resume.


@jschauma https://v.gd/ConFooThreatModel01 ConFoo Vancouver 2016

@jschauma

Ceci n’est pas un hacker.

ConFoo Vancouver 2016

@jschauma

Mais ceci oui ce sont des hackers.

dedicated, human adversaries ConFoo Vancouver 2016

https://v.gd/ConFooThreatModel02

Threat Model 101


By James Mickens

•  idenKfy assets •  idenKfy vulnerabiliKes •  idenKfy likely threat actors (categorized by objecKves & capabiliKes) •  idenKfy defensive capabiliKes •  determine risk score •  rinse and repeat

Threat Model 101


Figure out what you can defend against whom, eh?


A Concept is Stronger than a Fact. -‐ Charlo)e Perkins Gilman


WWW

Webservice

WWW

WWW Server

WWW

WWW Server @jschauma ConFoo Vancouver 2016

WWW

Webservice

Different / separate Threat Models @jschauma ConFoo Vancouver 2016

Threat Property

Spoofing AuthenKcaKon Tampering Integrity RepudiaKon Non-‐RepudiaKon InformaKon Disclosure ConfidenKality Denial of Service Availability ElevaKon of Privilege AuthorizaKon

STRIDE


DREAD Damage How bad would the a_ack be? Reproducability How easy to recreate the a_ack? Exploitability How easy to launch the a_ack? Affected Users How many are impacted? Discoverability How easy to discover for a_acker?


DREAD+D Damage How bad would the a_ack be? Reproducability How easy to recreate the a_ack? Exploitability How easy to launch the a_ack? Affected Users How many are impacted? Discoverability How easy to discover for a_acker? DetecKon How hard to detect for defender?


DREAD+D



•  competing incentives •  industry espionage •  covert operations •  low risk profile •  bound by (some) rules •  married to a supercomputer

Know Your Enemy https://v.gd/ConFooThreatModel04


•  low skill level •  opportunistic •  chaotic, yet predictable •  there may be more than you think •  never wears pants


Know Your Enemy


•  specific objective •  targeted attacks •  resourceful •  relentless •  only bound by gravity


Know Your Enemy


•  very powerful / resourceful •  may have privileged controls •  operates both clandestine & overt •  may utilize Wile E. Coyote,

Mayor Quimby, Fat Tony


Know Your Enemy


Understanding your adversaries' moKves and capabiliKes is criKcal.


https://xkcd.com/538/


Also works.

https://xkcd.com/538/


Threat Modeling Process •  idenKfy assets, assign values •  use STRIDE to idenKfy threats •  use DREAD+D to derive threat score •  determine / recommend defenses •  zoom out / zoom in & repeat


Your adversaries are people, too. Understand their moKves.


You can't defend against all threats all of the Kme.


A_ackers will go for the lowest hanging fruit.

Raising the cost of a_ack – not eliminaKng the enKre threat – is frequently sufficient.


@jschauma

•  Know your enemy. Understand their moKves. •  Know your vulnerabiliKes. Rank your threats. •  Know your defensive capabiliKes. Be realis6c.

PrioriKze what ma_ers.

ConFoo Vancouver 2016

know your enemy - an introduction to threat modeling

Technology