Threat Modeling
OWASP Hartford
February 9, 2016
Robert Hurlbut
Robert Hurlbut
• Independent Software Security Consultant and Trainer
– Owner / President of Robert Hurlbut Consulting Services
– Microsoft MVP – Security Developer 2005-2009, 2015
– (ISC)2 CSSLP 2014-2017
– Group Leader – Boston .NET Arch Group, Amherst Sec Grp
– Speaker at user groups, conferences, and other events
• Contacts
– Web Site: https://roberthurlbut.com/
– LinkedIn: https://www.linkedin.com/in/roberthurlbut/
– Twitter: @RobertHurlbut
– Email: robert at roberthurlbut.com
– Slides Location: https://roberthurlbut.com/training/presentations
What is threat modeling?
Something we all do in our personal lives …
... when we lock our doors to our house
... when we lock the windows
... when we lock the doors to our car
We threat model by thinking ahead of what could go wrong and acting accordingly
What is threat modeling?
Threat modeling is the process of understanding your system and potential threats against your system.
A threat model helps you assess the probability, potential harm, and priority of threats.
Based on the model you can try to minimize or eradicate the threats.
Michael Howard @michael_howard Jan 7, 2015
A dev team with an awesome, complete and accurate threat model gets my admiration and not much of my time because they don’t need it!
Brook Schoenfield @BrkSchoenfield June 29, 2015
As I practice it, threat modeling cannot be the province of a tech elite. It is best owned by all of a development team.
Threat modeling helps you …
Identify threats your system faces
Challenge assumptions
Prioritize other security efforts (pen test, review, fuzzing)
Document what you have learned
Definitions
Threat Agent
Someone (or a process) who could do harm to a system (also adversary or attacker)
Definitions
Threat
An adversary’s goal
Definitions
Vulnerability
A flaw in the system that could help a threat agent realize a threat
Definitions
Attack
When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
Definitions
Asset
Something of value to valid users and adversaries alike
When?
Make threat modeling part of your secure software and architecture design
What if I didn’t? It’s not too late to start threat modeling, but it will be more difficult to change major design decisions
Getting started
Gather documentation (requirements, high-level design, detailed design, etc.)
Gather your team (don't make this one person's job only!)
Developers, QA, Architects, Project Managers, Business Stakeholders
Understand business goals
Understand technical goals
Agree on meeting date(s) and time(s)
Plan on 1-2 hours at a time spread over a week or weeks – keep sessions focused
Important: Be honest, leave ego at the door, no blaming!
Threat Modeling Process – Making it work
1. Draw your picture - model the system
2. List the elements – entities, processes, data, data flows
3. Identify the threats - ask questions
4. Determine mitigations and risks
5. Follow through
Draw your picture
Model the system
• DFD – Data Flow Diagrams (from Microsoft SDL)
• Diagram elements: External Entity, Process, Multi-Process, Data Store, Dataflow, Privilege Boundary
Model the System
[Diagram: a simple DFD. Users and an Admin interact with a Server; the labels on the diagram are Request, Response, Admin Settings, Logging Data, and a Trust boundary between the external entities and the server.]
Model the system
[Diagram: DFD of the example system. External entities: User, Admin. Processes: Service, Authn Engine, Audit Engine, Mgmt Tool. Data stores: Credentials, Data Files, Audit Data. Nine numbered data flows carry the labels Request, Requested File(s), Get Creds, Set/Get Creds, Audit Requests, Audit Info, Audit Read and Audit Write. Two trust boundaries are drawn.]
Your threat model now consists of …
1. Diagram / visual model of your system
Identify the elements
[Diagram: the same DFD as on the previous slide, with its elements called out.]
External Entities:
Users, Admin
Processes:
Service, Authn Engine, Audit Engine, Mgmt Tool
Data Store(s):
Data Files, Credentials
Data Flows:
Users <-> Service
Admin <-> Audit Engine
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
Identify threats
Attack Trees (Bruce Schneier - Slidedeck)
Threat Libraries (CAPEC, OWASP Top 10, SANS Top 25)
Checklists (ex: OWASP Application Security Verification Standard (ASVS), OWASP Proactive Controls 2016))
Use Cases / Misuse Cases
Identify threats
Games:
Elevation of Privilege (EoP)
OWASP Cornucopia
OWASP Cornucopia
Suits:
Data validation and encoding
Authentication
Session Management
Authorization
Cryptography
Cornucopia
13 cards per suit, 2 Jokers
Play a round, highest value wins
STRIDE Framework* for finding threats
Threat: Property we want
Spoofing: Authentication
Tampering: Integrity
Repudiation: Non-repudiation
Information Disclosure: Confidentiality
Denial of Service: Availability
Elevation of Privilege: Authorization
* Framework, not classification scheme. STRIDE is a good framework, bad taxonomy
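The following is an added example, not code from the talk: the DFD from the "Model the system" and "Identify the elements" slides written down as data, with candidate threats enumerated by the STRIDE-per-element rule from the Microsoft SDL (each DFD element type is exposed to a fixed subset of STRIDE) and the flows that cross a trust boundary flagged for the first round of questions. Element names follow the slides; the trust-zone assignment, the flow endpoints, and the question prompts for T and D are assumptions of this example.

```python
"""
Added example (not from the slides): STRIDE-per-element over the talk's DFD.
Element names come from the slides; zones, flow endpoints and the T/D
prompts are assumed here.
"""
from dataclasses import dataclass
from typing import List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element (Microsoft SDL): categories that apply to each element type.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}

# "Ask questions" prompts. S, R, I and E are the talk's questions; T and D are assumed.
QUESTION = {
    "S": "How is authentication handled?",
    "T": "Can the data be modified in transit or at rest without detection?",
    "R": "Is there logging? What is stored?",
    "I": "Are we sending data in the open? Are we using cryptography properly?",
    "D": "What happens if this element is flooded or unavailable?",
    "E": "What about authorization?",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    question: str


def build_model() -> Tuple[List[Element], List[Flow]]:
    elements = [
        Element("User", "external", "internet"),
        Element("Admin", "external", "admin-net"),
        Element("Service", "process", "server"),
        Element("Authn Engine", "process", "server"),
        Element("Audit Engine", "process", "server"),
        Element("Mgmt Tool", "process", "admin-net"),
        Element("Credentials", "datastore", "server"),
        Element("Data Files", "datastore", "server"),
        Element("Audit Data", "datastore", "server"),
    ]
    flows = [  # labels from the slide; endpoints are assumed
        Flow("User", "Service", "Request"),
        Flow("Service", "User", "Requested File(s)"),
        Flow("Service", "Data Files", "Requested File(s)"),
        Flow("Service", "Authn Engine", "Get Creds"),
        Flow("Authn Engine", "Credentials", "Get Creds"),
        Flow("Mgmt Tool", "Credentials", "Set/Get Creds"),
        Flow("Admin", "Audit Engine", "Audit Requests"),
        Flow("Audit Engine", "Admin", "Audit Info"),
        Flow("Audit Engine", "Audit Data", "Audit Read"),
        Flow("Service", "Audit Engine", "Audit Write"),
    ]
    return elements, flows


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """One candidate threat per (element, applicable STRIDE category)."""
    zone = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], False, QUESTION[letter]))
    for f in flows:
        if f.src not in zone or f.dst not in zone:
            raise ValueError(f"flow {f} references an element that is not in the model")
        crosses = zone[f.src] != zone[f.dst]
        target = f"{f.src} -> {f.dst} [{f.label}]"
        for letter in APPLICABLE["dataflow"]:
            threats.append(Threat(target, STRIDE[letter], crosses, QUESTION[letter]))
    return threats


def boundary_crossing(threats: List[Threat]) -> List[Threat]:
    """Threats on flows that cross a trust boundary: ask about these first."""
    return [t for t in threats if t.crosses_boundary]


if __name__ == "__main__":
    elements, flows = build_model()
    threats = enumerate_threats(elements, flows)
    print(f"{len(threats)} candidate threats, "
          f"{len(boundary_crossing(threats))} on boundary-crossing flows")
    for t in boundary_crossing(threats):
        print(f"{t.target}: {t.category}. {t.question}")
```

The output is a list of candidates, not findings: the point of the STRIDE footnote above is that the letters are a prompt for the "Ask questions" step, and most candidates on flows inside one zone will be closed quickly. The boundary-crossing ones (user to service, admin tool to the credential store) are where the session's time goes.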
Identify threats
P.A.S.T.A. – Process for Attack Simulation and Threat Analysis
7 step process combining:
STRIDE + Attacks + Risk Analyses
Identify Threats
Input and data validation
Authentication
Authorization
Configuration management
Sensitive data
Session management
Cryptography
Parameter manipulation
Exception management
Auditing and logging
Ask questions
How is authentication handled?
What about authorization?
Are we sending data in the open?
Are we using cryptography properly?
Is there logging? What is stored?
Etc.
One of the best questions …
Is there anything that keeps you up at night worrying about this system?
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
Determine mitigations and risks
• Mitigation Options:
– Leave as-is
– Remove from product
– Remedy with technology countermeasure
– Warn user
• What is the risk associated with the vulnerability?
Determine mitigations and risks
Risk Management
Bug Bar (Critical / Important / Moderate / Low)
FAIR (Factor Analysis of Information Risk) – Jack Jones
Risk Rating (High, Medium, Low)
Risk Rating
Overall risk of the threat expressed in High, Medium, or Low.
Risk is product of two factors:
Ease of exploitation
Business impact
Risk Rating – Ease of Exploitation
© 2016 Robert Hurlbut Consulting Services
High
• Tools and exploits are readily available on the Internet or other locations
• Exploitation requires no specialized knowledge of the system and little or no programming skills
• Anonymous users can exploit the issue
Medium
• Tools and exploits are available but need to be modified to work successfully
• Exploitation requires basic knowledge of the system and may require some programming skills
• User-level access may be a pre-condition
Low
• Working tools or exploits are not readily available
• Exploitation requires in-depth knowledge of the system and/or may require strong programming skills
• User-level (or perhaps higher privilege) access may be one of a number of pre-conditions
Risk Rating – Business Impact
High
• Administrator-level access (for arbitrary code execution through privilege escalation, for instance) or disclosure of sensitive information
• Depending on the criticality of the system, some denial-of-service issues are considered high impact
• All or a significant number of users affected
• Impact to brand or reputation
Medium
• User-level access with no disclosure of sensitive information
• Depending on the criticality of the system, some denial-of-service issues are considered medium impact
Low
• Disclosure of non-sensitive information, such as configuration details that may assist an attacker
• Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket
• Low number of users affected
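As an added example (not from the slides), the two-factor rating above written down so that each threat record carries the answers to the tables' criteria and the overall High/Medium/Low rating is derived from them rather than argued afresh in every meeting. The slides do not say how the criteria within a row combine or give the ease-by-impact matrix, so both are assumptions of this example: ease is taken as the hardest precondition, impact as the worst outcome, and the matrix is a conventional one. RT-3 is the CSRF threat from the example slide that follows; RT-1 and RT-2 are constructed here for contrast.

```python
"""
Added example (not from the slides): deriving the High/Medium/Low risk
rating from the ease-of-exploitation and business-impact criteria.
The combination rules and the matrix are assumptions of this example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Ease-of-exploitation criteria, one mapping per row of the table.
TOOLS = {"readily available": Level.HIGH, "need modification": Level.MEDIUM, "not available": Level.LOW}
KNOWLEDGE = {"none": Level.HIGH, "basic": Level.MEDIUM, "in-depth": Level.LOW}
ACCESS = {"anonymous": Level.HIGH, "user": Level.MEDIUM, "privileged": Level.LOW}


def ease_of_exploitation(tools: str, knowledge: str, access: str) -> Level:
    # Assumption: an attack is only as easy as its hardest precondition.
    return min(TOOLS[tools], KNOWLEDGE[knowledge], ACCESS[access])


# Business-impact criteria. Denial of service is left to judgement per the
# slide ("depending on the criticality of the system") and is not encoded.
OUTCOME = {
    "admin access": Level.HIGH,
    "sensitive disclosure": Level.HIGH,
    "user access": Level.MEDIUM,
    "non-sensitive disclosure": Level.LOW,
    "best-practice gap": Level.LOW,
}
USERS_AFFECTED = {"all": Level.HIGH, "significant": Level.HIGH, "some": Level.MEDIUM, "few": Level.LOW}


def business_impact(outcome: str, users_affected: str, brand_impact: bool) -> Level:
    # Assumption: impact is the worst of the outcome, the reach, and brand damage.
    levels = [OUTCOME[outcome], USERS_AFFECTED[users_affected]]
    if brand_impact:
        levels.append(Level.HIGH)
    return max(levels)


# Assumed combination matrix, indexed [ease][impact].
RISK_MATRIX = {
    Level.HIGH:   {Level.HIGH: Level.HIGH,   Level.MEDIUM: Level.HIGH,   Level.LOW: Level.MEDIUM},
    Level.MEDIUM: {Level.HIGH: Level.HIGH,   Level.MEDIUM: Level.MEDIUM, Level.LOW: Level.LOW},
    Level.LOW:    {Level.HIGH: Level.MEDIUM, Level.MEDIUM: Level.LOW,    Level.LOW: Level.LOW},
}


@dataclass
class ThreatRecord:
    id: str
    threat: str
    ease: Level
    impact: Level
    countermeasures: List[str]
    components: List[str]

    @property
    def risk(self) -> Level:
        return RISK_MATRIX[self.ease][self.impact]


def prioritize(records: List[ThreatRecord]) -> List[ThreatRecord]:
    """Highest risk first; within a rating, the easier-to-exploit threat first."""
    return sorted(records, key=lambda r: (r.risk, r.ease, r.impact), reverse=True)


def example_records() -> List[ThreatRecord]:
    # RT-3 is the CSRF threat from the talk's example slide; RT-1 and RT-2 are constructed.
    return [
        ThreatRecord("RT-1", "Unauthenticated download of Data Files",
                     ease_of_exploitation("readily available", "none", "anonymous"),
                     business_impact("sensitive disclosure", "all", True),
                     ["Require authentication on file requests"], ["Service"]),
        ThreatRecord("RT-2", "Verbose error pages reveal framework version",
                     ease_of_exploitation("readily available", "basic", "anonymous"),
                     business_impact("non-sensitive disclosure", "few", False),
                     ["Generic error pages"], ["Service"]),
        ThreatRecord("RT-3", "Lack of CSRF protection allows attackers to submit commands on behalf of users",
                     ease_of_exploitation("readily available", "basic", "user"),
                     business_impact("user access", "some", False),
                     ["Per-transaction codes (nonce)", "thresholds", "event visibility"], ["CO-3"]),
    ]


if __name__ == "__main__":
    for r in prioritize(example_records()):
        print(f"{r.id} {r.risk.name:6} ease={r.ease.name:6} impact={r.impact.name:6} {r.threat}")
```

Recording the criteria answers rather than only the final letter is what makes the record reviewable later: when a precondition changes (the endpoint becomes reachable anonymously, say) the rating can be recomputed instead of re-debated.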
Example – Medium Risk Threat
ID - Risk: RT-3
Threat: Lack of CSRF protection allows attackers to submit commands on behalf of users
Description/Impact: Client applications could be subject to a CSRF attack where the attacker embeds commands in the client application and uses it to submit commands to the server on behalf of the users
Countermeasures: Per-transaction codes (nonce), thresholds, event visibility
Components Affected: CO-3
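An added example of the first countermeasure listed for RT-3, a per-transaction code: this is not code from the talk, and the class and function names are this example's own. The server mints a random, single-use token bound to the user's session and to one specific action, keeps it server-side with an expiry, and refuses any state-changing request that does not present it. A forged request from an attacker's page rides on the victim's cookies but cannot carry the code, a captured code cannot be replayed once consumed, and a code issued for one action does not work for another.

```python
"""
Added example (not from the slides): a single-use, per-transaction
anti-CSRF code bound to session and action. Names are this example's own.
"""
import hmac
import secrets
import time
from typing import Callable, Optional, Dict, Tuple


class TransactionNonces:
    """Server-side store of outstanding per-transaction codes."""

    def __init__(self, ttl_seconds: int = 600, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        # (session_id, action, token) -> expiry time
        self._issued: Dict[Tuple[str, str, str], float] = {}

    def issue(self, session_id: str, action: str) -> str:
        """Mint a fresh code for one action in one session; the form embeds it."""
        token = secrets.token_urlsafe(32)
        self._issued[(session_id, action, token)] = self.clock() + self.ttl
        return token

    def redeem(self, session_id: str, action: str, token: Optional[str]) -> bool:
        """Validate and consume a code. False for a missing, foreign, wrong-action,
        expired or replayed token."""
        if not isinstance(token, str) or not token or not token.isascii():
            return False
        now = self.clock()
        match = None
        # Compare in constant time against each outstanding code for this
        # session and action, so a miss is not distinguishable by timing.
        for (sid, act, tok), expiry in self._issued.items():
            if sid == session_id and act == action and hmac.compare_digest(tok, token):
                match = (sid, act, tok, expiry)
        if match is None:
            return False
        sid, act, tok, expiry = match
        del self._issued[(sid, act, tok)]   # single use: consumed even if expired
        return now <= expiry


def handle_transfer(nonces: TransactionNonces, session_id: str, form: dict) -> int:
    """Simulated state-changing endpoint: the form must carry a valid code."""
    if not nonces.redeem(session_id, "transfer", form.get("csrf_token")):
        return 403
    return 200


def demo() -> Tuple[int, int, int, int]:
    nonces = TransactionNonces()
    victim = "sess-victim"  # constructed session id
    # Legitimate client: the rendered form carries a freshly issued code.
    token = nonces.issue(victim, "transfer")
    ok = handle_transfer(nonces, victim, {"csrf_token": token, "to": "alice", "amount": 10})
    # Attacker's page submits through the victim's browser: cookies go along
    # automatically, but the attacker never saw the code.
    forged = handle_transfer(nonces, victim, {"to": "mallory", "amount": 10})
    # Replaying the already-consumed code fails.
    replay = handle_transfer(nonces, victim, {"csrf_token": token, "to": "mallory", "amount": 10})
    # A code issued for a different action is rejected for this one.
    other = nonces.issue(victim, "change-email")
    cross = handle_transfer(nonces, victim, {"csrf_token": other, "to": "mallory", "amount": 10})
    return ok, forged, replay, cross


if __name__ == "__main__":
    print(demo())
```

The example covers only the nonce; the other two countermeasures on the slide (thresholds on transaction volume, visibility of the event in the audit log) are independent controls and would live in the Service and Audit Engine rather than here.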
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
4. Mitigations and risks identified to deal with the threats
Follow through
Document what you found and decisions you make
File bugs or new requirements
Verify bugs fixed and new requirements implemented
Did we miss anything? Review again
Anything new? Review again
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
4. Mitigations and risks identified to deal with the threats
5. Follow through
A living threat model!
Your challenge
Add threat modeling to your toolkit
Consider threat modeling first (secure design, before new features, etc.)
Many ways … just do it!
Resources - Books
Threat Modeling: Designing for Security
Adam Shostack
Securing Systems: Applied Architecture and Threat Models
Brook S.E. Schoenfield
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
Marco Morana and Tony UcedaVelez
Measuring and Managing Information Risk: A FAIR Approach
Jack Jones and Jack Freund
Resources - Tools
Whiteboard
Visio (or equivalent) for diagraming
Word (or equivalent) or Excel (or equivalent) for documenting
Resources - Tools
Attack Trees – Bruce Schneier on Security
https://www.schneier.com/attacktrees.pdf
Microsoft Threat Modeling Tool 2016
http://www.microsoft.com/en-us/download/details.aspx?id=49168
Threat Modeler Tool 3.0
http://myappsecurity.com
Resources - Tools
Elevation of Privilege (EoP) Game
http://www.microsoft.com/en-us/download/details.aspx?id=20303
OWASP Cornucopia
https://www.owasp.org/index.php/OWASP_Cornucopia
OWASP Application Security Verification Standard (ASVS)
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP Proactive Controls (especially current 2016 work)
https://www.owasp.org/index.php/OWASP_Proactive_Controls
Questions?
• Contacts
– Web Site: https://roberthurlbut.com/
– LinkedIn: https://www.linkedin.com/in/roberthurlbut/
– Twitter: @RobertHurlbut