Threat modeling the security of the enterprise


Published on

Many IT Security professionals simply do not understand "threat modeling" - or how an attack at component A can ultimately affect component B, C, and D ... this example-based (and very, very high-level) talk hopes to get you interested in threat modeling and understanding how things are connected - in orer to give you a chance to build your defenses.

Published in: Technology, Business
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Threat modeling the security of the enterprise

  1. 1. Threat Modeling the Securityof Your Enterprise How not to panic all the timeRafal M. LosEnterprise & Cloud Security Strategist©2011 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice
  3. 3. First the Basics
  4. 4. What is threat modeling?“Threat modeling is a procedure for optimizing security by identifying objectivesand vulnerabilities, and then defining countermeasures to prevent, or mitigatethe effects of, threats to the system.” --
  5. 5. What is threat modeling? What is this asset? What are all the ways that it can be attacked? …how can I effectively protect it from exploit? …and if it gets successfully exploited, what does that …and how does it affect mean? these other assets?
  6. 6. Why learn threat modeling?In order to enact effective strategies to protect the most critical assets andsystems, we first need to understand how they will be potentially abused, orattacked.If you cannot understand a system, you cannot defend it.
  7. 7. The ProblemPoorvisibility• Where are logically and physically critical processes, data, and systems?• How are critical systems, networks, and applications connected? 7 Enterprise Security – HP Confidential
  8. 8. The Problem Limited insight • What is the difference between a legitimate transaction, and an attack … or fraud? • How does an event in one system impact others?8 Enterprise Security – HP Confidential
  9. 9. Benefits of Threat Modeling• Gain understanding of real attack surface of enterprise assets• Identify inter-connectedness of systems, applications, etc• Plot attack scenarios based on probability, impact, connectedness• Gain comprehensive understanding of real exploit impact9 Enterprise Security – HP Confidential
  10. 10. Fundamentals ofThreat Modeling
  11. 11. When to Use Threat Modeling• designing a threat mitigation for a system, application, or asset• desire to understand how a compromised component can impact others• security testing a component with limited time• demonstrating inter-dependence of various enterprise components• comprehending failure modes and risk scoring11 Enterprise Security – HP Confidential
  12. 12. Approaches to Threat Modeling • Attacker-centric – Start with attacker, evaluate their goals, methods and means – Completely centered around the „actor‟ in the attack • System-centric – Start with a system, architecture, or software and define ways in which it can be attacked – Build out system (or software, etc) map then define exposures, ways to attack system • Asset-centric – Start with assets entrusted to a system such as data – Understand how assets relate to a system, move within a systemSource: Wikipedia[1] 12 Enterprise Security – HP Confidential
  13. 13. High Level Threat Modeling Steps1. Understand the target2. Model the target3. Identify threats to the target4. Determine exploit impact5. Perform risk-based scoring6. Determine counter-measures, re-model13 Enterprise Security – HP Confidential
  14. 14. The Basic Threat Model Threat: Target: Vector: The attack System or The method agent or asset under of the attack potential attack risk14 Enterprise Security – HP Confidential
  15. 15. 3 Things to RememberThings you must remember when threat modeling1. Spend enough time understanding your target – Be thorough in evaluating the target‟s requirements and goals – Evaluate how your target is connected to other potential pieces2. Don‟t miss relationships – Systems, applications, threats all have relationships which may be relevant – Follow processes, data flows, to their logical „dead end‟3. Dig deep into the details – The more details present the more complete, accurate the threat model is – Balance completeness vs. getting lost in the details15 Enterprise Security – HP Confidential
  16. 16. Practical Threat Modeling
  17. 17. Important PreparationSelect the appropriate approach Attacker-Centric System-Centric Asset-CentricIdeal for: Ideal for: Ideal for:• understanding an attacker • modeling complex system • defending specific assets• setting up penetration test • modeling applications • assessing public systems• when threat actor is known • attacking business with private data processesStrengths: Strengths: Strengths:• motivations often drive attack • ability to see complex • focuses on the most basic strategy at all levels relationships in system component, the assetWeaknesses: Weaknesses: Weaknesses:• often impossible to fully • requires a tremendous • potential to miss system- understand attacker amount of effort level mitigations, defenses17 Enterprise Security – HP Confidential
  18. 18. Practical: Building a Threat Model• Building a threat model against an enterprise application• Taking the most appropriate approach for the requirement• Start with basic information, build knowledge• Utilize failure mode analysis, risk scoring• Derive weaknesses in system, create defensive strategy18 Enterprise Security – HP Confidential
  19. 19. Understanding the TargetComponent Notes“External” web interface • Exposed to the Internet External • Written in Flash App • Mixed content • SSL-required“Internal” customer • Protected contentrepresentative interface • Written in Java • Access multiple customer dataMobile application • Mixed content Mobile • iOS and Android OS App • Encrypted httpsAutomated API for 3rd • REST-based APIparty access • Access basic sensitive 3rd Party information API • Certificate-based access 19 Enterprise Security – HP Confidential
  20. 20. Model the Target – Iteration 1 JavaScrip t Adobe Flash Web MS MQ Browser MS SQL Serve r WebSpher Web e App Server Browser Applet Webkit/ Safari JavaScrip t iOS REST 3rd Party Web Service UNTRUSTED TRUSTED20 Enterprise Security – HP Confidential
  21. 21. Model the Target – Iteration 2 JavaScrip t Adobe Flash Web MS MQ Google Browser MS SQL Serve r Gears WebSpher Web e App Server Browser Applet Webkit/ Safari JavaScrip t iOS Oracle REST 3rd Party Web CS R Service mySQL UNTRUSTED TRUSTED21 Enterprise Security – HP Confidential
  22. 22. Model the Target – Iteration 3 JavaScrip SQLit t e Adobe Flash Web MS MQ Google Browser MS SQL Serve r Gears SQLit e WebSpher Web e App Server Browser Applet SQLit Webkit/ e Safari JavaScrip t iOS Oracle REST 3rd Party Web CS R Service mySQL UNTRUSTED TRUSTED22 Enterprise Security – HP Confidential
  23. 23. Identify Threats to the Target 1 JavaScrip SQLit t e 2 Adobe Flash Web MS MQ Google Browser MS SQL 3 Serve r Attack local Gears 1 database of external SQLit e user WebSpher Web 2 Attack Flash client of e App external user Server Browser Applet Attack main SQLit application db Webkit/ e 3 4 through SQL Safari JavaScrip t iOS injection Oracle Attack secondary application db REST 4 3rd Party through SQL Web CS injection R Service 5 … mySQL UNTRUSTED TRUSTED23 Enterprise Security – HP Confidential
  24. 24. Identify Threats to the TargetItem Attack Description Effectiveness Difficulty 1 Attack local cache/database of external user Medium High 2 Exploit flash client of external user High Medium Attack main application database through SQL 3 High Low injection Attack secondary application database through 4 High Low SQL injection 5 … … …24 Enterprise Security – HP Confidential
  25. 25. Determine Exploit Impact JavaScrip t SQLit e Focus on one Adobe Flash Web MS MQ attack at a time. Google Browser MS SQL Serve r Gears SQLit e If #4 is successful WebSpher Web (penetrate secondary e App Server Browser database) what can SQLit Applet the exploit impact be? Webkit/ e 4 Safari JavaScrip t iOS Oracle REST 3rd Party Web CS R Service mySQL UNTRUSTED TRUSTED25 Enterprise Security – HP Confidential
  26. 26. Determine Exploit Impact JavaScrip t SQLit e Relationships Adobe Flash Web MS MQ help us visualize Google Browser MS SQL Serve Gears r the impact of a SQLit e successful exploit WebSpher Web on any given e App Server Browser Applet component. SQLit Webkit/ e 4 Safari JavaScrip t iOS Oracle REST 3rd Party Web CS R Service mySQL UNTRUSTED TRUSTED26 Enterprise Security – HP Confidential
  27. 27. Perform Risk-Based ScoringScore each threat scenario based on – Criticality – Likelihood – Difficulty – ImpactCreate matrix called a “Failure Mode Analysis” – Assign numerical values to modifiers for analysis – Compute mathematical risk impact for objective analysis27 Enterprise Security – HP Confidential
  28. 28. Sample Failure Mode Analysis Matrix Criticality Likelihood Exploitability ImpactThreat Scenario TotalLocal cache (db) 1 1 1 1 4Flash client 4 4 9 4 21 High = 9 Medium = 4Primary SQL Injection 9 9 9 9 36 Low = 1Secondary SQL 9 9 9 4 31Injection28 Enterprise Security – HP Confidential
  29. 29. Determine Counter-MeasuresMathematical, objective analysis will determine countermeasuresMost critical failures modes aren‟t always obviousMost critical failure modes aren‟t always most complex or difficult to protectCounter-measures should be appropriate to the threat criticality…after formulating counter-measures, re-run threat scenario to validate.29 Enterprise Security – HP Confidential
  30. 30. Resources
  31. 31. Prior work …1. Wikipedia - OWASP “Threat Modeling” by Martin Knobloch - John Steven, Citical (OWASP presentations, various works)
  32. 32. THANK YOU