SlideShare a Scribd company logo

Threat modeling demystified

Priyanka Aash
Priyanka Aash

Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs. (Source : RSA Conference USA 2017)

Technology
1 of 98
Download to read offline
Threat Modeling Demystified Brook S.E. Schoenfield Author, Principal Engineer, Lead Product Security Architect, Intel Security Curious questioner
2 Table of Contents INTRODUCTION..................................................................................................................... 3 THREAT MODELING IS DESIGN-TIME ANALYSIS .......................................................................... 4 We have a Secure Design Problem..............................................................................................4 Threat Modeling Is Applied to an Architecture ...........................................................................4 Secure Software Imperatives.......................................................................................................5 A PROCESS ............................................................................................................................ 6 Knowledge Required Before the Threat Model...........................................................................6 There is no book of “correct” answers. Each organization is different..................................................6 Who Should Participate in The Threat Model? ...........................................................................6 Identifying Important Requirements...........................................................................................6 Assessing Risk ........................................................................................................................................6 ATASM..........................................................................................................................................8 Structure and Flow.......................................................................................................................9 Threat Agents.............................................................................................................................10 A Threat Agent Matrix .........................................................................................................................11 EXAMPLE ANALYSIS..............................................................................................................12 Mobile Security Application.......................................................................................................12 Simple ATASM Steps............................................................................................................................12 Analysis background and structural points..........................................................................................13 Documenting the Model......................................................................................................................14 CLOSING THOUGHTS ............................................................................................................14 Suggestions To Increase Skill .....................................................................................................14 RESOURCES..........................................................................................................................15
3 Introduction Many thanks to the people who spent 2 hours with me, Wednesday morning at RSAC 2017, San Francisco. Without your active participation, learning to threat model is a great deal harder. It turns out, after years of trying to help others climb into the art of seeing systems through the eyes of attackers that groups are one of the best ways to learn. Indeed, threat modeling is best done by the entire development team, anyway. So, by learning in groups, we model the way we are likely to get our best results when analyzing our own systems. Spending a few hours with people in this activity, or even an entire day, is one of the most rewarding activities that I am privileged to do. Thank you for taking the journey with me. In this document, I hope to summarize the main points we covered, as well as top provide just a little bit more than the slides for the Lab. I did fill in the notes for most of my slides as well, so they should be a useful reference, too.
4 Threat Modeling Is Design-Time Analysis We have a Secure Design Problem While some security issues (vulnerabilities) are implementation errors, a fair number of security issues are the result of a lack of security thinking while creating the structure of software (architecture) and then expressing the structure and the requirements in a codable/implementable design. Several obvious design issues were presented, most notably:  The hacked Jeep Wrangler (failed low level access control)  A pacemaker that joins open WiFi (open communications that assume all communications are benevolent)  The Target stores payment terminal hack (failure to isolate sensitive assets and to grant only required access) Threat Modeling Is Applied to an Architecture Architecture is the process of ordering the structure of things (e.g., buildings, cities, software systems, an enterprise, software, anything that is sufficiently complex such that the builders wish to structure it). Architecture uses abstraction in order to understand the system and in order to play with particular aspects of it. Threat modeling is an analysis technique to foster secure design. A threat model is not a “design”. Threat models output security requirements which then must be expressed in the design and then implemented and validated. Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood. Revisit the threat model when the architecture materially changes. That is, revisit when components are added or removed, or lines/forms of communication are added or changed. Threat models are living documents. That is, the analysis may be done as a point in time, but material changes must be reflected in the threat model. This is particularly important for iterative forms of development. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately (whenever there are structural changes). Threat modeling may be thought of as applied security architecture. Security architecture is the practice of building defense-in-depth based upon considering how attackers will try to use a system in order for the attacker(s) to achieve her/his/their goals.
5 Secure Software Imperatives We took the time to define the qualities that secure software exhibits. The following design/architecture imperatives describe the behaviors of “secure software”. We noted that only the first imperative directly deals with implementation errors (commonly called “vulnerabilities”). The other 4 imperatives will be fulfilled through secure design practices.  Be free from errors that can be maliciously manipulated, ergo, vulnerabilities  Have the security features that customers require for the intended use cases  Be self-protective; resist the types of attacks that will be promulgated against the software  In the event of a failure, software must “fail well”, that is fail in such a manner as to minimize consequences of successful attack  Install with sensible, “closed” defaults
6 A Process Knowledge Required Before the Threat Model The contributing knowledge domains are “The 3 S’s: Strategy, Structures, and Specifications.” “The 3 S’s” encompass: security strategy for the organization and this system, any infrastructure and security services (structures), and things like data classifications, runtime and execution environment, deployment methods, and the like (specifications):  Strategy o Threat landscape o The organization’s and system’s required risk posture  Structures o Existing and implementable security controls o Security infrastructure that does not exist (limitations)  Specification o Data sensitivities o The runtime and execution environment o How do code and systems get deployed? There is no book of “correct” answers. Each organization is different. Who Should Participate in The Threat Model? At the very least, all the domain experts and someone familiar with the threat landscape that is relevant to the system under analysis and the exploits commonly tried against such systems (“security expertise”). Even better, involve everyone who will help to build the software/system. Simply remind everyone who participates that threat models are very sensitive analyses. Identifying Important Requirements As was noted earlier, context matters. Without understanding organizational goals and the goals of attackers, all avenues of attack will appear to be equal. In a universe of limited resources, there will be a strong need to focus in on the attacks that pose the most danger to the organization. Importantly, what risks can be tolerated? Assessing Risk Set priorities with risk. How much risk is highly context dependent, and is often unique to an organization. Risk != vulnerability
7 Threat != vulnerability Threat != exploit Participants were introduced to Just Good Enough Risk Rating (JGERR) which is based on Factor Analysis of Information Risk (FAIR), an Open Group standard. JGERR breaks down an attack into 5 terms, 4 of which can be treated as essentially Boolean for the purposes of rating possible attacks when threat modeling. JGERR does not purport to calculate risk, but rather to quickly identify the important attack possibilities, as well as to deprioritize the less important attacks. "Credible Attack Vector" (CAV) was defined as one method for analyzing attack types. CAV == Threat & Exploit & Exposure & Vulnerability Interrupt any CAV term and you interrupt the kill chain, that is the entire CAV. Defenses should negate at least 1 term in the CAV. Sometimes a defense makes it more difficult to achieve one of the terms. We examined how authentication in some cases provides little prevention, and may be used solely to tie an action to a user’s ID. (break the kill chain; eliminate the CAV; lower risk exposure) *Given 0 < CAV < 1, then risk might be expressed as: *Risk Rating = CAV * Impact Still, there is no risk if there is no impact. Impact is used since some attacks are stepping stones towards the attacker’s goals. If an attack offers no additional attacker value to achieve ultimate goals, then the attack will not be used in the wild (though security researchers may be interested). This is a type of low impact situation. We examined the situation where a buffer overflow can only be achieved at very high privilege. In such a case, the exploitation does not provide additional attacker value because the attacker already has control of the operating system. It is important to think not only about harm to a system and organization, but also about whether exploitation provides attacker value.
8 ATASM I presented threat modeling as a linear progression. But the process is often fractal, as previously uninvestigated components open up further unknown areas where the investigation begins afresh. The analysis may have to recourse back to the start again, complete for that area, then return informed to the area that had been under analysis previously. Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations Each of these high level activities breaks into sub-steps. It doesn’t matter where the analysis starts: assets, use cases, structure, threat landscape, attack surfaces. Each area has to be analyzed for any given system. And each area will have dependencies on the others. How the analysis proceeds seem to be largely a matter of preference and thinking style. Begin where you are comfortable and proceed. The point is to arrive at a prioritized list of security requirements that will need to be built in order to bring the system to the desired defensive posture.
9 By Sung Lee; concept by David Wheeler; used with permission Structure and Flow There is no perfect architecture view. Component, functional, or logical1 architecture is often a good place to start. But views can range from the enterprise view (“Conceptual”) to detailed physical or technological views. Each view may add important knowledge as different aspects of a complex system are analyzed. Architecture is at least in part about abstraction to consider an aspect of complexity without getting bogged down in details that aren’t relevant for that consideration. Some parts of the structure are highlighted (abstracted from the whole) while details are obscured. Since security 1 Depending upon the architecture methodology, component, functional, and logical may be distinct views or may be different names for the same view. In some systems, these can also be combined. So I have listed them all in the hopes that one of these names will fit with your local architecture methodology.
10 operates at all levels and across most if not all domains, for a security analysis, many different views may have to be considered. A data flow diagram (DFD) can highlight inputs and outputs. Inputs are a great place to identify potential attack points (“attack surfaces”). Still, one must decide at what level of abstraction to draw the system. Generally, the architecture of the intra-process call tree will be too granular. Still, where untrusted operating system communications or where the operating system itself may be compromised, even intra-process calls may have to be considered. In any event, complex systems generally get considered at their coarsest grain structure, and then sub-views, breaking these large structures into component parts (“factoring” the architecture) may be needed in order to keep views understandable and uncluttered. Threat Agents We played with categorizing the goals and capabilities of varying threat agents (human actors who attack computer systems). Each work group created their own list from which to work.
11 A Threat Agent Matrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium Low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low None Occasional Insider Revenge Varies Very high None Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low Low low Security Researcher Career enhancement High None High medium
12 Example Analysis Mobile Security Application Simple ATASM Steps  Enumerate CAV  Define and score impacts  Enumerate existing mitigations  Develop requirements to bring system to desired posture  Prioritize  Share and review with entire team + product management
13 2 Analysis background and structural points  Must reside in OS application sandbox  Intercept in system to grab privileged events of interest for examination 2 Copyright Brook S.E. Schoenfield, 2015. Used with permission
14  Intercept at higher privilege  Intercept initialized early boot  Intercept proxies events to engine  Engine contains decision logic  UI starts engine & communicate  Files parsed/normalized by file opener  External communications proxied through communicate  Notifications from cloud through OS push notifications  All message exchanges are initiated from device  Response to notification  Device certificate/private key issued at enrollment  Messages/updates signed by cloud services Documenting the Model • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls Closing Thoughts Suggestions to Increase Skill  Find an experienced mentor and 2 peer reviewers  Having one reviewer who is Independent from the development team, the architecture the threat model helps to increase the power of the review  Just do it!  Threat models need to be revisited when architecture, threat landscape, and security features change  Experienced threat modelers, please make yourself available!  Start with your own projects  Gather the team and wrestle with the threat model  To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
15 Resources https://www.owasp.org/index.php/Application_Threat_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321 http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf https://www.facebook.com/securingsystems http://www.amazon.com/Securing-Systems-Applied-Security-Architecture/dp/1482233975 https://www.facebook.com/softwaresec www.amazon.com/Core-Software-Security-Source http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf brook.e.schoenfield@intel.com (before March 31, 2017) brook_schoenfield@mcafee.com (after March 31, 2017) http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield
SESSION ID:SESSION ID: #RSAC Brook Stephan Schoenfield Threat Modeling Demystified LAB3-W04 Product Architect Product Security Intel Security @BrkSchoenfield
#RSAC Brook S.E. Schoenfield, MBA Principal Engineer >1000 security reviews 16+ years security 30+ years software/hi-tech Real-time OS, TCP/IP stack down to hardware 5th virtual team lead, 9th technical leader role 4th software security lead @ 4th organization • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum
#RSAC • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum • >1000 security reviews • 16+ years security • 30+ years software/hi-tech • Real-time OS, TCP/IP stack down to hardware • 5th virtual team lead, 9th technical leader role • 4th software security lead @ 4th organization
#RSAC First Comments • ATASM1 is a pedagogy • ATASM is a mnemonic, a high level abstraction for a process that is often non-linear, and highly recursive • “Peel the onion” is close to reality, but harder to learn and to coach: a real threat model process is often quite fractal • You are encouraged to use ATASM; if useful, please teach 1. ATASM/risk material © Brook S.E. Schoenfield, 2010-2015, all rights reserved, CRC Press, 2015. Used with permission
#RSAC Possible Outcomes From This Session • Newbies: Introduction to threat modeling concepts • Learners: Dig deeper, gain consistency, increase comfort, practice • Practitioners: Conceptualization and explanation; a method that fosters inclusion • Experts: Articulate in order to present and to teach • Everyone: Hopefully, some new tricks of the trade?
#RSAC What Can Be Said About This “Architecture”?
#RSAC Is This Any Better?
#RSAC Break into work groups (4-6) to brainstorm examples of insecure design.
#RSAC Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 9 Design brainstorm report back from workgroups
#RSAC Consider Recent Design Misses That Jeep Wrangler Open WiFi Pacemaker The Target breach was a system design failure
#RSAC A start… Creative Commons Attribution-ShareAlike 3.0 license. http://cybersecurity.ieee.org/images/files/images/pdf/ CybersecurityInitiative-online.pdf
#RSAC Threat modeling is a technique to identify the attacks a system1 must resist and the defenses that will bring the system to a desired defensive state 1. “system” is defined inclusively
#RSAC 13 The Timing Component: Earlier is Better
#RSAC 14 Acknowledgement and Planning
#RSAC Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood Revisit the threat model when the architecture materially changes. Threat models are living documents. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately.
#RSAC Tool Belt Architecture is a tool for structuring complexity Architecture provides a playground for potential changes Architecture Risk Assessment (ARA) is a tool for applying a threat landscape to an architecture to uncover security needs Threat modeling is a tool for secure design. A threat model is not a “design” Threat model is dependent upon architectural understanding Threat models output security requirements
#RSAC Everything You Know About Security…
#RSAC “Secure” Software Must: • Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
#RSAC Design Secure Software • Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
#RSAC What Can We Infer? What More Do We Need And Why?
#RSAC Securing Systems, CRC Press, 2015 Prework: The 3 S’s
#RSAC Securing Systems, CRC Press, 2015 Background Information Is Critical
#RSAC A threat model is a crossroads of knowledge from architecture experts, domain experts, and security experts Absence of one or more stakeholders cripples the model and its usefulness
#RSAC Personal accelerometer • Measures movement of body • Worn on wrist • Extremely low power • Long battery life • Minimal operating system and CPU
#RSAC Low Power Bluetooth Specification • There is no protection of communications! • E.g., TLS not used over open air • Authentication by device ID only • Devices only exchange movement data
#RSAC Understanding system architecture is key Differing views and levels of detail each solve distinct problems There is no perfect view or level
#RSAC A Threat Model From This?
#RSAC Web-Sock-A-Rama: Any More Information?
#RSAC Web-Sock-A-Rama Web Business • Successful Online Sock store • All kinds of socks: men, women, children, specialty, sports, artistic, novelty • Takes no public political positions • Relatively risk averse • Customers are considered the business’ greatest resource • Customer security and privacy prime objectives • Assume that the support and administration of the infrastructure is run rigorously: • strong access controls and need-to-know (e.g., NIST-800-53): networks, hosts, execution environments • External network separated from internal • Administration is via highly controlled management network
#RSAC Start At High Level What is the organization’s purpose? What is this system’s purpose? How does this system contribute to the organization goals? To an enterprise architecture? What are the major functions? How do these interact? Why? Derive, if you can, the intended risk posture
#RSAC Web-Sock-A-Rama Find an attack vector
#RSAC Logical Or Component Level
#RSAC Useful View?
#RSAC Securing Systems, CRC Press, 2015 ATASM Threat Modeling = Applied security architecture
#RSAC "ISecG ESPT Security Test Plan Report”, April 14, 2014, by Eoin Carroll Substeps ISecG ESPT Security Test Plan Report [Product] Architecture/Design Review ATAM Securing Systems: Applied Security Architecture and Threat Models, Brook S.E Schoenfield [2015]
#RSAC Securing System, CRC Press, 2015 Fractal  Recursive
Threats Attack Surfaces Mitigations Revisit/revise Use Cases Architecture Assets Security Requirements Threat modeling is a technique to identify the attacks a system must resist and the defenses that will bring the system to a desired defensive state By Sung Lee; concept by David Wheeler; used with permission
Threats Attack Surfaces Mitigations Use Cases Architecture Assets Security Requirements Adapted from original by Sung Lee; concept by David Wheeler; used with permission
#RSAC The outcome, the ”point” is to discover the necessary security requirements “Security needs tend to get expressed as system constraints” – Erik Simmons
#RSAC Digging into threat agents and their methods Focus on human actors Adversaries are adaptable and creative
#RSAC Threat Attributes © Brook S.E. Schoenfield, Securing Systems, 2015, all rights reserved
#RSAC
#RSAC Threat Landscape
#RSAC • Divide paper into 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
#RSAC • Divide paper into 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
#RSAC Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 46 Put our matrices together
#RSAC Set priority with risk Risk != vulnerability Threat != vulnerability Threat != exploit
#RSAC Set Priority With Risk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss
#RSAC Set Priority With Risk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss We haven’t actuarial tables
#RSAC Successful attack requires an active threat agent who has the motivation to attack that particular system and who uses the threat agent's skills (exploit) via an exposed (attack surface) exploitable weakness (vulnerability) that can be manipulated by that attacker. Threat + exploit + exposure + vulnerability
#RSAC For Threat Models Only! "Credible Attack Vector" (CAV) CAV == Threat & Exploit & Exposure & Vulnerability (consider each term as essentially boolean for this narrow context) Interrupt any CAV term and you interrupt the kill chain E.g., Threat & Exploit & !Exposure & Vulnerability != CAV (break the kill chain; eliminate the CAV; lower risk exposure) Given 0 < CAV < 1, then risk might be expressed as: Risk Rating = CAV * Impact (essentially how JGERR rates risks)
#RSAC Yes, I switched the order for teaching purposes Now That You Know, Let’s Have Some Fun… Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations
#RSAC Threat modeling Examples Fictitious but based on real systems
#RSAC Logical Or Component Level
#RSAC Business Intelligence (Analytics) @Digital Diskus
#RSAC Analytics Data Harvesting
#RSAC Analytics Data Harvesting Attack Surface
#RSAC System Components
#RSAC Holistic Analysis Will Protect Data Sources
#RSAC System Components Attack Surfaces
#RSAC System Components Attacks At Assets
#RSAC User Roles & Flows
#RSAC User Roles & Flows Attack Surfaces
#RSAC Identity Services: Who’s In Danger?
#RSAC Mobile Security System • Must reside in OS application sandbox • Intercept in system to grab privileged events of interest for examination • Intercept at higher privilege • Intercept initialized early boot • Intercept proxies events to engine • Engine contains decision logic • UI starts engine & communicate • Files parsed/normalized by file opener • External communications proxied through communicate • Notifications from cloud through OS push notifications • All message exchanges are initiated from device • Response to notification • Device certificate/private key issued at enrollment • Messages/updates signed by cloud services
#RSAC Mobile Security App Break Into Teams To Analyze
#RSAC Consider Server-side Components
#RSAC After the threat model, then what? Prioritization is one of the hardest problems
#RSAC Simple Threat Model Steps (Won’t likely be linear) Enumerate CAV Define and score impacts Enumerate existing mitigations Develop requirements to bring system to desired posture Prioritize Share and review with entire team + product management
#RSAC How Do We Prioritize? o Risk rate each CAV+impact that is not sufficiently protected o Decide where the risk “line” is (low, medium, only high) o Engage stakeholders in constructive dialog o Write exceptions for items that should get implemented but must wait
#RSAC Getting requirements implemented is an entirely different story… (feel free to ask)
#RSAC Getting requirements implemented is an entirely different story… (feel free to ask) Composing requirements that can and will be built is a distinct discipline Effective Requirements
#RSAC Hints For Clearer Requirements • Separate the functional need from any solution • Tell designers what function is required, not how to build that function • Give implementers room for creativity and innovation • Don’t lock in obsolescence • The amount of detail required is inverse to the amount of skill and knowledge of the implementers • Skilled teams need only understand what functionality is required • Unskilled implementers will need lots of detail
#RSAC Closing thoughts
#RSAC What kind of docs must you have? • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls
#RSAC Next Steps Find an experienced mentor and 2 peer reviewers Independence helps Just do it! Threat models need to be revisited when architecture, threat landscape, and security features change Experienced threat modelers, please make yourself available! Start with your own projects Gather the team and wrestle with the threat model To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
#RSAC Shameless Self-promotion https://www.facebook.com/securingsystems
#RSAC A Threat Modeling Library https://www.facebook.com/securingsystems
#RSAC Some Resources https://www.owasp.org/index.php/Application_Threat_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321 http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment .pdf https://www.facebook.com/securingsystems http://www.amazon.com/Securing-Systems-Applied-Security- Architecture/dp/1482233975 https://www.facebook.com/softwaresec www.amazon.com/Core-Software-Security-Source
#RSAC Where To Find Me Brook.e.schoenfield@intel.com http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
#RSAC Brook’s Social Networking https://www.linkedin.com/in/brookschoenfield 1 http://www.amazon.com/Brook-S.-E.-Schoenfield/e/B00XQFZLSW 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
#RSAC www.brookschoenfield.com
A Threat Agent Matrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low none Occasional Insider Revenge Varies Very high none Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low low low Security Researcher Career enhancement High None high medium

Recommended

How to write a movie review
How to write a movie reviewHow to write a movie review
How to write a movie reviewMyAssignmenthelp.com
 
Les activités économiques de l'europe
Les activités économiques de l'europeLes activités économiques de l'europe
Les activités économiques de l'europejlealleon
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Atlantic Security Conference
 
SECURITY BRIEFING companion to HPSR Security Briefing 13
SECURITY BRIEFING companion to HPSR Security Briefing 13SECURITY BRIEFING companion to HPSR Security Briefing 13
SECURITY BRIEFING companion to HPSR Security Briefing 13Angela Gunn
 

Recommended

How to write a movie review
How to write a movie reviewHow to write a movie review
How to write a movie reviewMyAssignmenthelp.com
 
Les activités économiques de l'europe
Les activités économiques de l'europeLes activités économiques de l'europe
Les activités économiques de l'europejlealleon
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Atlantic Security Conference
 
SECURITY BRIEFING companion to HPSR Security Briefing 13
SECURITY BRIEFING companion to HPSR Security Briefing 13SECURITY BRIEFING companion to HPSR Security Briefing 13
SECURITY BRIEFING companion to HPSR Security Briefing 13Angela Gunn
 
Software risk management
Software risk managementSoftware risk management
Software risk managementJose Javier M
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Threat modelling
Threat modellingThreat modelling
Threat modellingRajeev Venkata
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...franco_bb
 
Se project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSe project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxjolleybendicty
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingankitmehta21
 
Conducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignConducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignIJCSIS Research Publications
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real WorldMark Curphey
 
smpef
smpefsmpef
smpefrsharmam
 
Testing software security
Testing software securityTesting software security
Testing software securityAbdul Basit
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?John Gardner, CMC
 
Developing secure software using Aspect oriented programming
Developing secure software using Aspect oriented programmingDeveloping secure software using Aspect oriented programming
Developing secure software using Aspect oriented programmingIOSR Journals
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to Threat modeling demystified

Software risk management
Software risk managementSoftware risk management
Software risk managementJose Javier M
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...franco_bb
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxjolleybendicty
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingankitmehta21
 
Conducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignConducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignIJCSIS Research Publications
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real WorldMark Curphey
 
Testing software security
Testing software securityTesting software security
Testing software securityAbdul Basit
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?John Gardner, CMC
 
Developing secure software using Aspect oriented programming
Developing secure software using Aspect oriented programmingDeveloping secure software using Aspect oriented programming
Developing secure software using Aspect oriented programmingIOSR Journals
 

Similar to Threat modeling demystified (20)

Software risk management
Software risk managementSoftware risk management
Software risk management
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docx
 
Threat modelling
Threat modellingThreat modelling
Threat modelling
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...
 
Se project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSe project-methodology-for-security-project-web
Se project-methodology-for-security-project-web
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docx
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Conducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignConducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class Design
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
smpef
smpefsmpef
smpef
 
Testing software security
Testing software securityTesting software security
Testing software security
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
 
Developing secure software using Aspect oriented programming
Developing secure software using Aspect oriented programmingDeveloping secure software using Aspect oriented programming
Developing secure software using Aspect oriented programming
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Threat modeling demystified

  • 1. Threat Modeling Demystified Brook S.E. Schoenfield Author, Principal Engineer, Lead Product Security Architect, Intel Security Curious questioner
  • 2. 2 Table of Contents INTRODUCTION..................................................................................................................... 3 THREAT MODELING IS DESIGN-TIME ANALYSIS .......................................................................... 4 We have a Secure Design Problem..............................................................................................4 Threat Modeling Is Applied to an Architecture ...........................................................................4 Secure Software Imperatives.......................................................................................................5 A PROCESS ............................................................................................................................ 6 Knowledge Required Before the Threat Model...........................................................................6 There is no book of “correct” answers. Each organization is different..................................................6 Who Should Participate in The Threat Model? ...........................................................................6 Identifying Important Requirements...........................................................................................6 Assessing Risk ........................................................................................................................................6 ATASM..........................................................................................................................................8 Structure and Flow.......................................................................................................................9 Threat Agents.............................................................................................................................10 A Threat Agent Matrix .........................................................................................................................11 EXAMPLE ANALYSIS..............................................................................................................12 Mobile Security Application.......................................................................................................12 Simple ATASM Steps............................................................................................................................12 Analysis background and structural points..........................................................................................13 Documenting the Model......................................................................................................................14 CLOSING THOUGHTS ............................................................................................................14 Suggestions To Increase Skill .....................................................................................................14 RESOURCES..........................................................................................................................15
  • 3. 3 Introduction Many thanks to the people who spent 2 hours with me, Wednesday morning at RSAC 2017, San Francisco. Without your active participation, learning to threat model is a great deal harder. It turns out, after years of trying to help others climb into the art of seeing systems through the eyes of attackers that groups are one of the best ways to learn. Indeed, threat modeling is best done by the entire development team, anyway. So, by learning in groups, we model the way we are likely to get our best results when analyzing our own systems. Spending a few hours with people in this activity, or even an entire day, is one of the most rewarding activities that I am privileged to do. Thank you for taking the journey with me. In this document, I hope to summarize the main points we covered, as well as top provide just a little bit more than the slides for the Lab. I did fill in the notes for most of my slides as well, so they should be a useful reference, too.
  • 4. 4 Threat Modeling Is Design-Time Analysis We have a Secure Design Problem While some security issues (vulnerabilities) are implementation errors, a fair number of security issues are the result of a lack of security thinking while creating the structure of software (architecture) and then expressing the structure and the requirements in a codable/implementable design. Several obvious design issues were presented, most notably:  The hacked Jeep Wrangler (failed low level access control)  A pacemaker that joins open WiFi (open communications that assume all communications are benevolent)  The Target stores payment terminal hack (failure to isolate sensitive assets and to grant only required access) Threat Modeling Is Applied to an Architecture Architecture is the process of ordering the structure of things (e.g., buildings, cities, software systems, an enterprise, software, anything that is sufficiently complex such that the builders wish to structure it). Architecture uses abstraction in order to understand the system and in order to play with particular aspects of it. Threat modeling is an analysis technique to foster secure design. A threat model is not a “design”. Threat models output security requirements which then must be expressed in the design and then implemented and validated. Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood. Revisit the threat model when the architecture materially changes. That is, revisit when components are added or removed, or lines/forms of communication are added or changed. Threat models are living documents. That is, the analysis may be done as a point in time, but material changes must be reflected in the threat model. This is particularly important for iterative forms of development. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately (whenever there are structural changes). Threat modeling may be thought of as applied security architecture. Security architecture is the practice of building defense-in-depth based upon considering how attackers will try to use a system in order for the attacker(s) to achieve her/his/their goals.
  • 5. 5 Secure Software Imperatives We took the time to define the qualities that secure software exhibits. The following design/architecture imperatives describe the behaviors of “secure software”. We noted that only the first imperative directly deals with implementation errors (commonly called “vulnerabilities”). The other 4 imperatives will be fulfilled through secure design practices.  Be free from errors that can be maliciously manipulated, ergo, vulnerabilities  Have the security features that customers require for the intended use cases  Be self-protective; resist the types of attacks that will be promulgated against the software  In the event of a failure, software must “fail well”, that is fail in such a manner as to minimize consequences of successful attack  Install with sensible, “closed” defaults
  • 6. 6 A Process Knowledge Required Before the Threat Model The contributing knowledge domains are “The 3 S’s: Strategy, Structures, and Specifications.” “The 3 S’s” encompass: security strategy for the organization and this system, any infrastructure and security services (structures), and things like data classifications, runtime and execution environment, deployment methods, and the like (specifications):  Strategy o Threat landscape o The organization’s and system’s required risk posture  Structures o Existing and implementable security controls o Security infrastructure that does not exist (limitations)  Specification o Data sensitivities o The runtime and execution environment o How do code and systems get deployed? There is no book of “correct” answers. Each organization is different. Who Should Participate in The Threat Model? At the very least, all the domain experts and someone familiar with the threat landscape that is relevant to the system under analysis and the exploits commonly tried against such systems (“security expertise”). Even better, involve everyone who will help to build the software/system. Simply remind everyone who participates that threat models are very sensitive analyses. Identifying Important Requirements As was noted earlier, context matters. Without understanding organizational goals and the goals of attackers, all avenues of attack will appear to be equal. In a universe of limited resources, there will be a strong need to focus in on the attacks that pose the most danger to the organization. Importantly, what risks can be tolerated? Assessing Risk Set priorities with risk. How much risk is highly context dependent, and is often unique to an organization. Risk != vulnerability
  • 7. 7 Threat != vulnerability Threat != exploit Participants were introduced to Just Good Enough Risk Rating (JGERR) which is based on Factor Analysis of Information Risk (FAIR), an Open Group standard. JGERR breaks down an attack into 5 terms, 4 of which can be treated as essentially Boolean for the purposes of rating possible attacks when threat modeling. JGERR does not purport to calculate risk, but rather to quickly identify the important attack possibilities, as well as to deprioritize the less important attacks. "Credible Attack Vector" (CAV) was defined as one method for analyzing attack types. CAV == Threat & Exploit & Exposure & Vulnerability Interrupt any CAV term and you interrupt the kill chain, that is the entire CAV. Defenses should negate at least 1 term in the CAV. Sometimes a defense makes it more difficult to achieve one of the terms. We examined how authentication in some cases provides little prevention, and may be used solely to tie an action to a user’s ID. (break the kill chain; eliminate the CAV; lower risk exposure) *Given 0 < CAV < 1, then risk might be expressed as: *Risk Rating = CAV * Impact Still, there is no risk if there is no impact. Impact is used since some attacks are stepping stones towards the attacker’s goals. If an attack offers no additional attacker value to achieve ultimate goals, then the attack will not be used in the wild (though security researchers may be interested). This is a type of low impact situation. We examined the situation where a buffer overflow can only be achieved at very high privilege. In such a case, the exploitation does not provide additional attacker value because the attacker already has control of the operating system. It is important to think not only about harm to a system and organization, but also about whether exploitation provides attacker value.
  • 8. 8 ATASM I presented threat modeling as a linear progression. But the process is often fractal, as previously uninvestigated components open up further unknown areas where the investigation begins afresh. The analysis may have to recourse back to the start again, complete for that area, then return informed to the area that had been under analysis previously. Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations Each of these high level activities breaks into sub-steps. It doesn’t matter where the analysis starts: assets, use cases, structure, threat landscape, attack surfaces. Each area has to be analyzed for any given system. And each area will have dependencies on the others. How the analysis proceeds seem to be largely a matter of preference and thinking style. Begin where you are comfortable and proceed. The point is to arrive at a prioritized list of security requirements that will need to be built in order to bring the system to the desired defensive posture.
  • 9. 9 By Sung Lee; concept by David Wheeler; used with permission Structure and Flow There is no perfect architecture view. Component, functional, or logical1 architecture is often a good place to start. But views can range from the enterprise view (“Conceptual”) to detailed physical or technological views. Each view may add important knowledge as different aspects of a complex system are analyzed. Architecture is at least in part about abstraction to consider an aspect of complexity without getting bogged down in details that aren’t relevant for that consideration. Some parts of the structure are highlighted (abstracted from the whole) while details are obscured. Since security 1 Depending upon the architecture methodology, component, functional, and logical may be distinct views or may be different names for the same view. In some systems, these can also be combined. So I have listed them all in the hopes that one of these names will fit with your local architecture methodology.
  • 10. 10 operates at all levels and across most if not all domains, for a security analysis, many different views may have to be considered. A data flow diagram (DFD) can highlight inputs and outputs. Inputs are a great place to identify potential attack points (“attack surfaces”). Still, one must decide at what level of abstraction to draw the system. Generally, the architecture of the intra-process call tree will be too granular. Still, where untrusted operating system communications or where the operating system itself may be compromised, even intra-process calls may have to be considered. In any event, complex systems generally get considered at their coarsest grain structure, and then sub-views, breaking these large structures into component parts (“factoring” the architecture) may be needed in order to keep views understandable and uncluttered. Threat Agents We played with categorizing the goals and capabilities of varying threat agents (human actors who attack computer systems). Each work group created their own list from which to work.
  • 11. 11 A Threat Agent Matrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium Low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low None Occasional Insider Revenge Varies Very high None Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low Low low Security Researcher Career enhancement High None High medium
  • 12. 12 Example Analysis Mobile Security Application Simple ATASM Steps  Enumerate CAV  Define and score impacts  Enumerate existing mitigations  Develop requirements to bring system to desired posture  Prioritize  Share and review with entire team + product management
  • 13. 13 2 Analysis background and structural points  Must reside in OS application sandbox  Intercept in system to grab privileged events of interest for examination 2 Copyright Brook S.E. Schoenfield, 2015. Used with permission
  • 14. 14  Intercept at higher privilege  Intercept initialized early boot  Intercept proxies events to engine  Engine contains decision logic  UI starts engine & communicate  Files parsed/normalized by file opener  External communications proxied through communicate  Notifications from cloud through OS push notifications  All message exchanges are initiated from device  Response to notification  Device certificate/private key issued at enrollment  Messages/updates signed by cloud services Documenting the Model • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls Closing Thoughts Suggestions to Increase Skill  Find an experienced mentor and 2 peer reviewers  Having one reviewer who is Independent from the development team, the architecture the threat model helps to increase the power of the review  Just do it!  Threat models need to be revisited when architecture, threat landscape, and security features change  Experienced threat modelers, please make yourself available!  Start with your own projects  Gather the team and wrestle with the threat model  To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
  • 15. 15 Resources https://www.owasp.org/index.php/Application_Threat_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321 http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf https://www.facebook.com/securingsystems http://www.amazon.com/Securing-Systems-Applied-Security-Architecture/dp/1482233975 https://www.facebook.com/softwaresec www.amazon.com/Core-Software-Security-Source http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf brook.e.schoenfield@intel.com (before March 31, 2017) brook_schoenfield@mcafee.com (after March 31, 2017) http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield
  • 16. SESSION ID:SESSION ID: #RSAC Brook Stephan Schoenfield Threat Modeling Demystified LAB3-W04 Product Architect Product Security Intel Security @BrkSchoenfield
  • 17. #RSAC Brook S.E. Schoenfield, MBA Principal Engineer >1000 security reviews 16+ years security 30+ years software/hi-tech Real-time OS, TCP/IP stack down to hardware 5th virtual team lead, 9th technical leader role 4th software security lead @ 4th organization • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum
  • 18. #RSAC • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum • >1000 security reviews • 16+ years security • 30+ years software/hi-tech • Real-time OS, TCP/IP stack down to hardware • 5th virtual team lead, 9th technical leader role • 4th software security lead @ 4th organization
  • 19. #RSAC First Comments • ATASM1 is a pedagogy • ATASM is a mnemonic, a high level abstraction for a process that is often non-linear, and highly recursive • “Peel the onion” is close to reality, but harder to learn and to coach: a real threat model process is often quite fractal • You are encouraged to use ATASM; if useful, please teach 1. ATASM/risk material © Brook S.E. Schoenfield, 2010-2015, all rights reserved, CRC Press, 2015. Used with permission
  • 20. #RSAC Possible Outcomes From This Session • Newbies: Introduction to threat modeling concepts • Learners: Dig deeper, gain consistency, increase comfort, practice • Practitioners: Conceptualization and explanation; a method that fosters inclusion • Experts: Articulate in order to present and to teach • Everyone: Hopefully, some new tricks of the trade?
  • 21. #RSAC What Can Be Said About This “Architecture”?
  • 22. #RSAC Is This Any Better?
  • 23. #RSAC Break into work groups (4-6) to brainstorm examples of insecure design.
  • 24. #RSAC Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 9 Design brainstorm report back from workgroups
  • 25. #RSAC Consider Recent Design Misses That Jeep Wrangler Open WiFi Pacemaker The Target breach was a system design failure
  • 26. #RSAC A start… Creative Commons Attribution-ShareAlike 3.0 license. http://cybersecurity.ieee.org/images/files/images/pdf/ CybersecurityInitiative-online.pdf
  • 27. #RSAC Threat modeling is a technique to identify the attacks a system1 must resist and the defenses that will bring the system to a desired defensive state 1. “system” is defined inclusively
  • 28. #RSAC 13 The Timing Component: Earlier is Better
  • 30. #RSAC Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood Revisit the threat model when the architecture materially changes. Threat models are living documents. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately.
  • 31. #RSAC Tool Belt Architecture is a tool for structuring complexity Architecture provides a playground for potential changes Architecture Risk Assessment (ARA) is a tool for applying a threat landscape to an architecture to uncover security needs Threat modeling is a tool for secure design. A threat model is not a “design” Threat model is dependent upon architectural understanding Threat models output security requirements
  • 32. #RSAC Everything You Know About Security…
  • 33. #RSAC “Secure” Software Must: • Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
  • 34. #RSAC Design Secure Software • Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
  • 35. #RSAC What Can We Infer? What More Do We Need And Why?
  • 36. #RSAC Securing Systems, CRC Press, 2015 Prework: The 3 S’s
  • 37. #RSAC Securing Systems, CRC Press, 2015 Background Information Is Critical
  • 38. #RSAC A threat model is a crossroads of knowledge from architecture experts, domain experts, and security experts Absence of one or more stakeholders cripples the model and its usefulness
  • 39. #RSAC Personal accelerometer • Measures movement of body • Worn on wrist • Extremely low power • Long battery life • Minimal operating system and CPU
  • 40. #RSAC Low Power Bluetooth Specification • There is no protection of communications! • E.g., TLS not used over open air • Authentication by device ID only • Devices only exchange movement data
  • 41. #RSAC Understanding system architecture is key Differing views and levels of detail each solve distinct problems There is no perfect view or level
  • 42. #RSAC A Threat Model From This?
  • 44. #RSAC Web-Sock-A-Rama Web Business • Successful Online Sock store • All kinds of socks: men, women, children, specialty, sports, artistic, novelty • Takes no public political positions • Relatively risk averse • Customers are considered the business’ greatest resource • Customer security and privacy prime objectives • Assume that the support and administration of the infrastructure is run rigorously: • strong access controls and need-to-know (e.g., NIST-800-53): networks, hosts, execution environments • External network separated from internal • Administration is via highly controlled management network
  • 45. #RSAC Start At High Level What is the organization’s purpose? What is this system’s purpose? How does this system contribute to the organization goals? To an enterprise architecture? What are the major functions? How do these interact? Why? Derive, if you can, the intended risk posture
  • 49. #RSAC Securing Systems, CRC Press, 2015 ATASM Threat Modeling = Applied security architecture
  • 50. #RSAC "ISecG ESPT Security Test Plan Report”, April 14, 2014, by Eoin Carroll Substeps ISecG ESPT Security Test Plan Report [Product] Architecture/Design Review ATAM Securing Systems: Applied Security Architecture and Threat Models, Brook S.E Schoenfield [2015]
  • 51. #RSAC Securing System, CRC Press, 2015 Fractal  Recursive
  • 52. Threats Attack Surfaces Mitigations Revisit/revise Use Cases Architecture Assets Security Requirements Threat modeling is a technique to identify the attacks a system must resist and the defenses that will bring the system to a desired defensive state By Sung Lee; concept by David Wheeler; used with permission
  • 53. Threats Attack Surfaces Mitigations Use Cases Architecture Assets Security Requirements Adapted from original by Sung Lee; concept by David Wheeler; used with permission
  • 54. #RSAC The outcome, the ”point” is to discover the necessary security requirements “Security needs tend to get expressed as system constraints” – Erik Simmons
  • 55. #RSAC Digging into threat agents and their methods Focus on human actors Adversaries are adaptable and creative
  • 56. #RSAC Threat Attributes © Brook S.E. Schoenfield, Securing Systems, 2015, all rights reserved
  • 57. #RSAC
  • 59. #RSAC • Divide paper into 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
  • 60. #RSAC • Divide paper into 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
  • 61. #RSAC Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 46 Put our matrices together
  • 62. #RSAC Set priority with risk Risk != vulnerability Threat != vulnerability Threat != exploit
  • 63. #RSAC Set Priority With Risk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss
  • 64. #RSAC Set Priority With Risk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss We haven’t actuarial tables
  • 65. #RSAC Successful attack requires an active threat agent who has the motivation to attack that particular system and who uses the threat agent's skills (exploit) via an exposed (attack surface) exploitable weakness (vulnerability) that can be manipulated by that attacker. Threat + exploit + exposure + vulnerability
  • 66. #RSAC For Threat Models Only! "Credible Attack Vector" (CAV) CAV == Threat & Exploit & Exposure & Vulnerability (consider each term as essentially boolean for this narrow context) Interrupt any CAV term and you interrupt the kill chain E.g., Threat & Exploit & !Exposure & Vulnerability != CAV (break the kill chain; eliminate the CAV; lower risk exposure) Given 0 < CAV < 1, then risk might be expressed as: Risk Rating = CAV * Impact (essentially how JGERR rates risks)
  • 67. #RSAC Yes, I switched the order for teaching purposes Now That You Know, Let’s Have Some Fun… Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations
  • 68. #RSAC Threat modeling Examples Fictitious but based on real systems
  • 74. #RSAC Holistic Analysis Will Protect Data Sources
  • 78. #RSAC User Roles & Flows Attack Surfaces
  • 80. #RSAC Mobile Security System • Must reside in OS application sandbox • Intercept in system to grab privileged events of interest for examination • Intercept at higher privilege • Intercept initialized early boot • Intercept proxies events to engine • Engine contains decision logic • UI starts engine & communicate • Files parsed/normalized by file opener • External communications proxied through communicate • Notifications from cloud through OS push notifications • All message exchanges are initiated from device • Response to notification • Device certificate/private key issued at enrollment • Messages/updates signed by cloud services
  • 81. #RSAC Mobile Security App Break Into Teams To Analyze
  • 83. #RSAC After the threat model, then what? Prioritization is one of the hardest problems
  • 84. #RSAC Simple Threat Model Steps (Won’t likely be linear) Enumerate CAV Define and score impacts Enumerate existing mitigations Develop requirements to bring system to desired posture Prioritize Share and review with entire team + product management
  • 85. #RSAC How Do We Prioritize? o Risk rate each CAV+impact that is not sufficiently protected o Decide where the risk “line” is (low, medium, only high) o Engage stakeholders in constructive dialog o Write exceptions for items that should get implemented but must wait
  • 86. #RSAC Getting requirements implemented is an entirely different story… (feel free to ask)
  • 87. #RSAC Getting requirements implemented is an entirely different story… (feel free to ask) Composing requirements that can and will be built is a distinct discipline Effective Requirements
  • 88. #RSAC Hints For Clearer Requirements • Separate the functional need from any solution • Tell designers what function is required, not how to build that function • Give implementers room for creativity and innovation • Don’t lock in obsolescence • The amount of detail required is inverse to the amount of skill and knowledge of the implementers • Skilled teams need only understand what functionality is required • Unskilled implementers will need lots of detail
  • 90. #RSAC What kind of docs must you have? • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls
  • 91. #RSAC Next Steps Find an experienced mentor and 2 peer reviewers Independence helps Just do it! Threat models need to be revisited when architecture, threat landscape, and security features change Experienced threat modelers, please make yourself available! Start with your own projects Gather the team and wrestle with the threat model To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
  • 93. #RSAC A Threat Modeling Library https://www.facebook.com/securingsystems
  • 95. #RSAC Where To Find Me Brook.e.schoenfield@intel.com http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
  • 96. #RSAC Brook’s Social Networking https://www.linkedin.com/in/brookschoenfield 1 http://www.amazon.com/Brook-S.-E.-Schoenfield/e/B00XQFZLSW 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
  • 98. A Threat Agent Matrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low none Occasional Insider Revenge Varies Very high none Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low low low Security Researcher Career enhancement High None high medium