Threats, Threat Modeling and Analysis

I'm Ian. I do that geek thing.

This is an introductory deck on why an SDL or quality/secure software program is a good idea.

I can be found here:
http://gorrie.org
@gorrie

Published in: Technology
Threats, Threat Modeling and Analysis

  1. Threats, Threat Modeling and Analysis
     Notes: Super high level presentation of stuff everyone should already know who is developing applications, infrastructure, and operations! :D
  2. Today’s Current Threats
     Notes: Some mention of current threatspace and how to formulate a defense for your code and/or service.
  3. The Hard Truth
     - 2008: 285+ million records compromised
     Sources:
     http://www.verizonbusiness.com/us/products/security/risk/databreach/
     http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
     http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf
  4. The Hard Truth
     - 91% of all compromised records were attributed to organized criminal groups
     - 99.6% of records were compromised from servers and applications
     - 74% resulted from external sources
     Sources: the Verizon reports cited on slide 3.
  5. The Hard Truth
     - 69% were discovered by a 3rd party
     - 67% were aided by significant errors
     - 32% implicated business partners
     Sources: the Verizon reports cited on slide 3.
  6. The Hard Truth
     - an average of $202 per compromised record
     Source: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
  7. Common Threats
     - SANS Top Risks
     - OWASP Top 10 for 2010
     - The OWASP Code Review Top 9
     Sources:
     http://www.sans.org/top-cyber-security-risks/
     http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
     http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
  8. SANS
     - Application vulnerabilities
     - Webapp attacks
     - Slow patching
     - 0days
     - Not having good configs
     Notes: http://www.sans.org/top-cyber-security-risks
     Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial
     Step 0: Attacker places content on trusted site
     Step 1: Client-side exploitation
     Step 2: Establish reverse shell backdoor using HTTPS
     Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot
     Step 5: Pass the hash to compromise domain controller
     Steps 6 and 7: Exfiltration
     Tools make this nearly point and click easy now thanks to tools such as Metasploit and its add-on modules (www.metasploit.com).
  9. SANS
     - Mostly stuff everyone here has heard about
     Notes: as on slide 8.
  10. Typical Targeted Attack
     - Malware placed somewhere
     Notes: as on slide 8.
  11. Typical Targeted Attack
     - Executed
     Notes: as on slide 8.
  12. Typical Targeted Attack
     - HTTPS or some other common tunnel back to control console
     Notes: as on slide 8.
  13. Typical Targeted Attack
     - Credential dump, keylogger, or sniffing for example
     Notes: as on slide 8.
  14. Typical Targeted Attack
     - Escalation and looting
     Notes: as on slide 8.
  15. OWASP Top 10
     - Stands for Open Web Security Project
     - Focused on Webapps
     Notes: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  16. OWASP Top 10
     - A1: Injection
     - A2: Cross-Site Scripting (XSS)
     - A3: Broken Authentication and Session Management
     - A4: Insecure Direct Object References
     - A5: Cross-Site Request Forgery (CSRF)
     - A6: Security Misconfiguration
     - A7: Insecure Cryptographic Storage
     - A8: Failure to Restrict URL Access
     - A9: Insufficient Transport Layer Protection
     - A10: Unvalidated Redirects and Forwards
     Notes: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  17. The Owasp Code Review Top 9
     The Nine Source Code Flaw Categories:
     - Input validation
     - Source code design
     - Information leakage and improper error handling
     - Direct object reference
     - Resource usage
     - API usage
     - Best practices violation
     - Weak Session Management
     - Using HTTP GET query strings
     Notes: http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
  18. Defending from Attackers
     - Simple Threat Modeling
     - Reactive Defense
     - Proactive Defense
     - Defense in Depth
  19. Simple Threat Modeling
     - It’s simplified
     - Glorified brainstorming
     - Better than nothing
     - A worthwhile exercise
     Notes: Really a simplified brainstorming activity.
  20. Reactive Modeling
     Driven by:
     - Blackbox testing
     - Grey/Whitebox testing
     - Code audit
     - Operational/performance bugs
     - Assessment and mitigation/patch/fix
     Notes: Really a less simplified brainstorming activity. Performed at the end of development or post-deployment when code is finished. Hamster wheel of pain. Expensive in time and resources. Difficult. Never ending.
  21. Reactive Modeling
     Same content as slide 20.
  22. Proactive Modeling
     Driven by:
     - Data Flow Diagrams [DFD]
     - Data classification
     - Secure coding practices
     - Continuous testing/improvement
     - Rugged software design
     Notes: Cheeseball but appropriate Sun Tzu quotation: "So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself."
     Fixing problems before they are created is an enormous cost and time savings. This method prevents bugs from happening instead of remediating them after the fact.
     http://en.wikipedia.org/wiki/Proactive_Cyber_Defence
     http://en.wikipedia.org/wiki/Operational_risk#Methods_of_operational_risk_management
     http://en.wikipedia.org/wiki/Risk_modeling (beware use of financial risk management in complex systems)
     Rugged Software Manifesto: http://ruggedsoftware.org/
     http://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1
  23. to 26. Data Flow Diagram [DFD]
     Four diagram slides; the images are not in the transcript.
     http://en.wikipedia.org/wiki/Data_flow_diagram
  27. Threat Model
     - Defining a set of attacks to consider
     - What can you trust?
     - What can you not mitigate in the code or environment?
     - Think defense in depth here
     Notes: http://en.wikipedia.org/wiki/Threat_modeling
     http://www.owasp.org/index.php/Threat_Risk_Modeling
  28. Threat Model
     Three types:
     - Attacker centric
     - Software centric
     - Asset centric
     Notes: http://en.wikipedia.org/wiki/Threat_modeling
  29. Attacker
     - What do they want?
     - What resources do they have to get it?
     Notes: This is likely of little interest to us in this context. http://www.egadss.org/security.html
  30. Software
     - Anticipate possible attacks
     - Can do beyond secure code:
       - Validating inputs
       - Least privilege
       - Fail closed
     Notes: http://www.owasp.org/index.php/Threat_Risk_Modeling
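The three "beyond secure code" items on slide 30 (validating inputs, least privilege, fail closed) as one authorization check. This is an added example, not code from the deck or its author; the policy table, the principals, the action allowlist and the flaky policy store are all constructed for illustration. The fail-open variant is shown only to make the failure mode visible next to the corrected form.

```python
"""Added example (not from the deck): input validation, least privilege and
fail-closed behaviour in a small authorization check. POLICY, ACTIONS and the
policy loaders are constructed for this illustration."""
import re
from typing import Callable, Mapping, Set

# Validating inputs: only known actions and well-formed resource names get through.
ACTIONS: Set[str] = {"read", "write", "delete"}
RESOURCE_RE = re.compile(r"^[a-z0-9_/-]{1,64}$")

# Least privilege: each principal is granted only the actions it needs.
POLICY: Mapping[str, Mapping[str, Set[str]]] = {
    "reporting-svc": {"reports/*": {"read"}},
    "editor": {"reports/*": {"read", "write"}},
}


def validate(action: str, resource: str) -> None:
    """Reject anything outside the allowlists before it reaches policy logic."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not RESOURCE_RE.match(resource):
        raise ValueError(f"bad resource name {resource!r}")


def matches(pattern: str, resource: str) -> bool:
    """Exact match, or a trailing '/*' that matches everything under a prefix."""
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def is_allowed(policy, principal: str, action: str, resource: str) -> bool:
    """Default deny: an unknown principal has an empty grant set."""
    grants = policy.get(principal, {})
    return any(action in acts and matches(pat, resource) for pat, acts in grants.items())


def fail_open_check(load_policy: Callable, principal, action, resource) -> bool:
    # Anti-pattern: a failure anywhere in the check is treated as "no objection".
    try:
        validate(action, resource)
        policy = load_policy()
    except Exception:
        return True
    return is_allowed(policy, principal, action, resource)


def fail_closed_check(load_policy: Callable, principal, action, resource) -> bool:
    # Fail closed: bad input, a missing grant, or a failing policy store all deny.
    try:
        validate(action, resource)
        policy = load_policy()
    except Exception:
        return False
    return is_allowed(policy, principal, action, resource)


def healthy_store():
    return POLICY


def broken_store():
    # Constructed outage of the policy backend.
    raise RuntimeError("policy store unavailable")


if __name__ == "__main__":
    for check in (fail_open_check, fail_closed_check):
        print(check.__name__, "during outage:",
              check(broken_store, "nobody", "delete", "reports/q1"))
```

The only difference between the two checks is the `except` branch; everything before it is shared, which is the point: the same validation and policy code can still grant everything if the error path defaults the wrong way.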
  31. Software
     - Attacks and code countermeasures
     - Methodologies:
       - STRIDE / DREAD
       - CVSS
       - OCTAVE
     Notes: http://www.owasp.org/index.php/Threat_Risk_Modeling
     STRIDE: http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
     CVSS: http://www.first.org/cvss/
     OCTAVE: http://www.cert.org/octave/
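A worked version of the software-centric approach from slides 22 to 31: a tiny data flow diagram, STRIDE applied per element, and DREAD used to rank the resulting threats. This is an added example, not from the deck or its author. The DFD (a browser, a web app, a customer database and two flows), the decision to enumerate flow threats only where the flow crosses a trust boundary, and the DREAD ratings are all constructed assumptions; the STRIDE-per-element mapping follows the commonly published Microsoft chart (external entities S and R, processes all six, data stores T R I D, data flows T I D).

```python
"""Added example (not from the deck): STRIDE-per-element over a constructed
DFD, ranked with DREAD. Element names, the trust-boundary rule and the DREAD
ratings are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each DFD element kind (STRIDE-per-element chart).
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# DREAD factors, each rated 1-10; the threat score is their average.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Element:
    name: str
    kind: str                       # external | process | store | flow
    crosses_boundary: bool = False  # only meaningful for flows


@dataclass
class Threat:
    element: str
    category: str
    dread: Dict[str, int] = field(default_factory=dict)

    def score(self) -> float:
        return sum(self.dread.values()) / len(DREAD_FACTORS) if self.dread else 0.0


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element; flows inside one trust zone are skipped (assumption)."""
    threats = []
    for e in elements:
        if e.kind == "flow" and not e.crosses_boundary:
            continue
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter]))
    return threats


def rate(threats: List[Threat], element: str, category: str, **dread: int) -> Threat:
    """Attach a full set of DREAD ratings to one enumerated threat."""
    if set(dread) != set(DREAD_FACTORS):
        raise ValueError(f"DREAD needs exactly {DREAD_FACTORS}")
    for t in threats:
        if t.element == element and t.category == category:
            t.dread = dict(dread)
            return t
    raise KeyError((element, category))


def ranked(threats: List[Threat]) -> List[Threat]:
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def sample_model() -> List[Threat]:
    # Constructed DFD: the browser sits outside the trust boundary, the web app and DB inside it.
    elements = [
        Element("Browser", "external"),
        Element("Web app", "process"),
        Element("Customer DB", "store"),
        Element("Browser -> Web app", "flow", crosses_boundary=True),
        Element("Web app -> Customer DB", "flow", crosses_boundary=False),
    ]
    return enumerate_threats(elements)


if __name__ == "__main__":
    threats = sample_model()
    rate(threats, "Browser -> Web app", "Tampering", damage=8, reproducibility=9,
         exploitability=7, affected_users=8, discoverability=8)
    rate(threats, "Customer DB", "Information disclosure", damage=10, reproducibility=6,
         exploitability=5, affected_users=10, discoverability=4)
    for t in ranked(threats)[:5]:
        print(f"{t.score():4.1f}  {t.element}: {t.category}")
```

Enumeration produces the list of attacks to consider (slide 27); the DREAD ratings then answer which of them to mitigate first. Unrated threats score 0 and sink to the bottom, so an unranked list is visible as a gap in the model rather than silently ignored.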
  32. Asset
     Start modeling with things with asset tags:
     - Webservers
     - Disk arrays
     - Databases
     - Routers
     - Data channels
     Notes: For those who aren’t programmers, but want to perform some operational threat modeling and risk mitigation, this is a popular choice.
  33. Change Management
     A good name. Goals:
     - Eliminate unauthorized changes
     - Eliminate unauthorized access and vulnerability exposure
     - Raise communication and awareness
     - Leads to better security
     Notes: Many incidents are caused by a gap in proper configuration. This speaks to an immature change management program.
     Photo: www.flickr.com/photos/spursfan_ace/2328879637/
  34. Change Management
     Related important activities:
     - Patching
     - Known-good or gold standard configurations and builds
     - System security
     - Role-based access and least privilege controls
     Notes: http://en.wikipedia.org/wiki/Principle_of_least_privilege
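One concrete way to act on the "known-good or gold standard configurations" item on slide 34 and the "eliminate unauthorized changes" goal on slide 33: snapshot the approved build as a manifest of file hashes and diff the live system against it. This is an added example, not code from the deck or its author; the file tree, the file contents and the three changes it detects are constructed in a temporary directory for illustration.

```python
"""Added example (not from the deck): drift detection against a gold-standard
baseline. The sample file tree and the changes applied to it are constructed
in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed 'approved' tree, change it, and return the detected drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "app.conf").write_text("debug=false\n")
        baseline = snapshot(root)  # the gold-standard build

        # Unauthorized changes: a hardening setting flipped, a file dropped in, a file removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "motd").unlink()
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline manifest is the artifact that change management should produce with each approved build; anything the diff reports is either an approved change that needs its manifest updated, or an unauthorized one that needs an incident.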
  35. Security Controls
     - Covers what software does not
     - Reinforces what software does cover
     - Defense in depth
     - They are best when they are fed data
     Notes: A nice ancient picture from our friends at the RAND corporation.
  36. Security Controls
     - Physical access control
     - Auditing of changes and user access
     - Intrusion detection/prevention
     - Monitoring
     Notes: There are more; these are just examples.
  37. Security Controls
     - Anomaly detection
     - Incident management and handling
     - Single Sign-on
     Notes: ...and much, much more.
  38. Security Development [SDL]
     - In Seattle most like Microsoft. At Microsoft, they like their SDL
     - Flavors available: Classic, Agile, Light
     Notes: http://www.microsoft.com/security/sdl/
     There are other models and I have my favorites. Ask me if you can’t get enough of this SDL business.
  39. Security Development [SDL]
     In a nutshell:
     - Requirements
     - Design
     - Implementation
     - Verification
     - Release
     Notes: With the optional stage zero of Training and a post-release stage of Response.
  40. Security Development [SDL]
     OWASP SDL: OpenSAMM
     - Open and free
     - Scoring maturity in skill/process zones
     - Like all things OWASP, pretty awesome
     Notes: http://www.opensamm.org/2009/03/samm-10-released/
     http://blogs.gartner.com/neil_macdonald/2009/08/04/another-excellent-application-security-maturity-model/
  41. Security Development [SDL]
     - Program quality scored from 0 to 3
     - 0 representing none
     - 3 representing comprehensive mastery
  42. Security Development [SDL]
     Figure it out yourself:
     - Make your process fit your business needs and team skillsets
     - Define more or less based on your in house framework or other needs
     Notes: http://securosis.com/blog/firestarter-secure-development-lifecycle-your-doing-it-wrong/
     Same failing argument used against QA 20 years ago: http://erratasec.blogspot.com/2010/05/you-may-not-need-sdl.html
     Do what you can do well and farm the rest out or delegate to someone who can do better.
  43. Horrible Consequences
     - Something didn’t work out
     - There was an incident
     - The breach was on the news
     - What might happen now?
  44. Horrible Consequences
     - You may be called to a meeting to explain
     - Your company brand or stock price may suffer
     - There may be truly amazingly large fines
     - Businesses can fold over such things
     Notes: Whatever happens, you will not like them, no one will be pleased, and life will not be cool.
  45. The Unexpected
     - Unintended uses for software
     - Landscapes change
     - Future hard to predict
     - Dependencies
     - Legacy
     Notes: Example: IP over HTTP and DNS. Futurists thought that we would be on Mars and communicating with telepathy by now. It’s no wonder there is no trust model in TCP/IP. Smurf (and other amplification attacks) and IP spoofing were likely not in the TCP/IP design considerations. Try to think about possible applications of the infrastructure you’re developing as, if you do it well, it may be around for a long time.
  46. Thanks
     Ian Gorrie
     Notes: I am Ian. http://gorrie.org @gorrie
