The document discusses using threat-driven methodologies to achieve defendable system architectures. It describes a threat analysis methodology that involves identifying assets, attack vectors, threat actors, and controls. A case study applies this methodology to analyze threats to a smart card system. Key threats are identified and addressed through controls that focus on visibility, manageability, and survivability of the system. The presentation emphasizes starting with threat intelligence and analysis to select appropriate protections and designing systems to be defended.

1. #RSAC
SESSION ID:
Michael Muckin Scott Fitch
Achieving Defendable
Architectures via
Threat-Driven Methodologies
ANF-F03
LM Fellow, Cyber Architect
Lockheed Martin
LM Fellow, Cyber Architect
Lockheed Martin

2. #RSAC
2
The system shall encrypt data at rest.

3. #RSAC
3
System Threat
Analysis
Threat
Intelligence
The Threat Driven Approach

4. #RSAC
Reconnaissance1
Weaponization2
Delivery3
Exploitation4
Installation5
Command & Control6
Actions on Objectives7
Synthesis
Threat Intelligence
Analysis

5. #RSAC
System Threat Analysis Methodology
5
Discovery Phase
Implementation Phase
There are no IDDIL (idle) Threats; they ATC (attack)
Identify the Assets
Define the Attack Surface
Decompose the System
Identify Attack Vectors
List Threat Actors
Analysis and Assessment
Triage
Controls

6. #RSAC
System Threat Analysis Methodology
6
Identify the Assets
Define the Attack Surface
Decompose the System
Identify Attack Vectors
List Threat Actors
Analysis and Assessment
Triage
Controls
Critical Assets
Knowledge of Industry
Mission Impacts
Mission Needs
Targeted Assets
Tactics, Techniques, & Procedures
Tactics, Techniques, & Procedures
Campaigns, Motivation, Skill
Inputs on likelihood
Threat Intelligence
Control Effectiveness
System Threat Analysis

7. #RSAC
Threat Methodology Integration
7
Concept Reqs Design Build Test/QA Deploy Ops
Threat Modeling & Analysis
Threat Intelligence
I D D I L A T C
Testing Aligned
to Threat Model
Threat Actors, TTPs,
Existing Controls
Infrastructure & Service
Enhancements
Current TTPs and
Targeting Intel

8. #RSAC
Threat Methodology Practices
 Threat Models
 Attack Trees
 Threat Profiles
 Cyber Kill Chain®
 Controls Effectiveness Matrix
8

9. #RSAC
Case Study
9
Assets:
 Smart Card
 OS and Applet
 ID codes
 Keys
 I&AM Systems
 Workstations
 Facilities
Threat Actors/Attack Vectors:
1. Man-in-Manufacturer (a)
2. Man-in-Manufacturer (b)
3. Interception of Master Key
4. Compromise of I&AM System
5. Malicious Insider
6. Compromise Critical Role
7. Compromise middleware
8. Physical attacks
Provisioning
Credentialing
PKI Interface
Physical Security
HR Interface
Critical Roles:
Role A
Role X
Service Acct

10. #RSAC
Determining Focus Threats
10
System Threats
Physical Attacks
Malicious Insider
Threat Intelligence
Adversary Objectives
TTPs
Focus
Threats
Mission and
Business Needs
Malicious Code on Card
Compromised Middleware
Lateral Movement
Disclosure of Keys
Critical Role Exploited

11. #RSAC
Addressing Threats
Asset/
Objective
Threat Types Resultant
Condition(s)
Attack Surface/
Vector
Controls
SmartCard OS • Tampering
• Disclosure
• Elevation of Privilege
• Lateral Movement
Dependent upon # of
cards and level of
access of user
• Card
• Card OS code
• APDU manipulation
• Code Audits
• Contract language
• Privileged account
restrictions
Critical Role • Spoofing
• Repudiation
• Elevation of Privilege
• Lateral Movement
Unauthorized,
privileged and
potentially untraceable
activity to critical
infrastructure
• I&AM Systems
• Specific interfaces
• Specific services
• Targeted user and
service accounts
• Admin gateways
• Multi-factor AuthN
• Local accounts
wherever possible
• Privileged account
password controls
Workstation • Disclosure
• Elevation of Privilege
• Lateral Movement
Exfil data and/or
credentials;
Use machine as
foothold for further
actions
• SmartCard
• Middleware
• Memory
• System patching
• HIPS
• Memory protections
• Penetration testing /
assessment
• Configuration controls
11

12. #RSAC
Defend the System as a Whole
 Visibility into current and
historical system activity
 Manageability of system
configuration, updates, and
control settings
 Survivability to deliver
services through attack,
detection, and recovery
12

13. #RSAC
Designing for Defense
13
 Visibility
 Server logging
 Workstation
logging
 Network
monitoring
 Cardstock
inventory
 Insider detection
Provisioning
Credentialing
PKI Interface
Physical Security
HR Interface
Critical Roles:
Role A
Role X
Service Acct

14. #RSAC
Designing for Defense
14
 Visibility
 Manageability
 Rules based on
new threat intel
 Control points
for tactical
mitigations
 System patching
 Controlled
admin access
Provisioning
Credentialing
PKI Interface
Physical Security
HR Interface
Critical Roles:
Role A
Role X
Service Acct

15. #RSAC
Designing for Defense
15
 Visibility
 Manageability
 Survivability
 System
segmentation
 Strong admin
authentication
 Separate card
use from issuance
 Assured system
recovery
Provisioning
Credentialing
PKI Interface
Physical Security
HR Interface
Critical Roles:
Role A
Role X
Service Acct

16. #RSAC
16
System Threat
Analysis
Threat
Intelligence
Use IDDIL/ATC to select protection and appropriate compensating controls
Design the system to be defended through visibility, manageability, and survivability

17. #RSAC
Building Defendable Architectures and
Applying Threat-Driven Methodologies
17
Start identifying your organization’s critical systems and assets
Use IDDIL/ATC to select protection and appropriate compensating controls
Design the system to be defended through visibility, manageability, and survivability
For the next system you build, modify, operate, or assess
Integrate threat intelligence into design, development, and operations
As your cyber defense capabilities mature

18. #RSAC
18
http://lockheedmartin.com/cyber