This document discusses application threat modeling. It begins with introducing key terminology used in threat modeling like assets, threats, attacks, and risks. It then explains what threat modeling is and when it should be performed. The document outlines three main approaches to threat modeling: asset-centric, attacker-centric using attack trees, and system-centric. It provides examples of each approach and discusses how to identify threats, calculate risks, and plan countermeasures as part of the system-centric threat modeling process.

1. Application
Security
Wargame
Application
Threat
Modeling

2. Agenda
• Introduction
• What
is
Threat
Modeling?
• Approaches
• Case
Study

3. Introduction:
Terminology
• Asset
• Is
something
which
has
value
and
which
we
want
to
protect
• Threat
• Is
something
bad
that
can
happen
to
an
Asset
• Threat
Agent
/
Actor
• Is
something
or
someone
who
can
manifest
a
threat
• Attack
• Is
a
process
by
which
a
threat
or
threat
agent
can
harm
an
asset
• Risk
• Is
the
likelihood
that
a
particular
Threat
against
a
particular
asset
will
occur
• Control
• One
or
more
measures
that
reduces
or
eliminates
a
Risk

4. What
is
Threat
Modeling
• Threat
Model
consists
of
• Threats
to
a
system
• Assets
threats
may
affect
• Mapping
of
the
threats
to
assets
• Risk
rating
• Countermeasures
• Threat
modelling
is
a
repeatable
process
by
which
we
can
enumerate
the
threats
and
assets
of
a
system
and
how
the
threats
may
affect
the
assets.
It
may
also
optionally
score
the
risk
and
plan
countermeasures.

5. When
to
do
TM?
Analyze Design Implement Verify Deploy Respond
Security
Requirements
Secure
Design
Secure
Coding
Security
Testing
Secure
Deployment
Static
Analysis
Attack
Surface
Review
Incident
Response
Plan
Incident
Response
Penetration
Testing
Training
&
Awareness
Threat
Modeling
Predict Prevent Detect

6. Approaches
• Asset
centric
• Traditional
Risk
Analysis
• What
do
I
care
about
most
• How
do
I
protect
it?
• Attacker
centric
aka
Attack
tree
approach
• Who
are
the
attackers
?
• What
are
the
attackers’
goals
and
how
they
might
achieve
them
?
• How
do
it
stop
them?
• System
Centric
/
Design
centric
/
Architecture
Centric
• Start
with
the
design
of
the
system

7. Asset-­‐Centric
Approach
• What
do
you
want
to
protect?
• List
of
Assets
• What
do
you
want
to
protect
it
from?
• List
of
Threats
• How
likely
is
it
that
you
will
need
to
protect
it?
• Security
Requirements
• How
bad
are
the
consequences
if
you
fail?
• Risk
Rating
• How
much
trouble
are
you
will
to
go
through
in
order
to
try
to
prevent
those?
• Countermeasures
planning

8. Attacker
Centric
approach
• Attack
Trees
• Represent
attacks
against
a
system
in
a
tree
structure
• Goal
is
the
root
node
• Attacks
as
leaf
nodes
• Children
can
be
AND
nodes
or
OR
nodes
• Reference:
https://www.schneier.com/aca
demic/archives/1999/12/attack
_trees.html

9. Attack
Trees
/
Graphs
• Identify
Possible
Attack
Goals
• Build
attack
tree
for
each
goal
• Enumerate
attacks
against
each
goal
and
add
them
as
nodes
• Repeat
the
process
down
the
tree
• Merge
all
attack
trees
to
form
the
attack
graph
• Prune
the
Graph

10. System
Centric
Approach
• Identify
Security
Objectives
• Understand
the
system
/
application
• Identify
the
threats
• Calculate
risk
• Countermeasures
• Validate
the
threat
model

11. Security
Objectives
• Identity
• Does
the
application
need
to
protect
user
identity
from
abuse?
• Financial
• Assess
the
level
of
risk
the
organization
is
prepared
to
incur
in
remediation
as
potential
financial
loss.
• Reputation
• Quantify
or
estimate
of
loss
of
reputation
due
to
application
being
misused
or
attacked
• Regulatory
• Is
the
application
liable
to
adhere
to
standards
and
regulatory
compliances?
• Availability
• SLA

12. Understand
the
System:
Enumerate
• Product
functionality
• Technologies
in
use
• Processes
• Listening
ports
• Firewall
rules
• Databases

13. Understand
the
system:
DFD
• Dataflow
• Contextual
• High
level
• Low
level
• Identify
trust
boundaries
• Identify
Entry
points
aka
Attack
Surfaces

14. Data
flow
Diagram:
Symbols
External
Entity Process
Complex
Process
Data
Store
Data
Flow Trust
Boundary

15. Identify
Threats
• Identify
• Network
Threats
• Host
Threats
• Application
threats
• Approaches
• Use
STRIDE
to
Identify
threats
• Use
Categorized
threat
list
/
library
• Attack
Trees
&
Attack
patterns

16. STRIDE
Threat Property
Violated Threat
Definition
S Spoofing Authentication Pretending
to
be
something or
someone
other
than
yourself
T Tampering Integrity Modifying something
on
disk,
network,
memory
or
elsewhere
R Repudiation Non-­‐Repudiation Claiming
that
you
didn’t
do
something or
were
not
responsible.
Can
be
honest
or
false
I Information
Disclosure
Confidentiality Providing
information
to
someone
not
authorized
to
access
it
D Denial
of
Service
Availability Exhausting
resources
needed
to
provide
service
E Elevation
of
Privilege
Authorization Allowing
someone
to
do
something
they
are
not
authorized
to
do

17. STRIDE-­‐per-­‐Element
S T R I D E
External
Entity x x
Process x x x x x X
Data Flow x x x
Data
Store x x x

18. STRIDE-­‐per-­‐interaction
• Interaction
• tuple
of
(origin,
destination
and
interaction)
• Similar
to
STRIDE-­‐per-­‐entity
• For
each
entity,
categorize
threats
by
their
interactions
• More
complex
to
build
but
easier
to
understand

19. Other
approaches
• Attack
Trees
• Attacker
Library
• Barnard’s
List
• Verizon’s
Lists
• Aucsmith’s Attacker
Personas
• Intel
Threat
Agent
Library
(TARA)
• OWASP
• Attack
Library
• OWASP
• WASC
• CAPEC

20. Calculate
Risk
• RPD
Model
• Risk
=
Probability
*
Damage
• DREAD
• Risk
=
(Damage
+
Reproducibility
+
Exploitability
+
Affected
Users
+
Discoverability
)
/
5
• CVSS

21. Countermeasures
• Risk
Acceptance
• Do
nothing
• Risk
Transfer
• to
another
component
in
the
System
• Risk
Elimination
• Remove
/
Disable
the
feature
• Fix
the
bug
• Risk
Mitigation
• Add
controls
to
reduce
or
mitigate
the
risk

22. Countermeasures
Threat Countermeasures
Spoofing
user
identity
Use
strong
authentication.
Do
not
store
secrets
(for
example,
passwords)
in
plaintext.
Do
not
pass
credentials
in
plaintext
over
the
wire.
Protect
authentication
cookies
with
Secure
Sockets
Layer
(SSL).
Tampering
with
data
Use
data
hashing
and
signing.
Use
digital
signatures.
Use
strong
authorization.
Use
tamper-­‐resistant
protocols
across
communication
links.
Secure
communication
links
with
protocols
that
provide
message
integrity.

23. Countermeasures
Threat Countermeasures
Repudiation
Create
secure
audit
trails.
Use
digital
signatures.
Information
disclosure
Use
strong
authorization.
Use
strong
encryption.
Secure
communication
links
with
protocols
that
provide
message
confidentiality.
Do
not
store
secrets
(for
example,
passwords)
in
plaintext.
Denial
of
service
Use
resource
and
bandwidth
throttling
techniques.
Validate
and
filter
input.
Elevation
of
privilege
Follow
the
principle
of
least
privilege
and
use
least
privileged
service
accounts
to
run
processes
and
access
resources.

24. Validation
• Penetration
Testing
• Code
Review

25. Case
Study
• Web
Application
• Microservices Architecture
• Functionalities
• Authenticate
user
• Product
Search
• Purchase
Product

26. Case
Study
Client
(browser)
API
Gateway
Auth
Service
Purchase
Search
Purchase
DB
Product
DB
Admin
User
DB

27. References
• Threat
Modeling
– Designing
for
Security,
Adam
Shostack
• Attack
Trees
– Bruce
Schneier,
https://www.schneier.com/academic/archives/1999/12/attack_trees.
html
• Microsoft,
https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
• OWASP,
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security
_Project_-­‐_Mobile_Threat_Model