Threat modelling aims to identify threats and vulnerabilities so that controls can be applied to mitigate the resulting risks. Killing the Cyber Security Kill Chain is an approach to threat modelling that maps each stage of an attack to ISO 27001 controls.
The presentation is published under a Creative Commons Attribution licence.
4. CYBER SECURITY KILL CHAIN
● A GENERIC ATTACK MODEL.
● THE STAGES AN ATTACKER MUST GO THROUGH.
● EVERY STAGE MUST SUCCEED FOR A SUCCESSFUL ATTACK.
● REQUIRES DEFENCE AT EVERY STEP: BREAKING ANY ONE STAGE BREAKS THE CHAIN.
5. ATTACK STEPS OF KILL CHAIN
RECONNAISSANCE
WEAPONIZATION
DELIVERY
EXPLOITATION
INSTALLATION
COMMAND & CONTROL
ACTION ON OBJECTIVE
6. RECONNAISSANCE
GATHER INFORMATION ABOUT THE TARGET
PASSIVE
WHOIS
ARIN
GOOGLE
SHODAN
COMPANY WEBSITE
JOB LISTINGS
PROTECTION
LIMIT PUBLIC INFORMATION
ACCEPTABLE SOCIAL MEDIA USE
MODIFY SERVER ERROR MESSAGES
DOMAIN PRIVACY CONTROLS
SCREENING PEOPLE
7. RECONNAISSANCE
GATHER INFORMATION ABOUT THE TARGET
ACTIVE
NMAP
PORT SCANNING
BANNER GRABBING
VULNERABILITY SCANNING
PROTECTION
DISABLE UNUSED PORTS
DISABLE UNUSED SERVICES
HONEYPOTS
FIREWALL, IDS/ IPS
BLOCK TOR EXIT NODES AND ANONYMISING VPNs
INBOUND BLOCKING
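The firewall and IDS/IPS controls on this slide only help against active reconnaissance if something actually looks for scan behaviour in what they log. The following is an added example, not code from the presentation: a detector that reads constructed firewall log lines in a hypothetical `timestamp source destination dport action` format (no vendor's real format) and flags any source that touches many distinct destination ports within a short window. Both ALLOW and DENY lines are counted, because a scanner probing open and closed ports produces both.

```python
"""Port-scan detection over firewall logs (added example, not from the
presentation). The log format below is hypothetical and the lines are
constructed: one scanner (198.51.100.7), one normal client (192.0.2.44) and
one host with a few unrelated denies spread over time (192.0.2.99)."""
from collections import defaultdict

SAMPLE_LOG = """\
1700000000 198.51.100.7 203.0.113.10 21 DENY
1700000001 198.51.100.7 203.0.113.10 22 DENY
1700000001 198.51.100.7 203.0.113.10 23 DENY
1700000002 198.51.100.7 203.0.113.10 25 DENY
1700000002 198.51.100.7 203.0.113.10 80 ALLOW
1700000003 198.51.100.7 203.0.113.10 110 DENY
1700000003 198.51.100.7 203.0.113.10 143 DENY
1700000004 198.51.100.7 203.0.113.10 443 ALLOW
1700000004 198.51.100.7 203.0.113.10 445 DENY
1700000005 198.51.100.7 203.0.113.10 3389 DENY
1700000005 198.51.100.7 203.0.113.10 8080 DENY
1700000006 192.0.2.44 203.0.113.10 443 ALLOW
1700000007 192.0.2.44 203.0.113.10 443 ALLOW
1700000008 192.0.2.99 203.0.113.10 22 DENY
1700000009 192.0.2.99 203.0.113.10 80 ALLOW
1700000900 192.0.2.99 203.0.113.10 3389 DENY
"""


def parse_line(line):
    """Split one hypothetical log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def detect_port_scans(log_text, min_ports=10, window=60):
    """Return {src: (distinct_ports, first_ts, last_ts)} for every source that
    contacts at least `min_ports` distinct destination ports inside any
    `window`-second interval. The thresholds are tuning assumptions; raise
    them on busy networks to avoid flagging legitimate multi-port clients."""
    events = defaultdict(list)  # src -> [(ts, dport), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport, _action = parse_line(line)
        events[src].append((ts, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        # Sliding time window over the source's events, oldest to newest.
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ports = {p for _, p in evs[left:right + 1]}
            if len(ports) >= min_ports:
                alerts[src] = (len(ports), evs[left][0], evs[right][0])
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in detect_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {src}: {n} ports between {first} and {last}")
```

The window matters as much as the port count: 192.0.2.99 also hits three different ports, but spread over fifteen minutes, which is why a slow scan needs a longer window or a lower threshold to be caught, at the cost of more false positives.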
8. WEAPONIZATION
FIND OR CREATE THE ATTACK FOR THE WEAKNESS
TOOLS
METASPLOIT
AIRCRACK-NG
BURP SUITE
SOCIAL ENGINEERING TOOLKIT
VEIL FRAMEWORK
SQLMAP
WAPITI
AND MORE ….
DEFENSES
PATCH MANAGEMENT
DISABLE OFFICE MACROS
RESTRICT BROWSER PLUGINS
ANTIVIRUS
EMAIL SECURITY
AUDIT LOGGING
ADMINISTRATIVE CONTROLS
TECHNICAL CONTROLS
9. DELIVERY
SELECTING WHICH AVENUE TO DELIVER THE EXPLOIT
ATTACK
WEBSITES
SOCIAL MEDIA
WIRELESS ACCESS
USER INPUT
EMAIL
USB
INSIDER
DEFENCE
USER AWARENESS
WEB FILTERING
IDS/IPS
SPF/DKIM (EMAIL AUTHENTICATION)
DISABLE USB
LIMIT ADMIN RIGHTS
DNS FILTERING
ENCRYPTION
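SPF is the one control on this slide that can be shown end to end without keys or a mail server, so here is an added example (not code from the presentation) of how a receiving server evaluates it: the `v=spf1` record of the sender's domain is walked mechanism by mechanism and the connecting IP is tested against each. The domains and TXT records are constructed, and a dictionary stands in for the DNS lookups a real evaluator would perform; only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented. DKIM is not shown because it needs the signing key pair.

```python
"""SPF evaluation for a connecting sender IP (added example, not from the
presentation). FAKE_DNS_TXT is a constructed stand-in for DNS TXT lookups;
the domains are hypothetical."""
import ipaddress

FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_DNS_TXT):
    """Return the domain's SPF record or None (stand-in for a DNS TXT query)."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, txt=FAKE_DNS_TXT, _depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    RFC 7208 caps DNS-based mechanism lookups at 10; the depth check here
    is a simplification of that limit."""
    if _depth > 10:
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4" and ip.version == 4:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "ip6" and ip.version == 6:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # 'include' matches only if the included record itself passes.
            matched = check_spf(sender_ip, arg, txt, _depth + 1) == "pass"
        # a/mx/exists/ptr would need further DNS; unsupported terms are skipped
        # here, whereas a full evaluator would return permerror for unknown ones.
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The strict `-all` on example.com is what turns a forged sender into a hard fail; a domain that ends its record with `~all` or `?all` only gives the receiver a hint, which is why SPF on its own does not stop spoofed delivery.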
10. EXPLOITATION
WEAPONS DELIVERED AND ATTACK CARRIED OUT
ATTACK
SQL INJECTION
MALWARE
BUFFER OVERFLOW
JAVASCRIPT HIJACK
DDOS ATTACKS
DEFENCE
LINUX CHROOT
RESTRICT POWERSHELL (CONSTRAINED LANGUAGE MODE, SCRIPT LOGGING)
UBA / EDR SOLUTIONS
INCIDENT RESPONSE
RECOVERY PLAN
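SQL injection is listed first among the exploitation attacks, and the "secure programming" defence on the next slide is what stops it. The following added example (not code from the presentation) shows the vulnerable pattern beside its fix on an in-memory SQLite table with constructed rows: a login query that splices user input into the SQL text, and the same query using placeholders. Plaintext passwords are used only to keep the injection visible; a real system compares password hashes.

```python
"""SQL injection: vulnerable string-built query beside the parameterised fix
(added example, not from the presentation). Table and rows are constructed."""
import sqlite3


def make_db():
    """Create a throwaway users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "correct-horse", "admin"), (2, "bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: attacker-controlled strings become part of the SQL text,
    so quotes, OR clauses and comment markers in the input change the query."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """FIXED: placeholders send the values separately from the statement, so
    the same payloads are compared as literal strings and match nothing."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads: a tautology in the password field (AND binds tighter
# than OR, so the OR '1'='1' makes the WHERE clause true for every row) and a
# comment marker in the username that discards the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_BYPASS = "alice'--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology  :", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("vulnerable, comment    :", login_vulnerable(db, COMMENT_BYPASS, "wrong"))
    print("safe, tautology        :", login_safe(db, "nobody", TAUTOLOGY))
    print("safe, real credentials :", login_safe(db, "alice", "correct-horse"))
```

The audit-logging and EDR controls on these slides see the symptom (a login that returns every row, or a query containing `--`); parameterisation removes the cause.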
11. INSTALLATION
GAIN BETTER ACCESS
ATTACK
PAYLOAD INJECTION
REMOTE ACCESS TOOLS
REGISTRY CHANGES
POWERSHELL COMMANDS
GAIN PERSISTENT ACCESS
DEFENCE
ANTI-EXPLOIT
SECURE PROGRAMMING
WEB FILTERING
IPS/IDS
APT (ADVANCED PERSISTENT THREAT) DETECTION
12. COMMAND AND CONTROL
REMOTE CONTROL BY THE ATTACKER
ATTACK
REMOTE LOGIN
BOTNETS
TROJANS
PRIVILEGE ESCALATION
ADVANCED PERSISTENCE
DEFENCE
NETWORK SEGMENTATION
NGFW: C&C BLOCKING
DNS SINKHOLE / REDIRECT
APPLICATION CONTROLS
RESTRICT PROTOCOLS
ISOLATION
IOC: INDICATORS OF COMPROMISE
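Two of the defences on this slide, DNS redirection and indicators of compromise, can be shown on a log. The following added example (not code from the presentation) does three things over constructed connection records in a hypothetical `timestamp source domain` format: matches destinations against an IOC list with correct subdomain semantics, returns a sinkhole address for any IOC match the way a redirecting resolver would, and flags beaconing, the regular check-in rhythm of a C2 implant, by measuring how little the interval between connections from one host to one destination varies. The IOC domains, the sinkhole address and the log lines are all made up for the example.

```python
"""Command-and-control detection on a constructed connection log (added
example, not from the presentation). IOC_DOMAINS, SINKHOLE_IP and the log
lines are hypothetical values."""
from collections import defaultdict
from statistics import mean, pstdev

IOC_DOMAINS = {"bad-c2.example", "update-check.test"}
SINKHOLE_IP = "10.255.255.1"

SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn-42.example
1700000061 10.0.0.5 cdn-42.example
1700000119 10.0.0.5 cdn-42.example
1700000180 10.0.0.5 cdn-42.example
1700000241 10.0.0.5 cdn-42.example
1700000299 10.0.0.5 cdn-42.example
1700000360 10.0.0.5 cdn-42.example
1700000421 10.0.0.5 cdn-42.example
1700000005 10.0.0.8 news.example
1700000012 10.0.0.8 news.example
1700000140 10.0.0.8 news.example
1700000145 10.0.0.8 news.example
1700000600 10.0.0.8 news.example
1700000003 10.0.0.9 api.bad-c2.example
1700000050 10.0.0.9 notbad-c2.example
1700000090 10.0.0.8 update-check.test
"""


def parse(log_text):
    """Yield (ts, src, domain) with the domain normalised for matching."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, domain = line.split()
            yield int(ts), src, domain.lower().rstrip(".")


def ioc_match(domain, iocs=IOC_DOMAINS):
    """Exact or subdomain match. 'api.bad-c2.example' hits 'bad-c2.example';
    'notbad-c2.example' does not, because the suffix must start at a dot."""
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in iocs)


def resolve_with_sinkhole(domain, iocs=IOC_DOMAINS, sinkhole=SINKHOLE_IP):
    """DNS redirect: answer IOC domains with the sinkhole address, otherwise
    return None to mean 'forward to the upstream resolver as normal'."""
    return sinkhole if ioc_match(domain, iocs) else None


def ioc_hits(log_text, iocs=IOC_DOMAINS):
    """Sorted (src, domain) pairs in the log that match an indicator."""
    return sorted({(s, d) for _, s, d in parse(log_text) if ioc_match(d, iocs)})


def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return {(src, domain): mean_interval} for host/destination pairs whose
    inter-connection gaps have a coefficient of variation at or below max_cv.
    Implants check in on a timer (plus small jitter), so their gaps cluster
    tightly; human browsing does not. Thresholds are tuning assumptions."""
    series = defaultdict(list)
    for ts, src, domain in parse(log_text):
        series[(src, domain)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(SAMPLE_LOG))
    print("beacons :", find_beacons(SAMPLE_LOG))
```

Note that the beaconing host talks to a domain that is on no IOC list, which is the point of behavioural detection: IOCs catch what is already known, the timing analysis catches the implant before anyone has published its domain.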
13. ACTION ON OBJECTIVE
ATTACKER EXECUTES DESIRED ACTION
ATTACK
MOTIVATION
FINANCIAL
POLITICAL
ESPIONAGE
MALICIOUS INSIDER
LATERAL MOVEMENT
DEFENCE
DATA LEAKAGE PREVENTION (DLP)
USER BEHAVIOUR ANALYTICS (UBA)
ZERO TRUST SECURITY
DETECT > RESPOND > RECOVER
DEVELOP MULTIPLE LAYERS OF SECURITY
14. DEFENCE FOR THE KILL CHAIN
RECONNAISSANCE
WEAPONIZATION
DELIVERY
EXPLOITATION
INSTALLATION
COMMAND & CONTROL
ACTION ON OBJECTIVE
● PHYSICAL CONTROLS
● ADMINISTRATIVE CONTROLS
● TECHNICAL CONTROLS
15. ISO 27001: ANNEX A CONTROLS (2013 EDITION)
A.5 INFORMATION SECURITY POLICIES
A.6 ORGANISATION OF INFORMATION SECURITY
A.7 HUMAN RESOURCE SECURITY
A.8 ASSET MANAGEMENT
A.9 ACCESS CONTROL
A.10 CRYPTOGRAPHY
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY
A.12 OPERATIONS SECURITY (INCL. TECHNICAL VULNERABILITY MANAGEMENT, E.G. PENTESTING)
A.13 COMMUNICATIONS SECURITY
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
A.15 SUPPLIER RELATIONSHIPS
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
A.18 COMPLIANCE
ADMINISTRATIVE - PHYSICAL - TECHNICAL
THREAT > RISK > CONTROL > MITIGATION
16. Niranjan Meegammana
MSc in Cyber Security (2022)
Sri Lanka Institute of Information Technology
Thank you