The document outlines Acme Payroll Company's (APC) implementation of threat modeling using the PASTA approach. It describes APC's systems, identifies potential threats, analyzes vulnerabilities, and proposes a strategy for conducting simulated attacks against APC's network and systems. The strategy involves scanning for vulnerabilities, attempting to exploit them using tools like Nessus and Metasploit, and using social engineering techniques like phishing emails to try and obtain credentials or sensitive information from employees. The goal is to help APC identify weaknesses before real attackers can compromise their systems.

1. PASTA: Risk-Centric
Threat Modeling
Acme Payroll Company decides to implement
the PASTA threat-modeling approach
February
2019

2. Target: Acme Payroll Company
Acme Payroll Company (APC) is a small business
that processes payroll for other companies.
They have a home-grown application
and an SFTP server. Both are accessible by clients.
They have client PII in both locations.
A data breach would be very damaging
to their reputation in the industry.
2

3. Threats to APC
There are several threats
To APC’s network and client PII
 Exposure of private information
 Cryptographic failures
 Deserialization – remote code execution
 Broken access control – authorization bypass
 Insufficient monitoring or logging
 Phishing emails
 Zero-day malware
 Brute-force attacks
 Cross-site scripting
 DoS and DDoS attacks
 Emotet Malware
 Overflow attacks
 Cloud email hacking
3

4. OWASP
Survey 2017
• CWE-359 Exposure
of Private Information
• CWE-310 Cryptographic Failures
• CWE-502 Deserialization
of Untrusted Data
• CWE-639 Authorization Bypass
Through User-Controlled Key
• CWE-778 - Insufficient
Logging and Monitoring
0
100
200
300
400
500
600
700
800
900
1000
CWE-778 CWE-639 CWE-502 CWE-310 CWE-359
4
Industry-Ranked Top Five
Web Application Threats
Number of cases reported

5. The Attack
A high-level overview
of the planned attack on APC
An attack will be performed on APC’s web server,
SFTP server, and other infrastructure targets.
5

6. The Attack
A high-level overview
of the planned attack on APC
The attackers will use Nessus Pro
to scan for vulnerabilities.
They will then use Metasploit to attempt
to exploit the identified weaknesses.
6

7. The Attack
A high-level overview
of the planned attack on APC
They will also employ social-engineering techniques,
including phishing emails, phone calls, and an onsite
visit to try to exfiltrate data from the company.
7

8. Conducting the Attack
Acme Payroll Company’s security staff will perform the attacks
in conjunction with Hippo Security, a trusted third-party vendor
8

9. The Team
Members of the Team
Conducting the Attack
 APC Infrastructure Department
• Network Administrator
• Help Desk Technicians
• IT Manager
 APC Security Department
• CISO
• Information Security Officer
 Hippo Security
• Security Engineers
• Pen Tester
• Project Manager
9

10. Attack Strategy
Methodology of the planned attack:
Phase 1: Attack APC Client-accessible services
Perform attack on client portal web server
 Use Nessus Pro to scan for vulnerabilities
 Use Metasploit to exploit identified vulnerabilities
 Attempt brute-force, authorization, and overflow attacks
 Attempt cross-site scripting attack
 Perform denial of service attack
 Attempt weak-ciphers attack
10

11. Attack Strategy
Methodology of the planned attack:
Phase 1: Attack APC Client-accessible services
Perform attack on SFTP server
 Attempt brute-force attack
 Attempt weak-ciphers attack
 Attempt anonymous authentication attack
 Perform denial-of-service attack
11

12. Attack Strategy
Methodology of the planned attack:
Phase 2: Attack Infrastructure Targets
Attempt to attack perimeter of APC network
 Use nmap to scan IP ranges
 Use Nessus to scan for vulnerabilities
 Use Metasploit to exploit vulnerabilities
 Attempt to breach firewalls
 Attempt brute-force attack on any login or web pages
12

13. Attack Strategy
Methodology of the planned attack:
Phase 2: Attack Infrastructure Targets
Attempt to breach cloud email
 Attempt to brute-force email login
 Attempt to breach employee phones over wireless
 Send phishing email to steal credentials
 Attempt to get employees to give credentials over the phone
13

14. Attack Strategy
Methodology of the planned attack:
Phase 2: Attack Infrastructure Targets
Social Engineering Attack
 Send Phishing emails
 Call users and ask for information
 Attempt to get credentials from users
 Attempt to get users to give information about their computers
14

15. Attack Strategy
Methodology of the planned attack:
Phase 2: Attack Infrastructure Targets
On-site Reconnaissance Attack
 Send security engineer to office dressed as phone technician
 Attempt to get access to phone closet
 Look for information on empty desks or in printers
 Talk to employees in break room and try to get information
 Attempt to get access to onsite server room
15

16. Threat
Categorization
Threats to APC
Organized by Category
Category Threat
Tampering or Theft of Data
Change records to sabotage client reports
Steal PII for ID theft crimes
Brute-force
Impersonate email user or SFTP user
Denial of Service
DoS or DDoS, overflow attacks
Repudiation Attacks go undiscovered or can’t be analyzed
Intelligence-Gathering Scan for online credentials and employee names and titles,
social engineering, onsite reconnaissance,
phishing emails, port scanning
Elevation of Privilege
Deserialization attacks, Cross-site scripting, malware,
overflow attacks, broken access control
Unauthorized access Taking advantage of cryptographic failures
or broken access control
Take control of email account to send spam
16

17. Threat
Categorization
Threats to APC
Organized by Motive
Motive Threat
Sabotage/industry competition Change records to sabotage client reports
Steal PII to damage reputation
Launch DDoS attack to damage SLA
Take control of email to send phishing email to clients
Steal trade secrets
Financial/exfiltration of data Steal PII for sale on dark net
Steal trade secrets
ransomware
Accessibility
DoS or DDoS, overflow attacks
Obfuscation Deleting or damaging logs
Reconnaissance Scanning for online credentials and employee names and
titles, social engineering, onsite reconnaissance,
phishing emails, port scanning
Elevation of Privilege
Deserialization attacks, Cross-site scripting, malware,
overflow attacks, broken access control
Unauthorized access
Cryptographic failures, broken access control,
Take control of email account to send spam
17

18. Vulnerability Analysis
Identifying Vulnerabilities in Acme Payroll Company’s Systems
that May Allow Successful Attacks
18

19. Vulnerabilities
There Are Several Vulnerabilities
In APC’s Systems That Could Allow
a Successful Attack
APC uses Windows Server and IIS
on their web servers.
There are many vulnerabilities associated
with Windows Server and IIS:
 Remote-code execution CVE-2015-1635
 Buffer Overflow CVE-2017-7269
 Cross-site Scripting CVE-2000-0942
 Authentication bypass CVE-2009-1122
 Denial-of-service CVE-2002-0224
 Elevation of privilege CVE-2017-0055
19

20. Vulnerabilities
There Are Several Vulnerabilities
In APC’s Systems That Could Allow
a Successful Attack
APC uses SFTP to transfer files
to and from their clients.
SFTP has some vulnerabilities:
 SSH input validation CVE-2008-3081
 Directory Traversal CVE-2016-5725
 Information disclosure CVE-2016-10104
 Memory leak CVE-2015-8677
 Weak encryption CVE-2016-10102
 Brute-force vulnerability when using passwords
for authentication
20

21. Vulnerabilities
There Are Several Vulnerabilities
In APC’s Systems That Could Allow
a Successful Attack
APCs users are likely to be the weakest
point in their system.
Human susceptibility to social engineering
gives these attacks a high rate of success.
 The desire to be helpful
 Wanting to help someone who is in a hurry
 Desire to help someone who could get in trouble
 Laziness
 Fear of reprisal
21

22. Vulnerabilities
There Are Several Vulnerabilities
In APC’s Systems That Could Allow
a Successful Attack
Cloud-based email has many vulnerabilities.
APC uses Office 365, which has several vulnerabilities:
 Remote code execution CVE-2019-0585
 Information disclosure CVE-2019-0559
 Denial of service CVE-2018-8546
 Token hijacking CVE-2013-5054
 password discovery CVE-2013-2308 22

23. Exploit Testing
Phase 1:
• The pen tester at Hippo Security does a reconnaissance scan
of open ports on APCs network
• He then performs a vulnerability scan
using Nessus Pro
• He then attempts to exploit
these vulnerabilities using Metasploit
23

24. Exploit Testing
Phase 2:
• The Security Engineer performs
a denial-of-service attack on the SFTP and web servers
• She then performs brute-force attacks
on any web pages or logins she can reach
• She then launches manual attacks using overflows, XSS,
and injection techniques.
24

25. Exploit Testing
Phase 3:
• The Security Engineer sends out phishing emails
to APC staff to try to steal credentials
• She then calls several employees of APC
to see if she can get them to divulge any information
• A Security Engineer from Hippo Security goes onsite
to see if he can exfiltrate any information
25

26. Thank
You
Craig
Walker
Email
cwalker023@my.wilmu.edu