Priyanka Aash, profile picture
Uploaded byPriyanka Aash
1,211 views

Threat modeling demystified

The document focuses on threat modeling as a crucial process in secure software design, emphasizing the need for collaborative involvement from the entire development team. It outlines the importance of understanding the threat landscape, assessing risks, and creating living documents that evolve with system architecture. Through structured analyses and methodologies, including the ATASM framework, the document guides practitioners in identifying security requirements to enhance system defenses against potential attacks.

Embed presentation

Downloaded 37 times
Threat Modeling Demystified Brook S.E. Schoenfield Author, Principal Engineer, Lead Product Security Architect, Intel Security Curious questioner
2 Table of Contents INTRODUCTION..................................................................................................................... 3 THREAT MODELING IS DESIGN-TIME ANALYSIS .......................................................................... 4 We have a Secure Design Problem..............................................................................................4 Threat Modeling Is Applied to an Architecture ...........................................................................4 Secure Software Imperatives.......................................................................................................5 A PROCESS ............................................................................................................................ 6 Knowledge Required Before the Threat Model...........................................................................6 There is no book of “correct” answers. Each organization is different..................................................6 Who Should Participate in The Threat Model? ...........................................................................6 Identifying Important Requirements...........................................................................................6 Assessing Risk ........................................................................................................................................6 ATASM..........................................................................................................................................8 Structure and Flow.......................................................................................................................9 Threat Agents.............................................................................................................................10 A Threat Agent Matrix .........................................................................................................................11 EXAMPLE ANALYSIS..............................................................................................................12 Mobile Security Application.......................................................................................................12 Simple ATASM Steps............................................................................................................................12 Analysis background and structural points..........................................................................................13 Documenting the Model......................................................................................................................14 CLOSING THOUGHTS ............................................................................................................14 Suggestions To Increase Skill .....................................................................................................14 RESOURCES..........................................................................................................................15
3 Introduction Many thanks to the people who spent 2 hours with me, Wednesday morning at RSAC 2017, San Francisco. Without your active participation, learning to threat model is a great deal harder. It turns out, after years of trying to help others climb into the art of seeing systems through the eyes of attackers that groups are one of the best ways to learn. Indeed, threat modeling is best done by the entire development team, anyway. So, by learning in groups, we model the way we are likely to get our best results when analyzing our own systems. Spending a few hours with people in this activity, or even an entire day, is one of the most rewarding activities that I am privileged to do. Thank you for taking the journey with me. In this document, I hope to summarize the main points we covered, as well as top provide just a little bit more than the slides for the Lab. I did fill in the notes for most of my slides as well, so they should be a useful reference, too.
4 Threat Modeling Is Design-Time Analysis We have a Secure Design Problem While some security issues (vulnerabilities) are implementation errors, a fair number of security issues are the result of a lack of security thinking while creating the structure of software (architecture) and then expressing the structure and the requirements in a codable/implementable design. Several obvious design issues were presented, most notably:  The hacked Jeep Wrangler (failed low level access control)  A pacemaker that joins open WiFi (open communications that assume all communications are benevolent)  The Target stores payment terminal hack (failure to isolate sensitive assets and to grant only required access) Threat Modeling Is Applied to an Architecture Architecture is the process of ordering the structure of things (e.g., buildings, cities, software systems, an enterprise, software, anything that is sufficiently complex such that the builders wish to structure it). Architecture uses abstraction in order to understand the system and in order to play with particular aspects of it. Threat modeling is an analysis technique to foster secure design. A threat model is not a “design”. Threat models output security requirements which then must be expressed in the design and then implemented and validated. Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood. Revisit the threat model when the architecture materially changes. That is, revisit when components are added or removed, or lines/forms of communication are added or changed. Threat models are living documents. That is, the analysis may be done as a point in time, but material changes must be reflected in the threat model. This is particularly important for iterative forms of development. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately (whenever there are structural changes). Threat modeling may be thought of as applied security architecture. Security architecture is the practice of building defense-in-depth based upon considering how attackers will try to use a system in order for the attacker(s) to achieve her/his/their goals.
5 Secure Software Imperatives We took the time to define the qualities that secure software exhibits. The following design/architecture imperatives describe the behaviors of “secure software”. We noted that only the first imperative directly deals with implementation errors (commonly called “vulnerabilities”). The other 4 imperatives will be fulfilled through secure design practices.  Be free from errors that can be maliciously manipulated, ergo, vulnerabilities  Have the security features that customers require for the intended use cases  Be self-protective; resist the types of attacks that will be promulgated against the software  In the event of a failure, software must “fail well”, that is fail in such a manner as to minimize consequences of successful attack  Install with sensible, “closed” defaults
6 A Process Knowledge Required Before the Threat Model The contributing knowledge domains are “The 3 S’s: Strategy, Structures, and Specifications.” “The 3 S’s” encompass: security strategy for the organization and this system, any infrastructure and security services (structures), and things like data classifications, runtime and execution environment, deployment methods, and the like (specifications):  Strategy o Threat landscape o The organization’s and system’s required risk posture  Structures o Existing and implementable security controls o Security infrastructure that does not exist (limitations)  Specification o Data sensitivities o The runtime and execution environment o How do code and systems get deployed? There is no book of “correct” answers. Each organization is different. Who Should Participate in The Threat Model? At the very least, all the domain experts and someone familiar with the threat landscape that is relevant to the system under analysis and the exploits commonly tried against such systems (“security expertise”). Even better, involve everyone who will help to build the software/system. Simply remind everyone who participates that threat models are very sensitive analyses. Identifying Important Requirements As was noted earlier, context matters. Without understanding organizational goals and the goals of attackers, all avenues of attack will appear to be equal. In a universe of limited resources, there will be a strong need to focus in on the attacks that pose the most danger to the organization. Importantly, what risks can be tolerated? Assessing Risk Set priorities with risk. How much risk is highly context dependent, and is often unique to an organization. Risk != vulnerability
7 Threat != vulnerability Threat != exploit Participants were introduced to Just Good Enough Risk Rating (JGERR) which is based on Factor Analysis of Information Risk (FAIR), an Open Group standard. JGERR breaks down an attack into 5 terms, 4 of which can be treated as essentially Boolean for the purposes of rating possible attacks when threat modeling. JGERR does not purport to calculate risk, but rather to quickly identify the important attack possibilities, as well as to deprioritize the less important attacks. "Credible Attack Vector" (CAV) was defined as one method for analyzing attack types. CAV == Threat & Exploit & Exposure & Vulnerability Interrupt any CAV term and you interrupt the kill chain, that is the entire CAV. Defenses should negate at least 1 term in the CAV. Sometimes a defense makes it more difficult to achieve one of the terms. We examined how authentication in some cases provides little prevention, and may be used solely to tie an action to a user’s ID. (break the kill chain; eliminate the CAV; lower risk exposure) *Given 0 < CAV < 1, then risk might be expressed as: *Risk Rating = CAV * Impact Still, there is no risk if there is no impact. Impact is used since some attacks are stepping stones towards the attacker’s goals. If an attack offers no additional attacker value to achieve ultimate goals, then the attack will not be used in the wild (though security researchers may be interested). This is a type of low impact situation. We examined the situation where a buffer overflow can only be achieved at very high privilege. In such a case, the exploitation does not provide additional attacker value because the attacker already has control of the operating system. It is important to think not only about harm to a system and organization, but also about whether exploitation provides attacker value.
8 ATASM I presented threat modeling as a linear progression. But the process is often fractal, as previously uninvestigated components open up further unknown areas where the investigation begins afresh. The analysis may have to recourse back to the start again, complete for that area, then return informed to the area that had been under analysis previously. Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations Each of these high level activities breaks into sub-steps. It doesn’t matter where the analysis starts: assets, use cases, structure, threat landscape, attack surfaces. Each area has to be analyzed for any given system. And each area will have dependencies on the others. How the analysis proceeds seem to be largely a matter of preference and thinking style. Begin where you are comfortable and proceed. The point is to arrive at a prioritized list of security requirements that will need to be built in order to bring the system to the desired defensive posture.
9 By Sung Lee; concept by David Wheeler; used with permission Structure and Flow There is no perfect architecture view. Component, functional, or logical1 architecture is often a good place to start. But views can range from the enterprise view (“Conceptual”) to detailed physical or technological views. Each view may add important knowledge as different aspects of a complex system are analyzed. Architecture is at least in part about abstraction to consider an aspect of complexity without getting bogged down in details that aren’t relevant for that consideration. Some parts of the structure are highlighted (abstracted from the whole) while details are obscured. Since security 1 Depending upon the architecture methodology, component, functional, and logical may be distinct views or may be different names for the same view. In some systems, these can also be combined. So I have listed them all in the hopes that one of these names will fit with your local architecture methodology.
10 operates at all levels and across most if not all domains, for a security analysis, many different views may have to be considered. A data flow diagram (DFD) can highlight inputs and outputs. Inputs are a great place to identify potential attack points (“attack surfaces”). Still, one must decide at what level of abstraction to draw the system. Generally, the architecture of the intra-process call tree will be too granular. Still, where untrusted operating system communications or where the operating system itself may be compromised, even intra-process calls may have to be considered. In any event, complex systems generally get considered at their coarsest grain structure, and then sub-views, breaking these large structures into component parts (“factoring” the architecture) may be needed in order to keep views understandable and uncluttered. Threat Agents We played with categorizing the goals and capabilities of varying threat agents (human actors who attack computer systems). Each work group created their own list from which to work.
11 A Threat Agent Matrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium Low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low None Occasional Insider Revenge Varies Very high None Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low Low low Security Researcher Career enhancement High None High medium
12 Example Analysis Mobile Security Application Simple ATASM Steps  Enumerate CAV  Define and score impacts  Enumerate existing mitigations  Develop requirements to bring system to desired posture  Prioritize  Share and review with entire team + product management
13 2 Analysis background and structural points  Must reside in OS application sandbox  Intercept in system to grab privileged events of interest for examination 2 Copyright Brook S.E. Schoenfield, 2015. Used with permission
14  Intercept at higher privilege  Intercept initialized early boot  Intercept proxies events to engine  Engine contains decision logic  UI starts engine & communicate  Files parsed/normalized by file opener  External communications proxied through communicate  Notifications from cloud through OS push notifications  All message exchanges are initiated from device  Response to notification  Device certificate/private key issued at enrollment  Messages/updates signed by cloud services Documenting the Model • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls Closing Thoughts Suggestions to Increase Skill  Find an experienced mentor and 2 peer reviewers  Having one reviewer who is Independent from the development team, the architecture the threat model helps to increase the power of the review  Just do it!  Threat models need to be revisited when architecture, threat landscape, and security features change  Experienced threat modelers, please make yourself available!  Start with your own projects  Gather the team and wrestle with the threat model  To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
15 Resources https://www.owasp.org/index.php/Application_Threat_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321 http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf https://www.facebook.com/securingsystems http://www.amazon.com/Securing-Systems-Applied-Security-Architecture/dp/1482233975 https://www.facebook.com/softwaresec www.amazon.com/Core-Software-Security-Source http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf brook.e.schoenfield@intel.com (before March 31, 2017) brook_schoenfield@mcafee.com (after March 31, 2017) http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield
SESSION ID:SESSION ID: #RSAC Brook Stephan Schoenfield Threat Modeling Demystified LAB3-W04 Product Architect Product Security Intel Security @BrkSchoenfield
#RSAC Brook S.E. Schoenfield, MBA Principal Engineer >1000 security reviews 16+ years security 30+ years software/hi-tech Real-time OS, TCP/IP stack down to hardware 5th virtual team lead, 9th technical leader role 4th software security lead @ 4th organization • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum
#RSAC • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum • >1000 security reviews • 16+ years security • 30+ years software/hi-tech • Real-time OS, TCP/IP stack down to hardware • 5th virtual team lead, 9th technical leader role • 4th software security lead @ 4th organization
#RSAC First Comments • ATASM1 is a pedagogy • ATASM is a mnemonic, a high level abstraction for a process that is often non-linear, and highly recursive • “Peel the onion” is close to reality, but harder to learn and to coach: a real threat model process is often quite fractal • You are encouraged to use ATASM; if useful, please teach 1. ATASM/risk material © Brook S.E. Schoenfield, 2010-2015, all rights reserved, CRC Press, 2015. Used with permission
#RSAC Possible Outcomes From This Session • Newbies: Introduction to threat modeling concepts • Learners: Dig deeper, gain consistency, increase comfort, practice • Practitioners: Conceptualization and explanation; a method that fosters inclusion • Experts: Articulate in order to present and to teach • Everyone: Hopefully, some new tricks of the trade?
#RSAC What Can Be Said About This “Architecture”?
#RSAC Is This Any Better?
#RSAC Break into work groups (4-6) to brainstorm examples of insecure design.
#RSAC Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 9 Design brainstorm report back from workgroups
#RSAC Consider Recent Design Misses That Jeep Wrangler Open WiFi Pacemaker The Target breach was a system design failure
#RSAC A start… Creative Commons Attribution-ShareAlike 3.0 license. http://cybersecurity.ieee.org/images/files/images/pdf/ CybersecurityInitiative-online.pdf
#RSAC Threat modeling is a technique to identify the attacks a system1 must resist and the defenses that will bring the system to a desired defensive state 1. “system” is defined inclusively
#RSAC 13 The Timing Component: Earlier is Better
#RSAC 14 Acknowledgement and Planning
#RSAC Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood Revisit the threat model when the architecture materially changes. Threat models are living documents. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately.
#RSAC Tool Belt Architecture is a tool for structuring complexity Architecture provides a playground for potential changes Architecture Risk Assessment (ARA) is a tool for applying a threat landscape to an architecture to uncover security needs Threat modeling is a tool for secure design. A threat model is not a “design” Threat model is dependent upon architectural understanding Threat models output security requirements
#RSAC Everything You Know About Security…
#RSAC “Secure” Software Must: • Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
#RSAC Design Secure Software • Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
#RSAC What Can We Infer? What More Do We Need And Why?
#RSAC Securing Systems, CRC Press, 2015 Prework: The 3 S’s
#RSAC Securing Systems, CRC Press, 2015 Background Information Is Critical
#RSAC A threat model is a crossroads of knowledge from architecture experts, domain experts, and security experts Absence of one or more stakeholders cripples the model and its usefulness
#RSAC Personal accelerometer • Measures movement of body • Worn on wrist • Extremely low power • Long battery life • Minimal operating system and CPU
#RSAC Low Power Bluetooth Specification • There is no protection of communications! • E.g., TLS not used over open air • Authentication by device ID only • Devices only exchange movement data
#RSAC Understanding system architecture is key Differing views and levels of detail each solve distinct problems There is no perfect view or level
#RSAC A Threat Model From This?
#RSAC Web-Sock-A-Rama: Any More Information?
#RSAC Web-Sock-A-Rama Web Business • Successful Online Sock store • All kinds of socks: men, women, children, specialty, sports, artistic, novelty • Takes no public political positions • Relatively risk averse • Customers are considered the business’ greatest resource • Customer security and privacy prime objectives • Assume that the support and administration of the infrastructure is run rigorously: • strong access controls and need-to-know (e.g., NIST-800-53): networks, hosts, execution environments • External network separated from internal • Administration is via highly controlled management network
#RSAC Start At High Level What is the organization’s purpose? What is this system’s purpose? How does this system contribute to the organization goals? To an enterprise architecture? What are the major functions? How do these interact? Why? Derive, if you can, the intended risk posture
#RSAC Web-Sock-A-Rama Find an attack vector
#RSAC Logical Or Component Level
#RSAC Useful View?
#RSAC Securing Systems, CRC Press, 2015 ATASM Threat Modeling = Applied security architecture
#RSAC "ISecG ESPT Security Test Plan Report”, April 14, 2014, by Eoin Carroll Substeps ISecG ESPT Security Test Plan Report [Product] Architecture/Design Review ATAM Securing Systems: Applied Security Architecture and Threat Models, Brook S.E Schoenfield [2015]
#RSAC Securing System, CRC Press, 2015 Fractal  Recursive
Threats Attack Surfaces Mitigations Revisit/revise Use Cases Architecture Assets Security Requirements Threat modeling is a technique to identify the attacks a system must resist and the defenses that will bring the system to a desired defensive state By Sung Lee; concept by David Wheeler; used with permission
Threats Attack Surfaces Mitigations Use Cases Architecture Assets Security Requirements Adapted from original by Sung Lee; concept by David Wheeler; used with permission
#RSAC The outcome, the ”point” is to discover the necessary security requirements “Security needs tend to get expressed as system constraints” – Erik Simmons
#RSAC Digging into threat agents and their methods Focus on human actors Adversaries are adaptable and creative
#RSAC Threat Attributes © Brook S.E. Schoenfield, Securing Systems, 2015, all rights reserved
#RSAC
#RSAC Threat Landscape
#RSAC • Divide paper into 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
#RSAC • Divide paper into 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
#RSAC Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 46 Put our matrices together
#RSAC Set priority with risk Risk != vulnerability Threat != vulnerability Threat != exploit
#RSAC Set Priority With Risk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss
#RSAC Set Priority With Risk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss We haven’t actuarial tables
#RSAC Successful attack requires an active threat agent who has the motivation to attack that particular system and who uses the threat agent's skills (exploit) via an exposed (attack surface) exploitable weakness (vulnerability) that can be manipulated by that attacker. Threat + exploit + exposure + vulnerability
#RSAC For Threat Models Only! "Credible Attack Vector" (CAV) CAV == Threat & Exploit & Exposure & Vulnerability (consider each term as essentially boolean for this narrow context) Interrupt any CAV term and you interrupt the kill chain E.g., Threat & Exploit & !Exposure & Vulnerability != CAV (break the kill chain; eliminate the CAV; lower risk exposure) Given 0 < CAV < 1, then risk might be expressed as: Risk Rating = CAV * Impact (essentially how JGERR rates risks)
#RSAC Yes, I switched the order for teaching purposes Now That You Know, Let’s Have Some Fun… Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations
#RSAC Threat modeling Examples Fictitious but based on real systems
#RSAC Logical Or Component Level
#RSAC Business Intelligence (Analytics) @Digital Diskus
#RSAC Analytics Data Harvesting
#RSAC Analytics Data Harvesting Attack Surface
#RSAC System Components
#RSAC Holistic Analysis Will Protect Data Sources
#RSAC System Components Attack Surfaces
#RSAC System Components Attacks At Assets
#RSAC User Roles & Flows
#RSAC User Roles & Flows Attack Surfaces
#RSAC Identity Services: Who’s In Danger?
#RSAC Mobile Security System • Must reside in OS application sandbox • Intercept in system to grab privileged events of interest for examination • Intercept at higher privilege • Intercept initialized early boot • Intercept proxies events to engine • Engine contains decision logic • UI starts engine & communicate • Files parsed/normalized by file opener • External communications proxied through communicate • Notifications from cloud through OS push notifications • All message exchanges are initiated from device • Response to notification • Device certificate/private key issued at enrollment • Messages/updates signed by cloud services
#RSAC Mobile Security App Break Into Teams To Analyze
#RSAC Consider Server-side Components
#RSAC After the threat model, then what? Prioritization is one of the hardest problems
#RSAC Simple Threat Model Steps (Won’t likely be linear) Enumerate CAV Define and score impacts Enumerate existing mitigations Develop requirements to bring system to desired posture Prioritize Share and review with entire team + product management
#RSAC How Do We Prioritize? o Risk rate each CAV+impact that is not sufficiently protected o Decide where the risk “line” is (low, medium, only high) o Engage stakeholders in constructive dialog o Write exceptions for items that should get implemented but must wait
#RSAC Getting requirements implemented is an entirely different story… (feel free to ask)
#RSAC Getting requirements implemented is an entirely different story… (feel free to ask) Composing requirements that can and will be built is a distinct discipline Effective Requirements
#RSAC Hints For Clearer Requirements • Separate the functional need from any solution • Tell designers what function is required, not how to build that function • Give implementers room for creativity and innovation • Don’t lock in obsolescence • The amount of detail required is inverse to the amount of skill and knowledge of the implementers • Skilled teams need only understand what functionality is required • Unskilled implementers will need lots of detail
#RSAC Closing thoughts
#RSAC What kind of docs must you have? • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls
#RSAC Next Steps Find an experienced mentor and 2 peer reviewers Independence helps Just do it! Threat models need to be revisited when architecture, threat landscape, and security features change Experienced threat modelers, please make yourself available! Start with your own projects Gather the team and wrestle with the threat model To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
#RSAC Shameless Self-promotion https://www.facebook.com/securingsystems
#RSAC A Threat Modeling Library https://www.facebook.com/securingsystems
#RSAC Some Resources https://www.owasp.org/index.php/Application_Threat_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321 http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment .pdf https://www.facebook.com/securingsystems http://www.amazon.com/Securing-Systems-Applied-Security- Architecture/dp/1482233975 https://www.facebook.com/softwaresec www.amazon.com/Core-Software-Security-Source
#RSAC Where To Find Me Brook.e.schoenfield@intel.com http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
#RSAC Brook’s Social Networking https://www.linkedin.com/in/brookschoenfield 1 http://www.amazon.com/Brook-S.-E.-Schoenfield/e/B00XQFZLSW 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
#RSAC www.brookschoenfield.com
A Threat Agent Matrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low none Occasional Insider Revenge Varies Very high none Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low low low Security Researcher Career enhancement High None high medium

More Related Content

DOCX
Hacking'in Mavi Tarafı -2
byTurkhackteam Blue Team
 
PDF
Webinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
byBGA Cyber Security
 
PPSX
Ids 005 computer viruses
byjyoti_lakhani
 
PDF
Embedded Operating System - Linux
byEmertxe Information Technologies Pvt Ltd
 
PDF
[db tech showcase Tokyo 2017] C23: Lessons from SQLite4 by SQLite.org - Richa...
byInsight Technology, Inc.
 
PDF
Burp suite
byhamdi_sevben
 
PPTX
Revisit DCA, PCIe TPH and DDIO
byHisaki Ohara
 
PPTX
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 
Hacking'in Mavi Tarafı -2
byTurkhackteam Blue Team
 
Webinar: Siber Güvenlikte Olgunluk Seviyesini Arttırmak
byBGA Cyber Security
 
Ids 005 computer viruses
byjyoti_lakhani
 
Embedded Operating System - Linux
byEmertxe Information Technologies Pvt Ltd
 
[db tech showcase Tokyo 2017] C23: Lessons from SQLite4 by SQLite.org - Richa...
byInsight Technology, Inc.
 
Burp suite
byhamdi_sevben
 
Revisit DCA, PCIe TPH and DDIO
byHisaki Ohara
 
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 

What's hot

PDF
Sandbox Atlatma Teknikleri ve Öneriler
byBGA Cyber Security
 
PDF
Metasploit El Kitabı
byBGA Cyber Security
 
PDF
Super Easy Memory Forensics
byIIJ
 
PDF
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
byMasahiko Sawada
 
PDF
Demystifying Initial Access in Azure
byGabriel Mathenge
 
PPTX
Pentesting Android Apps
byAbdelhamid Limami
 
PDF
OpenSearch.pdf
byAbhi Jain
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PDF
Biscuit: an operating system written in go
bySeongJae Park
 
PPTX
ASH and AWR on DB12c
byKellyn Pot'Vin-Gorman
 
PPTX
Introduction to Malware Detection and Reverse Engineering
byintertelinvestigations
 
PDF
Mobile Application Penetration Testing
byBGA Cyber Security
 
PPT
Pentesting Using Burp Suite
byjasonhaddix
 
PPTX
Understanding my database through SQL*Plus using the free tool eDB360
byCarlos Sierra
 
PDF
FreeRTOS API
byVincent Claes
 
PDF
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
byAnne Nicolas
 
ZIP
WebLogic Administration und Deployment mit WLST
byenpit GmbH & Co. KG
 
PPT
OpenSearch
byhchen1
 
PDF
Nessus Software
byMegha Sahu
 
DOC
Malicious file upload attacks - a case study
byOktawian Powazka
 
Sandbox Atlatma Teknikleri ve Öneriler
byBGA Cyber Security
 
Metasploit El Kitabı
byBGA Cyber Security
 
Super Easy Memory Forensics
byIIJ
 
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
byMasahiko Sawada
 
Demystifying Initial Access in Azure
byGabriel Mathenge
 
Pentesting Android Apps
byAbdelhamid Limami
 
OpenSearch.pdf
byAbhi Jain
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Biscuit: an operating system written in go
bySeongJae Park
 
ASH and AWR on DB12c
byKellyn Pot'Vin-Gorman
 
Introduction to Malware Detection and Reverse Engineering
byintertelinvestigations
 
Mobile Application Penetration Testing
byBGA Cyber Security
 
Pentesting Using Burp Suite
byjasonhaddix
 
Understanding my database through SQL*Plus using the free tool eDB360
byCarlos Sierra
 
FreeRTOS API
byVincent Claes
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
byAnne Nicolas
 
WebLogic Administration und Deployment mit WLST
byenpit GmbH & Co. KG
 
OpenSearch
byhchen1
 
Nessus Software
byMegha Sahu
 
Malicious file upload attacks - a case study
byOktawian Powazka
 

Similar to Threat modeling demystified

PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
Security architecture, engineering and operations
byPiyush Jain
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PPT
Software Security Testing
byankitmehta21
 
PDF
Security Fundamentals and Threat Modelling
byKnoldus Inc.
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PDF
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PPT
Security Overview - Updates and Trends In Detail
byMohanArumugam24
 
PPTX
Networks
byjanani thirupathi
 
PPTX
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
PPTX
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
PPTX
Acoustic based target recognition based on machien learning
byGulZamanKhan15
 
PPTX
MODELING THREATS HAER YERE SINIRR JKOA A
byjuan60m3zz
 
PPT
Software Security in the Real World
byMark Curphey
 
PPTX
Moving Security to the Left
byJavier Godinez
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Security architecture, engineering and operations
byPiyush Jain
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Software Security Testing
byankitmehta21
 
Security Fundamentals and Threat Modelling
byKnoldus Inc.
 
Application Threat Modeling
byPriyanka Aash
 
Application Threat Modeling In Risk Management
byMel Drews
 
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
Security Overview - Updates and Trends In Detail
byMohanArumugam24
 
Networks
byjanani thirupathi
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
Null bachav
byNaga Venkata Sunil Alamuri
 
Architecting for Security Resilience
byJoel Aleburu
 
Acoustic based target recognition based on machien learning
byGulZamanKhan15
 
MODELING THREATS HAER YERE SINIRR JKOA A
byjuan60m3zz
 
Software Security in the Real World
byMark Curphey
 
Moving Security to the Left
byJavier Godinez
 

More from Priyanka Aash

PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
December Patch Tuesday
byIvanti
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
The year in review - MarvelClient in 2025
bypanagenda
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
AI Technology important knowledge ......
byutkarshj2007
 
In this document
Powered by AI

Overview of threat modeling, its importance in security, and introduction to key principles of analysis.

Threat modeling as part of secure design, focusing on architecture evaluation and creating a threat model.

Discussion on categorizing threat agents by their goals, abilities, and characteristics, and how they impact security.

Procedure through threat modeling with focus on documenting the model and operational insights.Concluding suggestions on developing skills in threat modeling and additional resources for learning.

The importance of iterative threat modeling assessments and how it works alongside architecture and design.

Final insights and actionable steps for effective threat modeling and continuous improvement in security practices.

Various links and resources to support further learning in threat modeling and security strategies.

Threat modeling demystified

  • 1.
    Threat Modeling Demystified BrookS.E. Schoenfield Author, Principal Engineer, Lead Product Security Architect, Intel Security Curious questioner
  • 2.
    2 Table of Contents INTRODUCTION.....................................................................................................................3 THREAT MODELING IS DESIGN-TIME ANALYSIS .......................................................................... 4 We have a Secure Design Problem..............................................................................................4 Threat Modeling Is Applied to an Architecture ...........................................................................4 Secure Software Imperatives.......................................................................................................5 A PROCESS ............................................................................................................................ 6 Knowledge Required Before the Threat Model...........................................................................6 There is no book of “correct” answers. Each organization is different..................................................6 Who Should Participate in The Threat Model? ...........................................................................6 Identifying Important Requirements...........................................................................................6 Assessing Risk ........................................................................................................................................6 ATASM..........................................................................................................................................8 Structure and Flow.......................................................................................................................9 Threat Agents.............................................................................................................................10 A Threat Agent Matrix .........................................................................................................................11 EXAMPLE ANALYSIS..............................................................................................................12 Mobile Security Application.......................................................................................................12 Simple ATASM Steps............................................................................................................................12 Analysis background and structural points..........................................................................................13 Documenting the Model......................................................................................................................14 CLOSING THOUGHTS ............................................................................................................14 Suggestions To Increase Skill .....................................................................................................14 RESOURCES..........................................................................................................................15
  • 3.
    3 Introduction Many thanks tothe people who spent 2 hours with me, Wednesday morning at RSAC 2017, San Francisco. Without your active participation, learning to threat model is a great deal harder. It turns out, after years of trying to help others climb into the art of seeing systems through the eyes of attackers that groups are one of the best ways to learn. Indeed, threat modeling is best done by the entire development team, anyway. So, by learning in groups, we model the way we are likely to get our best results when analyzing our own systems. Spending a few hours with people in this activity, or even an entire day, is one of the most rewarding activities that I am privileged to do. Thank you for taking the journey with me. In this document, I hope to summarize the main points we covered, as well as top provide just a little bit more than the slides for the Lab. I did fill in the notes for most of my slides as well, so they should be a useful reference, too.
  • 4.
    4 Threat Modeling IsDesign-Time Analysis We have a Secure Design Problem While some security issues (vulnerabilities) are implementation errors, a fair number of security issues are the result of a lack of security thinking while creating the structure of software (architecture) and then expressing the structure and the requirements in a codable/implementable design. Several obvious design issues were presented, most notably:  The hacked Jeep Wrangler (failed low level access control)  A pacemaker that joins open WiFi (open communications that assume all communications are benevolent)  The Target stores payment terminal hack (failure to isolate sensitive assets and to grant only required access) Threat Modeling Is Applied to an Architecture Architecture is the process of ordering the structure of things (e.g., buildings, cities, software systems, an enterprise, software, anything that is sufficiently complex such that the builders wish to structure it). Architecture uses abstraction in order to understand the system and in order to play with particular aspects of it. Threat modeling is an analysis technique to foster secure design. A threat model is not a “design”. Threat models output security requirements which then must be expressed in the design and then implemented and validated. Start the threat model at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood. Revisit the threat model when the architecture materially changes. That is, revisit when components are added or removed, or lines/forms of communication are added or changed. Threat models are living documents. That is, the analysis may be done as a point in time, but material changes must be reflected in the threat model. This is particularly important for iterative forms of development. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately (whenever there are structural changes). Threat modeling may be thought of as applied security architecture. Security architecture is the practice of building defense-in-depth based upon considering how attackers will try to use a system in order for the attacker(s) to achieve her/his/their goals.
  • 5.
    5 Secure Software Imperatives Wetook the time to define the qualities that secure software exhibits. The following design/architecture imperatives describe the behaviors of “secure software”. We noted that only the first imperative directly deals with implementation errors (commonly called “vulnerabilities”). The other 4 imperatives will be fulfilled through secure design practices.  Be free from errors that can be maliciously manipulated, ergo, vulnerabilities  Have the security features that customers require for the intended use cases  Be self-protective; resist the types of attacks that will be promulgated against the software  In the event of a failure, software must “fail well”, that is fail in such a manner as to minimize consequences of successful attack  Install with sensible, “closed” defaults
  • 6.
    6 A Process Knowledge RequiredBefore the Threat Model The contributing knowledge domains are “The 3 S’s: Strategy, Structures, and Specifications.” “The 3 S’s” encompass: security strategy for the organization and this system, any infrastructure and security services (structures), and things like data classifications, runtime and execution environment, deployment methods, and the like (specifications):  Strategy o Threat landscape o The organization’s and system’s required risk posture  Structures o Existing and implementable security controls o Security infrastructure that does not exist (limitations)  Specification o Data sensitivities o The runtime and execution environment o How do code and systems get deployed? There is no book of “correct” answers. Each organization is different. Who Should Participate in The Threat Model? At the very least, all the domain experts and someone familiar with the threat landscape that is relevant to the system under analysis and the exploits commonly tried against such systems (“security expertise”). Even better, involve everyone who will help to build the software/system. Simply remind everyone who participates that threat models are very sensitive analyses. Identifying Important Requirements As was noted earlier, context matters. Without understanding organizational goals and the goals of attackers, all avenues of attack will appear to be equal. In a universe of limited resources, there will be a strong need to focus in on the attacks that pose the most danger to the organization. Importantly, what risks can be tolerated? Assessing Risk Set priorities with risk. How much risk is highly context dependent, and is often unique to an organization. Risk != vulnerability
  • 7.
    7 Threat != vulnerability Threat!= exploit Participants were introduced to Just Good Enough Risk Rating (JGERR) which is based on Factor Analysis of Information Risk (FAIR), an Open Group standard. JGERR breaks down an attack into 5 terms, 4 of which can be treated as essentially Boolean for the purposes of rating possible attacks when threat modeling. JGERR does not purport to calculate risk, but rather to quickly identify the important attack possibilities, as well as to deprioritize the less important attacks. "Credible Attack Vector" (CAV) was defined as one method for analyzing attack types. CAV == Threat & Exploit & Exposure & Vulnerability Interrupt any CAV term and you interrupt the kill chain, that is the entire CAV. Defenses should negate at least 1 term in the CAV. Sometimes a defense makes it more difficult to achieve one of the terms. We examined how authentication in some cases provides little prevention, and may be used solely to tie an action to a user’s ID. (break the kill chain; eliminate the CAV; lower risk exposure) *Given 0 < CAV < 1, then risk might be expressed as: *Risk Rating = CAV * Impact Still, there is no risk if there is no impact. Impact is used since some attacks are stepping stones towards the attacker’s goals. If an attack offers no additional attacker value to achieve ultimate goals, then the attack will not be used in the wild (though security researchers may be interested). This is a type of low impact situation. We examined the situation where a buffer overflow can only be achieved at very high privilege. In such a case, the exploitation does not provide additional attacker value because the attacker already has control of the operating system. It is important to think not only about harm to a system and organization, but also about whether exploitation provides attacker value.
  • 8.
    8 ATASM I presented threatmodeling as a linear progression. But the process is often fractal, as previously uninvestigated components open up further unknown areas where the investigation begins afresh. The analysis may have to recourse back to the start again, complete for that area, then return informed to the area that had been under analysis previously. Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations Each of these high level activities breaks into sub-steps. It doesn’t matter where the analysis starts: assets, use cases, structure, threat landscape, attack surfaces. Each area has to be analyzed for any given system. And each area will have dependencies on the others. How the analysis proceeds seem to be largely a matter of preference and thinking style. Begin where you are comfortable and proceed. The point is to arrive at a prioritized list of security requirements that will need to be built in order to bring the system to the desired defensive posture.
  • 9.
    9 By Sung Lee;concept by David Wheeler; used with permission Structure and Flow There is no perfect architecture view. Component, functional, or logical1 architecture is often a good place to start. But views can range from the enterprise view (“Conceptual”) to detailed physical or technological views. Each view may add important knowledge as different aspects of a complex system are analyzed. Architecture is at least in part about abstraction to consider an aspect of complexity without getting bogged down in details that aren’t relevant for that consideration. Some parts of the structure are highlighted (abstracted from the whole) while details are obscured. Since security 1 Depending upon the architecture methodology, component, functional, and logical may be distinct views or may be different names for the same view. In some systems, these can also be combined. So I have listed them all in the hopes that one of these names will fit with your local architecture methodology.
  • 10.
    10 operates at alllevels and across most if not all domains, for a security analysis, many different views may have to be considered. A data flow diagram (DFD) can highlight inputs and outputs. Inputs are a great place to identify potential attack points (“attack surfaces”). Still, one must decide at what level of abstraction to draw the system. Generally, the architecture of the intra-process call tree will be too granular. Still, where untrusted operating system communications or where the operating system itself may be compromised, even intra-process calls may have to be considered. In any event, complex systems generally get considered at their coarsest grain structure, and then sub-views, breaking these large structures into component parts (“factoring” the architecture) may be needed in order to keep views understandable and uncluttered. Threat Agents We played with categorizing the goals and capabilities of varying threat agents (human actors who attack computer systems). Each work group created their own list from which to work.
  • 11.
    11 A Threat AgentMatrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium Low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low None Occasional Insider Revenge Varies Very high None Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low Low low Security Researcher Career enhancement High None High medium
  • 12.
    12 Example Analysis Mobile SecurityApplication Simple ATASM Steps  Enumerate CAV  Define and score impacts  Enumerate existing mitigations  Develop requirements to bring system to desired posture  Prioritize  Share and review with entire team + product management
  • 13.
    13 2 Analysis background andstructural points  Must reside in OS application sandbox  Intercept in system to grab privileged events of interest for examination 2 Copyright Brook S.E. Schoenfield, 2015. Used with permission
  • 14.
    14  Intercept athigher privilege  Intercept initialized early boot  Intercept proxies events to engine  Engine contains decision logic  UI starts engine & communicate  Files parsed/normalized by file opener  External communications proxied through communicate  Notifications from cloud through OS push notifications  All message exchanges are initiated from device  Response to notification  Device certificate/private key issued at enrollment  Messages/updates signed by cloud services Documenting the Model • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls Closing Thoughts Suggestions to Increase Skill  Find an experienced mentor and 2 peer reviewers  Having one reviewer who is Independent from the development team, the architecture the threat model helps to increase the power of the review  Just do it!  Threat models need to be revisited when architecture, threat landscape, and security features change  Experienced threat modelers, please make yourself available!  Start with your own projects  Gather the team and wrestle with the threat model  To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
  • 15.
    15 Resources https://www.owasp.org/index.php/Application_Threat_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321 http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf https://www.facebook.com/securingsystems http://www.amazon.com/Securing-Systems-Applied-Security-Architecture/dp/1482233975 https://www.facebook.com/softwaresec www.amazon.com/Core-Software-Security-Source http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf brook.e.schoenfield@intel.com (before March31, 2017) brook_schoenfield@mcafee.com (after March 31, 2017) http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield
  • 16.
    SESSION ID:SESSION ID: #RSAC BrookStephan Schoenfield Threat Modeling Demystified LAB3-W04 Product Architect Product Security Intel Security @BrkSchoenfield
  • 17.
    #RSAC Brook S.E. Schoenfield,MBA Principal Engineer >1000 security reviews 16+ years security 30+ years software/hi-tech Real-time OS, TCP/IP stack down to hardware 5th virtual team lead, 9th technical leader role 4th software security lead @ 4th organization • SANS Institute Featured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum
  • 18.
    #RSAC • SANS InstituteFeatured Speaker, contributor GWEB certification • Author: – Securing Systems, CRC Press, 2015 – Core Software Security, CRC Press, 2014 – Avoiding The Top 10 Security Design Flaws, IEEE – Various SANS Smart Guides, papers, etc. • Founding member IEEE Center for Secure Design • Featured security architect at Bletchley Park Cyber Museum • >1000 security reviews • 16+ years security • 30+ years software/hi-tech • Real-time OS, TCP/IP stack down to hardware • 5th virtual team lead, 9th technical leader role • 4th software security lead @ 4th organization
  • 19.
    #RSAC First Comments • ATASM1is a pedagogy • ATASM is a mnemonic, a high level abstraction for a process that is often non-linear, and highly recursive • “Peel the onion” is close to reality, but harder to learn and to coach: a real threat model process is often quite fractal • You are encouraged to use ATASM; if useful, please teach 1. ATASM/risk material © Brook S.E. Schoenfield, 2010-2015, all rights reserved, CRC Press, 2015. Used with permission
  • 20.
    #RSAC Possible Outcomes FromThis Session • Newbies: Introduction to threat modeling concepts • Learners: Dig deeper, gain consistency, increase comfort, practice • Practitioners: Conceptualization and explanation; a method that fosters inclusion • Experts: Articulate in order to present and to teach • Everyone: Hopefully, some new tricks of the trade?
  • 21.
    #RSAC What Can BeSaid About This “Architecture”?
  • 22.
  • 23.
    #RSAC Break into workgroups (4-6) to brainstorm examples of insecure design.
  • 24.
    #RSAC Cisco Confidential© 2010Cisco and/or its affiliates. All rights reserved. 9 Design brainstorm report back from workgroups
  • 25.
    #RSAC Consider Recent DesignMisses That Jeep Wrangler Open WiFi Pacemaker The Target breach was a system design failure
  • 26.
    #RSAC A start… Creative CommonsAttribution-ShareAlike 3.0 license. http://cybersecurity.ieee.org/images/files/images/pdf/ CybersecurityInitiative-online.pdf
  • 27.
    #RSAC Threat modeling isa technique to identify the attacks a system1 must resist and the defenses that will bring the system to a desired defensive state 1. “system” is defined inclusively
  • 28.
  • 29.
  • 30.
    #RSAC Start the threatmodel at the point when the architecture is sufficiently defined such that most if not all of the major functional components are understood Revisit the threat model when the architecture materially changes. Threat models are living documents. Threat modeling is compatible with iterative development practices. Iterate the threat model appropriately.
  • 31.
    #RSAC Tool Belt Architecture isa tool for structuring complexity Architecture provides a playground for potential changes Architecture Risk Assessment (ARA) is a tool for applying a threat landscape to an architecture to uncover security needs Threat modeling is a tool for secure design. A threat model is not a “design” Threat model is dependent upon architectural understanding Threat models output security requirements
  • 32.
    #RSAC Everything You KnowAbout Security…
  • 33.
    #RSAC “Secure” Software Must: •Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
  • 34.
    #RSAC Design Secure Software •Be rid of implementation errors with exploitable effects • Contain customers’ security features • Be self-protective • Minimize consequences of successful attack (“fail well”) • Install with sensible, “closed” defaults
  • 35.
    #RSAC What Can WeInfer? What More Do We Need And Why?
  • 36.
    #RSAC Securing Systems, CRCPress, 2015 Prework: The 3 S’s
  • 37.
    #RSAC Securing Systems, CRCPress, 2015 Background Information Is Critical
  • 38.
    #RSAC A threat modelis a crossroads of knowledge from architecture experts, domain experts, and security experts Absence of one or more stakeholders cripples the model and its usefulness
  • 39.
    #RSAC Personal accelerometer • Measuresmovement of body • Worn on wrist • Extremely low power • Long battery life • Minimal operating system and CPU
  • 40.
    #RSAC Low Power BluetoothSpecification • There is no protection of communications! • E.g., TLS not used over open air • Authentication by device ID only • Devices only exchange movement data
  • 41.
    #RSAC Understanding system architectureis key Differing views and levels of detail each solve distinct problems There is no perfect view or level
  • 42.
  • 43.
  • 44.
    #RSAC Web-Sock-A-Rama Web Business •Successful Online Sock store • All kinds of socks: men, women, children, specialty, sports, artistic, novelty • Takes no public political positions • Relatively risk averse • Customers are considered the business’ greatest resource • Customer security and privacy prime objectives • Assume that the support and administration of the infrastructure is run rigorously: • strong access controls and need-to-know (e.g., NIST-800-53): networks, hosts, execution environments • External network separated from internal • Administration is via highly controlled management network
  • 45.
    #RSAC Start At HighLevel What is the organization’s purpose? What is this system’s purpose? How does this system contribute to the organization goals? To an enterprise architecture? What are the major functions? How do these interact? Why? Derive, if you can, the intended risk posture
  • 46.
  • 47.
  • 48.
  • 49.
    #RSAC Securing Systems, CRCPress, 2015 ATASM Threat Modeling = Applied security architecture
  • 50.
    #RSAC "ISecG ESPT SecurityTest Plan Report”, April 14, 2014, by Eoin Carroll Substeps ISecG ESPT Security Test Plan Report [Product] Architecture/Design Review ATAM Securing Systems: Applied Security Architecture and Threat Models, Brook S.E Schoenfield [2015]
  • 51.
    #RSAC Securing System, CRCPress, 2015 Fractal  Recursive
  • 52.
    Threats Attack Surfaces Mitigations Revisit/revise Use Cases Architecture Assets Security Requirements Threat modelingis a technique to identify the attacks a system must resist and the defenses that will bring the system to a desired defensive state By Sung Lee; concept by David Wheeler; used with permission
  • 53.
    Threats Attack Surfaces Mitigations Use Cases Architecture Assets Security Requirements Adaptedfrom original by Sung Lee; concept by David Wheeler; used with permission
  • 54.
    #RSAC The outcome, the”point” is to discover the necessary security requirements “Security needs tend to get expressed as system constraints” – Erik Simmons
  • 55.
    #RSAC Digging into threatagents and their methods Focus on human actors Adversaries are adaptable and creative
  • 56.
    #RSAC Threat Attributes © BrookS.E. Schoenfield, Securing Systems, 2015, all rights reserved
  • 57.
  • 58.
  • 59.
    #RSAC • Divide paperinto 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
  • 60.
    #RSAC • Divide paperinto 5 columns Threat Agent, Goals, Technical ability (Methods), Risk tolerance, Work Factor • Start by asking, “Who will want to attack this piece of software, when it runs under its normal, expected deployment?” • No discussion about the merits of an idea. (brainstorm principle) • Collate brainstorm ideas into the larger buckets. Be stereotypical • Derive your group’s threat agent landscape
  • 61.
    #RSAC Cisco Confidential© 2010Cisco and/or its affiliates. All rights reserved. 46 Put our matrices together
  • 62.
    #RSAC Set priority withrisk Risk != vulnerability Threat != vulnerability Threat != exploit
  • 63.
    #RSAC Set Priority WithRisk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss
  • 64.
    #RSAC Set Priority WithRisk A usable risk rating method should be: • Lightweight • Fast • Simple and understandable • Intuitive Risk = Probability * Annualized loss We haven’t actuarial tables
  • 65.
    #RSAC Successful attack requiresan active threat agent who has the motivation to attack that particular system and who uses the threat agent's skills (exploit) via an exposed (attack surface) exploitable weakness (vulnerability) that can be manipulated by that attacker. Threat + exploit + exposure + vulnerability
  • 66.
    #RSAC For Threat ModelsOnly! "Credible Attack Vector" (CAV) CAV == Threat & Exploit & Exposure & Vulnerability (consider each term as essentially boolean for this narrow context) Interrupt any CAV term and you interrupt the kill chain E.g., Threat & Exploit & !Exposure & Vulnerability != CAV (break the kill chain; eliminate the CAV; lower risk exposure) Given 0 < CAV < 1, then risk might be expressed as: Risk Rating = CAV * Impact (essentially how JGERR rates risks)
  • 67.
    #RSAC Yes, I switchedthe order for teaching purposes Now That You Know, Let’s Have Some Fun… Threats ⤵ Architecture ⤵ Attack Surfaces ⤵ Mitigations
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
    #RSAC Holistic Analysis WillProtect Data Sources
  • 75.
  • 76.
  • 77.
  • 78.
    #RSAC User Roles &Flows Attack Surfaces
  • 79.
  • 80.
    #RSAC Mobile Security System •Must reside in OS application sandbox • Intercept in system to grab privileged events of interest for examination • Intercept at higher privilege • Intercept initialized early boot • Intercept proxies events to engine • Engine contains decision logic • UI starts engine & communicate • Files parsed/normalized by file opener • External communications proxied through communicate • Notifications from cloud through OS push notifications • All message exchanges are initiated from device • Response to notification • Device certificate/private key issued at enrollment • Messages/updates signed by cloud services
  • 81.
    #RSAC Mobile Security App BreakInto Teams To Analyze
  • 82.
  • 83.
    #RSAC After the threatmodel, then what? Prioritization is one of the hardest problems
  • 84.
    #RSAC Simple Threat ModelSteps (Won’t likely be linear) Enumerate CAV Define and score impacts Enumerate existing mitigations Develop requirements to bring system to desired posture Prioritize Share and review with entire team + product management
  • 85.
    #RSAC How Do WePrioritize? o Risk rate each CAV+impact that is not sufficiently protected o Decide where the risk “line” is (low, medium, only high) o Engage stakeholders in constructive dialog o Write exceptions for items that should get implemented but must wait
  • 86.
    #RSAC Getting requirements implementedis an entirely different story… (feel free to ask)
  • 87.
    #RSAC Getting requirements implementedis an entirely different story… (feel free to ask) Composing requirements that can and will be built is a distinct discipline Effective Requirements
  • 88.
    #RSAC Hints For ClearerRequirements • Separate the functional need from any solution • Tell designers what function is required, not how to build that function • Give implementers room for creativity and innovation • Don’t lock in obsolescence • The amount of detail required is inverse to the amount of skill and knowledge of the implementers • Skilled teams need only understand what functionality is required • Unskilled implementers will need lots of detail
  • 89.
  • 90.
    #RSAC What kind ofdocs must you have? • The most important document is the requirements output from threat modeling • A threat model may be inferred from a thorough security requirements document • You must produce a requirements document • If visual, one or more visual depictions of the architecture • Different domains often require different views onto the same system • Views might include: • attack surfaces • Assets • Mitigations and controls
  • 91.
    #RSAC Next Steps Find anexperienced mentor and 2 peer reviewers Independence helps Just do it! Threat models need to be revisited when architecture, threat landscape, and security features change Experienced threat modelers, please make yourself available! Start with your own projects Gather the team and wrestle with the threat model To gain experience, you can help with other threat models — Modeling diverse architecture deepens abilities
  • 92.
  • 93.
    #RSAC A Threat ModelingLibrary https://www.facebook.com/securingsystems
  • 94.
  • 95.
    #RSAC Where To FindMe Brook.e.schoenfield@intel.com http://www.brookschoenfield.com brook@brookschoenfield.com @BrkSchoenfield 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
  • 96.
    #RSAC Brook’s Social Networking https://www.linkedin.com/in/brookschoenfield1 http://www.amazon.com/Brook-S.-E.-Schoenfield/e/B00XQFZLSW 1. I apologize in advance. I only Linkedin with people with whom I’ve had meaningful interaction. Thanks.
  • 97.
  • 98.
    A Threat AgentMatrix Threat Agent Goals Technical Ability Risk Tolerance Work Factor Activity Level Cybercrime Monetary Low (known proven) Low to medium low Very high, continual Industrial Espionage Information Medium to medium- high low medium Low. For enterprises, medium Nation-states Information Disruption Very high Very low Very high Medium but constant Law Enforcement/Gov Compliance Compliance Information Medium None – they are the law medium intermittent Insider monetary Varies Low none Occasional Insider Revenge Varies Very high none Occasional Usage abuse Unauthorized use Low Low Low constant Hacktivists Media attention for cause Low to medium Used to be high, now much lower medium intermittent Hackers Status Often very low Low low low Security Researcher Career enhancement High None high medium