Threat Modeling for Dummies

@adam_englander
Building Secure Applications:
Threat Modeling for Dummies
Adam Englander
Manager of Engineering, TransUnion

@adam_englander
What Are We Going to Cover
• An overview of threat modeling
• The process of threat modeling
• Some common tools to assist you
• An example from start to ﬁnish
• Action items for now, near future, and beyond

@adam_englander
What is threat modeling?

@adam_englander
–Wikipedia
“Threat modeling is a process by which
potential threats … can be identiﬁed,
enumerated, and prioritized – all from a
hypothetical attacker’s point of view.”

@adam_englander
What’s the process?

@adam_englander
Document All the Things!

@adam_englander
Map Out Your Application

@adam_englander
Internet
Internal
DMZ
System: Big Picture
Firewall
Load Balancer
MySQL MySQL
App Server
Firewall
DNS
SMTPCDN
Alerting
Stats
Bastion
Logs
Consumer
Payment
CA

@adam_englander
Process: Microscope
User Logs In
Views Product
Catalog
Adds Item to
Cart
Initiates
Checkout
Confirms
Billing Info
Selects
Payment
Method
Confirms
Shipping Info/
Method
Confirmation
Email Sent
Payment
Authorized

@adam_englander
Identify Assets
Commerce
Site
DB Credentials
SMTP Credentials
Payment GW Creds
Encryption Keys
SSL Certs
SSL Private Keys
Access to SMTP
Database
Cust Emails
Cust Billing Data
Cust PII
Payment Data
Order History
User Credentials
User Emails
Shopping Carts
Sessions
Inventory/Pricing
Transaction Logs
SMTP
DKIM Creds
Mail Logs
Payment
Gateway
Purchase History
Charge/Refund
Authority
Log Server
Raw Logs
Host Names
Stack Traces
Client IPs
User Behavior
Internal
Network
DB Admin Creds
Hosting Creds
DNS Admin Creds
Payment GW
Admin Creds
Encryption Keys
SSL Certs
SSL Private Keys

@adam_englander
Identify Entry Points
Firewall
App Server
Database HTTPS Unrestricted
Internal
Network
Internet
Firewall

@adam_englander
Identify Dependencies

@adam_englander
Out-of-Band Dependencies
CI/CD Server
Library RepositoryCode Repository
Conﬁguration
Management
Build Tools
3rd Party Code
3rd Party
Libraries

@adam_englander
Internet
Internal
DMZ
Critical Dependencies
Firewall
Load Balancer
MySQL MySQL
App Server
Firewall
DNS
SMTPCDN
Alerting
Stats
Bastion
Logs
Consumer
Payment
CA

@adam_englander
Internet
Internal
DMZ
Secondary Dependencies
Firewall
Load Balancer
MySQL MySQL
App Server
Firewall
DNS
SMTPCDN
Alerting
Stats
Bastion
Logs
Consumer
Payment
CA

@adam_englander
Identify Anything Else
Signiﬁcant

@adam_englander
Identify Threats

@adam_englander
What about fully mitigated
threats?

@adam_englander
Identifying Threats with STRIDE
• Spooﬁng - The attacker presents themselves as another user
• Tampering - Altering code, data, processes
• Repudiation - Providing ability to deny who performed an action
• Information disclosure - Attacker discloses secret information
• Denial of Service - Your system is partially or fully unavailable
• Elevation of Privilege - Accessing items for higher level user

@adam_englander
Mapping Attacks with Attack Trees
Enter
House
Through
Window
Through
Door
Break
Window
Force
Open
Stolen
Credentials
Authorized
User

@adam_englander
Quantifying Risk with DREAD
• Damage – how bad would an attack be?
• Reproducibility – how easy is it to reproduce the attack?
• Exploitability – how much work is it to launch the
attack?
• Affected users – how many people will be impacted?
• Discoverability – how easy is it to discover the threat?

@adam_englander
Resolve the Threat

@adam_englander
Mitigate Large Threats in Stages
Terrible Bad Okay Complete

@adam_englander
There Is No Absolute

@adam_englander
Quick Reduction of Threat

@adam_englander
Acceptable Reduction

@adam_englander
Complete Mitigation

@adam_englander
Example:
Insider Attack

@adam_englander
Actor
Lone Gunman
Competitor
Organized Crime
Nation State
Hactivist
Internal Attacker

@adam_englander
Asset
Commerce
Site
DB Credentials
SMTP Credentials
Payment GW Creds
Encryption Keys
SSL Certs
SSL Private Keys
Access to SMTP
Database
Cust Emails
Cust Billing Data
Cust PII
Payment Data
Order History
User Credentials
User Emails
Shopping Carts
Sessions
Inventory/Pricing
Transaction Logs
SMTP
DKIM Creds
Mail Logs
Payment
Gateway
Purchase History
Charge/Refund
Authority
Log Server
Raw Logs
Host Names
Stack Traces
Client IPs
User Behavior
Internal
Network
DB Admin Creds
Hosting Creds
DNS Admin Creds
Payment GW
Admin Creds
Encryption Keys
SSL Certs
SSL Private Keys

@adam_englander
Entry Point
Firewall
App Server
Database HTTPS UnrestrictedMySQL/TLS
Internal
Network
Internet
Firewall

@adam_englander
Attack Tree
Access
Database
From Web
Server
Internal
Network
Remote
Execution
SQL
Injection
Stolen
Credentials
Authorized
User

@adam_englander
Attack Tree
Stolen
Credentials
From App
Server
Code
Repository
From CI
Server

@adam_englander
Inside attackers can access all
customer PII and PC data from
databases using credentials from
code repositories on any
computer on the internal network
and not be discovered via logging

@adam_englander
DREAD
• Damage: Liability for stolen credit card
transactions, loss of credibility, loss of revenue
• Reproducibility: The skills necessary would be
knowing how to copy down the git repo and
execute queries via mysql
• Exploitability: There are no considerations beyond
install git and mysql-client to perform the attack

@adam_englander
DREAD
• Affected Users: All user PII and billing data
would be accessible
• Discoverability: Any user with minimal
knowledge of the framework would know how to
ﬁnd conﬁgs containing DB credentials and
connection information.

@adam_englander
Quick Reduction
• Database access and query logging for non-
repudiation
• Restrict read access to the git repo

@adam_englander
Mitigation Phase 1
• Have credentials setup on servers by admins
• Remove database credentials from git repo
• Change credentials to prevent leaked
credentials from being utilized going forward

@adam_englander
Phase 2
• Restrict access for users to appropriate data
• Restrict access to appropriate IP addresses

@adam_englander
Phase 3
• Encrypt PII and PC data in the database
• Develop and implement key rotation strategy for
application secrets

@adam_englander
Completely Mitigate
• Anonymize link between PC data and PII
• Create honey pots for credentials still in git repos
that will allow users to see what appears to be
real data. These logins will be recorded and
alerts will be sent to security personnel to
apprehend the culprit

@adam_englander
How do I get started?

@adam_englander
Right Now:
Knock out the OWASP Top 10!

@adam_englander
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project

@adam_englander
Near Term:
Incorporate threat modeling into your
Software Development Lifecycle

@adam_englander
Threat Modeling in SDLC
Design
Threat
Model
Build
Threat
Model
Release Test

@adam_englander
Long Term:
Map out and model your applications.

@adam_englander
Long Term:
Improve your skills!

@adam_englander
Elevation of Privilege
Card Game
https://www.microsoft.com/en-us/SDL/
adopt/eop.aspx
https://www.microsoft.com/en-us/SDL/adopt/eop.aspx

@adam_englander
Threat Modeling: Designing for Security
By Adam Shostack
ISBN-13: 978-1118809990

@adam_englander
Red/Blue Team Field Manual

@adam_englander
Questions and Comments

Threat Modeling for Dummies

More Related Content

What's hot

Similar to Threat Modeling for Dummies

More from Adam Englander

Recently uploaded

In this document

Threat Modeling for Dummies