SlideShare a Scribd company logo

Threat Modeling Using STRIDE

G
Girindro Pringgo Digdo

The document discusses threat modeling using STRIDE. It provides an overview of threat modeling and the STRIDE methodology. The document then shows an example of applying STRIDE to identify threats in a DNS system. Threats are identified for each element and interaction in diagrams of the DNS system. This includes threats to the hosting environment, DNS software, DNS data, DNS transactions, and dynamic updates.

Technology
1 of 68
Download to read offline
Threat Modeling Using STRIDE By: Girindro Pringgo Digdo, M.T., CSX-F, OSCP http://www.girindropringgodigdo.net/ girindigdo@gmail.com Girindro Pringgo Digdo2017 1
About • Dealing with Information Security Fields: ▪ VAPT ▪ Threat Modeling ▪ Information Security Management System ▪ Information Security Risk Management ▪ Education • Book Author 2017 Girindro Pringgo Digdo 2
Big Picture RiskManagementBusiness Financial Information Security Disaster IT ? 2017 Girindro Pringgo Digdo Information Security Awareness Risk ISMS Governance Compliance Risk Threat Modeling Diagram Identify Threats Mitigate Validate Identify Threats STRIDE Trike VAST PASTA Risk Assessment ISO 31000:2009 NIST SP 800 COBIT 5 COSO 3
Information Security Risk Management 2017 Girindro Pringgo Digdo Source: ISO 31000:2009 High Level of Risk Management Process 4
Information Security Risk Management 2017 Girindro Pringgo Digdo Source: ISO 31000:2009 High Level of Risk Management Process Threat Modeling 5
Introduction to Threat Modeling (TM) • Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats. • Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application. • Without it, your protection is a shot in the dark Girindro Pringgo Digdo2017 6
Introduction to Threat Modeling (TM) Multiple security issues, a timely approach Girindro Pringgo Digdo2017 Source: Toreon – Threat Modeling Done Right 7
Introduction to Threat Modeling (TM) • Threat Modeling is a process by which potential threats can be identified, enumerated, and prioritized. • The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. • Threat modeling answers the questions such as: ✓ Diagram • What are we building? • Where are the high-value assets? ✓ Identify Threats • What can go wrong? • Where am I most vulnerable to attack? • What are the most relevant threats? ✓ Mitigate • What are we doing to defend against threats? ✓ Validate • Validation of the previous steps and act upon them • Is there an attack vector that might go unnoticed? Girindro Pringgo Digdo2017 8
Threat Modeling Basics • Who? ▪ The bad guys will do a good job of it • What? ▪ A repeatable process to find and address all threats to your product • When? ▪ The earlier you start, the more time to plan and fix • Why? ▪ Find problems when there’s time to fix them ▪ Security Development Lifecycle (SDL) requirement ▪ Deliver more secure products • How? Girindro Pringgo Digdo2017 9
Threat Modeling Basics – Who? • Building a threat model ▪ Program manager (PM) owns overall process ▪ Testers o Identify threats in analyze phase o Use threat models to drive test plans ▪ Developers create diagrams • Customer for threat models ▪ Your team ▪ Other features, product teams ▪ Customers, via use education ▪ ‘External’ quality assurance resources, such as pentesters • You’ll need to decide what fits to your organization Girindro Pringgo Digdo2017 10
Threat Modeling Basics – What? • Consider, document, and discuss security in a structured way • Threat model and document ▪ The product as a whole ▪ The security-relevant features ▪ The attack surfaces • Assurance that threat modelling has been done well Girindro Pringgo Digdo2017 11
Threat Modeling Basics – Why? • Produce software that’s secure by design – not by incident ▪ Improve designs the same way we’ve improved code • Because attackers think differently ▪ Creator blindness / new perspective • Allow you to predictably and effectively find security problems early in the process Girindro Pringgo Digdo2017 12
The Process Diagram Identify Threats Mitigate Validate Girindro Pringgo Digdo2017 13
Threat Modeling Diagram Girindro Pringgo Digdo2017 14
How to create diagrams • Go to the whiteboard • Start with an overview which has: ▪ A few external interactors ▪ One or two processes ▪ One or two data stores (if applicable) ▪ Data flows to connect them • Check your work ▪ Can you tell a story without edits? ▪ Does it match reality? Girindro Pringgo Digdo2017 15
Diagramming • Use DFDs (Data Flow Diagrams) • Update diagrams as product changes • Enumerate assumptions, dependencies Girindro Pringgo Digdo2017 16
Diagram Elements: Examples Girindro Pringgo Digdo2017 External Entity • People • Other systems • ? Process • Services • Web Services • Components • ? Data Flow • Function • Network traffic • RPC • ? Data Store • Database • File • Registry • ? • Process boundary • File system Data Trust Boundaries 17
Diagramming: Trust Boundaries • Add trust boundaries that intersect data flows • Points where an attacker can interject ▪ Machine boundaries, privileges boundaries, integrity boundaries are example of trust boundaries • Process talking across a network always have a trust boundary ▪ They make may create a secure channel, but they’re still distinct entities Girindro Pringgo Digdo2017 18
Diagramming: Iteration • Iterate over processes, data stores, and see where they need to be broken down • How to know it ‘needs to be broken down?’ ▪ More detail is needed to explain security impact of the design ▪ Words like ‘sometimes’ and ‘also’ indicate you have a combination of things that can be broken out o ‘sometimes this data store is used for X’ – probably add a second datastore to the diagram Girindro Pringgo Digdo2017 19
Context Diagram: Example Girindro Pringgo Digdo2017 20
Level 1 Diagram: Example Girindro Pringgo Digdo2017 21
Diagram Layers Girindro Pringgo Digdo2017 22 • Context Diagram ▪ Very high-level; entire component / product / system • Level 1 Diagram ▪ High level; single feature / scenario • Level 2 Diagram ▪ Low level; detailed sub-components of features • Level 3 Diagram ▪ More detailed ▪ Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries
The Process: Identify Threats Girindro Pringgo Digdo2017 23
Identify Threats • Experts can brainstorm • Use STRIDE to step through the diagram elements • Consider related standards such as ISO 27001 series, NIST SP 800, Cobit 5 Series, OWASP, etc Girindro Pringgo Digdo2017 24
Identify Threats: STRIDE Girindro Pringgo Digdo2017 Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Threats Property we want Authentication Integrity Nonrepudiation Confidentiality Availability Authorization 25
STRIDE Other Related Standards Cobit 5 Series NIST SP 800 OWASP Identify Threats: Considered Inputs 2017 Girindro Pringgo Digdo 26
Threat: Spoofing Girindro Pringgo Digdo2017 Threat Property Definition Example Spoofing Authentication Impersonating something or someone else Pretending to be any cleaner staff 27
Threat: Tampering Girindro Pringgo Digdo2017 Threat Property Definition Example Tampering Integrity Modifying data or code Modifying PHP on disk or a packet as it traverse the LAN 28
Threat: Repudiation Girindro Pringgo Digdo2017 Threat Property Definition Example Repudiation Non-repudiation Claiming to have not performed in action “I didn’t send that email,” “I didn’t modify that file” 29
Threat: Information Disclosure Girindro Pringgo Digdo2017 Threat Property Definition Example Information Disclosure Confidentiality Exposing information to someone not authorized to see it Allowing someone to read the database, publishing a list of customers to a website 30
Threat: Denial of Service Girindro Pringgo Digdo2017 Threat Property Definition Example Denial of Service Availability Deny or degrade or interruption service to users Crashing OS or website, sending a packet and absorbing seconds of CPU time 31
Threat: Elevation of Privelege Girindro Pringgo Digdo2017 Threat Property Definition Example Elevation of Privilege Authorization Gain capabilities without proper authorization User with a privilege set of "read only" permissions somehow elevates the set to include "read and write”. 32
Application Overview: Flow System Identification Girindro Pringgo Digdo2017 33
Application Overview: Flow System Identification Browser (Input) Browser (Output) Process Request Response Girindro Pringgo Digdo2017 34
Identify Threats per Interaction # Elements Interactions S T R I D E 1 Local DNS Received data from browser x 2 Data out to obtain data to database (Root DNS) x 3 Received data from database (Root DNS) x x x x 4 Data flow to browser x x x 5 Data Flow (request / response) Crosses machine boundary x x x 6 Database (Root DNS) Data flow to database x x x x 7 Data out from database x x x 8 Browser Data flow to Local DNS x x x 9 Received data from Local DNS x Girindro Pringgo Digdo2017 35
Identify Threats per Interaction Element: Local DNS Interaction: Received data from browser Tampering • Local DNS changed • Data flow source changed Element: Local DNS Interaction: Data out to obtain data to database (Root DNS) Spoofing Database (Root DNS) spoofed and local DNS request to wrong resource. Girindro Pringgo Digdo2017 36
Identify Threats per Interaction Element: Local DNS Interaction: Received data from database (Root DNS) Spoofing Database (Root DNS) spoofed and local DNS read from wrong resource Tampering Data corrupted when data read from database Denial of Service (DoS) Process corrupted by data that received from database Elevation of Privilege Process corrupted due wrong data read and caused code execution Girindro Pringgo Digdo2017 37
Identify Threats per Interaction Element: Local DNS Interaction: Data flow to browser Spoofing Process is confuse toward browser identity Repudiation Browser deny toward the given output Information Disclosure Browser obtain information disclosure Girindro Pringgo Digdo2017 38
Identify Threats per Interaction Element: Data Flow Interaction: Crosses machine boundary Tampering Data Flow modified by MITM attack Information Disclosure Data flow sniffed Denial of Service Data flow interrupted by external entity (i.e.: mixed by TCP sequence numbers) Girindro Pringgo Digdo2017 39
Identify Threats per Interaction Element: Database (Root DNS) Interaction: Data flow to database(Root DNS) Tampering Database corrupted Repudiation Local DNS claim not doing the request to Database (Root DNS) Information Disclosure Database information disclosure Denial of Service Database can’t accessed Girindro Pringgo Digdo2017 40
Identify Threats per Interaction Element: Database (Root DNS) Interaction: Data out from database Repudiation Local DNS claim can’t read data from Database (Root DNS) Information Disclosure Database information disclosure Denial of Service Database can’t read Girindro Pringgo Digdo2017 41
Identify Threats per Interaction Element: Browser Interaction: Data flow to Local DNS Spoofing Process is confuse toward browser identity Repudiation Browser deny toward the given output Element: Browser Interaction: Received data from Local DNS Spoofing Process is confuse toward browser identity Repudiation Browser deny toward the given output Girindro Pringgo Digdo2017 42
Identify Threats per Element Element Sub Element Sub Element Code Threats S T R I D E 1 DNS Hosting Environment 1.1 Host platform (OS, file system) 1.1.1 Threat 1: The OS, any system software,or any other applicationsoftware on the DNS host could be vulnerable to attacks such as integrity attack,resulting lost of trust. X X X 1.1.2 Threat 2: A malicious insider who has access to local area network (LAN) segments where DNS hosts reside could launch an Address ResolutionProtocol (ARP) spoofing attack that disrupts DNS message flows X X X 1.1.3 Threat 3: The platform-level configurationfile that enables communication (e.g., resolv.confand host.confin Unix platforms) can be corrupted by viruses and worms or subject to unauthorizedmodificationsdue to inadequate file-level protections,resulting in breakdown of communication among DNS hosts (e.g.,between a stub resolver and a resolving name server, between a resolving name server and an authoritative name server). X X 1.1.4 Threat 4: The DNS-specificconfiguration files (named.conf,root.hints,etc.),data files (zone file), and files containing cryptographic keys could be corrupted by viruses and worms or subjected to unauthorizedmodificationsdue to inadequatefile-level protections,resulting in improper functioningof name resolution service X X 1.1.5 Threat 5: A malicious host on the same LAN as a DNS client may be able to intercept and/or alter DNS responses.This would allow an attacker to redirect a client to a differentsite. This could be the first action in an attack on a client host. X X X X 1.2 DNS Software (name server, resolver) 1.2.1 Threat 6: DNS software (name server or resolver) could have vulnerabilitiessuch as buffer overflows that result in denial of service. X 1.2.2 Threat 7: DNS software does not provide adequate access control capabilities for its configurationfiles (e.g., named.conf),its data files (e.g., zone file) and files containing signing keys (e.g., TSIG, DNSKEY)to prevent unauthorized read/updateof these files X X X 1.3 DNS Data (zone file, configuration file) 1.3.1 Threat 8: Lame Delegation:This error occurs when FQDN and/or IP addresses of name servers have been changed in the child zone but the parent zone has not updated the delegation information (NS RRs and glue records). In this situation,the child zone becomes unreachable (denial of service). X 1.3.2 Threat 9: RRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as Web servers and mail servers) that will enable the well-equippedattacker to exploit the known vulnerabilities in those softwareversions and launch attacks against those resources. X Girindro Pringgo Digdo2017 43
Identify Threats per Element Element Sub Element Sub Element Code Threats S T R I D E 2 DNS Transactions 2.1 DNS query/respon se 2.1.1 Threat 10: Forged or bogus response X 2.1.2 Threat 11: Removal of some RRs from the response X X 2.2 Zone transfers 2.2.1 Threat 12: Denial of Service: Because zone transfers involve the transfer of entire zones, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in denial of service to legitimate users. X 2.2.2 Threat 13: The zone transfer response message could be tampered X 2.3 Dynamic updates 2.3.1 Threat 14: Unauthorized Updates: Unauthorized updates could have several harmful consequences for the content of zone data. Some harmful data operations include: (a) adding illegitimate resources (new FQDN and new RRs to a valid zone file), (b) deleting legitimate resources (entire FQDN or specific RRs), and (c) altering delegation information (NS RRs pointing to child zones) X X X X X 2.3.2 Threat 15: The data in a dynamic update request could be tampered. X X 2.3.3 Threat 16: Replay Attacks: Update request messages could be captured and resubmitted later, thus causing inappropriate updates. X X Girindro Pringgo Digdo2017 44
STRIDE Mapping Girindro Pringgo Digdo2017 45
Assessment Area Details AREA DETAIL AREA ELEMENT SUB ELEMENT SPOOFING TAMPERING REPUDIATION INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION OF PRIVILEGE Element Sub Element Assessment Area Details mapped from STRIDE Girindro Pringgo Digdo2017 46
Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE SPOOFING 1.1.1 1.1.2 1.1.5 2.1.1 3.1.1 Girindro Pringgo Digdo2017 47
Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE TAMPERING 1.1.1 1.1.3 1.1.4 1.1.5 2.1.2 2.2.2 2.3.1 2.3.2 2.3.3 3.1.6 Girindro Pringgo Digdo2017 48
Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE REPUDIATION 2.3.1 Girindro Pringgo Digdo2017 49
Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE INFORMATION DISCLOSURE 1.1.1 1.1.2 1.1.5 1.2.2 1.3.2 2.3.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7 Girindro Pringgo Digdo2017 50
Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE DENIAL OF SERVICE 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.2.1 1.2.2 1.3.1 2.1.2 2.2.1 2.3.1 2.3.2 2.3.3 Girindro Pringgo Digdo2017 51
Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE ELEVATION OF PRIVILEGE 1.2.2 2.3.1 3.1.6 Girindro Pringgo Digdo2017 52
The Process: Mitigation Girindro Pringgo Digdo2017 53
Mitigation is the point of Threat Modeling • Mitigation ▪ To address or alleviate a problem • Protect customers • Design secure software • Why bother if you: ▪ Create a great model ▪ Identify lots of threats • So, find problems and fix them Girindro Pringgo Digdo2017 54
Mitigate • Address each threat • Ways to address threats: ▪ Redesign to eliminate ▪ Apply standard mitigations ▪ Invent new mitigations (riskier) ▪ Accept vulnerability in design ▪ SDL rules about what you can accept Girindro Pringgo Digdo2017 55
Standard Mitigations Girindro Pringgo Digdo2017 Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Authentication Integrity Nonrepudiation Confidentiality Availability Authorization To authenticate principals: • Cookie Authentication • PKI systems such as SSL/TLS and certificates To authenticate code or data: • Digital Signatures • Integrity Controls • ACLs • Digital Signatures • Secure logging and auditing • Digital Signatures • Encryption • ACLs • ACLs • Filtering • Quotas • ACLs • Group or role membership • Privilege ownership • Input Validation 56
The Process: Validation Girindro Pringgo Digdo2017 57
Validating Threats Models • Validate the whole threat model ▪ Does diagram match final code? ▪ Are threats enumerated? ▪ Has Test / QA reviewed the model? ▪ Is each threat mitigated? ▪ Are mitigations done right? • Did you check these before Final Security Review? Girindro Pringgo Digdo2017 58
Validate Quality of Threats and Mitigations • Threats: Do They: ▪ Describe the attack ▪ Describe the context ▪ Describe the impact • Mitigations ▪ Associate with threat ▪ Describe mitigations Girindro Pringgo Digdo2017 59
Overview: Risk Assessment Girindro Pringgo Digdo2017 60
Risk Assessment • “An approach to identifying and managing systemic risk for an organization and system” • Enterprise Security Risk Assessments are performed to allow organizations to: ▪ assess, identify and modify their overall security posture ▪ and to enable security, operations, organizational management and other personnel to collaborate and view the entire organization from an attacker’s perspective. Girindro Pringgo Digdo2017 61
Risk Assessment Girindro Pringgo Digdo2017 Source: Cobit 5 for Risk 62
Risk Assessment: Risk Rating • Low / Very Low, the possibility of attacks and the impact if a successful attack is relatively low. Ratings for this category: ▪ Very Low: < 1.5, Low: >= 1.5 &< 2.5 • Medium, the possibility of attacks and the impact if successful attacks are relatively moderate / medium. Ratings for this category: ▪ Medium >=2.5 &< 3.5. • High / Very High, the possibility of attacks and the impact if a successful attack is relatively high. Ratings for this category: ▪ High: >= 3.5 &< 4.5, Very High : >= 4.5 Girindro Pringgo Digdo2017 63
Risk Assessment: Risk Level • Possibility (P), the possibility of an attack is determined from a combination of factors such as: ▪ the attacker motivation, opportunity and resources; ▪ information security policies and procedures and the consistency of existing implementations; ▪ network or system architecture and configuration details. ▪ The highest value of the possibility (P) = 5 and the lowest value = 1 • Impact (I), impact is determined based on the risk to the organization, either directly or indirectly. ▪ The highest value of the impact (D) = 5 and the lowest score = 1 Girindro Pringgo Digdo2017 Risk Levels = (Impact + Possibility) / 2 64
Risk Assessment: Sample Risk Summary Girindro Pringgo Digdo2017 65
Sample of Threat Modeling Tools Girindro Pringgo Digdo2017 66
References • Adam Shostack “Threat Modeling Designing for Security” • Cobit 5 for Risk • ISACA Journal 2010 Volume 1 • ISO 31000:2009 • NIST SP 800-81 rev.2 • Microsoft “Introduction to Microsoft Security Development Lifecycle (SDL) Threat Modeling” • Toreon “Threat Modeling Done Right” Girindro Pringgo Digdo2017 67
Thank You 2017 Girindro Pringgo Digdo 68

Recommended

Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 

Recommended

Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Aujas Cyber Security
Aujas Cyber SecurityAujas Cyber Security
Aujas Cyber Security
VivianMarcello3
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
Okta-Inc
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
Deepak Kumar (D3)
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
Lalit Kale
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
SandeshUprety4
 
Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal Security
Tara Arnold
 
Security by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecuritySecurity by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal Security
Mediacurrent
 

More Related Content

What's hot

Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 

What's hot (20)

MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Aujas Cyber Security
Aujas Cyber SecurityAujas Cyber Security
Aujas Cyber Security
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 

Similar to Threat Modeling Using STRIDE

Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!
Mark Niebergall
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN
Brussels Legal Hackers
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
 

Similar to Threat Modeling Using STRIDE (20)

Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal Security
 
Security by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecuritySecurity by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal Security
 
Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!
 
Webinar: How to Design Primary Storage for GDPR
Webinar: How to Design Primary Storage for GDPRWebinar: How to Design Primary Storage for GDPR
Webinar: How to Design Primary Storage for GDPR
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
How to secure your business on the cloud? practical approach from strategy to...
How to secure your business on the cloud? practical approach from strategy to...How to secure your business on the cloud? practical approach from strategy to...
How to secure your business on the cloud? practical approach from strategy to...
 
Are You Underestimating the Value Within Your Data? A conversation about grap...
Are You Underestimating the Value Within Your Data? A conversation about grap...Are You Underestimating the Value Within Your Data? A conversation about grap...
Are You Underestimating the Value Within Your Data? A conversation about grap...
 
Adversary Playbook Tactical Assessment of Protection Techniques
Adversary Playbook Tactical Assessment of Protection TechniquesAdversary Playbook Tactical Assessment of Protection Techniques
Adversary Playbook Tactical Assessment of Protection Techniques
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
 
Dev Ops & Secops & Bears, oh my!
Dev Ops & Secops & Bears, oh my!Dev Ops & Secops & Bears, oh my!
Dev Ops & Secops & Bears, oh my!
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Guardians of the future what should we do to secure future cyberspace
Guardians of the future what should we do to secure future cyberspace Guardians of the future what should we do to secure future cyberspace
Guardians of the future what should we do to secure future cyberspace
 
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
 
Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
 
apidays LIVE Paris 2021 - Data privacy in the era of cloud native app by Guil...
apidays LIVE Paris 2021 - Data privacy in the era of cloud native app by Guil...apidays LIVE Paris 2021 - Data privacy in the era of cloud native app by Guil...
apidays LIVE Paris 2021 - Data privacy in the era of cloud native app by Guil...
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Symantec Webinar Part 3 of 6 How to Tackle Data Protection Risk in Time for G...
Symantec Webinar Part 3 of 6 How to Tackle Data Protection Risk in Time for G...Symantec Webinar Part 3 of 6 How to Tackle Data Protection Risk in Time for G...
Symantec Webinar Part 3 of 6 How to Tackle Data Protection Risk in Time for G...
 

Recently uploaded

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Recently uploaded (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 

Threat Modeling Using STRIDE

  • 1. Threat Modeling Using STRIDE By: Girindro Pringgo Digdo, M.T., CSX-F, OSCP http://www.girindropringgodigdo.net/ girindigdo@gmail.com Girindro Pringgo Digdo2017 1
  • 2. About • Dealing with Information Security Fields: ▪ VAPT ▪ Threat Modeling ▪ Information Security Management System ▪ Information Security Risk Management ▪ Education • Book Author 2017 Girindro Pringgo Digdo 2
  • 3. Big Picture RiskManagementBusiness Financial Information Security Disaster IT ? 2017 Girindro Pringgo Digdo Information Security Awareness Risk ISMS Governance Compliance Risk Threat Modeling Diagram Identify Threats Mitigate Validate Identify Threats STRIDE Trike VAST PASTA Risk Assessment ISO 31000:2009 NIST SP 800 COBIT 5 COSO 3
  • 4. Information Security Risk Management 2017 Girindro Pringgo Digdo Source: ISO 31000:2009 High Level of Risk Management Process 4
  • 5. Information Security Risk Management 2017 Girindro Pringgo Digdo Source: ISO 31000:2009 High Level of Risk Management Process Threat Modeling 5
  • 6. Introduction to Threat Modeling (TM) • Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats. • Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application. • Without it, your protection is a shot in the dark Girindro Pringgo Digdo2017 6
  • 7. Introduction to Threat Modeling (TM) Multiple security issues, a timely approach Girindro Pringgo Digdo2017 Source: Toreon – Threat Modeling Done Right 7
  • 8. Introduction to Threat Modeling (TM) • Threat Modeling is a process by which potential threats can be identified, enumerated, and prioritized. • The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. • Threat modeling answers the questions such as: ✓ Diagram • What are we building? • Where are the high-value assets? ✓ Identify Threats • What can go wrong? • Where am I most vulnerable to attack? • What are the most relevant threats? ✓ Mitigate • What are we doing to defend against threats? ✓ Validate • Validation of the previous steps and act upon them • Is there an attack vector that might go unnoticed? Girindro Pringgo Digdo2017 8
  • 9. Threat Modeling Basics • Who? ▪ The bad guys will do a good job of it • What? ▪ A repeatable process to find and address all threats to your product • When? ▪ The earlier you start, the more time to plan and fix • Why? ▪ Find problems when there’s time to fix them ▪ Security Development Lifecycle (SDL) requirement ▪ Deliver more secure products • How? Girindro Pringgo Digdo2017 9
  • 10. Threat Modeling Basics – Who? • Building a threat model ▪ Program manager (PM) owns overall process ▪ Testers o Identify threats in analyze phase o Use threat models to drive test plans ▪ Developers create diagrams • Customer for threat models ▪ Your team ▪ Other features, product teams ▪ Customers, via use education ▪ ‘External’ quality assurance resources, such as pentesters • You’ll need to decide what fits to your organization Girindro Pringgo Digdo2017 10
  • 11. Threat Modeling Basics – What? • Consider, document, and discuss security in a structured way • Threat model and document ▪ The product as a whole ▪ The security-relevant features ▪ The attack surfaces • Assurance that threat modelling has been done well Girindro Pringgo Digdo2017 11
  • 12. Threat Modeling Basics – Why? • Produce software that’s secure by design – not by incident ▪ Improve designs the same way we’ve improved code • Because attackers think differently ▪ Creator blindness / new perspective • Allow you to predictably and effectively find security problems early in the process Girindro Pringgo Digdo2017 12
  • 14. Threat Modeling Diagram Girindro Pringgo Digdo2017 14
  • 15. How to create diagrams • Go to the whiteboard • Start with an overview which has: ▪ A few external interactors ▪ One or two processes ▪ One or two data stores (if applicable) ▪ Data flows to connect them • Check your work ▪ Can you tell a story without edits? ▪ Does it match reality? Girindro Pringgo Digdo2017 15
  • 16. Diagramming • Use DFDs (Data Flow Diagrams) • Update diagrams as product changes • Enumerate assumptions, dependencies Girindro Pringgo Digdo2017 16
  • 17. Diagram Elements: Examples Girindro Pringgo Digdo2017 External Entity • People • Other systems • ? Process • Services • Web Services • Components • ? Data Flow • Function • Network traffic • RPC • ? Data Store • Database • File • Registry • ? • Process boundary • File system Data Trust Boundaries 17
  • 18. Diagramming: Trust Boundaries • Add trust boundaries that intersect data flows • Points where an attacker can interject ▪ Machine boundaries, privileges boundaries, integrity boundaries are example of trust boundaries • Process talking across a network always have a trust boundary ▪ They make may create a secure channel, but they’re still distinct entities Girindro Pringgo Digdo2017 18
  • 19. Diagramming: Iteration • Iterate over processes, data stores, and see where they need to be broken down • How to know it ‘needs to be broken down?’ ▪ More detail is needed to explain security impact of the design ▪ Words like ‘sometimes’ and ‘also’ indicate you have a combination of things that can be broken out o ‘sometimes this data store is used for X’ – probably add a second datastore to the diagram Girindro Pringgo Digdo2017 19
  • 20. Context Diagram: Example Girindro Pringgo Digdo2017 20
  • 21. Level 1 Diagram: Example Girindro Pringgo Digdo2017 21
  • 22. Diagram Layers Girindro Pringgo Digdo2017 22 • Context Diagram ▪ Very high-level; entire component / product / system • Level 1 Diagram ▪ High level; single feature / scenario • Level 2 Diagram ▪ Low level; detailed sub-components of features • Level 3 Diagram ▪ More detailed ▪ Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries
  • 23. The Process: Identify Threats Girindro Pringgo Digdo2017 23
  • 24. Identify Threats • Experts can brainstorm • Use STRIDE to step through the diagram elements • Consider related standards such as ISO 27001 series, NIST SP 800, Cobit 5 Series, OWASP, etc Girindro Pringgo Digdo2017 24
  • 25. Identify Threats: STRIDE Girindro Pringgo Digdo2017 Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Threats Property we want Authentication Integrity Nonrepudiation Confidentiality Availability Authorization 25
  • 26. STRIDE Other Related Standards Cobit 5 Series NIST SP 800 OWASP Identify Threats: Considered Inputs 2017 Girindro Pringgo Digdo 26
  • 27. Threat: Spoofing Girindro Pringgo Digdo2017 Threat Property Definition Example Spoofing Authentication Impersonating something or someone else Pretending to be any cleaner staff 27
  • 28. Threat: Tampering Girindro Pringgo Digdo2017 Threat Property Definition Example Tampering Integrity Modifying data or code Modifying PHP on disk or a packet as it traverse the LAN 28
  • 29. Threat: Repudiation Girindro Pringgo Digdo2017 Threat Property Definition Example Repudiation Non-repudiation Claiming to have not performed in action “I didn’t send that email,” “I didn’t modify that file” 29
  • 30. Threat: Information Disclosure Girindro Pringgo Digdo2017 Threat Property Definition Example Information Disclosure Confidentiality Exposing information to someone not authorized to see it Allowing someone to read the database, publishing a list of customers to a website 30
  • 31. Threat: Denial of Service Girindro Pringgo Digdo2017 Threat Property Definition Example Denial of Service Availability Deny or degrade or interruption service to users Crashing OS or website, sending a packet and absorbing seconds of CPU time 31
  • 32. Threat: Elevation of Privelege Girindro Pringgo Digdo2017 Threat Property Definition Example Elevation of Privilege Authorization Gain capabilities without proper authorization User with a privilege set of "read only" permissions somehow elevates the set to include "read and write”. 32
  • 33. Application Overview: Flow System Identification Girindro Pringgo Digdo2017 33
  • 34. Application Overview: Flow System Identification Browser (Input) Browser (Output) Process Request Response Girindro Pringgo Digdo2017 34
  • 35. Identify Threats per Interaction # Elements Interactions S T R I D E 1 Local DNS Received data from browser x 2 Data out to obtain data to database (Root DNS) x 3 Received data from database (Root DNS) x x x x 4 Data flow to browser x x x 5 Data Flow (request / response) Crosses machine boundary x x x 6 Database (Root DNS) Data flow to database x x x x 7 Data out from database x x x 8 Browser Data flow to Local DNS x x x 9 Received data from Local DNS x Girindro Pringgo Digdo2017 35
  • 36. Identify Threats per Interaction Element: Local DNS Interaction: Received data from browser Tampering • Local DNS changed • Data flow source changed Element: Local DNS Interaction: Data out to obtain data to database (Root DNS) Spoofing Database (Root DNS) spoofed and local DNS request to wrong resource. Girindro Pringgo Digdo2017 36
  • 37. Identify Threats per Interaction Element: Local DNS Interaction: Received data from database (Root DNS) Spoofing Database (Root DNS) spoofed and local DNS read from wrong resource Tampering Data corrupted when data read from database Denial of Service (DoS) Process corrupted by data that received from database Elevation of Privilege Process corrupted due wrong data read and caused code execution Girindro Pringgo Digdo2017 37
  • 38. Identify Threats per Interaction Element: Local DNS Interaction: Data flow to browser Spoofing Process is confuse toward browser identity Repudiation Browser deny toward the given output Information Disclosure Browser obtain information disclosure Girindro Pringgo Digdo2017 38
  • 39. Identify Threats per Interaction Element: Data Flow Interaction: Crosses machine boundary Tampering Data Flow modified by MITM attack Information Disclosure Data flow sniffed Denial of Service Data flow interrupted by external entity (i.e.: mixed by TCP sequence numbers) Girindro Pringgo Digdo2017 39
  • 40. Identify Threats per Interaction Element: Database (Root DNS) Interaction: Data flow to database(Root DNS) Tampering Database corrupted Repudiation Local DNS claim not doing the request to Database (Root DNS) Information Disclosure Database information disclosure Denial of Service Database can’t accessed Girindro Pringgo Digdo2017 40
  • 41. Identify Threats per Interaction Element: Database (Root DNS) Interaction: Data out from database Repudiation Local DNS claim can’t read data from Database (Root DNS) Information Disclosure Database information disclosure Denial of Service Database can’t read Girindro Pringgo Digdo2017 41
  • 42. Identify Threats per Interaction Element: Browser Interaction: Data flow to Local DNS Spoofing Process is confuse toward browser identity Repudiation Browser deny toward the given output Element: Browser Interaction: Received data from Local DNS Spoofing Process is confuse toward browser identity Repudiation Browser deny toward the given output Girindro Pringgo Digdo2017 42
  • 43. Identify Threats per Element Element Sub Element Sub Element Code Threats S T R I D E 1 DNS Hosting Environment 1.1 Host platform (OS, file system) 1.1.1 Threat 1: The OS, any system software,or any other applicationsoftware on the DNS host could be vulnerable to attacks such as integrity attack,resulting lost of trust. X X X 1.1.2 Threat 2: A malicious insider who has access to local area network (LAN) segments where DNS hosts reside could launch an Address ResolutionProtocol (ARP) spoofing attack that disrupts DNS message flows X X X 1.1.3 Threat 3: The platform-level configurationfile that enables communication (e.g., resolv.confand host.confin Unix platforms) can be corrupted by viruses and worms or subject to unauthorizedmodificationsdue to inadequate file-level protections,resulting in breakdown of communication among DNS hosts (e.g.,between a stub resolver and a resolving name server, between a resolving name server and an authoritative name server). X X 1.1.4 Threat 4: The DNS-specificconfiguration files (named.conf,root.hints,etc.),data files (zone file), and files containing cryptographic keys could be corrupted by viruses and worms or subjected to unauthorizedmodificationsdue to inadequatefile-level protections,resulting in improper functioningof name resolution service X X 1.1.5 Threat 5: A malicious host on the same LAN as a DNS client may be able to intercept and/or alter DNS responses.This would allow an attacker to redirect a client to a differentsite. This could be the first action in an attack on a client host. X X X X 1.2 DNS Software (name server, resolver) 1.2.1 Threat 6: DNS software (name server or resolver) could have vulnerabilitiessuch as buffer overflows that result in denial of service. X 1.2.2 Threat 7: DNS software does not provide adequate access control capabilities for its configurationfiles (e.g., named.conf),its data files (e.g., zone file) and files containing signing keys (e.g., TSIG, DNSKEY)to prevent unauthorized read/updateof these files X X X 1.3 DNS Data (zone file, configuration file) 1.3.1 Threat 8: Lame Delegation:This error occurs when FQDN and/or IP addresses of name servers have been changed in the child zone but the parent zone has not updated the delegation information (NS RRs and glue records). In this situation,the child zone becomes unreachable (denial of service). X 1.3.2 Threat 9: RRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as Web servers and mail servers) that will enable the well-equippedattacker to exploit the known vulnerabilities in those softwareversions and launch attacks against those resources. X Girindro Pringgo Digdo2017 43
  • 44. Identify Threats per Element Element Sub Element Sub Element Code Threats S T R I D E 2 DNS Transactions 2.1 DNS query/respon se 2.1.1 Threat 10: Forged or bogus response X 2.1.2 Threat 11: Removal of some RRs from the response X X 2.2 Zone transfers 2.2.1 Threat 12: Denial of Service: Because zone transfers involve the transfer of entire zones, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in denial of service to legitimate users. X 2.2.2 Threat 13: The zone transfer response message could be tampered X 2.3 Dynamic updates 2.3.1 Threat 14: Unauthorized Updates: Unauthorized updates could have several harmful consequences for the content of zone data. Some harmful data operations include: (a) adding illegitimate resources (new FQDN and new RRs to a valid zone file), (b) deleting legitimate resources (entire FQDN or specific RRs), and (c) altering delegation information (NS RRs pointing to child zones) X X X X X 2.3.2 Threat 15: The data in a dynamic update request could be tampered. X X 2.3.3 Threat 16: Replay Attacks: Update request messages could be captured and resubmitted later, thus causing inappropriate updates. X X Girindro Pringgo Digdo2017 44
  • 46. Assessment Area Details AREA DETAIL AREA ELEMENT SUB ELEMENT SPOOFING TAMPERING REPUDIATION INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION OF PRIVILEGE Element Sub Element Assessment Area Details mapped from STRIDE Girindro Pringgo Digdo2017 46
  • 47. Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE SPOOFING 1.1.1 1.1.2 1.1.5 2.1.1 3.1.1 Girindro Pringgo Digdo2017 47
  • 48. Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE TAMPERING 1.1.1 1.1.3 1.1.4 1.1.5 2.1.2 2.2.2 2.3.1 2.3.2 2.3.3 3.1.6 Girindro Pringgo Digdo2017 48
  • 49. Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE REPUDIATION 2.3.1 Girindro Pringgo Digdo2017 49
  • 50. Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE INFORMATION DISCLOSURE 1.1.1 1.1.2 1.1.5 1.2.2 1.3.2 2.3.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7 Girindro Pringgo Digdo2017 50
  • 51. Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE DENIAL OF SERVICE 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.2.1 1.2.2 1.3.1 2.1.2 2.2.1 2.3.1 2.3.2 2.3.3 Girindro Pringgo Digdo2017 51
  • 52. Mapped Threats in Assessment Area Details ASSESSMENT AREA ASSESSMENT SUB ELEMENT CODE ELEVATION OF PRIVILEGE 1.2.2 2.3.1 3.1.6 Girindro Pringgo Digdo2017 52
  • 53. The Process: Mitigation Girindro Pringgo Digdo2017 53
  • 54. Mitigation is the point of Threat Modeling • Mitigation ▪ To address or alleviate a problem • Protect customers • Design secure software • Why bother if you: ▪ Create a great model ▪ Identify lots of threats • So, find problems and fix them Girindro Pringgo Digdo2017 54
  • 55. Mitigate • Address each threat • Ways to address threats: ▪ Redesign to eliminate ▪ Apply standard mitigations ▪ Invent new mitigations (riskier) ▪ Accept vulnerability in design ▪ SDL rules about what you can accept Girindro Pringgo Digdo2017 55
  • 56. Standard Mitigations Girindro Pringgo Digdo2017 Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Authentication Integrity Nonrepudiation Confidentiality Availability Authorization To authenticate principals: • Cookie Authentication • PKI systems such as SSL/TLS and certificates To authenticate code or data: • Digital Signatures • Integrity Controls • ACLs • Digital Signatures • Secure logging and auditing • Digital Signatures • Encryption • ACLs • ACLs • Filtering • Quotas • ACLs • Group or role membership • Privilege ownership • Input Validation 56
  • 57. The Process: Validation Girindro Pringgo Digdo2017 57
  • 58. Validating Threats Models • Validate the whole threat model ▪ Does diagram match final code? ▪ Are threats enumerated? ▪ Has Test / QA reviewed the model? ▪ Is each threat mitigated? ▪ Are mitigations done right? • Did you check these before Final Security Review? Girindro Pringgo Digdo2017 58
  • 59. Validate Quality of Threats and Mitigations • Threats: Do They: ▪ Describe the attack ▪ Describe the context ▪ Describe the impact • Mitigations ▪ Associate with threat ▪ Describe mitigations Girindro Pringgo Digdo2017 59
  • 60. Overview: Risk Assessment Girindro Pringgo Digdo2017 60
  • 61. Risk Assessment • “An approach to identifying and managing systemic risk for an organization and system” • Enterprise Security Risk Assessments are performed to allow organizations to: ▪ assess, identify and modify their overall security posture ▪ and to enable security, operations, organizational management and other personnel to collaborate and view the entire organization from an attacker’s perspective. Girindro Pringgo Digdo2017 61
  • 62. Risk Assessment Girindro Pringgo Digdo2017 Source: Cobit 5 for Risk 62
  • 63. Risk Assessment: Risk Rating • Low / Very Low, the possibility of attacks and the impact if a successful attack is relatively low. Ratings for this category: ▪ Very Low: < 1.5, Low: >= 1.5 &< 2.5 • Medium, the possibility of attacks and the impact if successful attacks are relatively moderate / medium. Ratings for this category: ▪ Medium >=2.5 &< 3.5. • High / Very High, the possibility of attacks and the impact if a successful attack is relatively high. Ratings for this category: ▪ High: >= 3.5 &< 4.5, Very High : >= 4.5 Girindro Pringgo Digdo2017 63
  • 64. Risk Assessment: Risk Level • Possibility (P), the possibility of an attack is determined from a combination of factors such as: ▪ the attacker motivation, opportunity and resources; ▪ information security policies and procedures and the consistency of existing implementations; ▪ network or system architecture and configuration details. ▪ The highest value of the possibility (P) = 5 and the lowest value = 1 • Impact (I), impact is determined based on the risk to the organization, either directly or indirectly. ▪ The highest value of the impact (D) = 5 and the lowest score = 1 Girindro Pringgo Digdo2017 Risk Levels = (Impact + Possibility) / 2 64
  • 65. Risk Assessment: Sample Risk Summary Girindro Pringgo Digdo2017 65
  • 66. Sample of Threat Modeling Tools Girindro Pringgo Digdo2017 66
  • 67. References • Adam Shostack “Threat Modeling Designing for Security” • Cobit 5 for Risk • ISACA Journal 2010 Volume 1 • ISO 31000:2009 • NIST SP 800-81 rev.2 • Microsoft “Introduction to Microsoft Security Development Lifecycle (SDL) Threat Modeling” • Toreon “Threat Modeling Done Right” Girindro Pringgo Digdo2017 67
  • 68. Thank You 2017 Girindro Pringgo Digdo 68