I. Threat Modeling ------------------------------------------ THREAT MODELING Based on www.threatmodelingmanifesto.org def: *Threat modeling* is Goal: find security concerns and mitigate them, before attackers can use them Questions to ask: 1. What are we working on? 2. What can go wrong? 3. What are we going to do about it? 4. Did we do a good enough job? ------------------------------------------ Why do threat modeling? A. the Threat Modeling Manifesto 1. values ------------------------------------------ THREAT MODELING VALUES Values: - A culture of finding and fixing design issues (over checkbox compliance) - People and collaboration (over processes, methodologies, tools) - A journey of understanding (over a security or privacy snapshot) - Doing threat modeling (over talking about it) - Continuous refinement (over a single delivery) ------------------------------------------ 2. principles ------------------------------------------ THREAT MODELING PRINCIPLES Principles: - Best use of threat modeling is to improve the security and privacy through early and frequent analysis. - Align with development practices, follow design changes in iterations - Outcomes are meaningful when stakeholders value them - Dialog is key to understanding, documents record understandings and enable measurement ------------------------------------------ 3. patterns ------------------------------------------ PATTERNS THAT HELP THREAT MODELING Systematic Approach: Achieve thoroughness and reproducibility Informed Creativity: Allow for creativity, include both craft and science Varied Viewpoints: Assemble a diverse team with appropriate SMEs across multiple functions Useful Toolkit: Use tools to increase productivity, enhance workflows, enable repeatability and provide measurability Theory into Practice: Use successfully field-tested techniques aligned to local needs ------------------------------------------ What kind of functions are we talking about in "Varied Viewpoints"? 4. anti-patterns ------------------------------------------ ANTI-PATTERNS THAT INHIBIT THREAT MODELING Hero Threat Modeler: Don't rely on one person's talents, everyone can and should do it Admiration for the Problem: Don't just analyze the problem, Reach for practical & relevant solutions Tendency to Overfocus: Don't lose sight of the big picture; parts of a model may be interdependent. Avoid undue attention on: adversaries, assets, or techniques. Perfect Representation: Don't use just one representation; create multiple representations, there is no single ideal view. ------------------------------------------ What is an anti-pattern? B. Process for Attack Simulation and Threat Analysis (PASTA) ------------------------------------------ PROCESS FOR ATTACK SIMULATION AND THREAT ANALYSIS (PASTA) Stages: 1. Define objectives What is app's purpose? What is the business impact? What requirements/compliance? 2. Define technical scope/attack surface What is the high level arch./design? What tech. is involved? - protocols? - types of data? - s/w and tech. dependencies? - servers? services? - network devices? 3. Decompose the app. What assets? What dataflows? What actors? Roles? Permissions? What trust levels? trust boundaries? Any implicit trust relationships? 4. Analyze threats What are the probable scenarios? What do logs or reports tell us? 5. Vulnerability analysis How do existing vulnerabilities map to threats? How likely are these to be exploited? 6. Attack analysis What is the app's attack surface? What attack vectors are likely? 7. Risk and impact analysis What is the remaining risk? What is the business impact? ------------------------------------------ II. Threat Modeling A. Microsoft's STRIDE approach 1. STRIDE ------------------------------------------ STRIDE Basic threat categories: - Spoofing user identity - Tampering - Repudiation - Information disclosure - Denial of service - Elevation of privilege ------------------------------------------ What's an example of Spoofing? How could we define Tampering? What's an example of Repudiation? What's an example of Information disclosure? What is an example of Denial of service? What is an example of Elevation of privilege? B. Threat modeling tool ------------------------------------------ DOWNLOADING THE TOOL Download it from: https://www.microsoft.com/en-us/ securityengineering/sdl/threatmodeling "The SDL Threat Modeling Tool plugs into any issue-tracking system..." Goal: Identify: threats, attacks, vulnerabilities, and countermeasures Steps: - Defining security requirements - Creating an application diagram - Identifying threats - Mitigating threats - Validating mitigations ------------------------------------------ Why does Microsoft care about our applications? C. Demo of Threat Modeling Consider an online banking app. Q: What data and services would it offer? What data and services would it offer? ------------------------------------------ ONLINE BANKING APP What data stored? What services offered? What user roles? Draw the DFD and turst boundaries (demo) ------------------------------------------ D. alternatives ------------------------------------------ ALTERNATIVE TOOL OWASP Threat Dragon Download from: owasp.org/www-project-threat-dragon/ Vs. Microsoft: - works from browser - more for thinking - less automation ------------------------------------------ III. Process for Attack Simulation and Threat Analysis (PASTA) ------------------------------------------ PROCESS FOR ATTACK SIMULATION AND THREAT ANALYSIS (PASTA) Stages: 1. Define objectives What is app's purpose? What is the business impact? What requirements/compliance? 2. Define technical scope/attack surface What is the high level arch./design? What tech. is involved? - protocols? - types of data? - s/w and tech. dependencies? - servers? services? - network devices? 3. Decompose the app. What assets? What dataflows? What actors? Roles? Permissions? What trust levels? trust boundaries? Any implicit trust relationships? 4. Analyze threats What are the probable scenarios? What do logs or reports tell us? 5. Vulnerability analysis How do existing vulnerabilities map to threats? How likely are these to be exploited? 6. Attack analysis What is the app's attack surface? What attack vectors are likely? 7. Risk and impact analysis What is the remaining risk? What is the business impact? ------------------------------------------