{"id":322,"date":"2009-11-12T17:55:55","date_gmt":"2009-11-12T22:55:55","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=322"},"modified":"2009-11-12T18:03:42","modified_gmt":"2009-11-12T23:03:42","slug":"threat-modeling","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/threat-modeling\/","title":{"rendered":"Threat Modeling"},"content":{"rendered":"<p>This presentation was by John Steven, the NoVA Chapter Lead and Senior Director of Advanced Technology Consulting at Cigital, Inc.\u00a0 He notes that this is not that MS thing, it is not going to help you find XSS, and is not going to help you with Risk Management.\u00a0 My notes are below:<\/p>\n<p>Don&#8217;t use threat modeling to help you with the things you already have checklists for.<\/p>\n<p>Do this because you want to understand the intersection of your stakeholder&#8217;s goals and the architecture.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>What is a Threat?<\/strong><\/span><\/p>\n<ul>\n<li>An agent who attacks you?<\/li>\n<li>An attack?<\/li>\n<li>An attack&#8217;s consequence?<\/li>\n<li>A risk?<\/li>\n<\/ul>\n<p>What is a Threat Model?<\/p>\n<ul>\n<li>Depiction of\n<ul>\n<li>The system&#8217;s attack surface<\/li>\n<li>Threats who can attack the system<\/li>\n<li>Assets threats may compromise<\/li>\n<\/ul>\n<\/li>\n<li>Some leverage risk management practices\n<ul>\n<li>Estimate probability of attack<\/li>\n<li>Weight impact of successful attack<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Threat<\/p>\n<ul>\n<li>Capability\n<ul>\n<li>Access to the system<\/li>\n<li>Able to reverse engineer binaries<\/li>\n<li>Able to sniff the network<\/li>\n<\/ul>\n<\/li>\n<li>Skill Level\n<ul>\n<li>Experienced hacker<\/li>\n<li>Script kiddie<\/li>\n<li>Insiders<\/li>\n<\/ul>\n<\/li>\n<li>Resources and Tools\n<ul>\n<li>Simple manual execution<\/li>\n<li>Distributed bot army<\/li>\n<li>Well-funded organization<\/li>\n<li>Access to private 
information<\/li>\n<\/ul>\n<\/li>\n<li>Threats help\n<ul>\n<li>Encourage thorough thought about intentions for misuse<\/li>\n<li>Determine &#8220;out of bounds&#8221; scenarios<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Threat Modeling as a Process<\/strong><\/span><\/p>\n<ul>\n<li>Know thy enemy and how they attack you (who, what, how, why, impact, mitigation)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Threat Modeling &#8211; High-level Process<\/strong><\/span><\/p>\n<ol>\n<li>Diagram Structure<\/li>\n<li>Identify Assets<\/li>\n<li>Identify Threats<\/li>\n<li>Stitch Threats onto Structure<\/li>\n<li>Enumerate Doomsday Scenarios<\/li>\n<li>Document Misuse\/Abuse<\/li>\n<li>Enumerate Attack Vectors<\/li>\n<li>Iterate<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>1. Diagram the Software<\/strong><\/span><\/p>\n<ul>\n<li>Different methods of diagramming (he likes the whiteboard best)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>1.1 &#8211; Anchor in Software Architecture<\/strong><\/span><\/p>\n<p>Consider where attacks occur<\/p>\n<p>Top-down<\/p>\n<ul>\n<li>Enumerate business objects\n<ul>\n<li>Sensitive data<\/li>\n<li>Privileged functionality<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Bottom-up<\/p>\n<ul>\n<li>Enumerate application entities\n<ul>\n<li>Sensitive data<\/li>\n<li>Privileged functionality<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Look for<\/p>\n<ul>\n<li>Middleware<\/li>\n<li>Open source<\/li>\n<li>Frameworks<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>1.2 &#8211; Identify Application Attack Surface<\/strong><\/span><\/p>\n<ul>\n<li>Are there different privilege levels?<\/li>\n<li>Connectivity between services and processes<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>1.3 &#8211; Annotate with Design Patterns<\/strong><\/span><\/p>\n<ul>\n<li>Are there pieces that whitebox testing is 
unable to analyze?<\/li>\n<li>What types of frameworks is the application using?<\/li>\n<li>Where are there command patterns?<\/li>\n<li>Where is there an inversion of control?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>1.4 &#8211; Consider Patterns&#8217; Responsibilities<\/strong><\/span><\/p>\n<ul>\n<li>Document specific standards for implementing each responsibility<\/li>\n<li>List out each pattern, piece of the app, and associated standards<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>1.5 &#8211; Enumerate Potential Failures in Design Elements<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>1.6 &#8211; Find Key Structural Components<\/strong><\/span><\/p>\n<p>Component diagrams show critical choke points for security controls<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>1.7 &#8211; Identify Frameworks<\/strong><\/span><\/p>\n<p>Showing frameworks indicates where important service contracts exist &#8216;up&#8217; and &#8216;down&#8217;<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>1.8 &#8211; Explicitly Identify Controls<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>2 &#8211; Identify Assets<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>2.1 &#8211; Identify Critical Data Assets<\/strong><\/span><\/p>\n<ul>\n<li>Do I have PII?<\/li>\n<li>Things that proxy for PII, like sessions?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>2.2 &#8211; Identify Interfaces as Proxies for Data<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>2.3 &#8211; Identify How Assets Flow through the System<\/strong><\/span><\/p>\n<ul>\n<li>Assets exist not only at rest, but also flow through the system<\/li>\n<li>Think about where there are points you could stop the data from going<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>2.4 &#8211; Identify Critical Application Entities<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>2.5 &#8211; Identify &#8216;Intermediate&#8217; Asset 
Objectives<\/strong><\/span><\/p>\n<p>Identify:<\/p>\n<ul>\n<li>Sensitive data<\/li>\n<li>Privileged function<\/li>\n<\/ul>\n<p>Look out for:<\/p>\n<ul>\n<li>Proxies, facades, etc.<\/li>\n<li>Services<\/li>\n<li>UI vs implementation<\/li>\n<li>Aggressive caching scheme<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>2.6 &#8211; Identify Equivalence-classes<\/strong><\/span><\/p>\n<ul>\n<li>In essence, an escalation-of-privilege connector<\/li>\n<li>Ex: Putting username and password and password reset questions on the same page puts them in the same equivalence class without reauthentication and defeats the security control<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>3 &#8211; Identify Threat Agents<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>3.1 &#8211; Anchor Threats in Use Cases<\/strong><\/span><\/p>\n<ul>\n<li>What is the dumbest thing that a user can do?<\/li>\n<li>What is the most malicious thing a user can do?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>4.1 &#8211; Identify Principal Resolution<\/strong><\/span><\/p>\n<ul>\n<li>Arrows indicate resolution of principal\/assertion propagation<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>4.2 &#8211; Place Threats on Diagram<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>4.3 &#8211; Show Authorization in Structure<\/strong><\/span><\/p>\n<ul>\n<li>Coloration shows authorization by role<\/li>\n<li>Color modules by who you would need to be to access them, and look where the colors change<\/li>\n<li>This has never NOT found a vulnerability for John<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>5 &#8211; Enumerate Doomsday Impacts<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>5.1 &#8211; Assign Threats Malicious Intent<\/strong><\/span><\/p>\n<ul>\n<li>What is each Threat&#8217;s motivation?<\/li>\n<li>What would drive escalation?<\/li>\n<li>Why would each threat 
try beyond the first hurdle?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>5.2 &#8211; Instantiate Doomsday Attack<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>6.1 &#8211; Add in Misuse Cases<\/strong><\/span><\/p>\n<p>Convert Actors to Threats<\/p>\n<ul>\n<li>Abuse &#8211; Make actors behave stupidly<\/li>\n<li>Misuse &#8211; Make actors deviant\/evil<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>6.2 &#8211; &#8216;Cache&#8217; Misuse in a &#8216;Cookbook&#8217;<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>7 &#8211; Enumerate Attack Vectors<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>7.1 &#8211; Pilfer technology-specific security standards<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>7.2 &#8211; Pilfer community resources<\/strong><\/span><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>7.3 &#8211; Pass technology-specific resources as your own<\/strong><\/span><\/p>\n<ul>\n<li>When testing finds an attack:\n<ul>\n<li>First, decide if its impact warrants further exploration<\/li>\n<li>Are additional impacts possible?<\/li>\n<li>Consider what conceptual goals the attack supports<\/li>\n<li>Then consider who could launch the attack against the application<\/li>\n<\/ul>\n<\/li>\n<li>After analysis converges, iterate secure design<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by John Steven, the NoVA Chapter Lead and Senior Director of Advanced Technology Consulting at Cigital, Inc.\u00a0 He notes that this is not that MS thing, it is not going to help you find XSS, and is not going to help you with Risk Management.\u00a0 My notes are below: Don&#8217;t use threat 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307,4],"tags":[185,184],"class_list":["post-322","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","category-web-app-sec","tag-modeling","tag-threat"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-5c","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=322"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/322\/revisions"}],"predecessor-version":[{"id":325,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/322\/revisions\/325"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=322"}],"wp:term":[{"taxonomy":"categ
ory","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}