Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.

1. Threat Modeling in 2021
Adam Shostack • adam@shostack.org

2. About Adam Shostack

3. What’s changing in the world?
What’s Changing in Threat Modeling?
4

4. What’s changing in the world?
What’s Changing in Threat Modeling?
5

5. Development in a COVID
World

6. Key Drivers of Change
• Everyone is scared, stressed and sick
Including your customers, prospects and employees
Many are grieving for losses, caring for children or elderly
• Not “working from home”
Sheltering in place during a global catastrophe
Getting a work done as we can
• Teams are distributed
Implicit and informal communication is, at best, changed

7. Responding to Changes
• Development teams need
More communication tools
Specific frameworks
Assurance and reassurance
• Security features becoming more important
This trend overlaps with COVID

8. Four Question Framework – still works!
11

9. Agenda
• What are we working on? How are we working on it?
The fast moving world of cyber
• What can go wrong? Threats evolve!
STRIDE
Machine Learning
[Conflict Modeling]
12

10. The fast moving world of cyber
13

11. Everything’s Changing So Fast!…?
• Models help us see similarities & understand change
• Example: Morris worm (1988)
Stack smashing (~1970-now*)
Common passwords (epoch – end of days)
Mis-configured daemons (1988-200?)
14

12. Fast Changing World: IoT
• More sensors and actuators
Look like cars and door-opening dogs
• Run Linux like it’s 1999
• Cost: lightbulbs to jet engines
• Impact: water sensors to medical devices
• New attackers
15

13. The Ways To Threat Model Are …
Evolving and Responding
• Many building blocks
Tools: MS TM (IDE), Tutamantic (discrete), IriusRisk (enterprise)*
Approaches: STRIDE, Kill Chain
Deliverables: bugs, backlogs, documents…
• Building block frame helps contextualize change
16
* Disclosure: I’m on the advisory board of IriusRisk

14. Agile
17

15. Fast Moving World of Development
• Threat modeling is no more inherently waterfall than Ruby
• Threat modeling in agile, CI/CD
• Waterfall vs agile
Skills, tasks, frameworks are similar
Deliverables and scoping are very different
• Benefits of fast cycles
Controls, quality to address threats in the backlog
18

16. Waterfall:
“Threat Model Documents”
Agile:
“Bugs and conversations”
System
Model
• Big complex scope
• System diagrams & essays
• Gates, dependencies
• Scope tiny: this sprint’s
change
• Big picture as security debt
Finding
Threats
• Brainstorm
• STRIDE
• Kill Chain
• Same, aim at in-sprint code
Fixes
• Controls
• Mitigations
• Test cases
• Spikes to understand
• Sec-focused stories in sprint,
backlog, or epic
• Sec. acceptance criteria
Quality • Test plans • Test automation
19

17. Starting Threat Modeling When Agile
• Start agile: work the features being built
Develop skills
Demonstrate value
Get buy-in: security properties and assurance
• Then worry about the security debt
“What can go wrong” analysis exposes debt
All up dataflows (borrow from GDPR)
20

18. Dialogue before Discussion
Dialogue
•Explore ideas and
consequences
“What if?”
“How about”
•Prototypes &
experiments
•Fluid not fixed
Discussion
•Commit to one idea
•Production code
•Fixed not fluid
Borrowing from John Allspaw (Etsy, kitchensoap.com)

19. Review Use
Discussion
Dialog
System Models Serve Different Goals
27
Pictures
Words
Whiteboard
Spec Plan of record
“Visio”
Slack / email
Time
Photoshop

20. Different Goals
• Different goals, different deliverables
Dialogue: whiteboard
Inform: fancy documents
• Implicit goals generate conflict
If you want dialogue, don’t ask team to bring a diagram
“Oh, you want a review and sign off, not new choices!”
• Implicit goals generate work
Who needs a fancy document and why?
28

21. 29

22. Cloud and Serverless
• Cloud provider takes over
platform issues
Platform-level threats are theirs
• Business level threats remain
Spoofing an employee of your
company to your cloud admin
• Threat model your build,
deploy pipelines
30

23. What Can Go Wrong?
31

24. “What Can Go Wrong” Agenda Details
• Supply Chain
• STRIDE
• Adversarial Machine Learning
• Operations: Kill Chain/Threat Genomics/Att&CK
• Conflict
32

25. Supply Chain
• You don’t need threat modeling to pay attention to
Vulnerabilities
Compilation, delivery and installation of updates
Trade policy
34

26. STRIDE
• Turned 21 last year!
• Still helpful mnemonic
Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege
Wide range of system types
New details for various threats
35

27. Spoofing
• Spoofing package names, content
• GPS Spoofing
• Phone authentication
• Markets for selfies
• Audio/video spoofing
36

28. Spoofing Package Names, content
• Create a package in a public repository
Name matches a private repo
Build calls pip install package_name
Alex Birsan made $130k in bug bounties, Feb 2021
• Use Unicode RLO & other tricks
https://trojansource.codes
November 2021, Ross Anderson & team
https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/

29. Spoofing GPS
• Now a commercial reality
38
https://www.technologyreview.com/s/614689/ghost-ships-crop-circles-and-soft-gold-a-gps-mystery-in-shanghai/

30. Spoofing and Phone Authentication
• SMS or calls
SMS specifically deprecated by US Gov regulators
• Phone porting & SIM porting attacks
• Scamicry: Callers demand authentication from callee
39

31. Spoofing Facial Recognition
• Markets for Selfies
April 2016: MasterCard announces
Identity Check (“Pay with a selfie!”)
March 2018: Sixgill reports selfies in darkweb fullz
• Impersonation tools
LED Baseball cap allows impersonation
40

32. Spoofing Audio
• Voice cloning as a service!
Startups, open source: CandyVoice, Festvox, Vivotext, Lyrebird…
• Formal or background authentication
• Google Duplex voice interaction as a service lets you scale
BEC 2.0: “This is the CEO, need you to pay …”
https://thenextweb.com/security/2019/09/02/fraudsters-deepfake-ceos-voice-to-trick-manager-
into-transferring-243000/*
Phishing 3.0: “Hi honey, just real quick, what’s the Netflix pw?”
41

33. Spoofing Video
• “Deepfake” video democratizes, improves video fakery
• Machine learning to imitate a victim
• Create new video
• Overlay new faces onto existing
• Warning: lots of disturbing examples
• https://geminiadvisory.io/deepfakes-id-verification/
42

34. Deepfake Example (SFW)
43

35. Tampering
• Physical access
“AirBNB attacker” can tamper
with each device (Thanks to
Roy D’Souza for the evocative
term)
Cars are accessed by the
owner*, their spouses and
children, their mechanic
*The “owner” is probably a
bank
Odometers, “black boxes”,
OBD
• Tapplock vs screwdriver
45

36. Repudiation
46

37. Repudiation 2

38. Information Disclosure
• Location
DOD Ban
• Contact tracing
• Other sensors
48
https://www.bellingcat.com/resources/articles/2018/07/08/strava-polar-revealing-homes-soldiers-spies/

39. Information Disclosure & Location
49
https://electrek.co/2020/08/27/tesla-hack-control-over-entire-fleet/ https://www.bloomberg.com/news/articles/2020-09-01/amazon-drivers-
are-hanging-smartphones-in-trees-to-get-more-work

40. Info Disclose & Fast Moving World of Sensors
• Phones drive sensor tech: quality, cost
• Sensors in everything that exceed our intuition
Barometers measure altitude
Accelerometers measure typing
Microphones + ultrasound disclose location
• Examples:
Bus stop signs reflected in pupil
Fingerprints in photos
Offscreen typing in zoom
50

41. Denial of service
• Classically absorb compute, storage or bandwidth
Compute transforms into crypto currency
• Battery
• Money
51

42. Denial of service (2)

43. Elevation of Privilege
• Many isolation breaks
Spectre/Meltdown EoP from cloud, browser
Rowhammer and RAMPage EoP from app
We’ll see more, and responses are mostly at the platform
• Disentangling device control can be impossible
“Depression of Privilege”
53

44. Threats Evolve:
STRIDE Is One Of Many
Machine Learning
Kill Chains
Conflict modeling
55

45. Kill Chain as Alternative to STRIDE
• Kill Chain & variants for operational threat models
Especially attack.mitre.org
• Unifiedkillchain.com for analysis & comparison
Doesn’t yet include threat genomics
Date: December 7, 2017
Supervisor: Dr. ir. Pieter Burghouwt
Second Reader: Prof. dr. ir. Jan van den Berg
Institution: Cyber Security Academy (CSA)
Initial Foothold:
Compromised System
• Reconnaissance
• Weaponization
• Delivery
• Social Engineering
• Exploitation
• Persistence
• Defense Evasion
• Command&Control
Pivoting Network Propagation:
Internal Network
• Discovery
• Privilege Escalation
• Execution
• Credential Access
• Lateral Movement
Access Action on Objectives:
Critical Asset Access
• Collection
• Exfiltration
• Target Manipulation
• Objectives
56

46. Adversarial Machine Learning
• To violate goals of your ML
• To bend your ML to attacker’s goals
• (Also, training data)
• Machine learning is code
Code has bugs
More complex code has more bugs
57

47. Adversarial Machine Learning Resources
• Microsoft has released several processes
https://docs.microsoft.com/en-us/security/threat-modeling-aiml
https://docs.microsoft.com/en-us/security/securing-artificial-
intelligence-machine-learning
My analysis https://shostack.org/blog/tmt-machine-learning/
• Berryville Institute of Machine Learning
https://berryvilleiml.com/results/
My analysis https://shostack.org/blog/tmt-biml-machine-learning-
risk-framework/
58

48. Conflict & Threat Modeling
What goes wrong isn’t just sploits
59

49. Threat Impacts Beyond Tech
• Threat modeling will help you find threats to systems
• Can also look for threats through systems
• Examples touch on politics
Let’s focus on the evocative examples, not the politics

52. Red Hen
on
Yelp
63

53. Attackers Adjust
64

54. Four Question Frame Works for Conflict
What are we working on?
A system with social aspects or
UGC (user generated content)
What can go wrong?
Conflict as well as exploit
What are we going to do?
Intuitive measures often fail,
we should catalog & study
defenses
Did we do a good job? 65

55. What Goes Wrong: Inter-personal Conflict
• Explicitly adapting threat modeling to conflict
• Shireen Mitchell & Jon Pincus diversity approach
• Amanda Levendowski’s SCULPT (in progress)
Safety, comfort, usability, legal, privacy, and transparency
Focus on mitigation techniques
• Used by nation states!
67

56. What to do? Obvious Fixes Fail or
Exacerbate
69

57. What to Do?
Learn from Success
• Nextdoor “private social network for your neighborhood”
• Had a problem with racial profiling in posts
• A/B tested 6 ways to add detail when post mentions race
• Says new forms have “reduced posts containing racial
profiling by 75%...”
70

58. What to do about conflict?
• Fixes for conflict are less obvious
• Need expertise in human behavior to design
• Need a catalog of effective design patterns
• Github.com/adamshostack/conflictmodeling
71

59. Summary: Threats
• STRIDE instances evolve
• Kill chains have emerged as a useful technique
• Conflict looms
73

60. Key Takeaways
• Fundamental skills of threat modeling remain important
• Details of what we’re working on, how we work and
threats are all changing
• Importance of conflict modeling
74

61. Threat Modeling Resources
• Threat Modeling: Designing for Security
Wherever fine books are sold
• Shostack.org/resources/
• shostack.org/blog
75

62. Questions?
adam@shostack.org • shostack.org

63. Thank you!

64. Backup

65. TM Resources (Automotive)
• Safety First for Automated Driving paper (2019)
• “UN Regulations on Cybersecurity and Software Updates
to pave the way for mass roll out of connected vehicles”
(2020)
• UL 4600 (2020)
• SAE J3061(2016)
• Evita Project (2011)
79

66. What’s changing in the world?
What’s Changing in Threat Modeling?
80

67. What’s changing in the world?
What’s Changing in Threat Modeling?
81

68. What’s changing in the world?
What’s Changing in Threat Modeling?
82

69. What’s changing in the world?
What’s Changing in Threat Modeling?
83

70. What’s changing in the world?
What’s Changing in Threat Modeling?
84

71. What’s changing in the world?
What’s Changing in Threat Modeling?
85

72. What’s changing in the world?
What’s Changing in Threat Modeling?
86

73. What’s changing in the world?
What’s Changing in Threat Modeling?
87

74. 88