Threat modeling is about thinking what bad can happen and what can you do about it. It can also find logical flaws and reveal problems in the architecture or software development practices. These vulnerabilities cannot usually be found by technical testing.
Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your penetration testing to the most risky parts of the system. The beauty of threat modeling is that you can assess security already in the design phase. In addition, it is something every team member can participate in because it doesn't require any source code, special skills, or tools. Threat modeling is for everyone: developers, testers, product owners, and project managers.
The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn to analyze use cases for finding business level threats. The presentation also includes practical tips for arranging threat workshops and representing your results.
This presentation was held in the Diana Initiative 2018 and Nixucon 2018 conferences.
3. Benefits of threat modeling
Finding
weaknesses in
the design
phase
Targeting
pentesting
based on risk
Testing does not
find all
weaknesses
4. What threats are relevant to our business?
Scriptkiddie
• DDoS for the
lulz
• Mitigation:
Load
balancer
CyberCriminal
• Ransomware
target search
from Shodan
• Mitigation:
Updates
RPAmisconfig
• Configuration
errors and
mistakes
• Mitigation:
Automatic
testing
5. Attack tree visualizes threat scenarios
Vulnerability in server
components
Web site delivers
malware
Web server
compromised
Drop in
share price
Loss of
reputation
Password
guessed
User information
gets stolen
6. Threat workshop
• Threat modeling
• Attack surfaceSprint 1
Sprint 2
• Check threat model
• Residual riskSprint n
Who, when, and what?
Bugs
Test cases
Backlog
Documents
Testers
Developers
Product Owner
Infosec Specialist
7. How to find technical
and architecture related
threats?
8. ”How can you protect something
if you don’t know
it exists or its value?”
9. Looking for technical threats
Use cases and user stories
• Features
• Different user roles
Architecture descriptions
• Where your data is stored?
• Where is it transferred and how?
Evil use cases
• Who would want to abuse your system and how?
10. Analyzing use cases and user stories
4.9.201810
Dangerous or
permissive
features
• Viewing all users
• Uploading files
• Viewing health
records
Admin interfaces
• Modifying users
• Deleting all files
• Starting and
stopping services
Dangerous
combinations of
user roles
• Can both request
and approve
Who can
access?
Access control
bypass?
Need for multi-
factor
authentication?
Traceability?
11. ”People are not, as is often
claimed, the weakest link
or beyond help.
The weakest link is almost
always a vulnerability in
Internet-facing code.”
Adam Shostack
Threat Modeling – Designing for Security
12. STRIDE model for architecture and data flow
analysis
(S)
Spoofing
(T)
Tampering
(R)
Repudiation
(I) Information
Disclosure
(D) Denial
of Service
(E) Elevation
of Privilege
Database
Web
server
Browser
Mobile
app
DB
management
Log
management
18. Company C
An imaginary document handling cloud
Company A wants to ensure their documents are secure
Acme.io
cloud
service
Acme.io
corporate
network
Remote storage of
documents
• Separate database for
each customer company
• Documents stored on
disk
• Redundancy
configuration for
availability
Company A
network
Databases
Application
servers
Company B
network
Also use the service
Handles insurance
related documents
of multiple clients
(both businesses
and private
persons)
19. Let’s practice threat modeling together!
Go to www.menti.com
Insert the PIN
Tell your opinion by answering the questions
20. Company C
An imaginary document handling cloud
Company A wants to ensure their documents are secure
Acme.io
cloud
service
Acme.io
corporate
network
Remote storage of
documents
• Separate database for
each customer company
• Documents stored on
disk
• Redundancy
configuration for
availability
Company A
network
Databases
Application
servers
Company B
network
Also use the service
Handles insurance
related documents
of multiple clients
(both businesses
and private
persons)
21. What threats can you find from customer access?
• Alice has administrator role and
manages user accounts within
Company A
• Beverly has handler role with access
to business insurance contracts
(visible to all). Beverly regularly works
remotely using a VPN.
• Charlotte has handler role with access
to handles insurance documents and
also health related data (visible only
to a limited group)
• Authentication with username and
password
Company
A network
Beverly
Charlotte
Alice
Handles
insurance related
documents of
multiple clients
(both businesses
and private
persons)
22. What threats can you find from development and
operations?
• Drew is a new
developer and is not
familiar with all
procedures yet
• Olive has been in the
operations for ages
and does not like
the job
• SSH remote access
to Acme.io cloud
Acme.io
cloud
service
Acme.io
corporate
network
Test
environment
Production
environment
DevOps
department
Drew
Olive
23. Company C
An imaginary document handling cloud
Company A wants to make sure their documents are secure
Acme.io
cloud
service
Acme.io
corporate
network
Remote storage of
documents
• Separate
database for
each customer
company
• Documents
stored on disk
• Redundancy
configuration for
availability
Company A
network
Databases
Application
servers
Company B
network
Also use the cloud service
Handles insurance
related documents
of multiple clients
(both businesses
and private
persons)
25. LINDDUN model for privacy threats
(L)
Linkability
(I)
Identifiability
(N)
Non-
repudiation
(D)
Detectability
(D)
Disclosure of
information
(U)
Content
Unawareness
(N)
Policy and consent
Noncompliance
Note!
STRIDE has
Repudiation!
Same with
STRIDE!
GDPR,
anyone?
https://linddun.org/
26. Linkability and Identifiability
How To Break Anonymity of the Netflix Prize Dataset
(Arvind Narayanan, Vitaly Shmatikov, 2006-2007, https://arxiv.org/abs/cs/0610105)
CustID, Date, Rating, Movie
12345, 5/13, 5,
The Return of the Jedi
12345, 5/22, 4,
The Empire Strikes Back
12345, 6/01, 1,
The Phantom Menace
Name, Date, Rating, Movie, Comments
Anne O., 5/13, 5,
The Return of the Jedi, “Excellent!”
Anne O., 5/22, 4,
The Empire Strikes Back, “Wow”
Anne O., 6/01, 1,
The Phantom Menace, “I want to cry”
27. Non-repudiation
Usually a security
requirement
• Cannot deny doing something
Traceability
• Tracking changes
• Who has accessed information
Repudiation
Non-repudiation vs. Repudiation
Privacy perspective
• Off-the-record conversations
• Anonymous online voting
29. Unawareness &
Consent and policy non-compliance
Ask for
consent
Tell how and
why you
process data
Explain
consequences
Help making
privacy-aware
decisions
30.
31. How to know if you’ve found all threats?
Spoofing Tampering Repudiation
Information
Disclosure
Denial of
Service
Elevation of
Privilege
Have you found
all types of
threats?
Why not?
32. How to know if you’ve found all threats?
9.11.2017
Database
Web
server
Browser
Mobile
app
DB
management
Log
management
Have you found
threats for each
element?
Why not?
33. Are you done threat modeling?
Is there a
missing
attack
scenario?
Have you
found a
mitigation
for all
threats?