Know your enemy

and know yourself and you can fight a hundred battles without disaster.
Sun Tzu

2012 Security Compass inc.

Class Objectives

Threat Model Express

Create quick, informal threat models

2012 Security Compass inc.

Introductions
Rohit Sethi: 8 years in application security Source code reviews, pen testing, threat modeling Former SANS instructor, media appearances, article contributions Heading SD Elements operations Security Compass

2012 Security Compass inc.

Threat Model Express (TME)

Time-boxed, informal review relies on subject matter expertise for determining threats.

TME Philosophy

Some threat modeling is better than no threat modeling.

Threat Model Express Steps

The five steps:

Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures

During facilitated meeting

Threat Model Express Steps

Determine Goals & Scope

Gather Information

Enumerate Threats

Determine Risk

Determine Counter measures

Goals

Incorporate security into design

Guide pen-test / code review

Whats in Scope?

Custom code & libraries Network devices & protocols

Interconnected applications Server software & operating systems

Threat Model Express Steps

Determine Goals & Scope

Gather Information

Enumerate Threats

Determine Risk

Determine Counter measures

10

Information to Gather
What risks matter to the organization

Applications purpose
Use cases Architecture & design

2012 Security Compass inc.

11

Section Name
11

Existing security features

Setup a Meeting
4 hours if possible, 1 hour at least Attendees:
Mandatory Architect / Developer Mandatory Security Important Business Optional Compliance

Bring:

Risk chart

Diagrams, if available

12

Threat Model Express Steps

Determine Goals & Scope

Gather Information

Enumerate Threats

Determine Risk

Determine Counter measures

13

Determine Attacker Motivations

Risks you care about

Motivated attackers

Threats to focus on

14

Example Attacker Motivations

Cause harm to human safety

Financial gain

Steal personal records

Gain a competitive advantage

(Sample prioritization, yours will be different)

Attack organizational stakeholders

Diminish ability to make decisions

Disrupt operations

15

Case Study Attacker Motivations

Financial gain

Send political statement

Steal personal records

Disrupt operations

16

Enumerate Threats
For each use case (prioritize use cases if you have too many):
What could attackers with different motivations do in each use case? Focus on the higher level risk, not technology (e.g. steal credit card numbers rather than use SQL injection) This is brain-storming, dont shoot ideas down but do set explicit time limits (e.g. 10 minutes per use case) Prioritize by importance should be driven by business if possible

Remember: new techniques will emerge tomorrow, its valuable to maintain and update the list of use case-specific threats
17

Enumerate Threats
Next, determine what technical attacks could enable these threats
Application security SME is critical here Now is time to talk about SQL injection, XSS, parameter manipulation, etc.

18

Case Study: Process Threats

Use Case: User signs up for new credit card Sample of threats:
User gains access to all credit card applications

User fraudulently signs up for credit card on behalf of other users

User can view application process of other users

Users can modify application data of other users

19

Case Study: Technical Enablers

Sample of technical enablers:
User gains access to all credit card applications

Privilege escalation

Parameter manipulation

User fraudulently signs up for credit card on behalf of other users

SQL injection
User can view application process of other users

XSS

CSRF
Users can modify application data of other users

20

Threat Model Express Steps

Determine Goals & Scope

Gather Information

Enumerate Threats

Determine Risk

Determine Counter measures

21

Rank Risk as a Group

T1

T1: SQL Injection

T2: Http Response Splitting

T2

22

Sample Case Study Risk Ranking

T1: SQL injection T2: Privilege escalation T3: XSS T4: Parameter Manipulation T5: CSRF

T3 T2 T5

T1

T4

23

Threat Model Express Steps

Determine Goals & Scope

Gather Information

Enumerate Threats

Determine Risk

Determine Counter measures

24

Sample Countermeasures
T1: SQL injection T2: Privilege escalation T3: XSS T4: Parameter Manipulation T5: CSRF Parameterized queries Server-side authzn HTML encoding AND input validation Server-side state Anti-CSRF tokens

25

Next Steps
Threat model goal

Secure design

Guide assessment

Recall the first step was to determine a goal. Secure design improve design to add security features Guide assessment hone in on attacks for code review or a penetration test.

26

Tradeoffs
Sacrificing both breadth & depth for the sake of speed
This is dangerous for applications with complex security requirements particular written in unmanaged languages

Dependence on having an application security SME available

If app security is important to you, get one!

Reliance on imperfect information means imperfect results

27