Know your enemy and know yourself and you can fight a hundred battles without disaster.
Sun Tzu

© 2012 Security Compass inc.

Class Objectives

Threat Model Express

Create quick, informal threat models

Introductions
Rohit Sethi:
• 8 years in application security
• Source code reviews, pen testing, threat modeling
• Former SANS instructor, media appearances, article contributions
• Heading SD Elements operations
• Security Compass

Threat Model Express (TME)

Time-boxed, informal review – relies on subject matter expertise for determining threats.

TME Philosophy

Some threat modeling is better than no threat modeling.

Threat Model Express Steps

The five steps:
1. Determine Goals & Scope
2. Gather Information
3. Enumerate Threats
4. Determine Risk
5. Determine Countermeasures

During facilitated meeting

Goals

Incorporate security into design

Guide pen-test / code review

What’s in Scope?

• Custom code & libraries
• Network devices & protocols
• Interconnected applications
• Server software & operating systems

Information to Gather
• What risks matter to the organization
• Application’s purpose
• Use cases
• Architecture & design
• Existing security features

Set Up a Meeting
• 4 hours if possible, 1 hour at least
• Attendees:
– Architect / Developer (mandatory)
– Security (mandatory)
– Business (important)
– Compliance (optional)
• Bring:
– Risk chart
– Diagrams, if available

Determine Attacker Motivations

Risks you care about

Motivated attackers

Threats to focus on

Example Attacker Motivations
(Sample prioritization, yours will be different)
• Cause harm to human safety
• Financial gain
• Steal personal records
• Gain a competitive advantage
• Attack organizational stakeholders
• Diminish ability to make decisions
• Disrupt operations

Case Study – Attacker Motivations
Financial gain

Send political statement

Steal personal records

Disrupt operations

Enumerate Threats
• For each use case (prioritize use cases if you have too many):
– What could attackers with different motivations do in each use case?
– Focus on the higher-level risk, not technology (e.g. “steal credit card numbers” rather than “use SQL injection”)
– This is brainstorming: don’t shoot ideas down, but do set explicit time limits (e.g. 10 minutes per use case)
– Prioritize by importance – should be driven by business if possible

• Remember: new techniques will emerge tomorrow, so it’s valuable to maintain and update the list of use case-specific threats

Enumerate Threats
• Next, determine what technical attacks could enable these threats
– Application security SME is critical here
– Now is time to talk about SQL injection, XSS, parameter manipulation, etc.

Case Study: Process Threats
• Use Case: User signs up for new credit card
• Sample of threats:
– User gains access to all credit card applications
– User fraudulently signs up for credit card on behalf of other users
– User can view application process of other users
– Users can modify application data of other users

Case Study: Technical Enablers
• Threats:
– User gains access to all credit card applications
– User fraudulently signs up for credit card on behalf of other users
– User can view application process of other users
– Users can modify application data of other users
• Sample of technical enablers:
– Privilege escalation
– Parameter manipulation
– SQL injection
– XSS
– CSRF

Rank Risk as a Group
T1: SQL Injection
T2: HTTP Response Splitting

[Risk chart with T1 and T2 plotted]

Sample Case Study Risk Ranking
T1: SQL injection
T2: Privilege escalation
T3: XSS
T4: Parameter Manipulation
T5: CSRF

[Risk chart with T1–T5 plotted]

Sample Countermeasures
• T1: SQL injection – Parameterized queries
• T2: Privilege escalation – Server-side authz’n
• T3: XSS – HTML encoding AND input validation
• T4: Parameter Manipulation – Server-side state
• T5: CSRF – Anti-CSRF tokens
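
How the T1, T2 and T4 countermeasures look for the case study's application lookup, as an added example that is not from the original slides. The table layout, function names, session dictionary and sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory store with constructed sample credit card applications."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (id INTEGER PRIMARY KEY, owner TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO applications VALUES (?, ?, ?)",
        [(1, "alice", "pending"), (2, "bob", "approved")])
    return conn

def get_application_weak(conn, request_params):
    """'Before' design: SQL built by concatenation, owner trusted from the request."""
    sql = ("SELECT id, owner, status FROM applications WHERE owner = '"
           + request_params["owner"] + "' AND id = " + request_params["id"])
    return conn.execute(sql).fetchall()

def get_application(conn, session, request_params):
    """Hardened design.

    T1: values are bound as parameters, never spliced into the SQL text.
    T2: ownership is enforced in the query, on the server.
    T4: the owner comes from server-side session state, so an 'owner'
        field sent by the client is ignored.
    """
    try:
        app_id = int(request_params["id"])  # reject anything that is not an integer id
    except (KeyError, TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, status FROM applications WHERE id = ? AND owner = ?",
        (app_id, session["user"])).fetchone()

if __name__ == "__main__":
    conn = make_db()
    alice = {"user": "alice"}  # constructed server-side session
    # Weak design: a tampered 'owner' or 'id' exposes other users' applications.
    print(get_application_weak(conn, {"owner": "bob", "id": "2"}))
    print(get_application_weak(conn, {"owner": "alice", "id": "1 OR 1=1"}))
    # Hardened design: the same inputs return only Alice's own record or nothing.
    print(get_application(conn, alice, {"id": "1"}))
    print(get_application(conn, alice, {"id": "2", "owner": "bob"}))
    print(get_application(conn, alice, {"id": "1 OR 1=1"}))
```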

Next Steps
Threat model goal

Secure design

Guide assessment

Recall the first step was to determine a goal.
• Secure design – improve design to add security features
• Guide assessment – home in on attacks for code review or a penetration test

Tradeoffs
• Sacrificing both breadth & depth for the sake of speed
– This is dangerous for applications with complex security requirements – particularly those written in unmanaged languages

• Dependence on having an application security SME available
– If app security is important to you, get one!

• Reliance on imperfect information means imperfect results
