CST8804 Lab 1

Attack surface analysis, and threat modeling

Aleksandra Vidojevic, M.Sc.

Cisco Certified CCNA Enterprise, CCNP Enterprise, Cisco Certified Security Specialist –
Core
Check Point certified CCSE, CCSA and CCSM
Winter-2023

1
 CST8804 Lab 1: Intro
Task:
Analyse attack surface, model threats and propose threat mitigation action plan for the given scenario

Purpose:
• Auditing systems and assets to understand the given attack surface
• Modeling threats for the given scope
• Having an action plan for the recognized threats

Data Visualisation:
Use simple diagrams (Visio), tables/matrix( Excel/Word) to document the system architecture, including
subsystems, trust boundaries and data flows.

Reporting:
Compile models and gathered information into comprehensive security report.

2
 Terms used in the Lab : Asset, Threats, and Vulnerabilities
An asset is any item of economic value owned by an individual or corporation:
• Physical assets - e.g. routers, servers, hard drives, and workstations or,
• Virtual assets – e.g. data, formulas, databases, spreadsheets, trade secrets, and processing time.

If the asset is lost, damaged, or compromised, there can be an economic cost to the
organization.
A threat is any potential danger to an asset:
• Latent threat: has not yet been exploited, publicly known or realized;
• Realized threat: the asset’s security is compromised;
A vulnerability is a weakness in the system design, implementation, software, or
code or the lack of a mechanism.
The correct implementation of safeguards and security countermeasures could
3 mitigate a vulnerability and reduce the risk of exploitation.
 Attack Surface - Definition

The set of points on the boundary of a

system, a system component, or an
environment where an attacker can try
to enter, cause an effect on, or extract
data from, that system, component, or
environment.

Source(s):
NIST SP 800-53 Rev. 5

4
 Attack surface vs. Trust Boundaries
Attack surface (Fortinet, CompTIA) and Trust Boundaries (Microsoft) are closely
related concepts.
In this course terms are used interchangeably.
An attack surface is a set of trust boundary and a direction from which attackers
could launch an attack.
• A system that exposes lots of interconnections/interfaces presents a larger
attack surface than one that presents few APIs or other interfaces.
• Setting security appliances and devices at trust boundary is useful as they
reduce the attack surface.

5
 CST8804 Lab 1 Scope
CST8804 Lab 1 is focused on enterprise architecture and security appliances.
Therefore, it is important to understand what information we need to improve
understanding of attack surface and potential threats.
Device Decision making proces OSI level Context-aware Example

Packet-filter firewall Routing based No security consideration Standarde/Extended ACL Network (L3/L4) Statless Router/MLS

same-security-traffic permit inter-interface

Traditional firewall Routing based No security consideration* 5-Tuple Network (L3/L4) Statefull same-security-traffic permit intra-interface

Network L2-L7 Cisco ASA* and Firepower, Palo Alto NGFW,

NGFW/Zone-based firewall Security policy/Routing Security zones included in decision Widening 5-Tuple* Statefull Checkpoint, Fortinet

L7 for for certain

application layer
ALG Aplication-level gateway (application "control/data" protocols
layer gateway/ application gateway/application such as FTP, BitTorrent, The Application Layer Gateway service in Microsoft
proxy/Application-level proxy) Routing based and Security zones included in decision TFTP/FTP/SIP/H323/IRC/PPTP/L2TP SIP, RTSP, Statefull Windows, The Linux kernel's Netfilter framework

L7 only for web Checkpoint, Azure WAF, AWS AWF, Imperva,

Web Application Firewall Routing based Security zones included in decision HTTP/HTTPS applications Statefull FortiWeb, NGINX

IDS/IPS Routing based Signature or Anomaly based L3* Cisco Firewall, Security Onion, Bro, SNORT

SIEM solution Splunk, SolarWinds, Security Onion

6
 Attack Surface Analysis: Step
by Step
Roadmap: Values:
To reduce your attack ✓ Identify • Do it once, do it correctly
surface and hacking risk, threats/vulnerabilities.
it is important to • Follow the best industry
understand network's ✓ Pinpoint user types. standards and practices
security environment. An • Perform a risk • Think security
attack surface analysis assessment – too
• Asses risks
helps identify immediate math intensive
risks and potential future • Be prepared
• Secure your reporting
risks. • Be resilient in the face
– security based on BS
of adversity

7
 Addressing the Attack Surface
Attack surfaces are massive — and significantly different than they were in the past as
they are growing more complex and more decentralized.
The less awareness an organization has of their attack surface, the slower their response
may be to attacks when they happen.

Best Practices
✓ Auditing systems and assets to understand what is the attack surface
✓ Shrinking your attack surface and reducing complexity – not applicable for
the given scenario
• Compiling the right security-minded team – out of scope
✓ Modeling threats
✓ Having a response plan
8
 Threat modeling: The four-step framework
(Shostack)
To get started threat modeling, and does so by focusing on four
questions:
• What are you building?
• What can go wrong?
• What should you do about those things that can go wrong?
• Did you do a decent job of analysis?

9
Threat modeling: What are you building?
For example, you might choose to model:
• Operational technology
• Mobile apps
• Internet of Things (IoT)
• Software or applications
✓ Enterprise architecture
Lab 1 is focused on enterprise architecture. The diagram of the existing Entreprise
Architecture is provided in lab. However it is important to create diagrams, data- and
process-flow diagrams that help you share gathered information with inserted parties (
stakeholders, security team members, internal and external auditors etc.)

10
Traffic filtering matrix
Source Server
Internet DMZ Data VLAN WS VLAN
Destin. VLAN

Internet NA Yes Yes Yes Yes

DMZ Yes NA No No No

Data VLAN Yes No NA No No

Server VLAN Yes No No NA No

WS VLAN Yes No No No NA

11
 1. Import provided diagram to Visio:
Copy picture -> Open new document -> Paste as bitmap
2. Add boundaries to show who is able to control/access what. Those boundaries are attack surface/trust
boundaries and are based on device configuration.
Change pointer to “Pen” -> Draw rectangles to separate trust boundaries -> Go to “Line” select red colour.
Numerate boundaries. Save updated diagram.
3. Create data-flow diagrams flows passing trust boundaries for given model using Source/Destination/Application
scheme. If there is no a security mechanism in place to limit access use “any”. The flows can be noted in form of a
matrix or as statements.

Depending on your decision, paste the flows in Visio as a Microsoft Excel Binary Worksheet or text box.
Per provided information in lab anyone can access servers in DMZ on ports 80, 443, 8443 the flow can be noted:
Any -> DMZ 80, 443, 8443 or

Sorce Destination Application

Any DMZ HTTP/HTTPS/Apache SSL text service

12
 Threat modeling: Information Gathering
To create a threat model an IT analyst must have unrestricted access to data from multiple sources:
• Alert data
• Detection system logs,
• Reported exploitations,
• Logs,
• Internal policies and procedures,
• The best cases and practices,
• System version as well as configuration information, and more
However, sometimes all the required information is not available.
The lack of those information or the mechanism to collect it should be noted. Adding
subsystems/solutions to address the above is part of proposed action plan.

13
 Threat modeling: What can go wrong?
Threats that can cross trust boundaries are likely important ones. Some considerations
include:
• Who’s the intended user?
• What’s the intended use?
• Can an unintended user get access to it?
• Can someone use it in an unintended way?
• Is avaibility of the system in line with advertised SLA?
• Are logs secure?
• Do we have compliance obligations?
The question “what can go wrong” helps you figure out the threats.
14
 Threat modeling: Security Data
Lab 1 requires applying 1:1 mapping between assets and threats. Two virtual assets,
'security data' and 'user data' are part of the asset/threat table requiring further
explanation.
Five types of security data:
• Alert Data
• Statistical data
• Session Data
• Statistical Data
• Full Packet Capture
You are free to select any one of them.

15
 Threat modeling: User data
The scenario is threat modeling for an accounting firm (think Turbo Tax). It is
expected that user data will include one or more Personally identifiable information
(PII) such as :
1. Name: An individual’s full name, maiden name, alias, or mother’s maiden name

2. ID number: Social Security, passport, driver’s license, tax ID or credit card number

3. Address: Email or physical mailing address

4. Characteristics: Photographs, fingerprints, signature or handwriting, and other biometric data such as voice signature or facial
geometry

5. Linkable data: Other indirect data that links a person to one of the above categories, like employment information, medical
history, date of birth or financial information.

In Canada, The Personal Information Protection and Electronic Documents Act

regulates the use of personal information for commercial use. This is defined as
information that on its own or combined with other data, can identify you as an
individual.

16
 Threat modeling: What are we going to do?
Some types of actions include:
✓ Mitigating threats: Make it harder for someone to take advantage of a threat.
• Eliminating threats: Remove the feature or interface that creates the threat.
• Transferring threats: Have someone else be responsible, like having a customer
change default settings.
• Accepting threats: Recognize that the time and effort to mitigate or eliminate the
threat undermines the purpose of the project.
Threat mitigation strategies are aligned to risk management strategies, but they are
subtly different.
Risk management focuses on the likelihood and impact of threats.

17
 Threat modeling: Checking your work to make
sure it’s as complete as possible.
Completeness criteria

• Check the model: make sure it matches what you built, starting with the
diagram.

• Check each threat: review that you found all the possible threats and did the
right thing with them.

• Develop tests: ensure you have a good test to detect the problem, one that is
in line with other software tests and the risks that failures expose.

18
 CST8804 Lab 1: Grade Calculation
Maximum number of points: 100
Weight: 2,5%

Task 1: Max 25 points

Task 1.1: 0 - 15 points
Task 1.2: 0 - 5 points
Task 1.3: 0 - 15 points
Task 2: 0 - 25 points
Task 3: 0 - 25 points
Task 4: 0 - 15 points
19
 Questions?

20