Practical Risk Analysis and Threat Modeling

This spreadsheet is intended to help consolidate your notes when performing an informal risk analysis and remediation project. It goes with an explanatory article found here: http://blogs.sans.org/windows-security/

Step 1: Make A List of What You Are Trying To Protect For This Project
Step 2: Draw A Diagram and Add Notes
Step 3: Make A List of Your Adversaries and What They Want
Step 4: Brainstorm Threats From These Adversaries
Step 5: Estimate Probability and Potential Damage
Step 6: Brainstorm Countermeasures and Their Issues
Step 7: Plan, Test, Pilot, Monitor, Troubleshoot, and Repeat

Types of Threats

Denial of Service: How can I crash the server? Run the CPUs near 100%? Consume all the free hard drive space? Consume free memory? Prevent legitimate users from connecting, authenticating or using the applications successfully? Prevent administrators from connecting? Prevent backups from running? Confuse the protocol stack? Overwhelm the routers, firewalls, switches or bandwidth? Distract or waste the time of the network administrators? Perform "data diddling" against databases to render their information worthless? Capture, modify and retransmit packets to corrupt data or disrupt network sessions?

Authentication: How can I log on as a legitimate user? Sniff credentials off the wire? Highjack a user's existing session? Trick the server into using a less secure authentication protocol? Trick the server into not requiring credentials at all? Change my apparent source IP or MAC address? Use malware on users' computers to steal credentials?

Elevation of Privilege: If I can authenticate as a regular user, how do I execute commands with elevated privileges? Even if I cannot authenticate, how do I run commands with standard and/or elevated privileges? How do I trick the server into executing commands with no authentication or authorization checks at all, such as with a buffer overflow exploit?

Disclosure: How do I trick the server into revealing the information I want in plaintext form? How do I get the server to reveal the location of the data I want? How do I crack the encryption? Where are the keys stored or how are they generated? How do I make the server store data insecurely? How do I make the server transmit data insecurely, such as disabling SSL or killing the IPSec driver?

Tampering: How do I make and save changes to my target database, file, encryption key, registry value, session, or other data structure? How do I make the change so that it will be accepted as a normal transaction? How can I repeat or replay a transaction or transmission and have it accepted as legitimate?

Malware Installation: How do I get malware of my choice running on the server? How do I upload files or trick the server into downloading files of my choice? How do I construct a script or binary on the target server? How do I subvert a script or binary which is already on the target?

Stealth and Repudiation: How do I edit or delete log data after my attack? How can I hide my packets/commands/data from inspection by firewalls, IDS/IPS sensors, or security staff who are sniffing the wire? How can I thwart auditing or forensics of the server afterwards? How do I frame other users for the crime? What do I need to change in order to deny anyone the use of data which could get me prosecuted or fired if I am identified?

Social Engineering: And for all categories of attack, how do I use Social Engineering (SE) tricks to make the attacks work or be even more effective? SE is often both forgotten and the most effective attack method.

Potential Damage

Legal Damage: How bad would the legal liability be if the attack succeeds?
Reputation Damage: How bad would the damage be to image and trust?
Productivity Damage: How bad would the damage be for user productivity?

Probability of Threat

Discoverability: How easy would it be to find the vulnerability or targets?
Exploitability: How easy is the attack in terms of skills and resources needed?
Stealthiness: How difficult would it be for IT to detect the attack?
Repeatability: How easy would it be to successfully repeat the attack after security personnel have learned to detect it?

What Assets, Data and Services Do We Want To Protect?


Briefly describe the assets to protect for the sake of this project (don't list all assets whatsoever).

SAMPLE DATA

Type/Name/Notes

- 4 IIS servers in DMZ.
- 2 SQL Servers in DMZ, credit card data!
- 2 SQL Servers inside the LAN that the 2 in the DMZ replicate with.
- 1 Exchange front-end/edge/smart host in DMZ, keep spam/AV filters updated.
- 1 SharePoint IIS in LAN but exposed to Internet, very confidential docs!
- 1 VMware ESX server in DMZ, hosting the 2 domain controllers for the DMZ forest and the other test VMs for the web developers.
- 2 domain controllers (VMs) for the DMZ forest, one-way cross-forest trust to internal forest, running RADIUS for the wireless APs.
- (How many test VMs do we have on the ESX server? Does anyone know????? Why is it in the DMZ?????)
- 2 RRAS VPN gateways in DMZ.
- 2 ISA firewalls facing the Internet, stand-alones.
- 2 ISA firewalls on the LAN, members of DMZ forest.
- 1 Cisco router between ISP and external ISA boxes (does that router have a UPS?).
- All the switches for the DMZ boxes, especially the 2 which have VLANs for the SQL Servers.
- 17 wireless APs throughout the building, they all go to a switch which goes to the internal LAN-connected ISA firewalls.
- (What else do we have in/around the DMZ? Isn't there a load-balancer with a web interface behind the Cisco router???)

Our Adversaries and Their Objectives, Skills, Resources, and Risk Tolerances

Brainstorm actual or likely adversaries, what they want, and other relevant notes.

SAMPLE DATA

| Type/Name | Notes |
|---|---|
| Random worms. | Not out to get us specifically, but might be using new exploits and carrying destructive payloads. |
| Random hackers looking for anything to break into using new exploits. | Not out to get us specifically, mostly script kiddies. |
| Hackers trying to get the CC numbers from our e-commerce databases. | Bad for us, active profiling and probing, highly skilled, motivated by money, many attempts in the past. |
| Hackers trying to get into the LAN through the VPN just because they can. | Our site specifically targeted, active profiling and probing, low-to-high skills. |
| Hackers doing DoS attacks for extortion or fun. | Our site specifically targeted, probably script kiddies, but possibly business adversaries too. |
| Ex-employees trying to get remote VPN access, get old mail, or cause problems. | Most probably just want their old e-mail, but some might be out for revenge. |
| Current employees trying to get around security, which they find annoying. | Very low skilled, stupid users doing stupid things, almost never truly malicious. |
| Hackers hired to steal a copy of the engineering specs for the new engine. | Very bad for us, highly skilled, paid, motivated, specific target worth $$$$, long-term and stealthy effort from them, suspect it's going on right now. |
| Random viruses on the workstations of the webmasters and admins. | Not targeted for us specifically, just "normal" viruses. |
| Floods, tornadoes, power issues, earthquakes and other natural disasters. | Not targeted for us specifically (probably not). |

Threats, Potential Damage and Probability

SAMPLE DATA

The four "Potential Damage of Threat" columns are Legal, Reputation, Productivity and Other Damage; the four "Probability of Threat" columns are Discoverability, Exploitability, Stealthiness and Repeatability. Sort the sheet on the Total Risk Score column.

| Description of Threat | Total Risk Score (sort on this) | Legal Damage | Reputation Damage | Productivity Damage | Other Damage | Discoverability | Exploitability | Stealthiness | Repeatability |
|---|---|---|---|---|---|---|---|---|---|
| DoS: SYN flooding, Smurf, other low-level attacks. | 39 | 0 | 3 | 3 | 0 | 10 | 10 | 3 | 10 |
| DoS: complex search queries, CPU exhaustion. | 26 | 0 | 3 | 5 | 0 | 5 | 5 | 3 | 5 |
| DoS/Tamper: somehow diddle the data in the SQL Servers. | 37 | 7 | 5 | 9 | 0 | 3 | 3 | 5 | 5 |
| DoS: upload GBs of data to take up all free space. | 35 | 0 | 2 | 5 | 0 | 5 | 10 | 3 | 10 |
| DoS: fail to auth to VPN to lock out user accounts. | 43 | 0 | 0 | 8 | 0 | 10 | 10 | 5 | 10 |
| DoS: fail to auth to wireless to lock out user accounts. | 41 | 0 | 0 | 8 | 0 | 8 | 10 | 5 | 10 |
| Auth: guess username and password to VPN. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: guess username and password to wireless. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: guess username and password to IIS/OWA. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: highjack live web sessions. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: trick VPN/AP into using a less secure auth protocol. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: spoof hacker's source IP/MAC address to bypass firewall. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: sniff credentials in transit over network. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: crack sniffed credential data, like password hashes. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: bypass requirement to authenticate at all on IIS app. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Auth: use malware on users' computers to steal passwords. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Elevation: trick web apps into executing commands. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Elevation: buffer overflow exploits to IIS apps. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Elevation: buffer overflow exploits to RRAS/Exchange. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: cross site scripting (XSS) attacks to IIS apps. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: SQL injection attacks to IIS apps. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: directory browsing and traversal on IIS. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: crack SSL encryption on sniffed HTTPS packets. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: crack IPSec on sniffed VPN packets. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: extract keys from IIS/VPN servers. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: extract credit card data from SQL Servers in DMZ. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: extract password hashes from DCs in DMZ. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Disclosure: extract password hashes from local SAMs. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Tamper: corrupt transaction data in SQL Servers. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Tamper: capture and replay packets for a transaction. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Malware: upload and execute binaries or scripts. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Malware: trick servers into downloading and running EXEs. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Malware: disable anti-virus scanner without detection. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Malware: open listening backdoor port without detection. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Malware: execute existing binaries with arbitrary arguments. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Stealth: edit log data. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Stealth: evade IDS signatures. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| Stealth: modify files without detection. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| SE: trick help desk into changing a password. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| SE: trick admins into installing fake patches/updates. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
| SE: trick admins into changing the firewall rules. | 35 | 5 | 5 | 5 | 0 | 5 | 5 | 5 | 5 |
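The sheet does not state how the Total Risk Score is computed, but every sample row is consistent with the simplest model: the four damage scores and the four probability scores (each 0 to 10) are added together, giving a 0 to 80 scale. The following Python is an added example, not part of the spreadsheet or the SANS article; it assumes that additive model, validates each factor against the 0..10 scale, re-derives the totals from a constructed subset of the sample rows, ranks threats the way the "sort on this" column intends, and flags the failure mode visible in the sample data: a long run of threats scored with identical placeholder values, which a ranking cannot separate. The `Threat` class and the function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

DAMAGE_FIELDS = ("legal", "reputation", "productivity", "other")
PROBABILITY_FIELDS = ("discoverability", "exploitability", "stealthiness", "repeatability")
SCALE_MAX = 10  # assumption: every factor is scored 0..10, as the sample sheet does


@dataclass(frozen=True)
class Threat:
    description: str
    legal: int
    reputation: int
    productivity: int
    other: int
    discoverability: int
    exploitability: int
    stealthiness: int
    repeatability: int

    def __post_init__(self):
        # Reject anything outside the scale so a typo such as 50 cannot dominate the ranking.
        for name in DAMAGE_FIELDS + PROBABILITY_FIELDS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{self.description}: {name}={value!r} is not an int in 0..{SCALE_MAX}")

    @property
    def damage(self) -> int:
        return sum(getattr(self, n) for n in DAMAGE_FIELDS)

    @property
    def probability(self) -> int:
        return sum(getattr(self, n) for n in PROBABILITY_FIELDS)

    @property
    def total(self) -> int:
        # Assumed model: total = damage + probability (matches every row of the sample sheet).
        return self.damage + self.probability


# Constructed subset of the sample data:
# (description, Legal, Reputation, Productivity, Other, Discover, Exploit, Stealth, Repeat, sheet total)
SAMPLE_ROWS = [
    ("DoS: SYN flooding, Smurf, other low-level attacks.", 0, 3, 3, 0, 10, 10, 3, 10, 39),
    ("DoS: complex search queries, CPU exhaustion.", 0, 3, 5, 0, 5, 5, 3, 5, 26),
    ("DoS/Tamper: somehow diddle the data in the SQL Servers.", 7, 5, 9, 0, 3, 3, 5, 5, 37),
    ("DoS: upload GBs of data to take up all free space.", 0, 2, 5, 0, 5, 10, 3, 10, 35),
    ("DoS: fail to auth to VPN to lock out user accounts.", 0, 0, 8, 0, 10, 10, 5, 10, 43),
    ("DoS: fail to auth to wireless to lock out user accounts.", 0, 0, 8, 0, 8, 10, 5, 10, 41),
    ("Auth: guess username and password to VPN.", 5, 5, 5, 0, 5, 5, 5, 5, 35),
    ("Disclosure: SQL injection attacks to IIS apps.", 5, 5, 5, 0, 5, 5, 5, 5, 35),
    ("SE: trick help desk into changing a password.", 5, 5, 5, 0, 5, 5, 5, 5, 35),
]


def load_rows(rows=SAMPLE_ROWS):
    """Build Threat objects and check each computed total against the total the sheet shows."""
    threats = []
    for desc, *scores, sheet_total in rows:
        t = Threat(desc, *scores)
        if t.total != sheet_total:
            raise ValueError(f"{desc}: computed {t.total}, sheet says {sheet_total}")
        threats.append(t)
    return threats


def rank(threats):
    """Highest total first; ties broken by damage so the costlier threat is listed first."""
    return sorted(threats, key=lambda t: (t.total, t.damage), reverse=True)


def undifferentiated(threats):
    """Groups of threats sharing one identical score vector.

    A long run of identical rows (the full sample sheet has 35 rows scored 5/5/5/0 and
    5/5/5/5) means the numbers are still placeholders and the ranking says nothing about them.
    """
    groups = defaultdict(list)
    for t in threats:
        vector = tuple(getattr(t, n) for n in DAMAGE_FIELDS + PROBABILITY_FIELDS)
        groups[vector].append(t.description)
    return [descs for descs in groups.values() if len(descs) > 1]


if __name__ == "__main__":
    ranked = rank(load_rows())
    for t in ranked:
        print(f"{t.total:3d}  damage={t.damage:2d} probability={t.probability:2d}  {t.description}")
    for group in undifferentiated(ranked):
        print(f"\n{len(group)} threats share one score vector and still need real estimates:")
        for d in group:
            print("   ", d)
```

Run as a script it prints the ranked subset (the VPN lockout DoS on top at 43) and then lists the three rows that share the 5/5/5/0, 5/5/5/5 vector. The tie-break on damage is a design choice for this example: when two threats have the same total, the one whose cost of success is higher is the one to remediate first, because probability estimates tend to be the softer of the two numbers.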

Countermeasures

Issues