Developing a Threat Modeling Mindset

Developing a
Threat Modeling Mindset
Robert Hurlbut
RobertHurlbut.com • @RobertHurlbut

Robert Hurlbut
Software Security Consultant, Architect, and
Trainer
Owner / President of Robert Hurlbut Consulting Services
Microsoft MVP – Developer Security 2005-2010, 2015-2018
(ISC)2 CSSLP 2014-2017
Co-host Application Security Podcast (@appsecpodcast)
Contacts
Web Site: https://roberthurlbut.com
Twitter: @RobertHurlbut
LinkedIn: RobertHurlbut
© 2017 Robert Hurlbut Consulting Services

Security mindset
Bruce Schneier - what it is (2008):
“Security requires a particular
mindset. Security professionals –
at least the good ones – see the
world differently.”*
(* See:
https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html)

Security mindset
Schneier - on teaching others (2012):
“Teach yourself and your students
to cheat. We’ve always been
taught to color inside the lines,
stick to the rules, and never, ever,
cheat. In seeking cyber security, we
must drop that mindset.”*
(* Quoted from a paper by Gregory Conti and James Caroland. See:
https://www.schneier.com/blog/archives/2012/06/teaching_the_se.html and
http://www.rumint.org/gregconti/publications/KobayashiMaru_PrePub.pdf)

OK, got it – we need a security
mindset …
And, we need to teach others “to
think outside of the box” … but how?
To me, this is where threat modeling
comes in …

What is threat modeling?
Something we all do in our personal
lives …
... when we lock our doors to our
house
... when we lock the windows
... when we lock the doors to our car

When we think ahead of what could
go wrong, weigh the risks, and act
accordingly we are “threat
modeling”

Historically, threat modeling came
from military usage:
Who is the enemy?
What are their motives?
What are their methods?
Let’s plan our strategy / defense

A threat modeling mindset?
“By understanding the historical
usage of threat modeling, security
professionals at large can evolve a
mindset built around strategy
rather than segregated and
disorganized knee-jerk
responses.”*
(* Risk Centric Threat Modeling: Process for Attack Simulation and Threat
Analysis by Tony UcedaValez and Marco M. Morana)

A threat modeling mindset is …
Strategy/Proactive vs Reactive
“thinking outside of the box”

Where does threat modeling fit?
One of the security tools – but
different
We know about penetration testing,
fuzzing, analysis / code reviews,
detection (lots of automated tools)
Threat modeling is a process – a
“way of thinking“ (not automated)

Threat modeling is:
Process of understanding your
system and potential threats
against your system

Threat model includes:
understanding of system,
identified threat(s),
proposed mitigation(s),
priorities by risk

Definitions
Asset
Something of value to valid
users and adversaries alike

Definitions
Threat Agent
Someone (or a process) who
could do harm to a system (also
adversary or attacker)

Definitions
Threat
Anything that will exploit a
vulnerability, intentionally or
accidentally, and obtain,
damage, or destroy an asset

Definitions
Vulnerability
A flaw in the system that could
help a threat agent realize a
threat

Definitions
Threat <> Vulnerability
If a vulnerability is not present,
neither is the threat
but …
when the vulnerability is present,
threat can be realized.

Definitions
Risk
The potential for loss, damage,
or destruction of an asset as a
result of a threat exploiting a
vulnerability

Definitions
Attack
When a motivated and
sufficiently skilled threat agent
takes advantage of a
vulnerability

Threat Modeling Vocabulary*
* https://www.cigital.com/blog/threat-modeling-vocabulary/ (John Steven,
Cigital)

When?
Make threat modeling first priority:
In SDLC – Requirements and
Design phase
Threat modeling uncovers new
requirements
Agile Sprint Planning
Teach your developers to threat model

When?
What if we didn’t?
It’s not too late to start threat
modeling (generally)
It will be more difficult to
change major design decisions
Do it anyway!

Typical Threat Modeling Session
Gather documentation
Gather your team:
Developers, QA, Architects, Project Managers, Business
Stakeholders (not one person’s job!)
Understand business goals and technical goals
(threat modeling must support goals, not other way around)
Agree on meeting date(s) and time(s)
Plan on 1-2 hour focused sessions at a time
Important: Be honest, leave ego at the door, no
blaming!

Simple Tools
Whiteboard
Visio (or equivalent) for diagraming
Word (or equivalent) or Excel (or
equivalent) for documenting

Threat Model Sample Worksheet

Other Tools
Microsoft Threat Modeling Tool 2016
(also, 2017 preview available)
ThreatModeler – Web Based (in-house)
Tool
ThreadFix
IriusRisk Software Risk Manager
OWASP Threat Dragon (new in 2017)

Review Security Principles*
1. Secure the weakest link
2. Defend in depth
3. Fail securely
4. Grant least privilege
5. Separate privileges
6. Economize mechanisms
(* Securing Software Design is Hard, blog post by Gary McGraw, January, 2013)

Review Security Principles*
7. Do not share mechanisms
8. Be reluctant to trust
9. Assume your secrets are not safe
10. Mediate completely
11. Make security usable
12. Promote privacy
13. Use your resources
(* Securing Software Design is Hard, blog post by Gary McGraw, January, 2013)

IEEE Computer Society’s Center
for Secure Design
Take a look at:
http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf

Threat Modeling Process
1. Draw your picture – understand
the system and the data flows
2. Identify threats through answers
to questions
3. Determine mitigations and risks
4. Follow through

Draw your picture

Understand the system
DFD – Data Flow Diagrams (MS SDL)
External
Entity
Process Multi-Process
Data Store Dataflow Trust
Boundary

Understand the System
Server
Users Admin
Request
Response
Admin
Settings
Logging
Data
(Trust boundary)
Understand logical and component
architecture of system
Understand every communication flow and
valuable data moved and stored

User
Admin
Authn
Service
Audit
Service
Web
App
Mnmgt
ToolCredentials
Data Files
Audit DataRequest
Set/Get
Creds
Requested
File(s)
Audit
Requests
Audit
Info
Audit
Read
Audit
Write
Get
Creds
1
2
3
4
5
6
7
8
9
(Trust boundary)
(TrustBoundary)

User
Admin
Authn
Service
Audit
Service
Web
App
Mnmgt
ToolCredentials
Data Files
Audit DataRequest
Set/Get
Creds
Requested
File(s)
Audit
Requests
Audit
Info
Audit
Read
Audit
Write
Get
Creds
1
2
3
4
5
6
7
8
9
(Trust boundary)
External Entities:
Users, Admin
Processes:
Web App, Authn Svc,
Audit Svc, Mnmgt Tool
Data Store(s):
Data Files, Credentials
Data Flows:
Users <-> Web App
Admin <-> Audit Svc
(TrustBoundary)

Your threat model now consists of
…
1. Diagram / understanding of your
system and the data flows

Identify threats
Most important part of threat
modeling (and most difficult)
Many ways – determine what
works best for your team
© 2017 Robert Hurlbut Consulting Services 39

Identify threats
Attack Trees
Bruce Schneier - Slide deck
Threat Libraries
CAPEC, OWASP Top 10, SANS Top 25
Checklists
OWASP ASVS, OWASP Proactive Controls
Use Cases / Misuse Cases

Identity threats - Games
OWASP Cornucopia
Suits:
Data validation and encoding
Authentication
Session Management
Authorization
Cryptography
Cornucopia
13 cards per suit, 2 Jokers
Play a round, highest value wins
41

STRIDE Framework – Data Flow
Threat Property we want
Spoofing Authentication
Tampering Integrity
Repudiation Non-repudiation
Information
Disclosure
Confidentiality
Denial of Service Availability
Elevation of Privilege Authorization

Identity threats - Games
Elevation of Privilege (EoP)
The EoP game focuses on the
following threats (STRIDE):
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
43

Identify threats
P.A.S.T.A. – Process for Attack
Simulation and Threat Analysis
(combining STRIDE + Attacks + Risk
Analysis)

Identify Threats – Functional
Input and data validation
Authentication
Authorization
Configuration management
Sensitive data

Identify Threats – Functional
Session management
Cryptography
Parameter manipulation
Exception management
Auditing and logging

Identity Threats - Ask Questions
Who would be interested in the
application and its data (threat agents)?
What are the goals (assets)?
What are attack methods for the
system we are building?
Are there any attack surfaces exposed -
data flows (input/output) we are
missing?

Identity Threats – Ask Questions
How is authentication handled
between callers and services?
What about authorization?
Are we sending data in the open?
Are we using cryptography properly?
Is there logging? What is stored?
Etc.

One of the best questions …
Is there anything
keeping you up at
night worrying
about this system?

Identify Threats – Example
Confused Deputy Problem
Implied trust transferred to
other services (usually seen
with RBAC, CSRF, Clickjacking,
etc.)
Action + Permission
Solve by capabilities (or claims)

Scenario – Configuration Management
User
Admin
Authn
Service
Audit
Service
Web
App
Mnmgt
ToolCredentials
Data Files
Audit DataRequest
Set/Get
Creds
Requested
File(s)
Audit
Requests
Audit
Info
Audit
Read
Audit
Write
Get
Creds
1
2
3
4
5
6
7
8
9
(Trust boundary)
(TrustBoundary)

Web
App
Data Files
Requested
File(s)
(Trust boundary)
Data Files such as
configuration files

System: Web application uses configuration files
Security principles:
Be reluctant to trust, Assume secrets not safe
Questions:
How does the app use the configuration files?
What validation is applied? Implied trust?
Possible controls/mitigation:
Set permissions on configuration files.
Validate all data input from files. Use fuzz testing
to insure input validation.

…
2. Identify threats through answers to
questions

Determine mitigations and risks
Mitigation Options:
Leave as-is
Remove from product
Remedy with technology countermeasure
Warn user
What is the risk associated with the
vulnerability and threat identified?

Determine mitigations and risks
Risk Management
FAIR (Factor Analysis of Information
Risk) – Jack Freund, Jack Jones
CVSS v3 (Common Vulnerability
Scoring System)
Risk Rating (High, Medium, Low)

Risk Rating
Overall risk of the threat expressed
in High, Medium, or Low.
Risk is product of two factors:
Ease of exploitation
Business impact

Risk Rating – Ease of Exploitation
Risk Rating Description
High • Tools and exploits are readily available on the Internet or other
locations
• Exploitation requires no specialized knowledge of the system and little
or no programming skills
• Anonymous users can exploit the issue
Medium • Tools and exploits are available but need to be modified to work
successfully
• Exploitation requires basic knowledge of the system and may require
some programming skills
• User-level access may be a pre-condition
Low • Working tools or exploits are not readily available
• Exploitation requires in-depth knowledge of the system and/or may
require strong programming skills
• User-level (or perhaps higher privilege) access may be one of a number
of pre-conditions

Risk Rating – Business Impact
Risk Rating Description
High • Administrator-level access (for arbitrary code execution through
privilege escalation for instance) or disclosure of sensitive
information
• Depending on the criticality of the system, some denial-of-service
issues are considered high impact
• All or significant number of users affected
• Impact to brand or reputation
Medium • User-level access with no disclosure of sensitive information
• Depending on the criticality of the system, some denial-of-service
issues are considered medium impact
Low • Disclosure of non-sensitive information, such as configuration
details that may assist an attacker
• Failure to adhere to recommended best practices (which does not
result in an immediately visible exploit) also falls into this bracket
• Low number of user affected

Example – Medium Risk Threat
ID - Risk RT-3
Threat Lack of CSRF protection allows attackers to
submit commands on behalf of users
Description/Impact Client applications could be subject to a CSRF
attack where the attacker embeds commands
in the client applications and uses it to submit
commands to the server on behalf of the users
Countermeasures Per transaction codes (nonce), thresholds,
event visibility
Components
Affected
CO-3

System: Web application uses configuration files
Security principles:
Be reluctant to trust, Assume secrets not safe
Questions:
How does the app use the configuration files?
What validation is applied? Implied trust?
Possible controls/mitigation:
Set permissions on configuration files.
Validate all data input from files. Use fuzz testing
to insure input validation.
Risk Rating:
We own the box (Medium/Low), Hosted on cloud (High)

…
questions
3. Mitigations and risks identified to
deal with the threats

Follow through
Document what you found and decisions
you make
File bugs or new requirements
Verify bugs fixed and new requirements
implemented
Did we miss anything? Review again
Anything new? Review again

…
questions
3. Mitigations and risks identified to
deal with the threats
4. Follow through
A living threat model!

Your challenge
Pursue a threat modeling mindset –
secure design before new
features,
let threat modeling drive your
testing and other review
activities
understand bigger picture

Resources - Books
Threat Modeling: Designing for Security
Adam Shostack
Securing Systems: Applied Architecture and Threat
Models
Brook S.E. Schoenfield
Risk Centric Threat Modeling: Process for Attack
Simulation and Threat Analysis
Marco Morana and Tony UcedaVelez
Measuring and Managing Information Risk: A FAIR
Approach
Jack Jones and Jack Freund

Resources - Tools
Microsoft Threat Modeling Tool 2016
http://www.microsoft.com/en-us/download/details.aspx?id=49168
https://blogs.msdn.microsoft.com/secdevblog/2017/04/21/whats-new-with-microsoft-
threat-modeling-tool-preview/ (2017 Preview)
ThreatModeler – Web Based (in-house) Tool
http://myappsecurity.com
ThreadFix
http://www.denimgroup.com/blog/denim_group/2016/03/threadfix-in-action-tracking-
threats-and-threat-models.html
IriusRisk Software Risk Manager
https://iriusrisk.continuumsecurity.net
OWASP Threat Dragon
https://www.owasp.org/index.php/OWASP_Threat_Dragon

Resources - Tools
Attack Trees – Bruce Schneier on Security
https://www.schneier.com/attacktrees.pdf
Elevation of Privilege (EoP) Game
http://www.microsoft.com/en-us/download/details.aspx?id=20303
OWASP Cornucopia
https://www.owasp.org/index.php/OWASP_Cornucopia
OWASP Application Security Verification
Standard (ASVS)
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Pr
oject
OWASP Proactive Controls 2016
https://www.owasp.org/index.php/OWASP_Proactive_Controls

Questions?
Slides available here:
https://roberthurlbut.com/r/BSC2017TM
Contacts
Web Site:
https://roberthurlbut.com
Twitter: @RobertHurlbut
LinkedIn: RobertHurlbut

Developing a Threat Modeling Mindset

More Related Content

What's hot

Similar to Developing a Threat Modeling Mindset

Recently uploaded

Developing a Threat Modeling Mindset