![Page 1: Using Threat Model for Scoping of Penetration Testing](https://reader031.vdocuments.us/reader031/viewer/2022020707/61febce92e062007b20fb02b/html5/thumbnails/1.jpg)
Using Threat Model for Scoping of Penetration Testing
Daniel Kefer
1&1 Internet AG
Page 2
Whoami
VUT Brno – FEKT
AEC, spol. s.r.o. (2005 - 2011)
1&1 Internet AG (2011 -)
Penetration tester since 2007
Security in SDLC since 2008
20 February 2013
Page 3
Agenda
Challenges
Threat model and common techniques
Integration of the threat modelling approach into a pentest project
Page 4
Challenges
Security audit = penetration test?
How much to invest?
Scoping/coverage of a test?
Pentester vs pentester.sh?
Page 5
Challenges
Page 6
Threat Model
Assets, Defenses, Attackers
Page 7
Who Is the Attacker?
Page 8
Who Is the Attacker?
Sandia National Laboratories: Cyber Threat Metrics
Motivation
Resources
Take it as a starting point
Page 9
Who Is the Attacker?

| Group | Intensity | Stealth | Time | Personnel | Cyber-knowledge | System-knowledge | Access | Total |
|---|---|---|---|---|---|---|---|---|
| Admin | 2 | 3 | 2 | 1 | 3 | 2 | 3 | 16 |
| RoleA | 1 | 2 | 1 | 2 | 2 | 3 | 2 | 13 |
| RoleB | 1 | 3 | 1 | 2 | 1 | 2 | 2 | 12 |
| Employee | 1 | 2 | 1 | 3 | 1 | 1 | 1 | 10 |
| Former employee | 1 | 1 | 3 | 1 | 1 | 2 | 0 | 9 |
Page 10
Attack Trees
Bruce Schneier: Modelling security threats (1999)
Page 11
Attack Trees
Definition of targets:
Worst-case scenarios for particular assets
Examine functional requirements for underlying risks
Negation of use cases
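Added example (not from the slides, and not the speaker's own tooling): a minimal attack-tree evaluator in Python, using the AND/OR node structure from Schneier's paper, built around the "negation of a use case" target the slide names. The tree, its step names and the relative effort values are constructed for illustration; the point it shows is how the tree yields a prioritized list of testing scenarios for the pentest assignment, and how that list changes once a mitigation blocks a leaf.

```python
import itertools
from dataclasses import dataclass, field
from typing import List, Tuple

Scenario = Tuple[int, List[str]]  # (total attacker effort, leaf steps used)


@dataclass
class Node:
    """One node of an attack tree: a goal (AND/OR) or a leaf (one concrete attack step)."""
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    cost: int = 0               # leaves only: relative effort for the attacker (constructed)
    feasible: bool = True       # leaves only: False once a mitigation blocks the step
    children: List["Node"] = field(default_factory=list)


def attack_scenarios(node: Node) -> List[Scenario]:
    """Every feasible combination of leaf steps that achieves `node`."""
    if node.kind == "LEAF":
        return [(node.cost, [node.name])] if node.feasible else []
    per_child = [attack_scenarios(child) for child in node.children]
    if node.kind == "OR":                      # any one child suffices
        return [s for scenarios in per_child for s in scenarios]
    if node.kind == "AND":                     # all children are needed
        if any(not scenarios for scenarios in per_child):
            return []                          # one blocked child blocks the whole AND
        return [
            (sum(cost for cost, _ in combo), [step for _, steps in combo for step in steps])
            for combo in itertools.product(*per_child)
        ]
    raise ValueError(f"unknown node kind {node.kind!r}")


def prioritized_scenarios(node: Node) -> List[Scenario]:
    """Scenarios cheapest first: the order in which the pentest should exercise them."""
    return sorted(attack_scenarios(node), key=lambda s: s[0])


def mitigate(node: Node, leaf_name: str) -> int:
    """Mark every leaf called `leaf_name` as blocked; returns how many leaves changed."""
    changed = 0
    if node.kind == "LEAF" and node.name == leaf_name and node.feasible:
        node.feasible = False
        changed = 1
    for child in node.children:
        changed += mitigate(child, leaf_name)
    return changed


def build_tree() -> Node:
    """Constructed sample: negation of the use case 'a customer views only their own invoices'."""
    return Node("Read another customer's invoice", "OR", children=[
        Node("Invoice lookup lacks an ownership check", cost=10),
        Node("Act as the victim", "AND", children=[
            Node("Obtain the victim's password", "OR", children=[
                Node("Password reused from a breached third-party site", cost=30),
                Node("Help desk resets the password without identity proof", cost=50),
            ]),
            Node("Defeat the second authentication factor", cost=60),
        ]),
        Node("Read invoices from an unprotected backup copy", cost=200),
    ])


if __name__ == "__main__":
    tree = build_tree()
    for cost, steps in prioritized_scenarios(tree):
        print(f"{cost:>4}  {' AND '.join(steps)}")
    mitigate(tree, "Invoice lookup lacks an ownership check")
    print("cheapest once the authorization check is fixed:", prioritized_scenarios(tree)[0])
```

The sorted scenario list is what goes into the assignment as testing scenarios: the cheapest path is tested first, and re-running the evaluation after a fix shows which scenario becomes the next cheapest.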
Page 12
STRIDE
One of the crucial activities in the Microsoft SDL process:
Application of the threats to "Data Flow Diagrams"

| Threat | Mitigation |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-repudiation |
| Information Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |
Page 13
STRIDE

| | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| Data Flows | | X | | X | X | |
| Data Stores | | X | | X | X | |
| Processes | X | X | X | X | X | X |
| Interactors | X | | X | | | |

Login process
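Added example (not from the slides or the Microsoft tool): a Python implementation of the STRIDE-per-element expansion shown in the table, applied to a constructed data flow diagram of a login process. Element names are hypothetical; the mapping of threat letters to element kinds follows the table, and each resulting threat is tagged with the security property from the previous slide that the pentest has to verify.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE letter -> (threat, security property that mitigates it), as on the previous slide.
STRIDE: Dict[str, Tuple[str, str]] = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# STRIDE-per-element: which threats apply to which kind of DFD element (the table above).
APPLICABLE: Dict[str, str] = {
    "data_flow": "TID",
    "data_store": "TID",
    "process": "STRIDE",
    "interactor": "SR",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys


@dataclass(frozen=True)
class Threat:
    element: str
    threat: str
    requirement: str  # the property the pentest must check on this element


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Expand a DFD into its STRIDE-per-element threat list."""
    threats: List[Threat] = []
    for element in elements:
        if element.kind not in APPLICABLE:
            raise ValueError(f"{element.name}: unknown element kind {element.kind!r}")
        for letter in APPLICABLE[element.kind]:
            threat_name, requirement = STRIDE[letter]
            threats.append(Threat(element.name, threat_name, requirement))
    return threats


def checklist_by_requirement(threats: List[Threat]) -> Dict[str, List[str]]:
    """Group elements by the property to verify: the skeleton of the testing scenarios."""
    grouped: Dict[str, List[str]] = {}
    for t in threats:
        grouped.setdefault(t.requirement, []).append(t.element)
    return grouped


def login_process_dfd() -> List[Element]:
    """Constructed sample DFD of a login process (hypothetical element names)."""
    return [
        Element("Customer browser", "interactor"),
        Element("Credentials (browser -> login service)", "data_flow"),
        Element("Login service", "process"),
        Element("Credential lookup (login service -> user DB)", "data_flow"),
        Element("User DB", "data_store"),
        Element("Session token (login service -> browser)", "data_flow"),
    ]


if __name__ == "__main__":
    threats = enumerate_threats(login_process_dfd())
    for t in threats:
        print(f"{t.element:<46} {t.threat:<24} -> verify {t.requirement}")
    print(checklist_by_requirement(threats))
```

For the six-element login DFD this yields 20 threats; the grouping by requirement makes visible, for instance, that Elevation of Privilege only needs to be tested on the one process element, while every flow and store needs integrity, confidentiality and availability checks.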
Page 14
Project
1. Documentation review, identification of the workshop team
2. Workshop
   1. HLA Diagram
   2. Asset definition (data & functional assets)
   3. Understanding of user roles & attacker groups definition
   4. Attack trees
   5. Apply STRIDE on HLA Diagram (+ attack trees)
3. Prepare the assignment (+ testing scenarios)
Page 15
Toolset
MS Word, Excel, Visio
Microsoft SDL Threat Modelling Tool
Seamonster
Page 16
Wrap-up
A security audit doesn't have to be a pentest only
The attacker doesn't have to be an anonymous person only
A threat model doesn't have to serve the pentest project definition only
Page 17
16 February 2011
Daniel Kefer
1&1 Internet AG
Thank you for your attention.
? ROOM FOR QUESTIONS