threat modelling
DESCRIPTION
null Hyderabad Chapter - April 2014 MeetTRANSCRIPT
Threat Modeling -Sunil
Agenda
Introduction
Threat Modeling Overview
Different Stages of Threat Modeling
STRIDE
DREAD
Mobile Threat Modeling
Conclusion
What is the use of threat modeling?
The main aim of the threat modeling is to identify the
import assets/functionalities of the application and
to protect them.
What is a threat?
What is a Vulnerability?
• Vulnerability is nothing but weakness in the system which will aid the
attacker in successful execution/exploitation of the threat.
Example: Suppose you have a web server with low bandwidth connection. Where the
threat is that your server could be taken offline, a pothential vulnerability is that you
have low bandwidth and could be a prey for a DoS attack. A paper is vulnerable to
fire.
• Risk: Risk is nothing but threat times vulnerability. That means the
potential loss/damage of an assest as result of a threat exploitation
using vulnerability.
Threat Modeling
● Analyzing the security application
● Allows to understand the entry points to the application and their
associated threats
● Not an approach to review code
● Threat Modeling will be done in design phase of SDLC.
● Threat modeling in SDLC will ensure the security builtin from the
very beginning of the application development.
Approaches to threat modeling
Attacker-centric
Software-centric STRIDE is a Software-centric approach
Asset-centric
Threat Modeling High Level Overview
Kick-off
•Have the overview of the project
•Get the TLDS and PRDS
•Identify the assets
Identify Use cases
•Draw level-0 diagram analyze (STRIDE)
•Document the findings
•Have a meeting with architect to review
•Identify uses cases for level-1
Level-1
•Draw level-1 diagram analyze (STRIDE)
•Document the findings
•Have a meeting with architect to review
•Repeat the above procedure depending upon the project complexity
Threat Modeling High Level Overview
ASF
• Prepare the checklist and send to the product team
• Analyze the document
• Document the findings
Report
• Prepare the final report
• Submit it to the product team
• Explain the findings to the product team
Three Stages of Threat Modeling
The threat modeling process can be decomposed into 3
high level steps:
➔ Decompose the Application
➔ Determine and rank threats
➔ Determine countermeasures and mitigation
Decompose the Application
Threat Model Information
Data Flow Diagrams
Assets
External Dependencies
Entry Points
Trust Levels
Data Flow Diagrams
Determine and Rank Threats (STRIDE)
Spoofing
• Property Authentication
• Impersonating something or someone else
Tampering
• Integrity
• Modifying data or code
Repudiation
• Non-Repudiation
• Claiming to have not performed an action
Information Disclosure
• Confidentiality
• Exposing info to unauthorized
Denial of Service
• Availability
• Deny or degrade service to users
Elevation of Privilege
• Authorization
• Gain capabilities without proper authorization
Sample Problem
Student Results Portal
You need to perform threat analysis on the web application which
manages the students marks.
You have three users Administrator, Teacher and Student.
The users should login to the application and perform their
respective tasks as follows: Administrator is the user who will maintain the application and does not perform
any other actions.
Teacher can view, enter and modify the students marks
Student can give his register number and view the marks
Perform Threat modeling on the application by making an initial
assumption that non of the security features exist in the
application.
Microsoft SDL Threat Modeling Tool
Use Cases
Entire Architecture
Administrator Use Case
Teacher Use Case
Authentication Use Case
Registering Use Case
Entering Marks Use Case
Displaying Marks Use Case etc.
Sample Use case (Displaying Marks)
Trust Levels
STRIDE Matrix
Spoofing Tampering Repudiation Info Disclosure Denial of
Service
Elevation of
Privilege
2.teacher ✓ ✓
3.student ✓ ✓
4.firewall ✓ ✓ ✓ ✓ ✓ ✓
5.App Server ✓ ✓ ✓ ✓ ✓ ✓
6.Http req ✓ ✓ ✓
7. Http req ✓ ✓ ✓
8.response ✓ ✓
9.JDBC req ✓ ✓ ✓
10. respon ✓ ✓ ✓
11.http req ✓ ✓ ✓
12.res ✓ ✓ ✓
13.res ✓ ✓ ✓
14.Database ✓ ✓ ✓
Threat Analysis
Scoring: DREAD
DREAD is a risk ranking model
D Damage Potential
R Reproducibility
E Exploitability
A Affected users
D Discoverability
Example
Threat: Malicious users can view and modify marks.
Damage potential: Threat to reputation :8
Reproducibility: Fully reproducible:10
Exploitability: Require to be on the same subnet or have compromised a router:7
Affected users: Affects all users:10
Discoverability: Can be found out easily:10
Overall DREAD score: (8+10+7+10+10) / 5 = 9
Mitigation STRIDE Threat & Mitigation Techniques List
Threat Type Mitigation Techniques
Spoofing Identity 1.Appropriate authentication
2.Protect secret data
Tampering with data
1.Appropriate authorization
2.Hashes
3.MACs
4.Digital signatures
5.Tamper resistant protocols
Repudiation
1.Digital signatures
2.Timestamps
3.Audit trails
Information Disclosure
1.Authorization
2.Privacy-enhanced protocols
3.Encryption
4.Protect secrets
5.Don't store secrets
Denial of Service
1.Appropriate authentication
2.Appropriate authorization
3.Filtering
4.Throttling
5.Quality of service
Elevation of privilege 1.Run with least privilege
Security Controls (ASF)
➢ Authentication
➢ Authorization
➢ Cookie Management
➢ Data/Input Validation
➢ Error Handling/Information Leakage
➢ Logging/Auditing
➢ Cryptography
➢ Session Management
Mobile Threat Modeling
Mobile Threat Model
• Improper session handling
•Social Engineering
•Malicious QR Codes
•Untrusted NFC Tag or peers
•Malicious application
•Weak Authorization
Spoofing
• Modifying local data
• Carrier Network Breach
• Insecure Wi-Fi Network
Tampering
• Missing Device
• Toll Fraud
• Malware
• Client Side Injection
Repudiation
• Malware
• Lost Device
• Reverse Engineering
• Backend Breach
Information Disclosure
•Crashing Apps
•Push Notification Flooding
•Excessive API usage
•DDoS
Denial of Service
• Sandbox escape
• Flawed Authentication
• Weak Authorization
• Compromised credentials
• Make Unauthorized purchases
• Push Apps Remotely
• Compromised Device
• Rooted/JailBroken
• RootKits Elevation of Privilege
Conclusion
Implement Threat Modeling in SDLC
Threat Modeling cuts down the cost of application
development as it identifies the issues during the
design phase.
Makes the analysis simple because you can reuse the
DFD’s for future analysis.
Credits
https://www.owasp.org/index.php/Application_Threat_Modeling
https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
http://www.thebadchemicals.com/?p=17
http://en.wikipedia.org/wiki/Threat_model
http://www.someecards.com/
http://www.eugenemdavis.com/whats-difference-between-threat-and-
vulnerability
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_
Project_-_Mobile_Threat_Model
THANK YOU