1 of 21

Threat Model:�Why? What? How?

Brook S.E. Schoenfield

Principal Software Security Strategist, True Positives, LLC

Advisor, Resilient Software LLC

Author, consultant

Passionate security architect

Curiouser and curiouser

1

2 of 21

Would you indulge me in some context?

Many thanks!

2

3 of 21

We are all collateral damage

Attack and the subsequent “compromise,” …is utterly pervasive: constant and continual. Many attackers are intelligent and adaptive”

3

More than half the world’s population is dependent, some of use highly dependent upon software running correctly

There exists enormous potential for reward from digital piracy in various forms and digital manipulations for political purposes

The cyberwar has been ongoing for at least 15 years.

We are all collateral damage

One of the biggest problems for security practitioners remains that the cyber "arms race" isn't just between a couple of nation-states. Foremost, the nation-state cyber war has to cross the same digital ocean that we use for our daily lives and digital entertainment. The shared web makes every digital citizen, potential "collateral damage". But, there are more players than governments.

As can occur in a ground war, virtual "warlords" have private cyber armies marauding for loot, my loot, your loot. Those phishing spam don't come from your friends, right? Just trying to categorize the various entities engaged in cyber attacks could generate a couple of fine PhD theses and perhaps even provide years of follow-on papers? The number and varying loyalties of the many players who carry out cyber attacks increases the "size" of the problem, adds to the "composition", and generates a great deal of "complexity". It's enough to make a well-meaning box-store retailer bury its collective head in the virtual sand.

Home Depot, and Target before them, (and who knows who's next?) failed to understand that in order to sell a hammer in the Internet world, you're participating in this huge web of digital interconnection. Even more so, if you're large enough, your business network will have become an eco-system of digital entities, many of whose security practices will affect your security posture in fairly profound ways. When 2 (or more) systems connect, each may affect the security posture of the other, sometimes in profound ways.

(the foregoing extracted from post to brookschoenfield.com

4 of 21

Context

4

5 of 21

Buried deep

5

6 of 21

The State Of Software Security Art

Secure Design

Incident Management

Static Analysis

Web App scan

Fuzzing

Penetration Test

Risk Rating

Threat intelligence

Secure coding

Code review

Threat Model

IAST

API Vulnerability Scan

OpsSec

3^rd Party Code

Assurance, Dependency & Patching

Build/Deploy/Update

Security

6

7 of 21

leading cybersecurity company protecting customers from all cyber threats

It’s about securing the code as fast as you write it

strategic security solution that covers all your security gaps

Vendor Marketing

Emphases, mine

7

8 of 21

This is our world

Ad hoc secure design

Dependent upon knowledge of designers

Late threat model

After design is completed

Threat model exactly once

Quickly obsolete

Image: depositphotos

8

9 of 21

Drivers’Threat Model

9

10 of 21

Is This Useful?

Spoof

Tamper

Repudiation

Information disclosure

Denial of service

Elevation of privilege

Spoof

Tamper

Repudiation

Information disclosure

Denial of service

Elevation of privilege

Spoof

Tamper

Repudiation

Information disclosure

Denial of service

Elevation of privilege

Spoof

Tamper

Repudiation

Information disclosure

Denial of service

Elevation of privilege

10

11 of 21

11

12 of 21

Any

controls

missing?

New dev

12

13 of 21

13

14 of 21

Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.��

What can go wrong in a system?
Pinpoint design and implementation issues that require mitigation
Output…informs decisions [about] design, development, testing, and post-deployment phases

14

15 of 21

The best use of threat modeling is to improve the security and privacy of a system through early and frequent analysis.

A culture of finding and fixing design issues over checkbox compliance.
People and collaboration over processes, methodologies, and tools.
A journey of understanding over a security or privacy snapshot.
Doing threat modeling over talking about it.
Continuous refinement over a single delivery.

The outcomes of threat modeling are meaningful when they are of value to stakeholders.

https://www.threatmodelingmanifesto.org/

Threat modeling must align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system.

Dialog is key to establishing the common understandings that lead to value, while documents record those understandings, and enable measurement.

15

16 of 21

Recurring Problems

Constrain to functionality
Focus on technical trickery
Only today’s issues
Poor risk rating
Limited knowledge of:

Relevant attacks
Appropriate defenses

Attacks:Defenses == M:N

16

17 of 21

Threat Model Types�Superset top to bottom

Attack surface and initial threats

Guide for penetration or other testing

Risk enumeration

Mitigations not considered

Foundation for secure architecture and design

Of any “system” (digital, process, organization, etc.)

17

18 of 21

Threat Model Must Provide

Credible attack scenarios

Steps from initial contact to compromise

Likely impact from successful exploitation
Describe the weaknesses that allow exploitation
Today’s weaknesses and tomorrow’s expected
A risk rating for each scenario

Probability * Impact == Risk

Mitigations to adequately address each weakness

Today’s & tomorrow’s

18

19 of 21

Threat Model Analysis In a Nutshell

Apply known, successful attacks

Today’s & likely to succeed tomorrow

To points on a system that attackers might reach
Assess the potential (negative) impacts
Rate the risk for each attack scenario
To identify appropriate defenses

(Sometimes, support the implementation of the defenses)

19

This presupposes that we have sufficient knowledge of the correct collection of attacks for systems of the type under analysis.

Further, threat modeling presupposes that the analyst has a broader enough understanding of security defenses to apply the right ones to prevent, slow down, or at least, alert about an attack

I like science fiction occasionally, especially when it’s written around some bits of science – a great way to explore tricky physics without attending a lecture that I probably won’t understand. But when it comes to threat modeling, the moment attack scenarios range into science fiction, start including techniques or technologies that have yet to be invented, the analysis can stop. That might be a fun mental exercise, perhaps interesting conversation? But it makes for lousy, ivory tower threat models that aren’t going to build real world defenses.

20 of 21

Threat model led by Jakub Kaluzny, Open Security Summit, 2020

20

21 of 21

Original threat model led by Jakub Kaluzny, Open Security Summit, 2020

21