14 threat risk modeling.pptx

Part of the Web Application Security Course

Transcript of 14 threat risk modeling.pptx

Page 1: 14 threat risk modeling.pptx

Threat Risk Modeling

How do I know what threats I should protect from?

Page 2: 14 threat risk modeling.pptx

Threat risk modeling focuses you on what is really important

Which method you choose isn’t important. Just make sure you plan before you start hardening.

Page 3: 14 threat risk modeling.pptx

How we protect ourselves

Page 4: 14 threat risk modeling.pptx

1: Identify security objectives

What do we want to protect?

o  Identity
o  Repudiation
o  Financial
o  Privacy
o  Regulatory
o  Availability

How do we decide what to protect?

o  Laws
o  Regulations
o  Standards
o  Legal agreements
o  Information security policy

Page 5: 14 threat risk modeling.pptx

2: Application overview

Next, get a deep understanding of the architecture of the app

•  Components
•  Data flows
•  Trust boundaries

Page 6: 14 threat risk modeling.pptx

3: Decompose the application

o  Every part that involves security must be broken down even further

o  Example: Authentication mode
   •  How does data enter?
   •  How does each module validate that data?
   •  How does each module process that data?
   •  Between which modules does the data flow?
   •  Where is the data stored?
   •  How does it get into and out of the data store?
   •  What decisions are made by each module based on the authentication?

Page 7: 14 threat risk modeling.pptx
Page 8: 14 threat risk modeling.pptx

5: Identify vulnerabilities

After finding and prioritizing threats, we identify our security holes and fix them

Page 9: 14 threat risk modeling.pptx

We'll choose these methods for the sake of discussion

Methodology     Purpose
STRIDE          Threat identification
Threat trees    Vulnerability identification
DREAD           Prioritization of each threat

Page 10: 14 threat risk modeling.pptx

STRIDE is for identifying threats

o Spoofing identity

o Tampering with data

o Repudiation

o Information disclosure

o Denial of service

o Elevation of privilege

Page 11: 14 threat risk modeling.pptx

STRIDE: Spoofing identity

o  Must not be able to impersonate another user

o  Pretending to be a user
   •  [email protected], sn00ki

o  Pretending to be a server
   •  facebook.com

o  Pretending to be a binary
   •  SomeProg.exe, SomeLibrary.dll

Page 12: 14 threat risk modeling.pptx

STRIDE: Tampering with data

o  Changing form fields on the client-side
   •  Cookies
   •  HTTP Headers

o  Changing a file on the disk
   •  Programs
   •  DLLs

o  Changing data in mid-stream
   •  TCP/IP packets

o  Don’t use sensitive data that is persisted in this way.
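The last bullet says not to rely on sensitive data that is persisted client-side. When some client-side state is unavoidable, the usual way to make tampering with it detectable is to have the server attach an HMAC tag it can later verify; the deck does not show this, so the following is an added example with a constructed key and cookie value:

```python
# Added example (not from the slide deck): detect client-side tampering with a
# cookie value by attaching an HMAC tag. The server never trusts the bare value.
import hmac
import hashlib
from typing import Optional

# Constructed sample key; a real deployment keeps this secret and rotates it.
SECRET_KEY = b"constructed-sample-key-not-for-production"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return "<value>.<hex tag>" so the client can store it but not alter it unnoticed."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the tag matches, None if it is missing or was tampered with."""
    value, sep, tag = cookie.rpartition(".")  # the hex tag never contains a dot
    if not sep:
        return None
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return value
```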

Page 13: 14 threat risk modeling.pptx

STRIDE: Repudiation

o  Proof that a transaction occurred
   •  "I've never logged on to that server"
   •  "I've never modified that file"
   •  "What?!? I didn't order that iPad"
   •  "But honey, I'd never visit a website like that!"

o  Access logs
o  Audit trails

Page 14: 14 threat risk modeling.pptx

STRIDE: Information disclosure

o  Browsers may expose personal data
o  Error messages can leak data

Page 15: 14 threat risk modeling.pptx

STRIDE: Denial of service

o  Crashing a website by flooding it with requests
   •  Minimize or eliminate
      •  File downloads
      •  Database transactions
      •  Time-consuming actions
   •  Provide unique links per user that can be ignored by the server.

Page 16: 14 threat risk modeling.pptx

STRIDE: Elevation of privilege

o  Breaking into a server's OS

o  Attackers can’t become admin users

Page 17: 14 threat risk modeling.pptx

Threat trees are for deeper analysis

o  You can only document known threats.

Page 18: 14 threat risk modeling.pptx

DREAD is for prioritization

o Damage potential

o Reproducibility

o Exploitability

o Affected users

o Discoverability

Each aspect gets a score. The scores are added up for each threat, and the totals let us decide which threat(s) to tackle first.

Page 19: 14 threat risk modeling.pptx

DREAD: Damage potential

o  If the threat is realized, how much damage is caused?
   •  None → 0
   •  One user’s data is compromised → 5
   •  Entire database is compromised → 10

Page 20: 14 threat risk modeling.pptx

DREAD: Reproducibility

o  How easy is it to reproduce?
   •  Very hard for elevated users → 0
   •  Couple of steps for a logged-in user → 5
   •  Needs just an anonymous user and an address bar → 10

Page 21: 14 threat risk modeling.pptx

DREAD: Exploitability

o  What do you need to have to exploit the threat?
   •  Super-developer skills and special tools → 0
   •  Tools can be found easily → 5
   •  Just a browser → 10

Page 22: 14 threat risk modeling.pptx

DREAD: Affected users

o  How many users will be affected?
   •  Zero → 0
   •  Some users, but not all → 5
   •  All users → 10

Page 23: 14 threat risk modeling.pptx

DREAD: Discoverability

o  How easily is the vulnerability found?
   •  Very hard or impossible → 0
   •  Could guess by watching network traffic → 5
   •  Can be found by Googling → 9
   •  It’s in the address bar → 10
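A worked example, added here and not taken from the deck, that encodes the DREAD rubric from the slides above and ranks a few constructed sample threats (each tagged with its STRIDE letter) by total score, highest first:

```python
# Added example (not from the slide deck): DREAD scoring for STRIDE-classified threats.
# The per-aspect scores are the ones the DREAD slides give; the sample threats are constructed.
from dataclasses import dataclass
from typing import Dict, List

# One dict per DREAD aspect: rating label (as on the slide) -> score, 0 = lowest, 10 = highest.
RUBRIC: Dict[str, Dict[str, int]] = {
    "damage": {"none": 0, "one user's data": 5, "entire database": 10},
    "reproducibility": {"very hard, elevated user": 0, "couple of steps, logged-in user": 5,
                        "anonymous user and address bar": 10},
    "exploitability": {"super-developer skills and tools": 0, "tools found easily": 5, "just a browser": 10},
    "affected_users": {"zero": 0, "some users": 5, "all users": 10},
    "discoverability": {"very hard or impossible": 0, "watching network traffic": 5,
                        "googling": 9, "in the address bar": 10},
}


@dataclass
class Threat:
    name: str
    stride: str              # one STRIDE letter: S, T, R, I, D or E
    ratings: Dict[str, str]  # DREAD aspect -> rating label from RUBRIC

    def dread_score(self) -> int:
        """Add up the five aspect scores (max 50); a missing aspect or unknown label raises KeyError."""
        if set(self.ratings) != set(RUBRIC):
            raise KeyError(f"{self.name}: every DREAD aspect needs exactly one rating")
        return sum(RUBRIC[aspect][label] for aspect, label in self.ratings.items())


def threat(name: str, stride: str, *labels: str) -> Threat:
    """Build a Threat from labels given in RUBRIC order: damage, repro, exploit, users, disc."""
    return Threat(name, stride, dict(zip(RUBRIC, labels)))


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD total first: that is the threat to tackle first."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed sample threats for an imaginary web shop (not from the slides).
SAMPLE_THREATS = [
    threat("Order id in the URL shows other customers' orders", "I", "one user's data",
           "anonymous user and address bar", "just a browser", "all users", "in the address bar"),
    threat("Checkout price field can be edited in the browser", "T", "one user's data",
           "couple of steps, logged-in user", "just a browser", "some users", "watching network traffic"),
    threat("Admin deletions leave no audit trail", "R", "one user's data",
           "very hard, elevated user", "tools found easily", "some users", "very hard or impossible"),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"{t.dread_score():2d}  {t.stride}  {t.name}")
```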

Page 24: 14 threat risk modeling.pptx

Summary

o  Don’t just start protecting code
   •  Expensive
   •  Incomplete

o  Threat risk modeling brings focus
o  STRIDE helps to identify threats
o  Threat trees help to identify vulnerabilities
o  DREAD helps to prioritize threats

Page 25: 14 threat risk modeling.pptx

Further study

o  OWASP page from which this was taken:
   •  https://www.owasp.org/index.php/Threat_Risk_Modeling

o  MSDN STRIDE article:
   •  http://bit.ly/MSDNSTRIDE