Threat Modeling 101

Intro to Operational Security

What is Security

"Security is a property (or more accurately a collection of properties)that hold in a given system under a given set of constraints"

  • System - anything from hardware, software, firmware, and information being processed, stored, and communicated

  • Constraints - define an adversary and their capabilities

What is Operational Security (OpSec)

"Operational security (OPSEC) is a security and risk management process that prevents sensitive information from getting into the wrong hands."[1]

Why is OpSec Important

  • Protection of Sensitive Information
  • Preservation of Privacy
  • Mitigation of Threats
  • Maintaining Operational Continuity

Core Principles of OpSec

center

What is Threat Modeling?

"Threat modeling is the process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data." [1]

Purposes of Threat Modeling

  • Identifies Potential Risks
  • Helps us understand common Attack Vectors
  • Prioritizes Security Concerns

Benefits of Threat Modeling

  • Proactive Risk Management
  • Promotes Continuously Improvement
  • Prioritizing risks saves time and $$$

Overview of Threat Modeling Process

There are many different well-defined processes for Threat Modeling

center

Key Concepts in Threat Modeling

  • Assets

  • Threats

  • Vulnerabilities

  • Risks

Threat Modeling: Assets

  • Types of assets
    • data
    • hardware
    • software
    • personnel

Threat Modeling: Threats

  • External threats
    • hackers
    • malware
    • phishing attacks
  • Internal threats
    • improper access
    • sabotage

Threat Modeling: Vulnerabilities

“A property of a system or its environment which, in conjunction with an internal or external threat, can lead to a security failure, which is a breach of the system’s security policy.”

  • Classifications
    • Abstraction level
    • Type of error/condition/bug
    • Age: zero-day vs. known
    • Disclosure process

Assessing Risks

  • Vulnerability assessments:

    • penetration testing
    • code reviews
    • attacker reconnaissance

  • Risk assessment methodologies

    • qualitative vs. quantitative
    • likelihood and impact

OpSec in Practice

  • Access controls to protect assets
  • Encrypting sensitive data
    • in transit and at rest
  • Conduct regular security audits
  • Not all countermeasures are technical

Tools and Techniques for Threat Modeling

  • Threat modeling frameworks: STRIDE, DREAD, PASTA
  • Threat modeling tools:
    • Microsoft Threat Modeling Tool,
    • OWASP Threat Dragon
  • Manual vs. automated threat modeling approaches vs TMaaS

Case Studies: Real-world Examples

Threat Modeling for You

center

Integrating into Your Security Strategy (Corpos)

  • Incorporating threat modeling into the software development lifecycle (SDLC)
  • Aligning threat modeling with compliance requirements (e.g., GDPR, HIPAA)
  • Building a culture of security awareness and accountability

Challenges and Limitations

  • Complexity of systems and evolving threats
  • Resource constraints: time, expertise, budget
  • Over-reliance on threat modeling as a sole security measure
  • AI and machine learning for automated threat detection and response
  • Integration of threat intel feeds into threat modeling processes
  • Emphasis on other proactive and adaptive threat modeling approaches

Thank you

[1] - https://www.fortinet.com/resources/cyberglossary/operational-security

https://www.cisco.com/c/en/us/products/security/what-is-threat-modeling.html

https://radiumhacker.medium.com/threat-modelling-frameworks-sdl-stride-dread-pasta-93f8ca49504e

Presentation made by Kevin Cordero

Icons made by Dewi Sari from www.flaticon.com'

https://www.fortinet.com/resources/cyberglossary/operational-security

Who uses Operation Security?

This is mainly aimed at companies

prevent customer sensitive customer info from being stolen

Intangible property right right to be let alone right to be anonymous right to control who, when, where, and how information about us is shared

If something bad happens, it wont be *as* bad

Stop everything from going to a complete standstill

Confidentiality - Ensures that sensitive information is only accessible to authorized individuals or systems, preventing unauthorized disclosure.

Integrity - Guarantees that data remains accurate, complete, and unaltered during storage, transmission, and processing, maintaining its reliability and trustworthiness.

Availability/Accessibility - Ensures that systems and resources are accessible and operational when needed, minimizing downtime and disruptions to critical services or functions.

Accountability - Establishes responsibility for actions taken within the system, enabling traceability and accountability for security incidents or breaches.

Definition of threat modeling

https://www.cisco.com/c/en/us/products/security/what-is-threat-modeling.html

``` [Images of common hypotheticals] ```

How does an SQL injection effect CIA?

it effects the integrity

Go over common threats you might face in your own deployments

As we discussed with hypotheticals threat modeling...

Where is it coming from

How are they doing it

What should we address first

KEY THING: Does all this before the incident happens

We address risks before they are tested in reality

Threat modeling occurs constantly so policy does not stagnate

Knowing what is most important saves time, energy, and resources

- Shared Collaboration

Not really need to talk about this

But we will use this simplified model for our usecase

https://owasp.org/www-community/Threat_Modeling_Process

https://www.praetorian.com/blog/what-is-threat-modeling-and-why-its-important/

Set of assumptions about possible attacks that a system tries to protect against Understanding potential threats is crucial for taking appropriate measures Various threat modeling approaches: attacker-centric, software-centric, asset-centric, ... Example: data flow approach View the system as an adversary: identify entry/exit points, assets, trust levels, usage patterns, ... Characterize the system: identify usage scenarios, roles, objectives, components, dependencies, security alerts, implementation assumptions, ... Identify threats: what can the attacker do? How? What is the associated risk? How can the respective vulnerabilities be resolved?

- Identifying and categorizing valuable resources

- Recognizing potential risks and actors

- Understanding weaknesses in systems or processes

- Assess likelihood and impact of threats exploiting vulnerabilities

databases, codebases, paper information

servers, computers, routers, product samples/prototypes

3rd party software that you may yes, pipelines, middlemen

people who have access to stuff, important people

government, organizational, personal

viruses worms rootkits trojan horses keyloggers RATs backdoors downloaders droppers injectors dialers flooders adware spyware ransomware

low vs high level, OSI network layers, hardware/firmware/OS/middleware/application, system vs. process, ...

memory errors, range and type errors, input validation, race conditions, synchronization/timing errors, access-control problems, environmental/ system problems (e.g. authorization or crypto failures), protocol errors, logic flaws, ...

private vs. public, “responsible” vs. full disclosure, ...

Multiple vulns. are often combined for a single purpose

White hat/ Grey Hat Hackers

Enforced on the software side, unit testing

P Passive reconnaissance: no direct interaction with the target system Information gathering from public sources Google Dorking Passive network eavesdropping Dumpster diving (e.g., recover data from discarded hard drives) Information leakage

Active reconnaissance: attacker’s activities can be directly detected and logged Network scanning Service enumeration OS and service fingerprinting/probing Social engineering

based on likelihood and impact

Threat model ➔ security policy ➔ security mechanisms Security policy: a definition of what it means for a system/ organization/entity to be secure Access control, information flow, availability, ... Computer, information, network, application, password, ... Enforced through security mechanisms Prevention Detection Recovery

What does OpSec actually look like in practice

you know some method of controlling who has access

filter list, rules based, attribute based, mandatory access top level access

Protect Confidentiality

Updates to software introduce new vulnerabilities all the time

Updates to software introduce new vulnerabilities all the time

https://radiumhacker.medium.com/threat-modelling-frameworks-sdl-stride-dread-pasta-93f8ca49504e

• No security mechanism is free • Direct costs: Design, implementation, enforcement, false positives • Indirect costs: Lost productivity, added complexity • Challenge is to rationally weigh costs vs. risk • Human psychology makes reasoning about high cost/low probability events hard