Threat modeling is perhaps the most impactful security analysis an organization can do, given the importance and urgency of keeping its data and systems from being stolen.
Overview
NOTE: Content here is my personal opinion and is not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant, based on my personal research and experience.
Information Sharing
US-CERT (now part of the Cybersecurity and Infrastructure Security Agency, CISA) runs the National Cyber Awareness System (NCAS), which provides a variety of information for users, administrators, and security professionals. The NCAS is a partnership between the Department of Homeland Security and the public and private sectors. NCAS resources include:
- Alerts that provide timely information about current security issues, vulnerabilities, and exploits.
- Current Activity that provides up-to-date information about high-impact types of security activity affecting the community at large.
- Tips that provide advice about common security issues for the general public.
- Bulletins that provide weekly summaries of new vulnerabilities in products from a wide variety of vendors.
- Analysis Reports that provide in-depth analysis of new vulnerabilities, malware, and other threats.
- Industrial Control Systems advisories that provide information about threats to industrial control systems.
- Technical Alerts (TAs), for example from 2018:
  - TA18-074A on Russian government cyber activity targeting energy and other critical infrastructure sectors.
  - TA18-106A on Russian state-sponsored cyber actors targeting network infrastructure devices (routers, switches, firewalls).
  - TA18-149A on HIDDEN COBRA (North Korean) activity: the Joanap backdoor trojan and the Brambul SMB worm.
  - TA18-201A on the Emotet malware.
  - TA18-331A on 3ve, a major online ad fraud operation.
-
Threat Modeling
In 2004, Frank Swiderski and Window Snyder wrote “Threat Modeling,” published by Microsoft Press. In it they developed the concept of using threat models to create secure applications.
- https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
- https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-getting-started
- https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-feature-overview
- https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
- https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-mitigations
OWASP’s Threat Modeling
OWASP’s summary of the process:
- Step 1: Decompose the Application (Data Flow Diagrams showing External Dependencies, Entry Points, Exit Points, Assets, Trust Levels)
- Step 2: Determine and Rank Threats (such as with Microsoft’s STRIDE, below)
- Step 3: Determine Countermeasures and Mitigation (such as with Microsoft’s Application Security Frame, ASF)
https://www.wikiwand.com/en/Threat_model
Microsoft’s STRIDE
In 1999, Loren Kohnfelder and Praerit Garg at Microsoft developed the mnemonic “STRIDE” for classifying threats to applications; it was later built into Microsoft’s Threat Modeling Tool [Wikiwand]:
- Spoofing of user identity
- Tampering
- Repudiation
- Information disclosure (privacy breach or data leak)
- Denial of service (DoS)
- Elevation of privilege
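As an added example (not code from this page, from OWASP, or from Microsoft’s tool), the Python script below carries out OWASP’s Step 1 and Step 2 mechanically: it represents the decomposed application as a data flow diagram whose elements carry trust levels, applies the STRIDE-per-element rule set used in Microsoft’s SDL approach (external entities: Spoofing and Repudiation; processes: all six; data stores and data flows: Tampering, Information disclosure and Denial of service, with Repudiation added for audit-log stores), and ranks a threat higher when the data flow it targets crosses a trust boundary. The sample system (browser, web app, order database, audit log) and its trust levels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element: which STRIDE categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "external":  {"S", "R"},
    "process":   {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "I", "D"},
    "dataflow":  {"T", "I", "D"},
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # "external", "process" or "datastore"
    trust_level: int      # higher = more trusted; a change in level is a trust boundary
    is_log: bool = False  # audit-log stores are additionally subject to Repudiation


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str             # what travels on the flow (reporting only)


@dataclass(frozen=True)
class Threat:
    category: str
    target: str
    priority: str         # "high" for flows crossing a trust boundary, else "medium"


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Step 2: apply STRIDE-per-element to every element and flow of the DFD."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for e in elements:
        cats = set(STRIDE_PER_ELEMENT[e.kind])
        if e.kind == "datastore" and e.is_log:
            cats.add("R")               # tampering with logs enables repudiation
        for c in sorted(cats):
            threats.append(Threat(STRIDE_NAMES[c], e.name, "medium"))
    for f in flows:
        crosses = by_name[f.src].trust_level != by_name[f.dst].trust_level
        target = f"{f.src} -> {f.dst} [{f.data}]"
        for c in sorted(STRIDE_PER_ELEMENT["dataflow"]):
            threats.append(Threat(STRIDE_NAMES[c], target,
                                  "high" if crosses else "medium"))
    return threats


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    """How many identified threats fall into each STRIDE category."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


# Constructed sample DFD (Step 1: decompose the application). Assumed system.
ELEMENTS = [
    Element("Browser",   "external",  trust_level=0),
    Element("Web app",   "process",   trust_level=1),
    Element("Order DB",  "datastore", trust_level=1),
    Element("Audit log", "datastore", trust_level=2, is_log=True),
]
FLOWS = [
    Flow("Browser", "Web app",   "login form + order request"),  # crosses 0 -> 1
    Flow("Web app", "Order DB",  "order rows"),                  # same trust zone
    Flow("Web app", "Audit log", "audit events"),                # crosses 1 -> 2
]

if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS, FLOWS)
    for t in sorted(found, key=lambda t: t.priority):   # "high" sorts first
        print(f"{t.priority:6} {t.category:22} {t.target}")
    print(count_by_category(found))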
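```

The output is the raw threat list; ranking each entry (Step 2 of OWASP’s process) still needs a human to assign impact and likelihood, which is where a scheme like DREAD or PASTA’s risk analysis comes in.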
PASTA
PASTA (Process for Attack Simulation and Threat Analysis), created in 2015 by Tony UcedaVelez and Marco M. Morana, is an attacker-centric methodology for dynamic threat identification, enumeration, and prioritization.
It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis.
After the threat model is created, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated.
Defenders then take an asset-centric mitigation strategy around applications and infrastructure.
Synopsys Utilities
Synopsys.com sells a utility that stores all your threat data so it can be sliced, diced, and visualized.
They offer a 5-step approach:
- Define the scope and depth of analysis. Determine the scope with stakeholders, then break down the depth of analysis for individual development teams so they can threat model the software.
- Gain a visual understanding of what you’re threat modeling. Create a diagram of the major system components (e.g., application server, data warehouse, thick client, database) and the interactions among those components.
- Model the attack possibilities. Identify software assets, security controls, and threat agents and diagram their locations to create a security model of the system. Then identify what could go wrong (i.e., the threats) using methods like Microsoft’s STRIDE.
- Identify threats. Produce a list of potential attacks by asking questions such as:
  - Are there paths where a threat agent can reach an asset without going through a control?
  - Could a threat agent defeat this security control?
  - What must a threat agent do to defeat this control?
- Create a traceability matrix of missing or weak security controls. Consider the threat agents and follow their control paths. If you reach the software asset without going through a security control, that’s a potential attack. If you go through a control, consider whether it would halt a threat agent or whether the agent would have methods to bypass it.
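Once the system is drawn as a graph of components, the last two steps above (ask whether a threat agent can reach an asset without going through a control, then build the traceability matrix) can be done mechanically. The Python below is an added example, not Synopsys’s tool or code: the nodes, edges, controls and threat agents are constructed for illustration. It enumerates every simple path from each threat agent to each asset, records which controls the path passes through, and flags paths that pass through none as missing controls.

```python
from typing import Dict, List, Set

# Constructed system graph (assumed): each node lists the nodes a threat agent
# can step to next. CONTROLS are the security-control nodes; a path that reaches
# an asset without passing through any of them is a missing control.
GRAPH: Dict[str, List[str]] = {
    "Internet user": ["WAF", "Admin console"],   # admin console exposed directly
    "WAF":           ["Web app"],
    "Web app":       ["Customer DB"],
    "Admin VPN":     ["Admin console"],
    "Admin console": ["Customer DB"],
    "Insider":       ["Admin VPN"],
}
CONTROLS: Set[str] = {"WAF", "Admin VPN"}
AGENTS: List[str] = ["Internet user", "Insider"]
ASSETS: List[str] = ["Customer DB"]


def all_paths(graph: Dict[str, List[str]], start: str, goal: str) -> List[List[str]]:
    """Depth-first enumeration of every simple (cycle-free) path from start to goal."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == goal:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only: never revisit a node
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return paths


def traceability_matrix(graph: Dict[str, List[str]], agents: List[str],
                        assets: List[str], controls: Set[str]) -> List[dict]:
    """One row per (agent, asset, path): which controls the path crosses and the finding."""
    rows: List[dict] = []
    for agent in agents:
        for asset in assets:
            for path in all_paths(graph, agent, asset):
                hit = [n for n in path if n in controls]
                rows.append({
                    "agent": agent,
                    "asset": asset,
                    "path": " -> ".join(path),
                    "controls": hit,
                    "finding": ("MISSING CONTROL: potential attack" if not hit
                                else "verify " + ", ".join(hit) + " cannot be bypassed"),
                })
    return rows


def missing_controls(rows: List[dict]) -> List[dict]:
    """Rows whose path reaches the asset without crossing any control."""
    return [r for r in rows if not r["controls"]]


if __name__ == "__main__":
    matrix = traceability_matrix(GRAPH, AGENTS, ASSETS, CONTROLS)
    for row in matrix:
        print(f"{row['agent']:14} {row['path']:55} {row['finding']}")
    print(f"{len(missing_controls(matrix))} path(s) with no control")
```

Paths that do cross a control still need the second and third questions answered by hand (could the agent defeat the WAF, and what would it take); the matrix only tells you which controls to examine.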
Threat Maps
Listed at https://hackersonlineclub.com/live-cyber-attack-maps/
- livethreatmap.radware.com shows top scanned TCP ports (5900, 22, 23, 80).
- deteque.com/live-threat-map lists botnet threats by country (China, India, US, etc.) and by ISP (ril.com).
- threatmap.checkpoint.com gets my prize for the clearest map. The top targeted countries and industries are listed.
- threatmap.bitdefender.com features infections, attacks, and spam.
- Talos shows top senders of spam and malware (country and organization).
- securitycenter.sonicwall.com/m/page/worldwide-attacks shows top attack origins (US, Austria, Denmark) and targets (US, UK, India).
- digitalattackmap.com, from Jigsaw (formerly Google Ideas), shows DDoS attacks worldwide and provides a gallery of past attacks. The map is based on Arbor’s ATLAS threat intelligence system with data sourced from over 300 ISP customers and 130 Tbps of global traffic.
- akamai.com/internet-station/cyber-attacks is now a blog rather than the Real-Time Web Monitor.
- Subscribe to RedLegg’s monthly Security Vulnerability Bulletin.
- threatmap.fortiguard.com shows attacks from and to points (countries) on a map.
- cybermap.kaspersky.com Real-Time Map shows, by country, detections observed by these subsystems:
  - OAS (On-Access Scan) - malware detection flow when objects are accessed during open, copy, run, or save operations.
  - ODS (On-Demand Scanner) - when the user manually selects the ’Scan for viruses’ option in the context menu.
  - MAV (Mail Anti-Virus) - when new objects appear in an email application (Outlook, The Bat, Thunderbird).
  - WAV (Web Anti-Virus) - when the HTML page of a website opens or a file is downloaded. It checks the ports specified in the Web Anti-Virus settings.
  - IDS (Intrusion Detection System) - network attack detection flow.
  - VUL (Vulnerability Scan) - vulnerability detection flow.
  - KAS (Kaspersky Anti-Spam) - suspicious and unwanted email traffic discovered by Kaspersky’s Reputation Filtering technology.
  - BAD (Botnet Activity Detection) - statistics on identified IP addresses of DDoS-attack victims and botnet C&C (Command-and-Control) servers. These statistics were acquired with the help of the DDoS Intelligence system (part of the Kaspersky DDoS Protection solution).
  - RMW (Ransomware) - ransomware detection flow.
- fireeye.com/cyber-map/threat-map.html returns a 404.
Code repositories
https://github.com/ParrotSec/mimikatz (a mirror of gentilkiwi’s mimikatz) extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
References
https://www.appsecengineer.com/blog-categories/threat-modeling
More on Security
This is one of a series on Security in DevSecOps:
- Security actions for teamwork and SLSA
- Code Signing on macOS
- Git Signing
- GitHub Data Security
- Azure Security-focus Cloud Onramp
- AWS Onboarding
- AWS Security (certification exam)
- AWS IAM (Identity and Access Management)
- SIEM (Security Information and Event Management)
- Intrusion Detection Systems (Google/Palo Alto)
- SOC2
- FedRAMP
- CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors
- AKeyless cloud vault
- Hashicorp Vault
- Hashicorp Terraform
- SonarQube
- WebGoat deliberately insecure app and vulnerability scanners
- Security certifications
- Quantum Supremacy can break encryption in minutes
- Pen Testing
- Threat Modeling
- WebGoat (deliberately insecure Java app)