Wilson Mar bio photo

Wilson Mar

Hello!

Email me Calendar Skype call

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

Threat Modeling

This is perhaps the most impactful analysis, considering the importance and urgency of keeping your organization from being stolen

US (English)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean

Overview

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

There are MANY approaches:

OWASP’s Threat Modeling

Let’s start with OWASP’s summary of the process:

  • Step 1: Decompose the Application (Data Flow Diagrams showing External Dependencies, Entry Points, Exit Points, Assets, Trust Levels)

  • Step 2: Determine and Rank Threats (such as Microsoft’s STRIDE (below))

  • Step 3: Determine Countermeasures and Mitigation (such as ASF)

https://www.wikiwand.com/en/Threat_model

Microsoft’s STRIDE

1999, cybersecurity professionals Loren Kohnfelder and Praerit Garg at Microsoft developed the acrostic “STRIDE” for their Threat Model Tool used to classify threats in applications: [Wikiwand]:

  • Spoofing of user identity
  • Tampering
  • Repudiation
  • Information disclosure (privacy breach or data leak)
  • Denial of service (DoS)
  • Elevation of privilege

In 2004, Frank Swiderski and Window Snyder wrote “Threat Modeling,” by Microsoft press. In it they developed the concept of using threat models to create secure applications.

  • https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
  • https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-getting-started
  • https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-feature-overview
  • https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
  • https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-mitigations

PASTA

PASTA (Process for Attack Simulation and Threat Analysis) (created in 2015 by Tony UcedaVelez and Marco M. Morana) is a attacker-centric methodology for dynamic threat identification, enumeration, and prioritization.

It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis.

After the threat model is created, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated.

Defenders then take an asset-centric mitigation strategy around applications and infrastructure.

Synopsys Utilities needed

Synopsys.com sells a utility to store all your threat data for dicing and slicing (visualization).

They offer a 5-step approach:

  1. Define the scope and depth of analysis. Determine the scope with stakeholders, then break down the depth of analysis for individual development teams so they can threat model the software.

  2. Gain a visual understanding of what you’re threat modeling. Create a diagram of the major system components (e.g., application server, data warehouse, thick client, database) and the interactions among those components.

  3. Model the attack possibilities. Identify software assets, security controls, and threat agents and diagram their locations to create a security model of the system. Then identify what could go wrong (i.e., the threats) using methods like Microsoft’s STRIDE.

  4. Identify threats. Produce a list of potential attacks by asking questions such as:

    • Are there paths where a threat agent can reach an asset without going through a control?

    • Could a threat agent defeat this security control?

    • What must a threat agent do to defeat this control?

  5. Create a traceability matrix of missing or weak security controls. Consider the threat agents and follow their control paths.

    If you reach the software asset without going through a security control, that’s a potential attack.

    If you go through a control, consider whether it would halt a threat agent or whether the agent would have methods to bypass it.

Threat Maps

Listed at https://hackersonlineclub.com/live-cyber-attack-maps/

  • livethreatmap.radware.com shows top scanned TCP ports (5900, 22, 23, 80).

  • deteque.com/live-threat-map lists botnet threats by country (China, India, US, etc.) and by ISP (ril.com).

  • threatmap.checkpoint.com gets my prize for the clearest map. The top targeted countries and industries are listed.

  • threatmap.bitdefender.com features infections, attacks, and spam.

  • Talos shows top senders of spam and malware (country and organization).

  • securitycenter.sonicwall.com/m/page/worldwide-attacks shows top attack origins (US, Austria, Denmark) and targets (US, UK, India).

  • digitalattackmap.com is a part of Jigsaw (formerly Google Ideas) provides a gallery of past attacks. The map is based on Arbor’s ATLAS threat intelligence system with data sourced from over 300 ISP customers and 130 Tbps of global traffic.

  • akamai.com/internet-station/cyber-attacks is now a blog rather than Real-Time Web Monitor.

  • Subscribe to RedLegg’s monthly Security Vulnerability Bulletin

  • threatmap.fortiguard.com shows attacks from and to points (countries) on a map.

  • digitalattackmap.com shows DDoS attacks worldwide.

  • cybermap.kaspersky.com Real-Time Map shows, by country, detections observed by these subsystems showing malware detection flow:
    • OAS (On-Access Scan) - when objects are accessed during open, copy, run, or save operations.
    • ODS (On Demand Scanner) - when the user manually selects the ’Scan for viruses’ option in the context menu.
    • MAV (Mail Anti-Virus) - when new objects appear in an email application (Outlook, The Bat, Thunderbird).
    • WAV (Web Anti-Virus) - when the html page of a website opens or a file is downloaded. It checks the ports specified in the Web Anti-Virus settings.
    • IDS (Intrusion Detection System) shows network attacks detection flow.
    • VUL (Vulnerability Scan) shows vulnerability detection flow.
    • KAS (Kaspersky Anti-Spam) shows suspicious and unwanted email traffic discovered by Kaspersky’s Reputation Filtering technology.
    • BAD (Botnet Activity Detection) shows statistics on identified IP-addresses of DDoS-attacks victims and botnet C&C (Command-and-Control) servers. These statistics were acquired with the help of the DDoS Intelligence system (part of the solution Kaspersky DDoS Protection).
    • RMW (Ransomware) shows ransomware detection flow.
  • fireeye.com/cyber-map/threat-map.html returns a 404.

Code repositories

https://github.com/ParrotSec/mimikatz extracts plaintexts passwords, hash, PIN code and kerberos tickets from memory.

References

https://www.appsecengineer.com/blog-categories/threat-modeling

More on Security

This is one of a series on Security in DevSecOps:

  1. Azure Security-focus Cloud Onramp

  2. AWS Security (certification exam)

  3. AWS IAM (Identity and Access Management)

  4. SIEM/SOAR

  5. SOC2
  6. FedRAMP

  7. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  8. Git Signing
  9. Hashicorp Vault

  10. OPA (Open Policy Agent)

  11. SonarQube
  12. WebGoat known insecure PHP app and vulnerability scanners

  13. Test for OWASP using ZAP on the Broken Web App

  14. Encrypt all the things

  15. Cyber Security
  16. Security certifications

Threat Modeling was published on .