Hands-On Threat Modeling with Trike v1. Generating Threats.


Hands-On Threat Modeling with Trike v1

Generating Threats

Copyright Brenda Larcom and Paul Saitta

Actors
People who interact directly with the business of the system
Not actors:
- Programs
- Programmers
- Network administrators

Assets
Concrete and attackable
Inherently meaningful in the problem domain
Not assets:
- Company reputation
- System uptime
- System hardware
The external asset represents other systems this system might affect

Actions
Actors perform actions on assets according to rules
Actions are create, read, update, and delete
Actions can be combined: copy is create plus read
No actions can be taken on the external asset

Rules
A boolean tree of conditional clauses
An actor is really a rule: "User is in Role"
Repudiation and logging are handled by rules

Threats
Generated programmatically from the previous information
Two categories:
- Denial of service: an intended action can't happen
- Elevation of privilege: an action occurs despite the rules, or an unintended action occurs
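The threat generation step above, as an added example; this is not code from the Trike tool or its authors. The rule-tree classes, the ALWAYS/NEVER sentinels and the small web-store model are this example's own assumptions about how to encode the deck's actors, assets, CRUD actions and "boolean tree of conditional clauses". It produces exactly the deck's two categories: a denial-of-service threat for every intended action, and an elevation-of-privilege threat for every action that is either conditional on a rule or not intended at all, while skipping the external asset entirely.

```python
"""Trike-style threat generation from a requirements model (added example,
not the Trike tool's code; the store model below is constructed)."""
from dataclasses import dataclass
from itertools import product

# A rule is a boolean tree of conditional clauses.
@dataclass(frozen=True)
class Clause:
    text: str          # e.g. "actor is in role clerk" (an actor is itself a rule)

@dataclass(frozen=True)
class AllOf:           # conjunction
    parts: tuple

@dataclass(frozen=True)
class AnyOf:           # disjunction
    parts: tuple

@dataclass(frozen=True)
class Not:
    part: object

ALWAYS = AllOf(())     # empty conjunction: the action is unconditionally intended
NEVER = AnyOf(())      # empty disjunction: the action should never occur
ACTIONS = ("create", "read", "update", "delete")   # copy = create + read, etc.

def holds(rule, facts):
    """Evaluate a rule against the set of clause texts that are true right now."""
    if isinstance(rule, Clause):
        return rule.text in facts
    if isinstance(rule, AllOf):
        return all(holds(p, facts) for p in rule.parts)
    if isinstance(rule, AnyOf):
        return any(holds(p, facts) for p in rule.parts)
    return not holds(rule.part, facts)

def clause_texts(rule):
    """Flatten a rule to its leaf clauses: what an attacker must defeat."""
    if isinstance(rule, Clause):
        return [rule.text]
    if isinstance(rule, Not):
        return [f"not ({t})" for t in clause_texts(rule.part)]
    return [t for p in rule.parts for t in clause_texts(p)]

@dataclass(frozen=True)
class Threat:
    kind: str          # "denial of service" or "elevation of privilege"
    actor: str
    action: str
    asset: str
    rule: object

    def describe(self):
        if self.kind == "denial of service":
            return f"{self.actor} cannot {self.action} {self.asset}"
        if self.rule == NEVER:
            return f"{self.actor} {self.action}s {self.asset} (never intended)"
        return (f"{self.actor} {self.action}s {self.asset} despite: "
                + ", ".join(clause_texts(self.rule)))

def generate_threats(actors, assets, external, rules):
    """rules: {(actor, action, asset): rule}; a missing entry means NEVER.
    One DoS threat per intended action, one EoP threat per action that is
    conditional or forbidden: the deck's two threat categories."""
    threats = []
    for actor, action, asset in product(actors, ACTIONS, assets):
        if asset in external:        # no actions can be taken on the external asset
            continue
        rule = rules.get((actor, action, asset), NEVER)
        if rule != NEVER:            # intended, possibly conditional, action
            threats.append(Threat("denial of service", actor, action, asset, rule))
        if rule != ALWAYS:           # rules can be violated, or the action is unintended
            threats.append(Threat("elevation of privilege", actor, action, asset, rule))
    return threats

def store_model():
    """Constructed requirements model for a small web store (illustrative only)."""
    owns, shipped = Clause("actor owns the order"), Clause("order is shipped")
    rules = {
        ("customer", "create", "order"): ALWAYS,
        ("customer", "read", "order"): owns,
        ("customer", "update", "order"): AllOf((owns, Not(shipped))),
        ("clerk", "read", "order"): ALWAYS,
        ("clerk", "update", "order"): ALWAYS,
        # omitted triples (e.g. anyone deleting an order) default to NEVER
    }
    return ["customer", "clerk"], ["order", "payment processor"], {"payment processor"}, rules

if __name__ == "__main__":
    actors, assets, external, rules = store_model()
    for t in generate_threats(actors, assets, external, rules):
        print(f"[{t.kind}] {t.describe()}")
```

For the constructed model this yields ten threats: five denial-of-service (every intended actor/action pair) and five elevation-of-privilege (the two conditional customer actions plus the three forbidden ones). Encoding "never" as an empty disjunction and "always" as an empty conjunction means the same `holds` evaluator serves the rules, the threat split and, later, the enforcement points a use flow annotates.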

Constructing Attack Graphs

Attack Graph
Attacks form a semi-hierarchical, directed, cyclic graph
The graph can be viewed as a set of interlinked trees
Roots are threats
Leaf nodes are atomic hostile actions

Attack Stubs
Predefined trees in the attack graph
Rooted on elements of the model as they are defined
Provide:
- Organizing goals for child attack nodes
- A bridge between low-level attacks and their meaning to the system
- Structure to minimize gaps in manual analysis

Data Flow Diagrams
Show data flowing between actors, processes and data stores
Decomposed until no process contains an internal trust boundary
Annotations:
- Trust boundaries
- Specific technologies in use
- Authentication, authorization, and encryption mechanisms

DFD Attack Stubs
Stubs are defined per element type
Roots of stubs are goals for abusing an element
DFD annotations allow elaboration and refinement

State Machine
Describes system state
Shows the implementation of some of the rules
All intended actions appear as transitions
Supporting actions make up the remaining transitions
Transitions may have rules in addition to prerequisite and postrequisite states

State Machine Attack Stubs
Stubs are defined for states and transitions
Roots of stubs are goals for violating the normal state progression

Use Flows
Use flows are branching traces through the DFD
Start and end at the user
Map between the state machine and the DFD
Annotations mark:
- When state transitions occur
- Enforcement points for the remaining rules
- When intended and supporting actions finish
- Specific data flowing and processes occurring

Use Flows and Attack Stub Filtering
Use flows allow filtering so that only attacks against relevant DFD elements appear in the attack graphs for threats
Determine the window of opportunity for attacks

Gathering Data for Risk Computations

Actor and Asset Values
Actors have a risk level, from 1 to 5
Assets:
- Valued in currency amounts (dollars, etc.)
- Based on their value to the business
- Values should at least be accurate relative to other assets

Relative Risk
Determine a set of relative business risks for each possible action-actor-asset triple
For all intended actions, create a denial of service risk
For all actions with rules, or which should not occur, create an elevation of privilege risk for taking the action in violation of the rules

Attack Leaf Nodes
Leaf nodes have two risk values:
- Reproducibility: how easy it is to reproduce the circumstances under which the attack succeeds
- Exploitability: how much expertise is required to succeed with the attack
Can also map to actual code or configuration in the implementation

Mitigations
Reduce or remove the effectiveness of attacks
Each mitigation has:
- Cost to implement (unless already deployed)
- New reproducibility and exploitability
- Scope in the attack graph over which it applies
One node may need multiple mitigations with different values if it can be reached by multiple paths

Attacking Mitigations
Mitigations can be attacked and have their own attack graphs
The new reproducibility and exploitability for a mitigated attack can be calculated by traversing the mitigation's attack graph

Answering Interesting Queries

Interesting Queries
The graph structure of the data model allows complex and interesting queries of the system
Its live, calculated nature allows the system to be used for real-time analysis

Threat Exposure
Can be calculated with only the requirements model and requirements-level risk data
Gives a clear picture of the overall risk profile of the system with a small time investment
Can be used to focus further work
Calculated by multiplying the value of the asset by the risk level of the relevant actor and by the action-specific risk level for that actor and asset

Threat Risk
Calculated using the full attack graph
Shows the actual risk to the system
Takes into account both business-level values and implementation-level likelihoods
Values propagate up from the leaf nodes to the threats

Vulnerabilities
An unmitigated path from a sufficient set of leaf attack nodes to a threat
Represents a way in which a threat can actually occur
Risk is calculated by attack graph traversal
An intermediate result for calculating threat and weakness risks; not used directly

Weaknesses and Mitigations
Weaknesses are unmitigated leaf attack nodes
Can be ordered by the reduction in overall risk from fixing them
Unimplemented mitigations can be ordered by expected return value
The best actions for a given budget can also be determined

The Dynamic Risk Model
Effects on the risk model are immediately visible when exploitability and reproducibility change
As new exploits come out, resources for rapid response can be allocated
Allows targeting of resources to areas of the attack graph with high leverage on the overall risk posture

More information
Paper:
Tool:
Contact:
Mailing List: (subscribe at trike-announce-