
Hands-On Threat Modeling with Trike v1. Generating Threats.


1 Hands-On Threat Modeling with Trike v1

2 Generating Threats

3 Actors
Copyright 2003-2005 Brenda Larcom and Paul Saitta
- People who interact directly with the business of the system
- Not actors:
  - Programs
  - Programmers
  - Network Administrators

4 Assets
- Concrete and attackable
- Inherently meaningful in the problem domain
- Not assets:
  - Company reputation
  - System uptime
  - System hardware
- External asset represents other systems this system might affect

5 Actions
- Actors perform Actions on Assets according to Rules
- Actions are create, read, update, and delete
- Actions can be combined: copy is create plus read
- No actions can be taken on the external asset

6 Rules
- Boolean tree of conditional clauses
- Actor is really a rule: "User is in Role"
- Repudiation and logging are handled by rules

7 Threats
- Generated programmatically from previous information
- Two categories:
  - Denial of service: an intended action can't happen
  - Elevation of privilege: action occurs despite rules, or unintended action occurs

8 Constructing Attack Graphs

9 Attack Graph
- Attacks form a semi-hierarchical, directed, cyclic graph
- Graph can be viewed as a set of interlinked trees
- Roots are threats
- Leaf nodes are atomic hostile actions

10 Attack Stubs
- Predefined trees in the attack graph
- Rooted on elements of the model as they are defined
- Provide:
  - Organizing goals for child attack nodes
  - Bridge between low-level attacks and meaning to the system
  - Structure to minimize gaps in manual analysis

11 Data Flow Diagrams
- Show data flowing between actors, processes and data stores
- Decomposed until no process contains an internal trust boundary
- Annotations:
  - Trust boundaries
  - Specific technologies in use
  - Authentication, authorization, and encryption mechanisms

12 DFD Attack Stubs
- Stubs defined per element type
- Roots of stubs are goals for abusing an element
- DFD annotations allow elaboration and refinement

13 State Machine
- Describes system state
- Shows the implementation of some of the rules
- All intended actions appear as transitions
- Supporting actions make up remaining transitions
- Transitions may have rules in addition to prerequisite and postrequisite states

14 State Machine Attack Stubs
- Stubs are defined for states and transitions
- Roots of stubs are goals for violating the normal state progression

15 Use Flows
- Use flows are branching traces through the DFD
- Start and end at the user
- Map between state machine and DFD
- Annotations mark:
  - When state transitions occur
  - Enforcement points for remaining rules
  - When intended and supporting actions finish
  - Specific data flowing and processes occurring

16 Use Flows and Attack Stub Filtering
- Use flows allow filtering so only attacks against relevant DFD elements appear in the attack graphs for threats
- Determine the window of opportunity for attacks

17 Gathering Data for Risk Computations

18 Actor and Asset Values
- Actors have a risk level, from 1 to 5
- Assets:
  - Valued in currency amounts (dollars, etc.)
  - Based on their value to the business
  - Value should at least be accurate in relation to other assets

19 Relative Risk
- Determine a set of relative business risks for each possible action-actor-asset
- For all intended actions, create a denial of service risk
- For all actions with rules or which should not occur, create an elevation of privilege risk for taking the action in violation of the rules

20 Attack Leaf Nodes
- Leaf nodes have two risk values:
  - Reproducibility: how easy it is to reproduce the circumstances under which the attack succeeds
  - Exploitability: how much expertise is required to succeed with the attack
- Can also map to actual code or configuration in the implementation

21 Mitigations
- Reduce or remove the effectiveness of attacks
- Each mitigation has:
  - Cost to implement (unless already deployed)
  - New reproducibility and exploitability
  - Scope in the attack graph over which it applies
- One node may need multiple mitigations with different values if it can be reached by multiple paths

22 Attacking Mitigations
- Mitigations can be attacked and have their own attack graphs
- New reproducibility and exploitability for a mitigated attack can be calculated by traversing the mitigation attack graph

23 Answering Interesting Queries

24 Interesting Queries
- Graph structure of the data model allows for complex and interesting queries of the system
- Live, calculated nature allows the system to be used for real-time analysis

25 Threat Exposure
- Can be calculated with only the requirements model and requirements-level risk data
- Gives a clear picture of the overall risk profile of the system with a small time investment
- Can be used to focus further work
- Calculated by multiplying the value of the asset by the risk level for the relevant actor and the asset and action specific risk level
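As an added example (not code from the Trike paper or tool), the threat generation of slides 7 and 19 and the exposure calculation of this slide, run over a small constructed actor/asset/action matrix. The "always"/"never"/rule-text cell encoding, the sample actors, assets and values, and the relative_risk lookup are assumptions.

```python
# Added example (not code from the Trike paper or tool): generate Trike v1
# threats from a requirements-level model and rank them by threat exposure.
# Assumption: each actor/asset/action cell is "always" (intended, unconditional),
# "never" (must not occur) or the text of the rule that permits the action.
from dataclasses import dataclass

ACTIONS = ("create", "read", "update", "delete")  # Trike's four actions
@dataclass(frozen=True)
class Threat:
    kind: str    # "DoS" or "EoP"
    actor: str
    action: str
    asset: str
    rule: str    # EoP: the rule being violated ("never" if forbidden); DoS: ""

def row(create, read, update, delete):
    return dict(zip(ACTIONS, (create, read, update, delete)))  # action -> cell

# Constructed sample model: actor risk levels (1-5), asset values in dollars,
# and the actor/asset/action matrix keyed by (actor, asset).
ACTORS = {"Customer": 3, "Clerk": 2}
ASSETS = {"Order": 5000.0, "PriceList": 20000.0}
MATRIX = {
    ("Customer", "Order"): row("always", "Customer owns Order", "Order is not shipped", "never"),
    ("Customer", "PriceList"): row("never", "always", "never", "never"),
    ("Clerk", "Order"): row("always", "always", "User is in Role Manager", "never"),
    ("Clerk", "PriceList"): row("never", "always", "User is in Role Manager", "never"),
}

def generate_threats(matrix):
    """DoS for every intended action; EoP for every rule-bound or forbidden action."""
    threats = []
    for (actor, asset), cells in matrix.items():
        for action in ACTIONS:
            cell = cells[action]
            if cell != "never":   # intended, whether unconditional or rule-bound
                threats.append(Threat("DoS", actor, action, asset, ""))
            if cell != "always":  # rule-bound or forbidden, so it can be violated
                threats.append(Threat("EoP", actor, action, asset, cell))
    return threats

def threat_exposure(threat, actors, assets, relative_risk):
    """Asset value x actor risk level x action-specific relative risk (default 1.0)."""
    key = (threat.kind, threat.actor, threat.action, threat.asset)
    return assets[threat.asset] * actors[threat.actor] * relative_risk.get(key, 1.0)

def ranked_exposures(matrix, actors, assets, relative_risk):
    """(exposure, threat) pairs, highest first, to focus further work."""
    return sorted(((threat_exposure(t, actors, assets, relative_risk), t)
                   for t in generate_threats(matrix)), key=lambda st: -st[0])
```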

26 Threat Risk
- Calculated using the full attack graph
- Shows actual risk to the system
- Takes into account both business-level values and implementation-level likelihoods
- Values propagate up from the leaf nodes to the threats

27 Vulnerabilities
- An unmitigated path from a sufficient set of leaf attack nodes to a threat
- Represents a way in which a threat can actually occur
- Risk calculated by attack graph traversal
- Intermediate result for calculating threat and weakness risks; not directly used

28 Weaknesses and Mitigations
- Weaknesses are unmitigated leaf attack nodes
- Can be ordered by the reduction in overall risk from fixing them
- Unimplemented mitigations can be ordered by expected return value
- The best actions for a given budget can also be determined
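As an added example (not code from the Trike paper or tool) of the attack-graph calculations on slides 20, 21, 26 and 28: leaf reproducibility and exploitability propagate up to a threat's risk, and unmitigated leaves are ranked by the risk reduction from fixing each. The AND/OR combination rules, the [0, 1] probability scale for the two leaf values, the mitigation encoding and the sample graph are assumptions, since the slides do not specify them.

```python
# Added example (not code from the Trike paper or tool): propagate leaf-node
# values up an attack graph to a threat's risk, then rank unmitigated leaf nodes
# (weaknesses) by how much fixing each would reduce that risk. Assumptions: the
# graph is a tree of AND/OR nodes; reproducibility and exploitability are success
# probabilities in [0, 1] whose product is the leaf likelihood; a mitigation is
# given as {leaf name: (new reproducibility, new exploitability)}.
import math
from dataclasses import dataclass, field
from typing import List
@dataclass
class Node:
    name: str
    kind: str = "LEAF"                   # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)
    reproducibility: float = 0.0         # leaves only
    exploitability: float = 0.0          # leaves only

# Constructed sample graph for one threat: two alternative paths, the second
# needing two atomic hostile actions together.
GRAPH = Node("EoP: Customer updates shipped Order", "OR", [
    Node("forge update request", reproducibility=0.9, exploitability=0.7),
    Node("act as Clerk", "AND", [
        Node("replay Clerk session", reproducibility=0.4, exploitability=0.5),
        Node("enumerate Order id", reproducibility=0.8, exploitability=0.9)])])
EXPOSURE = 15000.0   # requirements-level threat exposure for this threat

def likelihood(node, mitigations):
    """Leaf: r*e, using the mitigation's values where one is in scope.
    OR: the easiest child wins; AND: every child must succeed (assumed rules)."""
    if node.kind == "LEAF":
        r, e = mitigations.get(node.name, (node.reproducibility, node.exploitability))
        return r * e
    parts = [likelihood(c, mitigations) for c in node.children]
    return max(parts) if node.kind == "OR" else math.prod(parts)

def threat_risk(root, exposure, mitigations):
    """Slide 26: business-level exposure scaled by implementation-level likelihood."""
    return exposure * likelihood(root, mitigations)

def leaves(node):
    return [node] if node.kind == "LEAF" else [l for c in node.children for l in leaves(c)]

def rank_weaknesses(root, exposure, mitigations):
    """Slide 28: unmitigated leaves ordered by the risk reduction from fixing each."""
    base = threat_risk(root, exposure, mitigations)
    ranked = []
    for leaf in (l for l in leaves(root) if l.name not in mitigations):
        fixed = {**mitigations, leaf.name: (0.0, 0.0)}   # hypothetical complete fix
        ranked.append((base - threat_risk(root, exposure, fixed), leaf.name))
    return sorted(ranked, reverse=True)
```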

29 The Dynamic Risk Model
- Effects on the risk model are immediately visible when exploitability and reproducibility change
- As new exploits come out, resources for rapid response can be allocated
- Allows targeting of resources to areas of the attack graph with high leverage on the overall risk posture

30 More information
- Paper: http://hhhh.org/trike/paper
- Tool: http://hhhh.org/trike/tool
- Contact: trike@hhhh.org
- Mailing List: trike-announce@hhhh.org (subscribe at trike-announce-request@hhhh.org)

