Security Management: samenvatting: H3:
Threat modelling
Key to a focused defence
the main goal is to identify threats and to do something about them
1 Overview
Core of threat modelling
o STRIDE-LM for security
o LINDDUN for data protection
2 What is threat modelling
Security design
o twofold meaning
The features and properties of a system that determine its security
efforts to shape these features and properties
Risk analysis
o pairs security goals with opposing threats, refines either component as necessary,
and ranks goal-threat combinations by goal importance and expected damages
Design process of a system
o translates security goals into design choices
Security design analysis
o aims to understand how to fulfil a system’s security goals
3 Our goal
A number of controls are unnecessary and a waste of time and effort
Real goal of threat modelling become more aware of what we should be doing in terms of
defense and to correct this
4 The interplay of requirements, threats and mitigations
Goal of threat modelling we
do not derive the security
requirements based on some
vague concepts (“I want my
system to be secure”) but on
threats or threat scenarios that
are felt to be realistic
Prevent/detect/respond
common way for organizations to
think about operational security
Detect/deny/disturb/degrade/
deceive a more complete list
of how you want to fight against the attacker
People/process technology a frame for thinking about security, so it may help you to use it
as a way to find requirements
1
� 2 major categories of security requirements for people
o Trustworthiness and skills
5 System model
Data Flow Diagram (DFD)
o concepts entity, process, data store and data flow add trust boundary as a
separate concept
o Trust boundaries used as an extension of classical data flow diagrams for threat
modelling and represent the change of trust levels as the data flow through the
application
mostly appear across processes that are talking over a network
o careful not to use the boundary trust system as perimeter-based security and to
assume that the bad guys are only outside
6 What is a threat
A threat is sometimes synonymous of either a threat actor or a threat event / threat activity
7 Threat taxonomy
unintentional threat activities
o electricity or internet outage, a disaster because of wind or earthquake
unintentional human threat events
o caused by human errors
Legal also a threat
human intentional threat activities
o theft, sabotage, eavesdropping, hacking
high-level taxonomy types
o outage, disaster, failure, unintentional damage, legal, physical, eavesdropping and
nefarious activity/abuse
o = threat sources
8 How important are these threats
Verizon Data Breach Investigations Report
Error cause of breach high
number of internal threat actors fluctuates over time but has always remained between 20
and 30 %
9 What is a threat actor (or threat agent)
do not underestimate the hackers or activists with limited resources but a lot of time
2
�10 Threat agents
11 Threat agents sophistication and motivation
Main categories
o notoriety, curiosity, financial and revenge
12 Threat life cycle (cyber threat framework)
Common Cyber Threat Framework (CTF)
Targeted threat starts with a preparation activity
o who are you, what do you have, who are the people with access to these important
assets, etc…
Initial engagement phase objective to get in using a combination of human and technical
vulnerabilities
Effect/consequence end goal of an attack
o Stealing data, leaking data, changing data, sabotaging systems, removing all the data
including the backups, extorsion of the organization in order to obtain ransom
money, are typical consequences
Common Cyber Threat Framework
defines stages and objectives
o stages and the objectives fairly
close to what MITRE ATT&Ck calls
tactics and techniques
13 Lockheed martin kill chain
Most well-known other threat life cycle or
kill chain
Reconnaissance
3
� o Research, identification and selection of targets, often represented as crawling
Internet websites such as conference proceedings and mailing lists for email
addresses, social relationships, or information on specific technologies
Weaponization
o Coupling a remote access trojan with an exploit into a deliverable payload, typically
by means of an automated tool (weaponizer)
Delivery
o Transmission of the weapon to the targeted environment
Exploitation
o After the weapon is delivered to victim host, exploitation triggers intruders’ code
Installation
o Installation of a remote access trojan or backdoor on the victim system allows the
adversary to maintain persistence inside the environment
Command and Control (C2)
o Typically, compromised hosts must beacon outbound to an Internet controller server
to establish a C2 channel
Actions on objectives
o Only now, after progressing through the first six phases, can intruders take actions to
achieve their original objectives
Variants of this chain typical need for lateral movement progressing through various
stages from endpoint to target server
Intrusion kill chain becomes a model for actionable intelligence when defenders align
enterprise defensive capabilities to the specific processes an adversary undertakes to target
that enterprise
Course of action (COA) matrix
o matrix depicts in the exploitation phase, for example, that host intrusion detection
systems (HIDS) can passively detect exploits, patching denies exploitation altogether,
and data execution prevention (DEP) can disrupt the exploit once it initiates
14 Mandiant life cycle
Lockheed Martin Cyber Kill Chain too sequential
o Does not cover internal reconnaissance and lateral movement
4
� Mandiant attack life cycle takes these remarks into account
o More appropriate for APT’s (Advanced Persistent Threats) attacker’s goal ::> long
term access
Main differences are in the circle
o Lateral move
where the attacker uses his access to move from one system to the next
system within the compromised environment
o Escalate privileges
where the attacker obtains greater access to systems and data
o Maintain presence
where the attacker ensures continued access to the environment
o Internal reconnaissance
where the attacker internally explores the victim’s environment to gain a
better understanding and to determine information of interest
15 ICS kill chain
achieves a true cyber-physical attack rather than an attack characterized as espionage, ICS
disruption or intellectual property theft
o To accomplish such an attack requires adversaries to initiate a two-stage attack
against an ICS
First stage
o is best categorized as the type of activity that would traditionally be classified as
espionage or an intelligence operation
o At the end of the first stage, the adversary acts
What makes performing an ICS cyber-attack so different from a traditional IT cyber attack
o require the attacker to have extensive knowledge to impact configurations in a
meaningful and designed way
Stage 2
o attacker must use the knowledge gained in Stage 1 to specifically develop and test a
capability that can meaningfully attack the ICS
16 Security failures stride or stride-lm classification
5
� Goal of STRIDE help identifying threats
The STRIDE model considers the effect of each threat type and assumes the cause of each
threat will be uncovered during analysis activities
Variant of STRIDE DESIST
o Dispute, Elevation of privilege, Spoofing, Information disclosure, Service denial,
Tampering
There are also completely different other categories of threats based on the threat sources
instead of the threat impact
o social,
o operational
o technological
o environmental
use the OWASP top 10 in a similar way as STRIDE in order to generate a list of potential
threats of a system
Note that the STRIDE terms are negative characteristics, things we want to prevent
o Especially in the context of e.g., repudiation
17 STRIDE approach
ST (spoofing, tampering
o presents the attack surface or initial access points of the targeted system/zone of the
threat modelling which is at level (N) that are initiated by threat actors and not due
to misconfiguration or vulnerability of the system
ID (information disclosure, denial of service)
o presents the impact of the threats on the system, such as information disclosure or
denial of service, and it could be an interaction around the targeted system (N-1)
RE (repudiation, elevation of privilege)
o presents the post-exploitation activities such as lateral movement, escalation of
privileges, and evasion techniques including denying the responsibility of performing
the attack by clearing logging activities or evasion
Lateral movement
o is not shown on this picture, but it allows to move in the same level
18 Addressing each threat
Mitigation
o is about doing things to make it harder to take advantage of a threat
6
� Avoidance/elimination
o is almost always achieved by eliminating features
Transferring threats
o is about letting someone or something else handle the risk
Accepting the risk
o is the final approach to addressing threats
19 Prioritizing threats
You not only need to identify the threats. You also need to rate them so that you can
prioritize them
20 Full process
STRIDE and LINDDUN considered as methods for identifying and creating “misuse cases”
Real goal of course decide on controls to remedy the threats
21 Spoofing controls
22 Tampering controls
7
�23 Repudiation controls
24 Information disclosure controls
25 Denial of service controls
26 Elevation of privilege controls
8
�27 Lateral movement controls
Taint shared content
o Content stored on network drives or in other shared locations may be tainted by
adding malicious programs, scripts, or exploit code to otherwise valid files
28 Applying STRIDE in IOT
Device environment
o is the immediate physical space around the device where physical access and/or
“local network” peer-to-peer digital access to the device is feasible
Field gateway
o is a device/appliance or some general-purpose server computer software that acts as
communication enabler and, potentially, as a device control system and device data
processing hub
Cloud gateway
o is a system that enables remote communication from and to devices or field
gateways from several different sites across public network space, typically towards a
cloud-based control and data analysis system, a federation of such systems
Service
o is defined for this context as any software component or module that is interfacing
with devices through a field- or cloud gateway for data collection and analysis, as well
as for command and control
Device control
o can be classified as any information that is provided to a device by any party with the
goal of changing or influencing its behaviour towards its state or the state of its
environment
Device data
o can be classified as any information that a device emits to any other party about its
state and the observed state of its environment
29 Privacy failures LINDDUN classification
Hard privacy
o refers to data minimazation, based on the assumption that personal data are not
divulged to third parties
Soft privacy
o is based on the assumpCon that data subject lost control of personal data and has to
trust the honesty and competence of data controllers
9
� Threat modelling for privacy threats
o = privacy impact assessment or a data protection impact assessment
Linkability
o Being able to sufficiently distinguish whether 2 items of interest are linked or not,
even WITHOUT knowing the actual identity of the subject of the linkable item of
interest
Identifiability
o Being able to sufficiently identify the subject within a set of subjects
Non-repudiation
o Not being able to deny a claim; The attacker can thus prove a user knows, has done
or has said something
Detectability
o Being able to sufficiently distinguish whether an item of interest exists or not
Information disclosure
o Exposure of information to individuals who are not supposed to have access to it
Unawareness
o Being unaware of the consequences of sharing information
Non-compliance
o Not being compliant with legislation, regulations, and corporate policies (incl e.g. the
lack of a contract that is legally required)
30 LINDDUN corrected threats
Information disclosure (confidentiality)
Tampering (integrity)
Unavailability (availability)
Spoofing (authentication)
Unspecified, broad, incompatible or divergent purposes (purpose limitation)
Excessive, unnecessary data or storage duration (data minimization)
Excessive data (necessity / proportionality)
Illegal data transfer or illegal processing by third party
Insufficient data subject rights and transparency
Other fundamental right violations (other fundamental rights)
Insufficient contractual agreements
10
�31 Attack trees, threat trees
An attack tree converts the effect to the cause
o The cause is a vulnerability that should be dealt with
o Generic attack trees in a method such as LINDDUN are an important knowledge base
Linkability of entity
o refers to an attacker who can sufficiently distinguish whether two or more entities
are related or not within the system
32 Attack libraries
Attack libraries such as CAPEC are of course a major knowledge base as well
33 IDDIL/ATC classification
34 Tara (Mitre)
threat modelling method
11
� It combines identification of threats or vulnerabilities and the selection of countermeasures
35 CM ranking table
Calculate the ratio utility/cost
36 CJA (Crown jewels analysis)
CJA can be performed using dependency maps starting with the mission objectives and
leading to identification of the most critical cyber assets
37 NIST SP 800-154
NIST is the first to also create a guidance document (for the moment still in draft form)
covering (data-centric) threat modelling so that organizations can use it as part of their risk
management processes instead of relying solely on conventional "best practice"
recommendations
12
