2.3 Threat Modeling Part 3

Time
2 hours 41 minutes
Difficulty
Beginner
Video Transcription
00:00
Hi,
00:01
and welcome back to episode four of Cybersecurity Architecture Fundamentals.
00:08
Today we will complete
00:11
the section on threat modeling.
00:16
This episode
00:18
will cover
00:19
how to categorize threats using the STRIDE model,
00:23
how to rank threats using the DREAD model,
00:27
and to finish off,
00:30
we will just cover a little bit on other threat models, such as social threat models and environmental threat models.
00:37
And lastly, how do we document these threats?
00:43
To be effective? Threats must be understood and communicated uniformly.
00:49
Today I will cover STRIDE, which is a model developed by Microsoft to help categorize threats.
00:56
This is a fairly old model, but it is still of value today because it is easily understood.
01:03
There are more advanced models, like the MITRE ATT&CK framework, which we will not be covering. But if you are interested, you can go look it up
01:11
and learn a little bit more.
01:15
So what is STRIDE?
01:17
Well, STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.
01:29
These are six ways we can categorize threats,
01:34
although there is a seventh way by Lockheed Martin, called STRIDE-LM, that talks about lateral movement. But that is out of scope for this session.
01:42
Now I will go through a little bit about what each of them is,
01:46
but you just need to understand that these are six main areas where
01:52
threats can be categorized.
01:55
I will illustrate each of these
01:57
with examples in the following slides.
02:02
But let's take spoofing.
02:05
Spoofing can be done to a machine or a person. For example, if I want to spoof a machine,
02:13
I can use an attack like DNS spoofing or a DNS compromise. So I could fool you with a URL that you type in, for example www.google.com,
02:25
and I could just change the IP address to point somewhere else. That is an example of spoofing.
02:32
Or spoofing a person could be taking over an account and pretending to be someone else.
02:40
Tampering could mean changing something, so you could be redirecting network traffic, which is tampering with the flow.
02:49
Or you could be modifying code or scripts or configuration,
02:53
and that could be
02:55
also an example of tampering.
03:00
Repudiation
03:02
is to deny something that was done, so you could claim not to have received it. This could be either electronic or physical. So when you get a message, you can actually pretend that you did not get it and ask for it to be resent. Now that is an example of a repudiation threat.
03:23
information disclosure can take many forms.
03:25
The most direct way is, for example, a SQL injection attack, where someone manages to extract information through your website by entering a SQL statement that accesses the database.
03:38
Now that could be a deliberate attempt,
03:40
but it could also be
03:44
too much information in your error message, when your error message actually states the tables, the fields, or even a simple "password incorrect".
03:55
That
03:57
might be too much information, because if you enter a password and someone says "password incorrect", you can at least confirm that the username is correct, and that helps the attacker narrow his attempts.
04:14
Denial of service. Most people associate denial of service with a DDoS attack, where you get flooded,
04:21
or Slowloris, where someone just sends very slow traffic to lock up your server.
04:27
But
04:29
you know, triggering a lockout attempt, for example, if you lock out a system by too many attempts, that is also a denial of service. As long as the user cannot access the service, that is classified as a denial of service.
04:46
The last one is elevation of privilege. This is what most attackers try to do. They get a foothold into your system and increase their level of access to the rest of the system. This can be done by corruption, by sending invalid data, which is very common. Or it could be accidental, by accidentally
05:04
making someone an administrator,
05:08
or by misconfiguration.
05:11
Now, after you have categorized your threats,
05:15
we need to prioritize the threats.
05:17
You probably would have a long list of threats, and you probably will not have enough resources to put in all the controls to mitigate them.
05:27
So there needs to be a way to communicate the priorities and where to put your resources.
05:32
Now DREAD. It is a model created by Microsoft, but it is no longer used there. In fact, it is fairly dated, like STRIDE, and it is a very subjective approach. There are many other ways to do it, but I will use this in the fundamentals class to give you an idea of how
05:50
one way to prioritize your threats could be.
05:55
For this, let me explain a little bit about DREAD. DREAD stands for Damage potential,
06:01
Reproducibility,
06:03
Exploitability, Affected users and Discoverability. These are various factors used to calculate the risk.
06:13
So how do we use this? I think it is best illustrated with an example.
06:17
So, for example, let's take a look at this.
06:21
We will ask the questions. For damage potential: how big would the damage be?
06:27
Well, if you are a bank and this, whatever threat it is, could lead to reputational as well as financial and legal liability, we can give it a score of a 10.
06:39
And reproducibility: how easy is it to reproduce? Well, if it is fully reproducible, we can give it a maximum score of 10.
06:48
Exploitability.
06:50
This refers to what is the effort taken to exploit this threat.
06:56
Now if
06:58
it is required to be on the same subnet and have a compromised router, well, it may not be as bad as a 10, but you could have a malicious insider, so we can put it at a seven.
07:10
Affected users. We could say that this would be affecting all users in the system or in the bank, so we will put it as 10.
07:19
Discoverability. Well, the threat has already been published
07:24
online, so anybody who can use Google can find it. So we put it at a 10.
07:29
So with these numbers, we will just add them up, average them out, and we get a nine, which means this is a very high-ranking threat.
07:38
As you can see, this is not a very scientific way to do it. It is a very subjective task. A lot of it depends on the experience and the skill of the person ranking it.
07:48
There are many other ways to do threat risk ranking, but this is just one example. The idea is, after you identify the threats, everybody needs to agree on a way to rank them
08:01
so that we can all agree
08:03
on where to put our resources.
08:07
Now,
08:07
go look in your organization's risk management and see how they do risk ranking.
08:13
Adopt the one that is used by the organization, and if there is not one, you can use this model to start with.
08:24
To complete this module on threat modeling, I will just briefly touch on two other models which could be useful.
08:31
One is the environmental threat model,
08:35
which might be used, for example, when deciding the location of a new data center.
08:39
Environmental threat models could include flooding,
08:45
power outage,
08:46
telco outage and so on. So it is not relevant to some systems but might be very relevant to other systems, where location plays an important part.
09:00
The next one is social threat models. This is becoming increasingly important, where social engineering seems to be the main attack vector to very key personnel. So social threat models help you list out the various targets in your organization and
09:20
the various
09:20
attack vectors that could be used against them.
09:24
Here is an example
09:26
of how to draw a social threat model.
09:30
You can identify the goals: what do people want to get?
09:33
The media: is it email, face to face,
09:37
or even SMS?
09:41
And who is the social engineer? Is he an individual? Is he working as a group?
09:46
Who are the targets?
09:48
Is it an individual in the department, or is it the whole department?
09:52
And what are they trying to do? Trying to be a friend, an authority, using phishing and so on. So
09:58
map out the targets, map out the individuals in the organization, and this could result in customized awareness programs for different groups of people in the organization.
10:11
Now that you have gone through the basics of threat modeling, let me finish off by reiterating how to start.
10:18
First, get the architectural artifacts from the development team,
10:24
scope the model,
10:26
and you can do your data flow diagrams or your other threat modeling, and use the free tools.
10:31
Once you have managed to draw some of these diagrams out,
10:35
it is time to organize them in a way that can be easily communicated,
10:41
regardless of the type of drawing. There is typically some basic information in a threat model document.
10:48
Firstly, we need to just list the name, the owner, the description and the versions. Threat models do evolve over time and over iterations: when more information is uncovered, the threats do change.
11:03
Next, it is good to list out the dependencies. What external systems or interfaces does the threat model rely on? So these could be some of the assumptions you make.
11:15
What is the entry point of the threat? Is it a web page? What protocol is it? Is it an API, or is it FTP?
11:22
List out the entry points so that the mitigation controls can be better understood.
11:28
More importantly, the assets:
11:31
try to put as much detail on the assets as possible, including the valuation and how you came up with the valuation formula.
11:41
And lastly, it is good to put down the countermeasures, which are the mitigation controls that you would like to put in.
11:50
To end off, I would like you to try this exercise now. This is a typical diagram
11:56
of a home with a fiber connection, so you would have your users, you would have a switch or router, a firewall, and maybe your phone to a Wi-Fi AP. Now, given that this is your environment,
12:11
try to create a threat model for this environment, or
12:16
think about your home environment and create a threat model of your home.
12:22
This would be a good exercise to try to identify if you have sufficient controls in place to secure your home environment.
12:33
So,
12:35
what threat models did you create on your home environment?
12:39
And did you manage to identify additional controls that you need to secure it?
12:45
Do a few more of these for your friends and family,
12:48
and you will get the hang of it to develop
12:50
good threat models and mitigation controls.
12:54
The video lessons are very short, so for further reading, these are some of the places where you can get additional reading materials
13:03
and learn a little bit more about how some of these models were created.
13:09
So do take the time to download the materials listed here and spend some time going through them.
13:18
So in summary,
13:20
I just want to reiterate
13:22
that there is such a thing as too much security.
13:24
Doing a threat model helps you identify your assets and apply the right level of controls.
13:33
Threat modeling also helps you articulate the threats and controls and communicate them better to the larger community.
13:41
There are many types of threat models; choose the right one for your situation. It may be more than one,
13:48
and please make use of tools to help you create your threat models.
13:54
You can start with the free tools, and as you progress up in your maturity, you might want to consider buying some commercial tools.
14:03
Well, this concludes the module on threat modeling.
14:07
Next, we will start on the next module, which is enterprise security areas, and the first video on that will cover areas such as network security, application security and endpoint security.
14:20
Look forward to seeing you in the next video.