Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to be looking at some general threat modeling processes and what you can do to start threat modeling within your penetration testing efforts. So, a quick disclaimer: pentest videos do cover tools that could be used for system hacking, as well as techniques, and the tools or techniques discussed or used during demonstrations should be researched and understood by the user. Please research your laws and regulations regarding the use of such tools or techniques within your given area to ensure that we don't violate any laws. Now let's jump into our objectives.
So, just a few today that we're going to be going through. We're going to describe what threat modeling is. We've had a pretty bulky slide on that, but we're going to go through that together. We'll look at a high-level process for threat modeling, look at a high-level example, and describe some high-level modeling tools that you can use in your efforts to identify risks and threats to an organization.

So what is threat modeling? What is it that we're doing when we threat model? Essentially, we're looking at and providing clarity to an organization based on its risk appetite, and we're prioritizing what assets are going to be more important than others. And essentially, we're going to figure out what would pose the greatest risk to the organization. Additionally, it enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility, and general profile of the attacker. And so overall, we want to act like the attacker. We don't want to waste our time on small systems or things that aren't going to provide any benefit to us if we were a legitimate threat actor. And so when we approach threat modeling, we want to approach it from that same aspect, that same avenue.

And so the threat model should be constructed in coordination with the organization being tested whenever possible, and even in a complete black box situation, where the tester doesn't have any prior information on the organization, they should create a threat model based on the attacker's view. So pay attention to that: based on the attacker's view, like we were saying, in combination with open source intelligence. And so we recently went through that again. Open source intelligence isn't always timely or always accurate, but it is beneficial in that you can see what's out there on the Internet and then potentially identify some areas of risk, or areas that you could attack within the organization.
Now, this is a high-level process for threat modeling. So if you've got some other tool or technique that you use, then by all means, you know, take what's relevant and discard what is not. But if you don't have a place to start, this is definitely a good one. So the first thing that you want to do is gather relevant documentation with respect to processes, with respect to assets, with respect to the organization, and start to evaluate that. Then identify and categorize primary and secondary assets, primary being those that are most critical, secondary being those that they could potentially do without. And then identify and categorize threats and threat communities against those particular assets, and map those threat communities against the primary and secondary assets. And so that, in a nutshell, is what you could do. So let's kind of apply an example to that.
With respect to the Penetration Testing Execution Standard, let's say that an internally hosted CRM application may be in scope. Okay. The customer information is stored in the back-end database and is an easily identifiable primary asset, and it is directly linked to the scope with respect to that particular application. However, as you start to review the technical design of the database server, it can also be identified that HR databases are stored on the same back end, and that's a secondary asset. So essentially an attacker can use the CRM application as a stepping stone to obtain employee information.
So in a basic threat modeling exercise, it may not be apparent right up front that that information would have been accessible or would have been a component of that primary application. But by looking at the secondary assets, looking at how things connect, looking at how things operate, we were able to identify that if this system were in fact compromised, it could be used to engage other systems or other information sets. And so it's important to always keep that in mind when looking at a primary asset and when looking at a network. The client, in most cases, or in some cases, depending on their level within the organization and where they're at, may not have all of the necessary information to help us map out all of the connections to the different systems, or may not be able to help us map out how these systems interact with one another. So it is our responsibility to make sure that we tease that information out and that we get everything that we can that would be pertinent to this type of scenario when we're doing our threat modeling.
So let's look at some high-level tools. Depending on what you're trying to do or how you want to go about modeling threats, there are a number of things out there. Each of these is a method that you can use that breaks things down into, like, common threats and common areas, denial of service or different attack vectors. Or, you know, if we're going to maybe do a diagram or some type of graph, we model assets against common threats, because, you know, if you look at something like the MITRE ATT&CK framework, there's literally tons and tons of ways that a system could be attacked. And so there are some models and methods that essentially allow us to kind of break that down to some core areas.

Now, if you've done any type of vulnerability scans or any type of security scans, or if you've picked up a security-based book recently, it's likely that you've run into CVSS and the scoring system that comes with that. There are calculators online that you could use, where you could apply a CVSS score to a particular threat within an organization. And so there's a way that you could use that to apply it. You could do attack trees; persona non grata, meaning that you kind of act like the attacker and think like the attacker and come up with vectors; there are Security Cards, which are kind of brainstorming tools that you can use, and so it's like a deck of cards with different attack types; you've got hTMM; you've got the quantitative threat modeling method; and then Trike. So any of these methods, if you give them a quick search on Google, you'll find that, you know, they each have their pros and cons with respect to how they can be applied in a given scenario. And again, if you're doing something that's not here, if you've come up with a process for threat modeling, as long as you're, you know, following some best practices and coming up with consistent results, that's really, you know, all that's applicable here.
Now, with that in mind, let's do a quick check on learning. True or false: the first step in any threat modeling process should be gathering relevant documentation. All right, well, if you need additional time to go through that, please pause the video and do so.

So, to go ahead and just lay this out there: if you don't know what the system looks like, if you don't know what it is that you're modeling, you really don't have a place to start. And so gathering relevant documentation, information, specs, network diagrams, whatever the case may be, is going to really be the first step in the threat modeling process. And so this statement rings true with respect to the information we have below.
Let's go ahead and look at our summary for today's discussion. So we described what threat modeling is, essentially looking at the primary and secondary systems and laying out the potential threats to those systems. We looked at a high-level process for threat modeling; again, apply what you need to apply from that and, you know, don't apply what you don't need to. If you've already got a process in place and it's effective for you, keep using it. We described a high-level example where we looked at a primary system and, through evaluation of that system and understanding how it connects to secondary systems, we discovered that it could be used as a stepping stone for an attacker. So that's going to be pertinent and important in our testing and risk assessment process. And then we looked at some high-level modeling tools. Again, the list is not comprehensive in nature; continue to research other tools and methods and ensure that they fit your organization and your needs. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
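
The process the presenter walks through (inventory assets, tag them primary or secondary, map how they connect, then map threat communities onto them) can be carried out as a small asset graph, which also makes the CRM-to-HR stepping stone from the example fall out mechanically. The script below is an added illustration written for this page; it is not code from the video or from the PTES. The asset names, the hosting relationships and the threat-community mapping are all constructed for the example.

```python
"""Toy asset/threat mapping in the spirit of the PTES threat-modeling process.

Constructed example: the asset inventory, the hosting relationships and the
threat-community mapping below are invented for illustration, not taken from
a real engagement.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    tier: str                    # "primary" (most critical) or "secondary" (could do without)
    in_scope: bool = False       # directly named in the engagement scope
    # Edges describing how a compromise of this asset could be leveraged further:
    # an application reaches its database host, a database host exposes the databases it stores.
    reaches: list = field(default_factory=list)


def build_inventory():
    """Constructed inventory modelled on the CRM / HR example from the talk."""
    crm_app = Asset("crm-app", "primary", in_scope=True)
    db_server = Asset("db-server-01", "secondary")
    crm_db = Asset("crm-customer-db", "primary", in_scope=True)
    hr_db = Asset("hr-employee-db", "secondary")
    fileshare = Asset("finance-fileshare", "secondary")
    jumpbox = Asset("admin-jumpbox", "primary")

    crm_app.reaches = ["db-server-01"]                          # the app talks to its database host
    db_server.reaches = ["crm-customer-db", "hr-employee-db"]   # both databases live on the same back end
    jumpbox.reaches = ["finance-fileshare", "db-server-01"]     # only reachable via the jumpbox, not the CRM
    return {a.name: a for a in (crm_app, db_server, crm_db, hr_db, fileshare, jumpbox)}


def stepping_stone_paths(inventory, entry):
    """Breadth-first search from an in-scope entry point; returns {asset: shortest path}."""
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in inventory[cur].reaches:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def exposed_secondary_assets(inventory, entry):
    """Secondary assets not named in scope that an attacker could still reach from `entry`."""
    return {
        name: path
        for name, path in stepping_stone_paths(inventory, entry).items()
        if name != entry and inventory[name].tier == "secondary" and not inventory[name].in_scope
    }


# Constructed mapping of which threat communities would plausibly go after which data asset.
THREAT_COMMUNITIES = {
    "crm-customer-db": ["financially motivated criminals", "competitors"],
    "hr-employee-db": ["insiders", "identity thieves"],
    "finance-fileshare": ["financially motivated criminals", "insiders"],
}


def prioritized_targets(inventory, entry):
    """Rank data assets reachable from `entry`: primary first, then by attack-path length."""
    ranked = []
    for name, path in stepping_stone_paths(inventory, entry).items():
        if name not in THREAT_COMMUNITIES:
            continue  # infrastructure hop (app server, db host), not a data asset
        asset = inventory[name]
        ranked.append({
            "asset": name,
            "tier": asset.tier,
            "in_scope": asset.in_scope,
            "hops": len(path) - 1,
            "path": " -> ".join(path),
            "threat_communities": THREAT_COMMUNITIES[name],
        })
    ranked.sort(key=lambda r: (r["tier"] != "primary", r["hops"]))
    return ranked


if __name__ == "__main__":
    inv = build_inventory()
    for row in prioritized_targets(inv, "crm-app"):
        print(row)
    print("Out-of-scope secondary assets exposed via the CRM:",
          exposed_secondary_assets(inv, "crm-app"))
```

Run against the constructed inventory, the HR database shows up as reachable from the in-scope CRM application (crm-app -> db-server-01 -> hr-employee-db) even though nothing in the scope names it, while the finance file share does not, because its only path runs through the admin jumpbox. That is the point of mapping connections rather than listing assets: the ranking tells the tester which secondary assets the engagement actually exposes and which threat communities care about them.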