Threat Modeling and Risk Scenarios

Course length: 8 hours 25 minutes | Difficulty: Advanced | CEU/CPE: 9
Video Transcription
>> With risk identification we said we need an asset, a threat, and a vulnerability to have a risk. We just talked about assets. Let's take a look at threats. The idea is that certain types of threats exist in certain types of environments. What we want to be able to do is take a look at our asset and figure out what specific threats could potentially cause harm.

When we're doing threat modeling, we have to think about what our security objectives are, like always, in alignment with business objectives. We also have to make sure that we're in legal compliance and following our contracts when threats arise. Maybe we are concerned with an inability to meet HIPAA requirements or Sarbanes-Oxley, or maybe we're afraid that if we implement security on a mechanism, performance will suffer. Whatever the objectives are, we determine those objectives, and we think about threats in relation to CIA: Confidentiality, Integrity, and Availability.

There are various tools for threat modeling. There are data flow diagrams, and there are use and misuse cases. One model that's specifically geared towards the software development industry, or towards software development teams, is the STRIDE Threat Model. In STRIDE, each letter stands for a specific threat that's focused on software: spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege.

I have the threats over on the left and then I do have some mitigation strategies on the right, but I want you to remember that right now we're in the risk assessment phase, and we're only looking at asset, threat, and vulnerability for now. Then we're going to do risk analysis and risk evaluation, and by the end of this phase, we're going to come up with a risk value and measure that up against the countermeasure. Honestly, on this slide I've gotten a little ahead of myself there; I don't want you thinking about mitigation yet. But ultimately, at the end of the day, what we're going to be able to come up with are the threats for this specific business process or this specific application or whatever it's going to be, and then at the end of the day, we'll figure out how to mitigate it.
STRIDE threat model for software development. One of these flowcharts that I had mentioned, this is called a use and misuse case. The idea is we look at our asset, which in this case is our application server, and specifically the data on that application server, and we step through it, step by step by step. Here's my username and password that's going to help me authenticate. However, the misuse of that might be that an attacker uses a brute force attack to bypass or to compromise my password. How are we going to mitigate that? Mitigation down at the bottom makes sure that we validate passwords, that passwords are complex and long, and all those good things. So what you can see is the step by step, and then potential threats against each step. The use over on the left: what should we do? Get username and password, authentication, error messages, and then other ways that we would mitigate the misuse of these features by an attacker. Ultimately, when we do threat modeling, we are looking to come up with the things that would harm our asset, as well as the context in which that would happen.
Then the next thing that we could do is look at risk scenarios. Risk scenarios are playing the "what if" game. When we're sitting around in our risk meeting and we have our risk management team together, we can go through some of these experiences perhaps we've had, or we can put ourselves in the position of an attacker, we can focus on vulnerabilities, or we can focus on threats, or we can focus on assets. But ultimately, if we have a methodical way to brainstorm, to work together so that we can come up with risks and understand them a little bit better, that's obviously going to suit our interests very well.

Now in an IT risk scenario, you have five elements that you need. You need to identify who your threat actors would be, their threat type, events, what's affected by the risk, and any sort of elements of timing. We'll talk about that.
Here we have the elements of a risk scenario. Over on the left at the bottom we start with our threat actor. We've got either internal or external; everybody falls in one of those categories. Then for the threat type: is it malicious, is it accidental? Because how we defend and how we respond is really going to be driven by the answer to those questions. If it's malicious, do we need to bring in forensics? If it's accidental, we might be more focused on retraining an employee or on addressing some weaknesses that we have. But ultimately these are pretty broad until we actually get to the event itself: the malware infestation, the disclosure, the denial of service, whatever that may be, the loss of availability, that's our event. Then, what assets or resources are going to be impacted? Also, down in the bottom right, any information on timing: occurrence time, recovery, detection, lag, reaction, duration. Anything about timing. When's it going to happen? How long does it take me to react? I can react within a certain time period. How long does it take me to fully recover? How long does it take you to detect that this event has happened? Any of these pieces of information absolutely have to be documented.

Everything we do in this risk scenario is going to give us information about the risks that ultimately we're going to try to mitigate. We're collecting information and we're documenting, and we're providing these risk scenarios as a way of helping our team brainstorm and identify risks.
There are several other factors that identify risks. With timing, I wanted to mention a couple of terms here, the bottom four bullet points: volatility, velocity, proximity, and visibility.

Volatility. Some markets, some endeavors, some organizations or environments are extremely volatile. Cryptocurrency is an area that I'm doing some work with now and that is incredibly volatile. The price of bitcoin was $65,000 and it dropped down; right now it's at $41,000. It fluctuates anywhere throughout the week, throughout the month. Incredibly volatile. In the stock market, it doesn't have to be cryptocurrency, but stocks fall 20 percent in a day on some really bad days. It's a very volatile market. What that tells me is, for volatile environments, I'd better monitor and I'd better be aware of what I'm looking for. We'll talk about key risk indicators later, but ultimately it's a warning: hey, this risk is going to materialize. If the risk is losing all my money in the stock market, I might say, okay, once the stock I've invested in falls more than three percent, I need a warning, I need an alert. This goes under the timing category.
Velocity. How quickly can this risk event materialize? For instance, hurricanes take a long time to materialize. They'll be talking about a hurricane out at sea and say, maybe sometime next week we may see landfall, but there's time before that happens. There's a reasonable amount of time between identification and the actual impact of the risk; maybe that's a good way to say it. Now, a tornado on the other hand. We've got favorable conditions, and 10 minutes later you get a tornado watch on the news, and 10 minutes later there could literally be a tornado. You don't get any warning. As a matter of fact, what a lot of people who've been through tornadoes say is that by the time they heard the siren, it was too late; the tornado was there. That's a very high velocity risk. My responses are going to have to be things that we can implement very quickly, and we certainly want to invest in detection so that we can detect as early as possible.
Now, proximity of the risk. How soon is this going to happen? If we're talking about projects and we're looking at risks within the project, we want to talk about their proximity. We're at Week 3 in the project. We're looking at a risk of maybe failing an inspection. How far away is that inspection? Do we have weeks to prepare? Do we have days to prepare? How close is the risk to materializing?

Then visibility. This sounds strange, but will we even know if the risk event does happen? Well, you'll know if there's a tornado or if there's impact from a hurricane. Absolutely. But what about malware? Certain types of malware get on a system and lie dormant, and nothing looks different. Everything looks the same. Carry on, go back to sleep, nothing is the matter here. Well, it's not a visible risk. We don't see it. Not all of it. Sometimes you'll know if you get an infection, but some malware just lies dormant. It has a low visibility. In that case, I'd better monitor and review those audit logs. I need to scan my systems on a daily basis or on a frequent basis, maybe even more frequently. But for events with low visibility, we need to be more vigilant and look for those.
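The lecture names data flow diagrams and STRIDE as threat-modeling tools but does not show how the two are combined. The block below is an added example, not part of the course or its slides: it applies the STRIDE-per-element technique, in which each element type of a data flow diagram (external entity, process, data flow, data store) is checked only against the STRIDE categories that can realistically affect it, to a small DFD of the login use case from the lecture. The element-to-category table and the sample DFD are assumptions constructed for illustration; the table follows the commonly published STRIDE-per-element mapping, and it uses the standard STRIDE name "Elevation of privilege" for the last category.

```python
"""STRIDE-per-element threat enumeration over a data flow diagram (DFD).

Added example for the lecture above; not course material. The mapping and the
sample DFD are constructed here to show the technique, not taken from the page.
"""
from dataclasses import dataclass
from typing import Dict, List

# Full names of the six STRIDE categories.
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are considered for each DFD element
# type. A data store additionally gets "R" when it holds audit logs, because
# tampering with the log is how an actor later repudiates an action.
PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                             # a key of PER_ELEMENT
    holds_logs: bool = False              # meaningful for data stores only
    crosses_trust_boundary: bool = False  # meaningful for data flows only


@dataclass(frozen=True)
class Threat:
    element: str
    code: str                             # one STRIDE letter
    description: str


def applicable_codes(elem: Element) -> str:
    """Return the STRIDE letters to consider for one DFD element."""
    if elem.kind not in PER_ELEMENT:
        raise ValueError(f"unknown DFD element kind: {elem.kind!r}")
    codes = PER_ELEMENT[elem.kind]
    if elem.kind == "data_store" and elem.holds_logs:
        codes += "R"
    return codes


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """Walk the DFD and emit one candidate threat per (element, category)."""
    threats: List[Threat] = []
    for elem in dfd:
        kind = elem.kind.replace("_", " ")
        for code in applicable_codes(elem):
            threats.append(
                Threat(elem.name, code, f"{STRIDE[code]} against {kind} '{elem.name}'")
            )
    return threats


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    """How many candidate threats fall into each STRIDE category."""
    counts = {code: 0 for code in STRIDE}
    for t in threats:
        counts[t.code] += 1
    return counts


def boundary_crossing_threats(dfd: List[Element], threats: List[Threat]) -> List[Threat]:
    """Threats on data flows that cross a trust boundary; review these first."""
    crossing = {e.name for e in dfd if e.kind == "data_flow" and e.crosses_trust_boundary}
    return [t for t in threats if t.element in crossing]


# Constructed sample DFD for the lecture's login use case: a user sends a
# username and password across the internet (a trust boundary) to a login
# service, which checks a credential store and writes an audit log.
LOGIN_DFD: List[Element] = [
    Element("User", "external_entity"),
    Element("credentials (user -> login)", "data_flow", crosses_trust_boundary=True),
    Element("Login service", "process"),
    Element("credential lookup (login -> store)", "data_flow"),
    Element("Credential store", "data_store"),
    Element("Audit log", "data_store", holds_logs=True),
]

if __name__ == "__main__":
    found = enumerate_threats(LOGIN_DFD)
    for t in boundary_crossing_threats(LOGIN_DFD, found):
        print("BOUNDARY:", t.description)
    for t in found:
        print(f"{t.code}  {t.description}")
    print(count_by_category(found))
```

Each emitted threat is a candidate to be recorded as the "threat" in an asset/threat/vulnerability triple, exactly the stage the lecture says we are in; whether a given candidate is real for this system, and how to mitigate it, is left for the later analysis and evaluation steps. The brute-force misuse case from the lecture shows up here as Spoofing against the process "Login service" and as Information disclosure on the credentials flow crossing the trust boundary.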