Threat Modeling
Presented by Mike Sues, Ethical Hack Specialist

Slide 2: Objectives
To understand:
- The basics of threat modeling
- Where threat modeling fits in the SDLC
- Use and construction of attack trees
Threat Modelling

Slide 3: Talk Outline
- Threat modeling
- SDLC
- Attack trees

Slide 4: Motivation
- Threat Risk Assessment
  - Understand threats and risks
  - Manage costs of mitigation
  - Minimize the attack surface
- Sales
- Increased security/privacy concerns
- C & A

Slide 5: Historically
- Lack of understanding of threats
- Security was an add-on
  - Band-aid solutions
  - Use of security buzzwords/technology

Slide 6: Threat Modeling
- Threat Risk Assessment
- Apply appropriate controls
- Attack Trees

Slide 7: Goals
- Identify:
  - assets protected by the application
  - threats to the assets
- Develop:
  - mitigation strategies

Slide 8: Assets
- Data
- Application
- Configuration
- Database records

Slide 9: Assets - Examples
- Application code
- Configuration
- User authentication credentials
- Business data
- User data records
- Audit trails

Slide 10: Assets - Value
- Classification
- Monetary value
- Replacement cost
- Intangible
  - Reputation

Slide 11: Threats
- Model application and data flows
  - High-level architectural diagram of the application
- Model threats to assets
  - Multiple vectors
- Consider:
  - Asset
  - Severity
  - Likelihood
  - Costs

Slide 12: Threats - Taxonomy
S.T.R.I.D.E.
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Slide 13: Threats - Examples
- Spoofing: replaying requests to a database server to gain unauthorized access to data
- Tampering: defacement of a web site
- Repudiation: deleting or modifying audit trail records
- Information disclosure: gaining unauthorized access to data

Slide 14: Threats - Examples (continued)
- Denial of service: crashing or flooding a service
- Elevation of privilege: hijacking another user's session with the application to gain access to the user's data
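As an added example that is not part of the slides, the following Python script does what slides 11 to 14 describe in words: it takes a small model of an application's elements and data flows, applies the STRIDE categories to each element, and scores every resulting threat from the asset involved (severity) and the element's exposure (likelihood) so the list can be ranked. It assumes the STRIDE-per-element applicability mapping (which categories apply to external entities, processes, data stores and data flows) from Microsoft's threat-modeling guidance, which the slides do not state; the application model, asset values and scoring scales are constructed for illustration.

```python
"""STRIDE threat enumeration over a small data-flow model, ranked by risk.

Added example; not code from the slides. The STRIDE-per-element mapping
below follows Microsoft's threat-modeling guidance. The application model,
asset values and the severity/likelihood scales are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to which kind of element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Constructed classification scores for the asset types named on the slides,
# 1 (low) .. 5 (critical).
ASSET_VALUE = {
    "application configuration": 3,
    "user authentication credentials": 5,
    "business data": 4,
    "user data records": 4,
    "audit trails": 3,
}


@dataclass
class Element:
    name: str
    kind: str                  # key of APPLICABLE
    exposed: bool              # reachable from outside the trust boundary
    assets: Tuple[str, ...]    # assets it stores, processes or carries


@dataclass
class Threat:
    element: str
    category: str
    severity: int
    likelihood: int

    @property
    def risk(self) -> int:
        return self.severity * self.likelihood


# Constructed model: a customer's browser talking to a web app backed by a database.
MODEL = [
    Element("Customer browser", "external_entity", True, ()),
    Element("Login request", "data_flow", True, ("user authentication credentials",)),
    Element("Web application", "process", True, ("application configuration", "user data records")),
    Element("SQL query", "data_flow", False, ("business data",)),
    Element("Database", "data_store", False,
            ("business data", "user data records", "user authentication credentials", "audit trails")),
]


def enumerate_threats(model: List[Element]) -> List[Threat]:
    """One Threat per (element, applicable STRIDE category)."""
    threats = []
    for element in model:
        # Severity follows the most valuable asset the element touches.
        severity = max((ASSET_VALUE[a] for a in element.assets), default=1)
        # Constructed likelihood scale: exposed elements are easier to reach.
        likelihood = 4 if element.exposed else 2
        for letter in APPLICABLE[element.kind]:
            threats.append(Threat(element.name, STRIDE[letter], severity, likelihood))
    return threats


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(threats, key=lambda t: (-t.risk, t.element, t.category))


if __name__ == "__main__":
    for t in rank_threats(enumerate_threats(MODEL)):
        print(f"{t.risk:>3}  {t.element:<18} {t.category}")
```

The ranked list is the input to the "rank threats, prioritize" step later in the deck: the credential-carrying login flow comes out on top because it combines the highest-value asset with external exposure, while the same categories against the internal SQL query score lower. Changing the model (for instance, marking a flow as no longer exposed after putting it behind a trust boundary) re-scores the whole list rather than one hand-edited row.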

Slide 15: Threats - Attack trees
- Graphically model attack goals and vectors
- The root of the tree is the overall goal
  - e.g. Steal passwords
- Children are sub-goals, reached in one step or in multiple steps
  - e.g. Collect plaintext passwords, or shoulder surf
  - e.g. Collect password hashes and crack the hashes
  - e.g. Gain privileged access, install a keystroke collector and exfiltrate the password

Slide 16: Attack Trees (diagram)
Steal passwords
  Shoulder surf
  Collect sessions
    Parse plaintext password
    Parse password hash -> Crack password hash
  Gain remote access -> Install keystroke logger -> Exfiltrate passwords

Slide 17: Attack Trees - Node attributes
- Cost
- Availability of tools, etc.
- Threat evaluation
- Risk
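As an added example that is not part of the slides, the Python code below encodes the "Steal passwords" tree from slides 15 and 16 as AND/OR nodes, attaches the node attributes from slide 17 (cost and availability of tools) to the leaves, and evaluates the tree from the defender's side: which leaves lie on the cheapest route to the goal, and how that route shifts once a control raises the cost of one step. The AND/OR labelling of the branches, the cost values and the tool flags are constructed assumptions, not data from the slides.

```python
"""Attack tree with node attributes, evaluated for mitigation planning.

Added example; not code from the slides. Costs are attacker effort in
constructed, arbitrary units; the public_tools flags are constructed too.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    op: Optional[str] = None            # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    cost: int = 0                        # leaf attribute: attacker effort
    public_tools: bool = True            # leaf attribute: off-the-shelf tooling exists


def leaf(name: str, cost: int, public_tools: bool = True) -> Node:
    return Node(name, cost=cost, public_tools=public_tools)


def min_cost(node: Node) -> int:
    """Cheapest attacker effort: OR picks the cheapest branch, AND needs every child."""
    if node.op is None:
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.op == "OR" else sum(costs)


def cheapest_path(node: Node) -> List[str]:
    """Leaves an attacker must complete on the cheapest route to the root goal."""
    if node.op is None:
        return [node.name]
    if node.op == "OR":
        return cheapest_path(min(node.children, key=min_cost))
    path: List[str] = []
    for c in node.children:
        path.extend(cheapest_path(c))
    return path


def needs_only_public_tools(node: Node) -> bool:
    """True if some route to the goal needs no custom tooling (OR: any, AND: all)."""
    if node.op is None:
        return node.public_tools
    flags = [needs_only_public_tools(c) for c in node.children]
    return any(flags) if node.op == "OR" else all(flags)


def set_cost(node: Node, name: str, cost: int) -> None:
    """Model a mitigation by raising the effort of the leaf it addresses."""
    if node.op is None and node.name == name:
        node.cost = cost
    for c in node.children:
        set_cost(c, name, cost)


def steal_passwords_tree() -> Node:
    """The slide 16 tree; branch operators and attribute values are constructed."""
    return Node("Steal passwords", "OR", [
        leaf("Shoulder surf", 5),
        Node("Via captured sessions", "AND", [
            leaf("Collect sessions", 3),
            Node("Recover password from session", "OR", [
                leaf("Parse plaintext password", 1),
                Node("Via password hash", "AND", [
                    leaf("Parse password hash", 1),
                    leaf("Crack password hash", 4),
                ]),
            ]),
        ]),
        Node("Via host compromise", "AND", [
            leaf("Gain remote access", 8, public_tools=False),
            leaf("Install keystroke logger", 2),
            leaf("Exfiltrate passwords", 2),
        ]),
    ])


if __name__ == "__main__":
    tree = steal_passwords_tree()
    print("cheapest route:", min_cost(tree), cheapest_path(tree))
    print("feasible with public tools:", needs_only_public_tools(tree))
    # Constructed mitigation: encrypting the session makes collection far costlier.
    set_cost(tree, "Collect sessions", 20)
    print("after mitigation:", min_cost(tree), cheapest_path(tree))
```

Running the script shows the point of the node attributes: with the constructed values the cheapest route runs through session capture, so that is the branch a control should target first, and after the session-collection leaf is made expensive the cheapest route moves to shoulder surfing, which then becomes the next mitigation candidate. Re-running the evaluation after each planned control is how the tree supports the later "rank threats, prioritize" step rather than being a one-off drawing.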

Slide 18: Mitigation
- Rank threats
- Prioritize
- Develop a strategy:
  - Ignore the risk
  - Accept the risk
  - Delegate the risk
  - Fix the problem

Slide 19: Exercise - HackMe Travel
- Identify assets
- Identify threats (STRIDE)
- Build one attack tree

Slide 20: Conclusion
Threat modeling:
- Understanding the threat environment
- Manage costs of mitigation
- Guide to the application's secure design principles
- Minimize an application's attack surface

Slide 21: Questions?

Slide 22: Contact
www.rigelksecurity.com
Presented by Mike Sues, Ethical Hack Specialist, msues@rigelksecurity.com
Marie Pilon, Director of Operations, training@rigelksecurity.com
Rigel Kent Training - 180 Preston St., 3rd Floor, Ottawa, ON
1 (613) 233-HACK / 1-877-777-H8CK