Rapid Threat Modeling: case study
Rapid Threat Modeling: the doctor's case study. September 6th, 2011, Securitybyte Conference, Bangalore, India. Transcript.
Rapid Threat Modeling: identifying threats in a webapp before coding it: the case study of the innocent (but still nice) Doctor
Antonio Fontes
Length: 45+15 minutes
Securitybyte Conference – Sept 6th – 9th 2011
Bangalore
About me
• Antonio Fontes
• Owner L7 Sécurité (Geneva, Switzerland)
• 6+ years experience in information security
• Fields of expertise:
– Online applications defense
– Security integration in the software development lifecycle
– Threat modeling, risk analysis and estimation
• Lecturer at the University of applied sciences, Western Switzerland
• OWASP:
– Chapter leader: Geneva
– Board member: Switzerland
http://L7securite.ch
My objectives for today:
1. You understand the concept of threat modeling and its fast track approach
2. You can build a basic but still actionable threat model for your web application
3. You know when you should build a threat model and what you should document in it
4. This new technique helps you feel more confident about the security of your web application.
Disclaimer
• Don’t expect “100%” coverage
– Our main goal here is to prioritize the security effort, not to replace testing activities!
• If full analysis is strictly necessary:
– Use system-centric TM instead (much more systematic)
– Extend with other SDLC security activities: review, testing, best practices, secure APIs, etc.
Panic mode?
• Don’t write what you see on the slides!
– They will be freely available on request
– and uploaded to: http://slideshare.net/starbuck3000
Threat Modeling crash course
A repeatable process, to help identify and document:
– A system’s characteristics and security requirements
– Data-flows
– Threats
– Potential responses to these threats (controls)
Threat Modeling crash course
A threat model is:
– Reusable: it can serve at different stages of development, like design, implementation, deployment and testing
– Editable: it’s an ongoing threat assessment of your application. It should be updated along with the application
Let's learn by doing…
Case study
• A local pediatrician is constantly receiving phone calls (and messages on Facebook!) from desperate parents, outside cabinet opening hours.
Case study
• He hired an assistant, but the assistant refuses to answer late evening phone calls (and apparently, the law is on his side…)
• He tried hiding his personal phone number (and configuring his Facebook profile to hide his phone number), but parents keep finding ways to contact him outside regular hours.
Case study
• His patients have a stunning idea: a webapp for managing his appointments!
Case study
• Basically, he wants his patients to be able, at any time (night and day):
– to schedule an appointment at the closest free slot available
– to describe the symptoms, to help him, if necessary, reschedule the appointment or even contact the family back (in case it looks worse than it appears).
Case study
• He contacts a local web agency and describes his need.
• The web agency agrees to build the solution. (easy job, easy money!)
• They start immediately. Actually, they just started designing the system yesterday!
Case study
• The pediatrician reads news about an infosec conference ☺
• He hears about guys, who wear black hats, hack into web applications, seek chaos by destroying databases, stealing and selling personal data on the black market to large corporations that want to control the world!
Case study
• He meets a guy, who tells him about an obscure technique called threat modeling.
• He says it might help the outsourcing web agency to avoid making some major mistakes, and to implement appropriate countermeasures in the web application while still at design time.
Case study
The doctor suddenly realises that the web agency did not talk about security the other day...
Case study
• He hires you, for one day.
• Your job is to observe the project, gather information, and eventually, issue some recommendations...
Task 1:
Understand and describe the system
a.k.a. « ask questions! »
1. Describe (understand) the system
• What is the motive/driver of the client?
– Compliance?
– Intrusion follow-up?
– Awareness / self-determination / corporate culture?
– Is someone or something in particular threatening the organization?
– Other reasons?
1. Describe (understand) the system
• What is the business requirement?
• What role is the system playing in the organization?
• Will it be the only/major revenue source?
• Will it bring money?
• Is it processing online transactions?
• Is it feeding other transactional systems?
• Is it storing/collecting sensitive/private information?
• Should it be always online or is it okay if it stops sometimes?
1. Describe (understand) the system
• Is the business under particular data processing regulation?
– Privacy?
– Healthcare?
– Food? Chemicals? Drugs?
– Transports? Energy?
– Legal? Financial?
1. Describe (understand) the system
• Is the system protecting or supporting the life of someone? Or can it endanger someone?
– Water cleaning?
– Transportation?
– Energy?
– Health equipment?
– Interactions with the physical environment?
– Weaponized? Military?
"The system is not built to generate revenue."
"It is not processing orders."
"It allows my clients to schedule for an appointment."
"Oh, I forgot, and it also allows them to provide some basic information on the case (symptoms)."
“Well, I guess… certainly compliance with some health information Act?“
“It can be offline.”
“It is not consumed by third-party systems.”
“It is not interacting with people or things.”
“I will be the only one accessing it.”
… ”and my assistant, of course!”
1. Describe (understand) the system
Motivator | Comment
My employees/clients life/safety is at risk (SCADA systems, energy, transports, food & drugs, etc.) |
I want to stay compliant with laws and regulations |
I just want to sleep peacefully and avoid hackers |
I never want my systems to be compromised again! |
I want to protect my employees/customers privacy |
I want to make sure my customers pay for our goods/services |
I want to keep the money inside my company |
I cannot afford my website going offline |
It is connected to our ERP |
Threat Modeling really seems awesome! (seen the ad on TV) |
1. Describe (understand) the system
Motivator | Comment
My employees/clients life/safety is at risk (SCADA systems, energy, transports, food & drugs, etc.) | not really…
I want to stay compliant with laws and regulations | Are there any?
I just want to sleep peacefully and avoid hackers | Yes!
I never want my systems to be compromised again! | not really…
I want to protect my employees/customers privacy | Of course!
I want to make sure my customers pay for our goods/services | Not applicable
I want to keep the money inside my company | Not applicable
I cannot afford my website going offline | Yes. They will call me.
It is connected to our ERP | Our what??
Threat Modeling really seems awesome! (seen the ad on TV) | Definitely!
"I never had a website for my cabinet." (well, I think…)
"I just don't want a bad thing to happen when this service comes online.“
"I don't really know of particular regulatory requirements…"
1. Describe (understand) the system
Motivator | Comment
My employees/clients life/safety is at risk (SCADA systems, energy, transports, food & drugs, etc.) | not really…
I want to stay compliant with laws and regulations | Are there any? -> YES
I just want to sleep peacefully and avoid hackers | Yes!
I never want my systems to be compromised again! | not really…
I want to protect my employees/customers privacy | Of course!
I want to make sure my customers pay for our goods/services | Not applicable
I want to keep the money inside my company | Not applicable
I cannot afford my website going offline | Yes. They will call me.
It is connected to our ERP | Our what??
Threat Modeling really seems awesome! (seen the ad on TV) | Definitely!
1. Describe (understand) the system
Let's add the developer and the architect to the discussion…
1. Describe (understand) the system
• Please describe the system as you imagine it:
– Technologies?
– Architecture?
– Functionalities? (use cases?)
– Components?
• What will be the major use cases?
"It's a standard webapp, including a frontend application connected to a backend database."
“Clients will create a profile with basic personal information (patient name/lastname, parent name/lastname, address, email address, phone numbers, username, password)."
"Once they have logged in, they can schedule for an appointment."
1. Describe (understand) the system
• What will be its typical usage scenarios?
– Visitors? Members? Other doctors? Access from outside?
• Who (where) will host the system?
• How will users be authenticated?
• Where will users connect from?
– and where will the doctor connect from?
"Users can connect and see their appointments, edit their info or cancel them."
"The cabinet will be using a supervisor access, who has entire view on the agenda and can access details of every appointment."
“Users authenticate with username/password."
“Credentials will be stored securely."
"The system will be hosted on our web farm."
"I will connect from work! Of course!"
… "and from home, if I can…"
1. Describe (understand) the system
Can we draw this?
Data-flow diagram
also known as… DFD
…may show actors…
…data processing units…
…data storage units…
…data transmission channels…
…and security trust zones!
Who can access this?
1. Describe (understand) the system
• What/Where are the assets of highest value?
– Is there private/proprietary/regulated information anywhere?
– Are user credentials stored? Where? How?
– Are there any financial/transactional flows?
– Is one of these components critical for your business?
– Is the system connected to other more sensitive systems? (company ERP? Bank? Machines?)
"The accounts database contains PII about my patients."
"The accounts database contains credentials."
"Money doesn't flow through the application."
“The system does not connect to anything else.”
“The system can turn offline. Patients will call me on my phone, as before!"
“We host several customers on our shared hosting environment.”
“It is totally secure!”
1. Describe (understand) the system
• How many occurrences of these assets are you expecting in say… two years from today? (We are gathering volumetric data here)
"In two years? I'd say around 300 family accounts.
3’600 appointments (6/family/year)
And 2400 urgent appointments… (4/family/year)"
End of task 1
• It’s a non-transactional web application
• It is not connected to other systems
• It hosts patient health information + PII
– Data should be protected from unauthorized access (in-transit + offline)
• It is accessible from the Internet
• It contains usernames + passwords
– Credentials storage should observe best practices
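Task 1 ends with the requirement that credential storage observe best practices. The block below is an added example, not code from the talk or from the web agency's project, showing the weak scheme a hurried agency might ship beside the hardened one: a per-user random salt and a slow, iterated key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), with the parameters stored in the record so the cost can be raised later without breaking existing accounts. The iteration count, the record format and the function names are assumptions of this example.

```python
# Added example (not from the slides): credential storage, weak scheme vs. hardened scheme.
import base64
import hashlib
import hmac
import os

# Weak scheme, shown only as the "before" state: unsalted fast hash. Two users
# with the same password get the same hash, and a leaked table can be attacked
# offline with precomputed tables at millions of guesses per second.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: random per-record salt + deliberately slow derivation.
# Assumption of this example: tune ITERATIONS so one verification costs ~100 ms
# on the hosting hardware; the value is stored with the record (see below).
ITERATIONS = 600_000

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and cost; malformed records never verify."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: the response time must not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy; rehash on next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
```

Because the cost parameter travels with each record, the cabinet can raise `ITERATIONS` years later and upgrade accounts one by one as their owners log in, which is the migration path the "editable threat model" on slide 7 implies for controls as well.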
Task 2:
Identify potential threat agents
2. Identify potential threat agents
- Given what we know, who might be interested in compromising your system?
- No one!
- Any competitor recently installed?
- Mmmmh… yes… One, actually. She just arrived. She’s a pediatrician, too.
- Could she steal your patients?
- Oh!
2. Identify potential threat agents
- Would any businesses be interested in acquiring health details on 300 geographically-linked families, including their problems, illnesses, special situations?
- Would any businesses be interested in acquiring personal details of 300 families, including usernames, passwords, contact details?
- Mmmmh… probably
2. Identify potential threat agents
• Would anyone want to steal your data?
• Would anyone be able to sell it?
• Would anyone be interested in corrupting it?
• Would anyone benefit from an interruption of your application?
“You have a scary way of asking questions…”
2. Identify potential threat agents
Threat source | Motivation | Approach (strategy/tactics)
Dumb users | Opportunistic | Mistakes
Smart users | Opportunistic | Circumventing complex GUI
Script kiddies / hackers (low-profile) | Opportunistic | Use of automated exploit/scanning tools, known vulnerabilities research
Hackers (higher profile) | Targeted | Vulnerability research
Competitors | Targeted | Hiring hackers
Other businesses | Targeted | Hiring hackers
Organized cybercriminals | Targeted | 0-day research and trade
Government / Military | Targeted | Long-term ops
APT magic | Mixed | Continuous + long-term + multilayer ops
2. Identify potential threat sources
Which of these sources might hit or target my business?
– With a high probability?
• Population size
• Exposure
– With a high impact?
• Personal/health information disclosure (compliance)
– With the incentive of a high reward?
• Users/passwords stealing / health information trading
2. Identify potential threat agents
Don’t forget to ask the customer if she/he has access to confidential threat information:
– CIOs/CSOs in information critical organizations may have access to undisclosed threat information:
• National/international/industry threat analysis reports
– Don’t forget to ask!
2. Identify potential threat agents
Threats, which were removed:
Threat source | Motivation | Approach (strategy/tactics)
Dumb users | Opportunistic | They can make mistakes, but not that critical
Organized cybercriminals | Targeted | They are not known for targeting small-sized medical databases
Government / Military | Targeted | They should not be interested in the data -> no high-profile patients!
APT magic | Mixed | Joker*
2. Identify potential threat agents
Threats, which were prioritized:
Threat source | Motivation | Comment
Smart users | Opportunistic | They will try to bypass other patients' requests
Script kiddies / hackers (low-profile) | Opportunistic | They will play with their tools. Several hours investment
Hackers (higher profile) | Targeted | They will try to hack into the application during a day
Competitors | Targeted | Hiring a hacker to try stealing/corrupting data during a few days
Other businesses | Targeted | Hiring a hacker to try stealing/corrupting data during a few days
2. Identify potential threat agents
Threat agent profile: Script Kiddies and low-profile hackers
Prevalence | HIGH
Damage potential | MEDIUM (repeated disturbances, reputation, data corruption)
Tactics | Automated security scanners, exploits testing, exploitation of injection flaws, short-term bruteforcing/dictionary attacks (high HTTP req. freq.); OWASP Top10 direct attacks (A1, A3, A4, A6, A8, A10)
Business layer attacks | No
Countermeasures | Request throttling; Strong defense against OWASP T10 direct attacks; Secure configurations (systems, services)
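The profile above names request throttling as the first countermeasure against short-term brute-forcing and dictionary attacks at high HTTP request frequency. As an added illustration, not part of the slides or of the agency's project, here is a sliding-window login throttle keyed on both the client address and the targeted account, so a burst spread over many addresses still trips on the account counter and one address spraying many accounts trips on the address counter. The limits, the key names, the injected clock and the constructed burst scenario are assumptions of this example.

```python
# Added example (not from the slides): sliding-window throttling of login attempts.
import time
from collections import deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    """Limit failed login attempts per client address and per account.

    Both keys are checked so that an attacker rotating source addresses against
    one account, or one address spraying many accounts, hits a limit either way.
    """

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self._failures: Dict[str, Deque[float]] = {}

    @staticmethod
    def _keys(client_ip: str, username: str):
        return (f"ip:{client_ip}", f"user:{username.strip().lower()}")

    def _recent(self, key: str, now: float) -> Deque[float]:
        # Drop timestamps that have fallen out of the window, then return the rest.
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, client_ip: str, username: str) -> bool:
        """Call before verifying the password; False means reject without checking it."""
        now = self.clock()
        return all(len(self._recent(k, now)) < self.max_attempts
                   for k in self._keys(client_ip, username))

    def record_failure(self, client_ip: str, username: str) -> None:
        now = self.clock()
        for k in self._keys(client_ip, username):
            self._recent(k, now).append(now)

    def record_success(self, username: str) -> None:
        # A correct password clears the account counter only; the source address
        # keeps its history, so a noisy address is not unblocked by one success.
        self._failures.pop(f"user:{username.strip().lower()}", None)


def simulate_burst(attempts: int = 20, spacing: float = 0.25) -> int:
    """Constructed scenario: one address hammers one account with wrong passwords.

    Returns how many attempts were let through to the password check.
    """
    t = [0.0]
    throttle = LoginThrottle(max_attempts=5, window_seconds=60.0, clock=lambda: t[0])
    let_through = 0
    for _ in range(attempts):
        t[0] += spacing
        if throttle.allow("203.0.113.7", "doctor"):
            let_through += 1
            throttle.record_failure("203.0.113.7", "doctor")
    return let_through


if __name__ == "__main__":
    print(f"attempts reaching the password check: {simulate_burst()}")
```

Checking `allow` before the password is verified, and counting only failures, keeps the control cheap and keeps legitimate users unaffected; the per-account key is what makes the throttle useful against the low-frequency, distributed variant that the higher-profile hacker on the next slide would use.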
2. Identify potential threat agents
Threat agent profile: Hacker (high profile)
Prevalence | LOW
Damage potential | MEDIUM to HIGH (personal reward, contract engagements)
Tactics | Combination of automated + manual scanning; Lower HTTP request frequency; Short timespan vulnerability research; Full range OWASP T10 investigation, including A2 and A5
Business layer attacks | No
Countermeasures | Complete OWASP T10 risk coverage
Task 3:
Identify major threat scenarios
3. Identify major threat scenarios
• Which threat scenarios would be (really) bad for the business?
– Which threat source would trigger that scenario?
– How would she/he/they proceed technically?
– What would be the impact for my business?
• Shameful (bad news)? Bad (financial loss)? Catastrophic (end of my world)?
3. Identify major threat scenarios
• Some helpers:
– Think about threats induced naturally, by the technology itself.
– Think about what the CEO really doesn't want.
• Think AIC:
– Availability, integrity, confidentiality
– Apply on every component of the DFD!
3. Identify major threats
# | Threat scenario | Agent | Attack description
T1 | | |
T2 | | |
T3 | | |
T4 | | |
… | | |
n | | |
3. Identify major threats
# | Threat | Source | Attack details
T1 | Page defacement, hacking for fame | Script kiddies | Automated tools; expl. of injection flaws
T2 | Users circumventing the appointment lock feature (already booked) | Smart user | Eyesight tampering
T3 | Corruption of the central agenda | Competitor | expl. of injection flaws; unauthorized appointment cancellation
T4 | Extraction of the users info DB | Competitor, other bus. | expl. of injection flaws; unsecure direct references; expl. of authentication flaws
3. Identify major threats
# | Threat | Source | Attack details
T5 | Extraction of the appointment (med) details | Competitor, other bus. | expl. of injection flaws; unsecure direct references; expl. of authentication flaws
T6 | User credentials interception | Script kiddies | traffic interception attacks; XSS
T7 | Doctor's credentials interception | Competitor, other bus. | same as T6; trojan -> bonus… ☺
3. Identify major threats
# | Threat | Impact
T2 | Users circumventing the appointment lock feature (already booked) | Medium (Bus.)
T3 | Corruption of the central agenda | Medium (Bus.)
T6 | Users credentials stealing | Medium (Bus.)
T1 | Page defacement, fame hacking | High (Tech)
T4 | Extraction of the users info DB | High (Bus.)
T5 | Extraction of the appointment (med) details | Critical (Bus.)
T7 | Doctors' credentials stealing | Critical (Bus.) -> T5
How would we prevent/detect each scenario?
3. Identify major threats
Th# | Attack | Scenario prevention controls
T1 | Defacement | Layered hardening
T1 | Defacement | Parameter tampering defenses
T4 | Privacy data extraction | Parameter tampering defenses
T4 | Privacy data extraction | Unpredictable/unexposed profile/accounts references
T5 | Medical data extract. | Parameter tampering defenses
T5 | Medical data extract. | Unpredictable/unexposed appointment references
T5 | Medical data extract. | Defensive "appointment details" access control
T7 | Doctor's account stealing | Encrypted data transmission channel
T7 | Doctor's account stealing | Dynamic authentication (OTP)
T7 | Doctor's account stealing | Output encoding
… | … | …
![Page 73: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/73.jpg)
3. Identify major threats

| Th# | Attack scenario | Detection controls |
|---|---|---|
| T1 | Defacement | Homepage integrity checking |
| T4 | Privacy data extraction | Injection of honeypot data + usage monitoring |
| T5 | Medical data extraction | Injection of honeypot data + usage monitoring |
| T7 | Doctor's account stealing | Out-of-band notification of authentication events |
| … | … | … |
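The "homepage integrity checking" detection control for T1 above, as an added example that is not part of the original slides: the digest of the approved page is compared with what the server currently serves, after masking the one region that legitimately changes on each render. The sample HTML, the timestamp comment and the regex that masks it are constructed assumptions.

```python
import hashlib
import re

# Constructed baseline of the practice's homepage (sample content, not the
# real site). The "generated" comment is the one part that changes per render.
BASELINE_HTML = """<html><body>
<h1>Cabinet de pediatrie</h1>
<p>Book your appointment online.</p>
<!-- generated: 2011-09-06T10:00:00 -->
</body></html>"""

# Legitimately volatile regions must be masked before hashing, otherwise the
# check alerts on every request and ends up being switched off.
VOLATILE = re.compile(r"<!-- generated: [^>]* -->")


def normalize(html):
    return VOLATILE.sub("", html).strip()


def integrity_digest(html):
    # SHA-256 of the normalized page; store this value for the approved release.
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def check_homepage(current_html, baseline_digest):
    """Return (ok, digest): ok is False when the served page no longer
    matches the approved baseline, i.e. a possible defacement (T1)."""
    digest = integrity_digest(current_html)
    return digest == baseline_digest, digest
```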
![Page 74: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/74.jpg)
Task 4:
Document your observations (aka "opportunities for risk mitigation")
![Page 75: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/75.jpg)
4. Document
• Document:
– The threat agents model you selected for your TM
– The threat scenarios you identified
– The controls to prevent or detect these threat scenarios
• Recommend and prioritize:
– What should absolutely be done?
– In what order?
![Page 76: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/76.jpg)
4. Document

| C# | Control(s) | Priority | Cost type |
|---|---|---|---|
| P1 | Layered hardening | High | Medium |
| P2 | Parameter tampering defense (input validation) | High | Medium |
| P3 | Parameter tampering defense (parameterized queries) | High | Low |
| P4 | Unpredictable/unexposed profile/accounts references | High | Medium |
| P5 | Unpredictable/unexposed appointment references | High | Medium |
| P6 | Defensive "appointment details" access control | High | Medium |
| P7 | Encrypted data transmission channel, at least during the authentication sequence | High | Medium |
| P8 | Dynamic authentication model (OTP) for the supervisor account | High | High |
| P9 | Output encoding on all dynamic data returned to the user | High | Medium |
| D1 | Homepage integrity checking | Low | Low |
| D2 | Injection of honeypot data + usage monitoring | Low | High |
| D3 | Injection of honeypot data + usage monitoring | Low | High |
| D4 | Out-of-band notification of authentication events | Low | Low |
![Page 77: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/77.jpg)
4. Document

| C# | Control(s) | Priority | Action |
|---|---|---|---|
| P1 | Layered hardening | High | Implement |
| P2 | Parameter tampering defense (input validation) | High | Implement |
| P3 | Parameter tampering defense (parameterized queries) | High | Implement |
| P4 | Unpredictable/unexposed profile/accounts references | High | Implement |
| P5 | Unpredictable/unexposed appointment references | High | Next ver. |
| P6 | Defensive "appointment details" access control | High | Implement |
| P7 | Encrypted data transmission channel, at least during the authentication sequence | High | Implement |
| P8 | Dynamic authentication model (OTP) for the supervisor account | High | Next ver. |
| P9 | Output encoding on all dynamic data returned to the user | High | Implement |
| D1 | Homepage integrity checking | Low | Implement |
| D2 | Injection of honeypot data + usage monitoring | Low | Postpone |
| D3 | Injection of honeypot data + usage monitoring | Low | Postpone |
| D4 | Out-of-band notification of authentication events | Low | Implement |
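The three prevention controls retained against T5 (P3 parameterized queries, P5 unpredictable appointment references, P6 defensive access control on appointment details), written out together as an added example that is neither the clinic's code nor the speaker's. The SQLite schema, the role names "patient"/"doctor" and the sample data are constructed assumptions.

```python
import secrets
import sqlite3

def build_db():
    # Constructed in-memory schema for the case study's appointment data
    # (sample only, not the clinic's real application).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE appointments (ref TEXT PRIMARY KEY, patient_id INTEGER,"
        " doctor_id INTEGER, details TEXT)"
    )
    return db

def new_appointment_ref():
    # P5: a 128-bit random, URL-safe reference instead of a sequential id, so
    # an appointment cannot be reached by guessing or enumerating numbers.
    return secrets.token_urlsafe(16)

def create_appointment(db, patient_id, doctor_id, details):
    ref = new_appointment_ref()
    # P3: parameterized query; the free-text details are bound, never
    # concatenated into the SQL string.
    db.execute(
        "INSERT INTO appointments VALUES (?, ?, ?, ?)",
        (ref, patient_id, doctor_id, details),
    )
    db.commit()
    return ref

def get_appointment_details(db, ref, requester_id, requester_role):
    # P6: defensive access control. A valid reference is not enough: the
    # requester must be the patient who booked the slot or the treating
    # doctor. Deny by default, and answer an unknown reference and a
    # foreign reference identically so the endpoint leaks nothing about
    # which references exist.
    row = db.execute(
        "SELECT patient_id, doctor_id, details FROM appointments WHERE ref = ?",
        (ref,),
    ).fetchone()
    if row is None:
        return None
    patient_id, doctor_id, details = row
    if requester_role == "patient" and requester_id == patient_id:
        return details
    if requester_role == "doctor" and requester_id == doctor_id:
        return details
    return None
```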
![Page 78: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/78.jpg)
4. Document
Expected threat coverage for next version:

| # | Threat | Impact | Coverage |
|---|---|---|---|
| T1 | Page defacement, hacking for fame | High | Complete (P+D) |
| T4 | Extraction of the users details DB | High | Complete (P) |
| T5 | Extraction of the appointment (med) details | Critical | Partial |
| T7 | Doctor's credentials interception | Critical | Partial |
![Page 79: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/79.jpg)
![Page 80: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/80.jpg)
Conclusion… and opportunities…
![Page 81: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/81.jpg)
Conclusion
rTM is imprecise, inexact, undefined:
– Requires good understanding of the business case
– Requires good knowledge of web application threats
– Requires common sense
– Can be frustrating the first times
![Page 82: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/82.jpg)
Conclusion
Repeating the basic process a few times quickly brings good results:
1. Characterize the system
2. Identify the threat sources
3. Identify the major threats
4. Document the countermeasures
5. Transmit (translate) to the team
![Page 83: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/83.jpg)
Conclusion
"Who should make the TM?"
– Theoretically: the design team
– Practically: an appsec guy with good knowledge of internet threats and web attack techniques, and the ability to understand what is important for the business under assessment, will definitely set the "efficiency" attribute.
![Page 84: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/84.jpg)
Conclusion
• "When should I make a TM?"
– Sometime is good. Early is better.
– If the objective is to avoid implementing poor code → do it at design time.
– After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to update the TM. → yes, it can be updated!
– If you conduct risk-driven vulnerability assessments or code reviews, the TM will help.
![Page 85: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/85.jpg)
Conclusion
• TM can be performed early:
[Figure: secure development lifecycle with the phases Analyze, Design, Implement, Verify, Deploy and Respond, and the activities security requirements, risk analysis, secure design, design review, threat modeling, secure coding, code review, security testing, risk assessment, penetration testing, secure deployment, vulnerability management and incident response placed under their phases; governance (strategy, metrics), policy / compliance and training & awareness run across all phases. Threat modeling is shown among the early, design-phase activities.]
![Page 86: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/86.jpg)
Conclusion
TM can also be performed later (risk-based testing):
[Figure: the same lifecycle diagram (Analyze, Design, Implement, Verify, Deploy, Respond, with the same activities and cross-cutting governance, policy / compliance and training & awareness), in which threat modeling now appears three times: in the design phase and again in later phases, supporting risk-based testing.]
![Page 87: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/87.jpg)
Conclusion
• TM can be performed from an asset perspective:
– Aka the asset-centric approach (mostly what we just did)
• It can be performed from an attacker perspective:
– Aka the attacker-centric approach
• Who would attack the system with what means?
• (remember the "threat agent profile" cards)
![Page 88: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/88.jpg)
Conclusion
• TMing can also be performed systematically:
– Aka the system-centric approach
– Most detailed and rigorous technique
• Use of threat identification tools: STRIDE
– Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…
• Use of threat classification tools: DREAD
– Damageability, Reproducibility, Exploitability, Affected population, Discoverability…
• Structured DFD analysis (see next slides)
![Page 89: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/89.jpg)
Conclusion
• "What should be documented in a TM?"
– Basically: what you think is right. There is no rule (yet). TM'ing is never absolute.
– If you spend days writing a threat model for a single web app, there might be a problem…
– Remember that threat modeling is often a way of both formalizing and engaging on the most important controls, which might be forgotten later.
![Page 90: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/90.jpg)
Conclusion
![Page 91: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/91.jpg)
Conclusion
![Page 92: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/92.jpg)
Conclusion
• "Your example was really 'basic'. How can I reach the next level?"
1. Practice your DFD drawing skills
2. Stay updated on new web attacks, threats and intrusion trends
3. Read feedback from field practitioners (some good references are provided at the end of the presentation)
4. Standardize your technique:
• ISO 27005: Information security risk management (§8.2)
• NIST SP-800-30: Risk management guide (§3)
![Page 93: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/93.jpg)
Conclusion
"Do pediatricians feel more confident about their web app?"
YES!
![Page 94: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/94.jpg)
Questions?
![Page 95: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/95.jpg)
Merci! / Thank you!
Contact me: [email protected]
Follow me: @starbuck3000
Discover L7: http://L7securite.ch
Download these slides: http://slideshare.net/starbuck3000
![Page 96: Rapid Threat Modeling : case study](https://reader034.vdocument.in/reader034/viewer/2022042510/557594fbd8b42ae7708b51fb/html5/thumbnails/96.jpg)
Recommended readings:
• Guerilla threat modeling (Peter Torr): http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx
• Threat risk modeling (OWASP): http://www.owasp.org/index.php/Threat_Risk_Modeling
• Application threat modeling (OWASP): http://www.owasp.org/index.php/Application_Threat_Modeling
• Threat modeling web applications (Microsoft): http://msdn.microsoft.com/en-us/library/ff648006.aspx
• Comments on threat modeling (in French, DLFP): http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette
• NIST SP-800-30: Risk management guide: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf