Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.
March 16, 2016
Mark Adams, Executive Director – Office of the CISO
The Art of Threat Modeling
Growth of the Threat
(Timeline chart, 1980 to 2015: attack tools and techniques plotted by year against sophistication, Low to High, on two tracks, Tools and Actors. Items as labelled:)
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
packet spoofing
back doors
hijacking sessions
sweepers
sniffers
network mgmt. diagnostics
distributed attack tools
automated probes/scans
denial of service
www attacks
burglaries
staging
“stealth” / advanced scanning techniques
cross site scripting
sophisticated C2
… next?
Traditional Security is Insufficient
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Threat Modeling
(Overview diagram; labelled components: Asset Inventory, Advanced Defense Strategy.)
Asset Inventory
Determine Assets & Locations
Asset – Location:
Member Data – Infrastructure, ERP System, BillPay
Regulated Information – SAP, Customer, Third Parties, Email, Laptops, Cloud (Apps / Storage)
Intellectual Property (IP) – R&D Systems, CAD, FTPS Servers
Corporate Strategy – File Shares, Email, Laptops, Mobile(s)
Financials (ERP systems, etc.) – SAP, JD Edwards (In House)
Employee PII – HR Database, Cloud Providers
Sales, Inventory, Logistics forecast and planning data – Corporate Network and Stores
A simple list will do…
Actor Profiles
Who Are They? – Know Your Enemy
Attack Vector Analysis
What are Their Tactics
What are Their Tactics
(Diagram of a supplier-to-POS attack path; labels in the order extracted, fragments rejoined:)
Supplier
Customer Data Pulled
Credentials Out
POS Software Distribution System
Supplier System
THE ATTACKER’S TARGET
Credentials Used to Get Inside
POS Data Pulled
Moved to Internal Server
Escalates Privileges
Data Exfiltrated in Pieces
Lateral Movement →
External Server
Advanced Defense Strategy
Intelligence-Driven Defense (aka the Cyber “Kill Chain”)
Cyber “Kill Chain”: Advanced Malware Threat
(Diagram; stage labels in the order extracted, not chain order:)
RESURRECTION
DATA THEFT
RECON
LURE
EXPLOIT
EXECUTED
INJECT THRU BACKDOOR
ESTABLISH COMMAND AND CONTROL
Cyber “Kill Chain”: Insider Threat
(Diagram; stage labels in the order extracted, not chain order:)
TURNING POINT
PACKING
RESURRECTION
DATA THEFT
RECON
Cyber “Kill Chain” Disruption: Insider Threat
(Diagram; stage labels in the order extracted, not chain order:)
TURNING POINT
PACKING
RESURRECTION
DATA THEFT
RECON
Annotations: “Stop Attacker Here” marked at RECON; “Fallback Position: Update Resume”.
Countermeasures (catalog slide, untitled; items as listed, fragments rejoined):
Social Media Posts
General Security Awareness
Security Staff Skills
Policy
Segregation of Duties
Acceptable Use Practices
Social Engineering Resistance
Security Awareness & Training
Social Engineering Assessments
3rd Party Secure Contract Language
Risk Assessments
Operational Monitoring
Intelligence Feed
Forensics
On / Off Boarding
Vulnerability Management
System Hardening / Patching
Investigations
File Activity Monitoring
Application Whitelisting
Log Correlation or SIEM
DLP
Behavioral Analysis
Privileged Rights Management
Communication Monitoring
Data Masking
Encryption
Segmentation
Fraud Detection
Multi-factor Authentication
Intrusion Det & Prev.
Hardened Firewall
File Integrity Monitoring
Adv. Endpoint Protection
Malware Detonation
Web Content Filter
Network Access Control (NAC)
Incident Frequency & Severity
People Trained
Patch Compliance
Endpoint Compliance
Vulnerability Resolution Rate
Access Control Compliance
“Air Gap” Backups
Runtime Application Self-Protection
Web Application Firewall
Metrics
Incident Response
Anomaly Detection
Asset Inventory
Countermeasure Mapping (Insider)
(Grid mapping countermeasures onto the insider kill-chain stages TURNING POINT, PACKING, RESURRECTION, DATA THEFT and RECON. The column layout did not survive extraction, so the stage each entry falls under is lost; entries are listed in extraction order, and an entry that repeats appeared under more than one stage.)
General Security Awareness
Acceptable Use Practices
Security Awareness & Training
Behavioral Analysis
Communication Monitoring
General Security Awareness
Policy
Acceptable Use Practices
Incident Response
Log Correlation or SIEM
Privileged Rights Management
People Trained
Incident Frequency & Severity
Access Control Compliance
File Activity Monitoring
Log Correlation or SIEM
DLP
Behavioral Analysis
Privileged Rights Management
Data Masking
Encryption
Incident Response
Anomaly Detection
DLP
Log Correlation or SIEM
Security Staff Skills
Security Staff Skills
Incident Response
Forensics
Operational Monitoring
Operational Monitoring
Fraud Detection
Incident Frequency & Severity
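The mapping slide is the point where the deck's four "knows" come together: a stage of the kill chain that no countermeasure touches is a gap, a stage that rests on a single control is a single point of failure, and the earliest well-covered stage is where "Stop Attacker Here" belongs. The script below is an added example written for this transcript, not material from the Optiv deck. The stage names are the ones the slides use for the insider-threat chain; the left-to-right stage order, the assignment of each countermeasure to stages, and the small catalog subset are constructed sample input (the slide's grid columns did not survive extraction), so swap in your own mapping before reading anything into the output.

```python
"""Coverage check of countermeasures against a kill chain.

Added example for this transcript; not the deck's own material.
Stage names come from the slides' insider-threat kill chain. ASSUMED and
constructed, not taken from the slides: the stage order below, the
countermeasure-to-stage mapping, and the catalog subset.
"""

# Assumed stage order: Recon first, Data Theft last.
INSIDER_KILL_CHAIN = ["RECON", "TURNING POINT", "PACKING", "RESURRECTION", "DATA THEFT"]

# Constructed sample mapping: countermeasure -> stages it is taken to address.
SAMPLE_MAPPING = {
    "Security Awareness & Training": ["RECON", "TURNING POINT"],
    "Acceptable Use Practices": ["RECON", "TURNING POINT"],
    "Behavioral Analysis": ["RECON", "PACKING"],
    "Log Correlation or SIEM": ["TURNING POINT", "PACKING", "RESURRECTION"],
    "Privileged Rights Management": ["TURNING POINT", "PACKING"],
    "File Activity Monitoring": ["PACKING"],
    "DLP": ["PACKING"],
    "Incident Response": ["TURNING POINT", "PACKING", "DATA THEFT"],
    "Forensics": ["DATA THEFT"],
    "Fraud Detection": ["DATA THEFT"],
}

# Constructed subset of the deck's countermeasure catalog, including two
# entries that never made it onto the mapping.
SAMPLE_CATALOG = sorted(SAMPLE_MAPPING) + ["Data Masking", "Encryption"]


def coverage_by_stage(chain, mapping):
    """Return {stage: sorted controls covering it}; every stage is present,
    even one with no control. Unknown stage names are rejected so a typo in
    the mapping cannot silently look like coverage."""
    cover = {stage: [] for stage in chain}
    for control, stages in mapping.items():
        for stage in stages:
            if stage not in cover:
                raise ValueError(f"{control!r} maps to unknown stage {stage!r}")
            cover[stage].append(control)
    return {stage: sorted(controls) for stage, controls in cover.items()}


def uncovered_stages(chain, mapping):
    """Stages no control addresses: the attacker passes through unopposed."""
    return [s for s, c in coverage_by_stage(chain, mapping).items() if not c]


def thin_stages(chain, mapping, minimum=2):
    """Stages relying on fewer than `minimum` controls (single points of failure)."""
    return [s for s, c in coverage_by_stage(chain, mapping).items() if len(c) < minimum]


def stop_attacker_here(chain, mapping, minimum=2):
    """Earliest stage in chain order backed by at least `minimum` controls, the
    point the slides mark "Stop Attacker Here". None if no stage qualifies."""
    cover = coverage_by_stage(chain, mapping)
    for stage in chain:
        if len(cover[stage]) >= minimum:
            return stage
    return None


def unmapped_controls(catalog, mapping):
    """Catalog entries positioned on no stage: listed or bought, but not placed."""
    return sorted(set(catalog) - set(mapping))


if __name__ == "__main__":
    for stage, controls in coverage_by_stage(INSIDER_KILL_CHAIN, SAMPLE_MAPPING).items():
        print(f"{stage:14} {len(controls)} control(s): {', '.join(controls) or '-'}")
    print("uncovered:", uncovered_stages(INSIDER_KILL_CHAIN, SAMPLE_MAPPING))
    print("thin:", thin_stages(INSIDER_KILL_CHAIN, SAMPLE_MAPPING))
    print("stop attacker here:", stop_attacker_here(INSIDER_KILL_CHAIN, SAMPLE_MAPPING))
    print("unmapped:", unmapped_controls(SAMPLE_CATALOG, SAMPLE_MAPPING))
```

With the sample mapping, RESURRECTION rests on a single control, nothing is fully uncovered, RECON is the first stage with two or more controls, and Data Masking and Encryption sit in the catalog without a stage. Raising `minimum` is the quick way to test how robust the "stop here" choice is: at four controls the answer moves from RECON to TURNING POINT.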
(Kill-chain diagram; stage labels in the order extracted: DATA THEFT, RECON, PACKING, TURNING POINT, RESURRECTION.)
Summary
Know Your Crown Jewels and Where They’re Hidden
Know Your Adversary – Motives, Means and Methods
Know How Known Attack Patterns Exploit Your Vulnerabilities
Know the State of Your Defenses and Position Assets Strategically
Q&A
Why We Exist
Create confidence for a more connected world