
Page 1: The Art of Threat Modeling - StarChapter

Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.

March 16, 2016

Mark Adams Executive Director – Office of the CISO

The Art of Threat Modeling

Page 2

Growth of the Threat

Figure: attack techniques placed on a 1980-2015 timeline, in the order they appear on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, packet spoofing, back doors, hijacking sessions, sweepers, sniffers, network mgmt. diagnostics, distributed attack tools, automated probes/scans, denial of service, WWW attacks, burglaries, staging, "stealth" / advanced scanning techniques, cross site scripting, sophisticated C2, ... next? Axis labels: Sophistication (Low to High), Tools, Actors.

Page 3

Traditional Security is Insufficient

Page 4

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 5

Advanced Defense Strategy

Threat Modeling

Asset Inventory

Page 6

Asset Inventory

Page 7

Determine Assets & Locations

Asset                                                  | Location
Member Data                                            | Infrastructure, ERP System, BillPay
Regulated Information                                  | SAP, Customer, Third Parties, Email, Laptops, Cloud (Apps / Storage)
Intellectual Property (IP)                             | R&D Systems, CAD, FTPS Servers
Corporate Strategy                                     | File Shares, Email, Laptops, Mobile(s)
Financials (ERP systems, etc.)                         | SAP, JD Edwards (In House)
Employee PII                                           | HR Database, Cloud Providers
Sales, Inventory, Logistics forecast and planning data | Corporate Network and Stores

A simple list will do…

Page 8

Actor Profiles

Page 9

Who Are They? – Know Your Enemy

Actor Profiles

Page 10

Actor Profiles

Page 11

Attack Vector Analysis

Page 12

Attack Vector Analysis

Page 13

What are Their Tactics

Attack Vector Analysis

Page 14

What are Their Tactics

Attack Vector Analysis

Diagram: the attacker's path from a supplier into the target and out again. Labels recovered from the slide, in the order the flow reads:

1. Supplier System: credentials out
2. THE ATTACKER'S TARGET: credentials used to get inside
3. Moved to internal server
4. Escalates privileges, lateral movement
5. POS Software Distribution System: POS data pulled
6. Customer data pulled
7. Data exfiltrated in pieces to an external server
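The last step of the path above is data leaving in pieces, sized to stay under whatever single-transfer limit a DLP rule enforces. One way to catch that step with the log correlation the deck lists as a countermeasure, as an added example that is not from the deck: aggregate outbound transfers per internal host and external destination over a sliding window and alert when many sub-threshold pieces add up to a large total. The log format, the addresses, the thresholds and the sample lines are all constructed for this example.

```python
"""Added example: spotting "data exfiltrated in pieces" by correlating
outbound transfers per (internal host, external destination) over a
sliding time window. Log format, thresholds and data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src ip> <dst ip> <bytes out>".
# Constructed sample lines, not real traffic: one host drips ~480 KB
# pieces to the same destination, one host sends a single large file,
# one host sends small periodic heartbeats.
SAMPLE_LOG = """\
2016-03-16T02:00:05 10.20.30.40 203.0.113.10 480000
2016-03-16T02:03:12 10.20.30.40 203.0.113.10 495000
2016-03-16T02:07:44 10.20.30.40 203.0.113.10 470000
2016-03-16T02:12:09 10.20.30.40 203.0.113.10 490000
2016-03-16T02:18:30 10.20.30.40 203.0.113.10 460000
2016-03-16T02:25:01 10.20.30.40 203.0.113.10 485000
2016-03-16T09:00:00 10.20.30.41 198.51.100.5 5000000
2016-03-16T09:00:10 10.20.30.42 203.0.113.10 2000
2016-03-16T09:05:10 10.20.30.42 203.0.113.10 2000
2016-03-16T09:10:10 10.20.30.42 203.0.113.10 2000
2016-03-16T09:15:10 10.20.30.42 203.0.113.10 2000
2016-03-16T09:20:10 10.20.30.42 203.0.113.10 2000
2016-03-16T09:25:10 10.20.30.42 203.0.113.10 2000
2016-03-16T14:00:00 10.20.30.40 203.0.113.10 480000
2016-03-16T14:10:00 10.20.30.40 203.0.113.10 480000
"""

PER_TRANSFER_MAX = 500_000       # a single transfer above this trips a plain DLP rule
WINDOW = timedelta(minutes=60)   # correlation window
MIN_PIECES = 5                   # pieces needed inside the window
MIN_TOTAL = 2_000_000            # combined bytes needed inside the window


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(events)


def detect_chunked_exfil(text):
    """Return one alert per (src, dst) pair whose transfers inside some
    WINDOW-long span are each under PER_TRANSFER_MAX yet number at least
    MIN_PIECES and total at least MIN_TOTAL."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), xfers in by_pair.items():
        left, total = 0, 0
        for right, (ts, nbytes) in enumerate(xfers):
            total += nbytes
            # slide the left edge forward until the span fits in WINDOW
            while ts - xfers[left][0] > WINDOW:
                total -= xfers[left][1]
                left += 1
            pieces = xfers[left:right + 1]
            if (len(pieces) >= MIN_PIECES and total >= MIN_TOTAL
                    and max(b for _, b in pieces) < PER_TRANSFER_MAX):
                alerts.append({
                    "src": src, "dst": dst,
                    "first": pieces[0][0].isoformat(),
                    "last": ts.isoformat(),
                    "pieces": len(pieces), "bytes": total,
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_chunked_exfil(SAMPLE_LOG):
        print(alert)
```

The single 5 MB transfer is deliberately not this rule's business: a per-transfer threshold already catches it. The heartbeat host trips the piece count but not the byte total, which is why both conditions are required; tune the window and thresholds to the baseline of the hosts being watched.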

Page 15

Advanced Defense Strategy

Page 16

Advanced Defense Strategy

Intelligence-Driven Defense (aka the Cyber “Kill Chain”)

Page 17

Advanced Defense Strategy

Cyber "Kill Chain": Advanced Malware Threat

Figure: stages as read around the chain diagram: RECON, LURE, EXPLOIT, EXECUTED, INJECT THRU BACKDOOR, ESTABLISH COMMAND AND CONTROL, DATA THEFT, RESURRECTION.

Page 18

Advanced Defense Strategy

Cyber "Kill Chain": Insider Threat

Figure: stages shown in the insider chain: RECON, TURNING POINT, PACKING, RESURRECTION, DATA THEFT.

Page 19

Advanced Defense Strategy

Cyber "Kill Chain" Disruption: Insider Threat

Figure: the insider chain (RECON, TURNING POINT, PACKING, RESURRECTION, DATA THEFT) with the annotations "Fallback Position", "Update Resume" and "Stop Attacker Here" (the stop marker sits next to RECON).

Page 20

Advanced Defense Strategy

Countermeasures (labels recovered from the slide's diagram):
Social Media Posts
General Security Awareness
Security Staff Skills
Policy
Segregation of Duties
Acceptable Use Practices
Social Engineering Resistance
Security Awareness & Training
Social Engineering Assessments
3rd Party Secure Contract Language
Risk Assessments
Operational Monitoring
Intelligence Feed
Forensics
On / Off Boarding
Vulnerability Management
System Hardening / Patching
Investigations
File Activity Monitoring
Application Whitelisting
Log Correlation or SIEM
DLP
Behavioral Analysis
Privileged Rights Management
Communication Monitoring
Data Masking / Encryption
Segmentation
Fraud Detection
Multi-factor Authentication
Intrusion Detection & Prevention
Hardened Firewall
File Integrity Monitoring
Adv. Endpoint Protection
Malware Detonation
Web Content Filter
Network Access Control (NAC)
Incident Frequency & Severity
People Trained
Patch Compliance
Endpoint Compliance
Vulnerability Resolution Rate
Access Control Compliance
"Air Gap" Backups
Runtime Application Self-Protection
Web Application Firewall
Metrics
Incident Response
Anomaly Detection
Asset Inventory

Page 21

Advanced Defense Strategy

Countermeasure Mapping (Insider)

Stage columns: TURNING POINT, PACKING, RESURRECTION, DATA THEFT, RECON

Controls listed under the stage columns (extraction lost the column boundaries, so which stage each control sits under is not recoverable; a control that repeats is one placed under more than one stage):
General Security Awareness
Acceptable Use Practices
Security Awareness & Training
Behavioral Analysis
Communication Monitoring
General Security Awareness
Policy
Acceptable Use Practices
Incident Response
Log Correlation or SIEM
Privileged Rights Management
People Trained
Incident Frequency & Severity
Access Control Compliance
File Activity Monitoring
Log Correlation or SIEM
DLP
Behavioral Analysis
Privileged Rights Management
Data Masking / Encryption
Incident Response
Anomaly Detection
DLP
Log Correlation or SIEM
Security Staff Skills
Security Staff Skills
Incident Response
Forensics
Operational Monitoring
Operational Monitoring
Fraud Detection
Incident Frequency & Severity
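Countermeasure mapping is easier to reason about, and to keep current, as data rather than as a picture. The block below is an added example and is not the deck's or Optiv's own tooling: it builds the kind of course-of-action matrix described in the Lockheed Martin intrusion kill chain paper that slide 16 refers to (stages Reconnaissance through Actions on Objectives; actions detect, deny, disrupt, degrade, deceive), then reports the stages with no control, the stages where the defender can only watch, and the earliest stage at which something preventive fires, which is the deck's "Stop Attacker Here" point. The control names are taken from the deck's catalogue, but the stage and action assigned to each one here is an assumption made for illustration, not the deck's mapping.

```python
"""Added example: a kill-chain course-of-action matrix for countermeasure
mapping. Stage order follows the Lockheed Martin intrusion kill chain;
control names come from the deck's catalogue, but the stage and action
assigned to each control below is an assumption for illustration."""
from collections import defaultdict

STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
ACTIONS = {"detect", "deny", "disrupt", "degrade", "deceive"}
PREVENTIVE = ACTIONS - {"detect"}   # actions that actually stop the attacker

# (control, stage, action): assumed mapping, not the deck's
CONTROLS = [
    ("Web Application Firewall", "Reconnaissance", "detect"),
    ("Web Content Filter", "Delivery", "deny"),
    ("Malware Detonation", "Delivery", "detect"),
    ("Vulnerability Management", "Exploitation", "deny"),
    ("System Hardening / Patching", "Exploitation", "deny"),
    ("Application Whitelisting", "Installation", "deny"),
    ("Adv. Endpoint Protection", "Installation", "detect"),
    ("File Integrity Monitoring", "Installation", "detect"),
    ("Intrusion Det & Prev.", "Command and Control", "disrupt"),
    ("Log Correlation or SIEM", "Command and Control", "detect"),
    ("DLP", "Actions on Objectives", "deny"),
    ("Segmentation", "Actions on Objectives", "degrade"),
    ("Anomaly Detection", "Actions on Objectives", "detect"),
]


def build_matrix(controls=CONTROLS):
    """Index controls as stage -> action -> [control names], rejecting
    any row that names a stage or action outside the model."""
    matrix = {stage: defaultdict(list) for stage in STAGES}
    for name, stage, action in controls:
        if stage not in matrix:
            raise ValueError(f"unknown stage {stage!r} for {name!r}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} for {name!r}")
        matrix[stage][action].append(name)
    return matrix


def coverage_report(controls=CONTROLS):
    """Where are the gaps? Stages with no control at all, stages where the
    defender can only watch, and the earliest stage at which a preventive
    control fires (the "Stop Attacker Here" point)."""
    matrix = build_matrix(controls)
    uncovered = [s for s in STAGES if not matrix[s]]
    detect_only = [s for s in STAGES
                   if matrix[s] and not (set(matrix[s]) & PREVENTIVE)]
    stop_here = next((s for s in STAGES if set(matrix[s]) & PREVENTIVE), None)
    return {"uncovered": uncovered, "detect_only": detect_only,
            "stop_here": stop_here}


def render(matrix):
    """One text row per stage, the way the mapping would go on a slide."""
    rows = []
    for stage in STAGES:
        cells = "; ".join(f"{action}: {', '.join(names)}"
                          for action, names in sorted(matrix[stage].items()))
        rows.append(f"{stage:<22} {cells or '(no control)'}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(build_matrix()))
    print(coverage_report())
```

With the assumed mapping the report says Weaponization has no control (normal: it happens on the attacker's side), Reconnaissance is detect-only, and the first stage where the attacker can be stopped is Delivery. The same structure serves the insider chain on this slide: swap in the deck's stage names and the controls under each column, and the gap report falls out the same way.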


Page 23

Advanced Defense Strategy

Figure: kill chain stages DATA THEFT, RECON, PACKING, TURNING POINT, RESURRECTION (diagram; no further text recovered).


Page 25

Summary

Know Your Crown Jewels and Where They’re Hidden

Know Your Adversary – Motives, Means and Methods

Know How Known Attack Patterns Exploit Your Vulnerabilities

Know the State of Your Defenses and Position Assets Strategically

Page 26

Q&A

?

Page 27

Why We Exist

Create confidence for a more connected world

[email protected]
