Threat Modeling James Walden
Topics
• Threat Generation.
• Data Flow Diagrams.
• Attack Trees.
• Risk Modeling.
• Threat Modeling Exercise.
Requirements
• Actors
  • People (roles) who interact with the system.
• Assets
  • Specific pieces of data an attacker wants.
• Actions
  • What Actors do to Assets.
  • Ex: Create, Read, Update, Delete.
Rules
• Rules apply to each Action.
• Limit the circumstances in which an Action can occur.
• Boolean tree of conditionals.
• Actors are represented as a rule:
  • User is in Role.
Threat Generation
• Use the Actor-Asset-Action matrix.
• Two types of threats via Rules:
  • Denial of Service: an Actor is prevented from performing an Action the matrix allows.
  • Elevation of Privilege: an Actor performs an Action the matrix prohibits.
Data Flow Diagrams
• Visual model of system data flow.
  • Rectangles: external actors.
  • Circles: processes.
  • Double lines: data stores.
  • Lines: data flows.
  • Dotted lines: trust boundaries.
• Hierarchical decomposition
  • Until no process crosses a trust boundary.
Attack Trees
• Root node is a threat.
• Subnodes are attacks that realize the threat.
• Attacks may be re-used in other trees.
• Hierarchical decomposition
  • Until you can determine whether the risk is acceptable.
Attack Graph
• Encompasses all attacks against the system.
• Set of interlinked attack trees.
• Auto-generation
  • Produces a high-level attack skeleton.
• Attack libraries
  • Many sub-trees re-appear.
  • Attached to tagged technologies in the DFD.
• Security expertise is still needed to complete the tree.
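An added example (not from the slides) of the two ideas above: attack trees with AND/OR nodes rooted at threats, and an attack graph in which one library sub-tree ("Obtain editor credentials") is shared by identity between two trees. The attacks, the per-leaf cost attribute (attacker effort in arbitrary units) and the "acceptable risk" threshold are constructed assumptions for the online news site exercise; the slides themselves do not prescribe cost as the leaf attribute.

```python
"""Attack trees and an attack graph for the online news site exercise.
Added example (not from the slides). The attacks and the per-leaf cost
attribute (attacker effort, arbitrary units) are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass(eq=False)          # nodes compare by identity so sub-trees can be shared
class Node:
    name: str
    kind: str = "OR"          # "OR": any child realises it; "AND": all children; "LEAF"
    children: list = field(default_factory=list)
    cost: int = 0             # only meaningful for leaves


def leaf(name, cost):
    return Node(name, "LEAF", [], cost)


def or_node(name, *kids):
    return Node(name, "OR", list(kids))


def and_node(name, *kids):
    return Node(name, "AND", list(kids))


# Attack library: a sub-tree that re-appears under several threats. It is
# built once and referenced from both roots, which is what makes the trees a graph.
EDITOR_CREDS = or_node("Obtain editor credentials",
    leaf("Phish an editor", 20),
    leaf("Guess a weak editor password", 40),
    and_node("Hijack an editor session",
        leaf("Capture the session cookie on an open network", 30),
        leaf("Replay the cookie before it expires", 5)))

# Roots are elevation threats from the Actor-Asset-Action matrix.
PUBLISH_UNAPPROVED = or_node("Anonymous publishes an unapproved Article",
    and_node("Publish through the editor UI",
        EDITOR_CREDS, leaf("Submit the publish request", 1)),
    leaf("Call the publish action without an editor session", 60))

DELETE_ARTICLES = or_node("Reader deletes published Articles",
    and_node("Delete through the editor UI",
        EDITOR_CREDS, leaf("Issue the delete request", 1)),
    leaf("Delete rows directly in the database", 80))

ATTACK_GRAPH = [PUBLISH_UNAPPROVED, DELETE_ARTICLES]


def cheapest(node):
    """(cost, leaf steps) of the cheapest realisation: an OR node takes its
    cheapest child, an AND node sums all of its children."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    return sum(c for c, _ in results), [s for _, steps in results for s in steps]


def acceptable(node, attacker_budget):
    """Risk is acceptable when every realisation costs more than the attacker
    is assumed able to spend; otherwise decompose further or mitigate."""
    return cheapest(node)[0] > attacker_budget


def shared_subtrees(roots):
    """Names of nodes reachable from more than one root: the library sub-trees."""
    seen = {}
    for root in roots:
        stack, visited = [root], set()
        while stack:
            n = stack.pop()
            if id(n) in visited:
                continue
            visited.add(id(n))
            seen.setdefault(id(n), [n.name, 0])[1] += 1
            stack.extend(n.children)
    return sorted(name for name, count in seen.values() if count > 1)


def render(node, depth=0):
    """Indented text form of a tree, for review meetings."""
    tag = "" if node.kind == "LEAF" else f" [{node.kind}]"
    cost = f" (cost {node.cost})" if node.kind == "LEAF" else ""
    lines = ["  " * depth + node.name + tag + cost]
    for c in node.children:
        lines.extend(render(c, depth + 1))
    return lines


if __name__ == "__main__":
    for root in ATTACK_GRAPH:
        print("\n".join(render(root)))
        print("cheapest:", cheapest(root), "\n")
    print("shared sub-trees:", shared_subtrees(ATTACK_GRAPH))
```

Because the credential sub-tree is the cheapest route into both roots, a mitigation attached to it (phishing-resistant editor login, for instance) raises the cost of every tree that references it, which is the practical payoff of keeping the library as shared nodes rather than copies.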
Risk Modeling
• Business assigns values ($) to Assets.
• Rate Actions on each Asset.
  • 1-5 relative scale, with 5 being worst.
  • Ranked twice: once for denial, once for elevation.
• Assign each Actor a risk level 1-5.
• Risk = Value of Asset * Action risk.
Threat Modeling Process
• Preparation.
  • Develop requirements, DFDs.
• Brainstorming.
  • Brainstorm possible threats.
• Drafting.
• Review.
• Verification.
  • QA team develops tests.
• Closure.
Exercise: Online news site.
• Actors
  • Authors, Editors, Readers.
• Data Stores
  • Database: articles, comments, users.
  • Logs.
• Processes
  • Web server.
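An added example (not from the slides) that applies the Data Flow Diagrams slide to the exercise's elements. The DFD is encoded as typed elements tagged with the trust zones they are drawn in, plus flows; two checks follow: which flows cross a trust boundary, and which processes straddle a boundary and therefore need another level of decomposition. The zone names ("internet", "dmz", "internal"), the flows and the level 1 split of the web server are constructed assumptions.

```python
"""Trust-boundary checks on a data flow diagram of the online news site.
Added example (not from the slides); the elements, zones and flows are
constructed for the exercise."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # "external" (rectangle), "process" (circle), "store" (double lines)
    zones: frozenset       # trust zones the element is drawn in; dotted lines separate zones


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


def element(name, kind, *zones):
    return Element(name, kind, frozenset(zones))


def as_index(*elems):
    return {e.name: e for e in elems}


def crossing_flows(elements, flows):
    """Flows whose endpoints share no trust zone cross a boundary; these are
    the flows on which threats are enumerated first."""
    return [f for f in flows if not (elements[f.src].zones & elements[f.dst].zones)]


def needs_decomposition(elements):
    """Processes drawn across more than one zone hide boundary crossings
    inside themselves and must be decomposed to the next level."""
    return [e.name for e in elements.values() if e.kind == "process" and len(e.zones) > 1]


# Level 0: a single "Web server" process that straddles the DMZ/internal boundary.
L0_ELEMENTS = as_index(
    element("Reader", "external", "internet"),
    element("Editor", "external", "internet"),
    element("Web server", "process", "dmz", "internal"),
    element("Articles DB", "store", "internal"),
    element("Logs", "store", "internal"),
)
L0_FLOWS = [
    Flow("Reader", "Web server", "page request"),
    Flow("Web server", "Reader", "article page"),
    Flow("Editor", "Web server", "publish request"),
    Flow("Web server", "Articles DB", "SQL query"),
    Flow("Web server", "Logs", "access log line"),
]

# Level 1: the same system with "Web server" split into an HTTP front end in
# the DMZ and the application logic inside. The crossing that the level 0
# monolith hid (front end to application logic) now appears as a flow.
L1_ELEMENTS = as_index(
    element("Reader", "external", "internet"),
    element("Editor", "external", "internet"),
    element("HTTP front end", "process", "dmz"),
    element("App logic", "process", "internal"),
    element("Articles DB", "store", "internal"),
    element("Logs", "store", "internal"),
)
L1_FLOWS = [
    Flow("Reader", "HTTP front end", "page request"),
    Flow("HTTP front end", "Reader", "article page"),
    Flow("Editor", "HTTP front end", "publish request"),
    Flow("HTTP front end", "App logic", "parsed request"),
    Flow("App logic", "Articles DB", "SQL query"),
    Flow("App logic", "Logs", "access log line"),
]


if __name__ == "__main__":
    for label, elems, flows in (("level 0", L0_ELEMENTS, L0_FLOWS), ("level 1", L1_ELEMENTS, L1_FLOWS)):
        print(label, "decompose:", needs_decomposition(elems))
        for f in crossing_flows(elems, flows):
            print("  crosses boundary:", f.src, "->", f.dst, f"({f.data})")
```

At level 0 the database and log flows look boundary-free only because the process on their far end is drawn in both zones; decomposing it to level 1 exposes the internal flow that an attacker in the DMZ would target, which is why the slide stops decomposition only when no process crosses a boundary.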
Exercise: Rules.
• Authors can submit Articles for publication.
• Editors can publish Articles.
• Editors can C, R, U, D Articles, Comments.
• Readers can read Articles, Comments.
• Readers can C, R, U, D their own Comments on Articles.
• Anonymous can create Reader accounts.
• Editors can C, R, U, D accounts.
Exercise: Deliverables
• Actor-Asset-Action Matrix
• Rules Tree
• DFDs
• Attack Tree
• Risk Model
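An added example (not from the slides) that produces three of the deliverables for the exercise rules above and applies the Threat Generation and Risk Modeling slides to them: the rules tree as Boolean conditionals (actors appear only as "user is in role" conditions, plus an ownership condition for Readers' own Comments), the Actor-Asset-Action matrix evaluated from those rules, the two threat types per cell (denial where some context allows the action, elevation where some context prohibits it), and a ranking by asset value times action risk. The rule encoding is an interpretation of the rules slide ("submit for publication" and "publish" are treated as Article create and update, and Anonymous gets no read access because the slide grants none); the dollar values and 1-5 ratings are constructed.

```python
"""Actor-Asset-Action matrix, rules tree, threat generation and risk ranking
for the online news site exercise. Added example (not from the slides); the
rule encoding, dollar values and 1-5 ratings are constructed assumptions."""
from dataclasses import dataclass
from itertools import product

ACTORS = ["Anonymous", "Reader", "Author", "Editor"]
ASSETS = ["Article", "Comment", "Account"]
ACTIONS = ["create", "read", "update", "delete"]


# --- Rules: a Boolean tree of conditionals over a request context ----------
# A context is {"role": <actor>, "is_owner": <bool>}.
def in_role(role):
    return lambda ctx: ctx["role"] == role


def owner():
    return lambda ctx: ctx["is_owner"]


def any_of(*rules):
    return lambda ctx: any(r(ctx) for r in rules)


def all_of(*rules):
    return lambda ctx: all(r(ctx) for r in rules)


ANON, READER, AUTHOR, EDITOR = (in_role(r) for r in ACTORS)

# Rules tree for the exercise (interpretation of the rules slide: "submit for
# publication" is Article create, "publish" is Article update, Anonymous has no read).
RULES = {
    ("Article", "create"): any_of(AUTHOR, EDITOR),
    ("Article", "read"):   any_of(READER, AUTHOR, EDITOR),
    ("Article", "update"): EDITOR,
    ("Article", "delete"): EDITOR,
    ("Comment", "create"): any_of(READER, EDITOR),
    ("Comment", "read"):   any_of(READER, EDITOR),
    ("Comment", "update"): any_of(EDITOR, all_of(READER, owner())),
    ("Comment", "delete"): any_of(EDITOR, all_of(READER, owner())),
    ("Account", "create"): any_of(ANON, EDITOR),
    ("Account", "read"):   EDITOR,
    ("Account", "update"): EDITOR,
    ("Account", "delete"): EDITOR,
}


@dataclass(frozen=True)
class Threat:
    kind: str     # "denial": allowed action blocked; "elevation": prohibited action performed
    actor: str
    asset: str
    action: str


def build_matrix():
    """Actor-Asset-Action matrix: each cell holds the set of rule outcomes over
    the context variants the actor can be in (owner of the asset or not)."""
    return {
        (actor, asset, action): {
            RULES[(asset, action)]({"role": actor, "is_owner": own}) for own in (True, False)
        }
        for actor, asset, action in product(ACTORS, ASSETS, ACTIONS)
    }


def generate_threats(matrix):
    """A denial threat wherever some context allows the action and an elevation
    threat wherever some context forbids it; an ownership-dependent cell
    (a Reader updating a Comment) yields both."""
    threats = []
    for (actor, asset, action), outcomes in matrix.items():
        if True in outcomes:
            threats.append(Threat("denial", actor, asset, action))
        if False in outcomes:
            threats.append(Threat("elevation", actor, asset, action))
    return threats


# --- Risk model: asset value * action risk, actor risk as tie-breaker ------
ASSET_VALUE = {"Article": 50_000, "Comment": 2_000, "Account": 20_000}  # $ (constructed)
# Actions rated 1-5 (5 worst) twice, under denial and under elevation. The slide
# rates per asset; here one table per threat type plus an override keeps it short.
ACTION_RISK = {
    "denial":    {"create": 2, "read": 3, "update": 2, "delete": 2},
    "elevation": {"create": 3, "read": 2, "update": 4, "delete": 5},
}
RISK_OVERRIDE = {("elevation", "Account", "read"): 5}   # account data disclosure
ACTOR_RISK = {"Anonymous": 5, "Reader": 4, "Author": 2, "Editor": 1}


def risk(t):
    rating = RISK_OVERRIDE.get((t.kind, t.asset, t.action), ACTION_RISK[t.kind][t.action])
    return ASSET_VALUE[t.asset] * rating


def rank(threats):
    """Highest risk first. The slide assigns actor risk but leaves it out of the
    formula, so it only orders threats of equal risk here."""
    return sorted(threats, key=lambda t: (risk(t), ACTOR_RISK[t.actor]), reverse=True)


if __name__ == "__main__":
    for t in rank(generate_threats(build_matrix()))[:8]:
        print(f"{risk(t):>8} {t.kind:<9} {t.actor:<9} {t.action:<6} {t.asset}")
```

The matrix has 48 cells and yields 50 threats rather than 48 because the two ownership-dependent cells each produce both a denial threat (a Reader blocked from editing their own Comment) and an elevation threat (a Reader editing someone else's); enumerating rule outcomes per context variant rather than per actor is what surfaces that pair.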
References
• Ben Hickman, "Application Security and Threat Modeling," http://cpd.ogi.edu/seminars04/hickmanthreatmodeling.pdf, 2004.
• Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
• Paul Saitta, Brenda Larcom, and Michael Eddington, "Trike v.1 Methodology Document [draft]," http://dymaxion.org/trike/, 2005.
• Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004.
• Peter Torr, "Demystifying the Threat-Modeling Process," IEEE Security & Privacy, Oct/Nov 2005.
• Peter Torr, "Guerilla Threat Modeling," http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx, 2005.
• Trike Threat Modeling Tool, http://www.octotrike.org/, 2005.