Threat Modeling 101: ATT&CK, D3FEND, and the Security/Convenience Spectrum - Steve Grant

thank you so much um pleasure to be here obviously this is threat modeling 101 uh we'll be covering threat modeling attack defend the security convenience spectrum those are all really really massive topics so this is a high level talk first and foremost i respect your time if we start getting into this and you say you want to go deeper feel free to head out go check out some vendors explore another talk remember your time is valuable so make sure you're in the right spot secondly we all just ate lunch if you just need some nice soft voice to help you fall asleep i will not be offended close your eyes have a great nap enjoy

the time away from work so all that being said ignore that no sleeping in his talk all that being said my name is steve grant my pronouns are he and him um for work i am a senior engineering manager and product owner at fifth season i'll break each of those down starting with fifth season so we're based here out of pittsburgh we are a controlled environment agriculture vertical indoor farm really a lot of cool buzzwords basically we're just robot farmers we use technology to do all of our decision making and we produce a million pounds of leafy greens right out of braddock right next to a steel mill so go to giant eagle check it out it's cool stuff

the other part i'm a senior manager and a product owner normally we see that as two different things right our product owners say here's what we need to do go figure it out and then our engineering managers say okay great here's how we're going to accomplish it well when i have to wear both of those hats at the same time it really makes me think of okay what's important to the business how can we as a team do this and do this right without having the technical debt in the future so a lot of what we're going to be talking about today is kind of driven from that perspective of four leaders for product owners for

managers and people that are just generally new to security how do we get involved with some of these concepts i don't have a lot of social but please hit me up on linkedin i had some qr codes here that aren't working but if you want to copy this slide deck just send me a message as well as my manager readme i think it'd be awesome if all managers came with readme files and so there's a site called manager readme where you can go and check out myself and encourage your managers and other people in your leadership to write their own readme files outside of that i'm a big ci cd junkie grew up and cut

my teeth on the devops this admin side of life but huge board game player if anyone wants to play some magic later hit me up always looking for a good fish taco so if you've got a good recipe send that my way as well so breaking all that down our little dash dash help as i said i'm not a cyber security engineer i'm focusing on the business helping the business get the goals that they need to do better work a lot of people here might be in that same boat a lot of people aren't but at the end of the day we're all just trying to have good secure systems right there's a hundred thousand different

ways that we can accomplish that goal so with some of my backgrounds in systems engineering and other tools i'm focused now on bringing this to the forefront like i've said convincing other people in leadership that these are the things we need to be pursuing these are the roads that we need to go down and the first and foremost step in doing that is having these kinds of threat models and some of the tools to help understand our threat models are going to be this miter attack and defend framework all right introductions out of the way heads up let's go why is security important relevant xkcd right every architecture every infrastructure that we have is going to be composed of

thousands and thousands and thousands of other little pieces how many people here have written all those pieces yourself absolutely no one right even if you go down and you write your full application you're probably writing it on someone else's operating system or you're probably using hardware you did not assemble unless you're printing your own silicon chips like we're relying on other people in the community in the culture to help with the security right so we need to trust and understand that nothing that we have uh is fully in our control so we need to be prepared for some of this and so then we might be asking all right cool why is that important really simple this is my favorite uh

clip art that i found out on the internet it's a happy guy holding money right why is security important why do we care the technology industry is ridiculous 65 of global global gdp is technology driven people in our field people in the technology space we are at the forefront of the money that's going and driving the world forward when technology and security events happen those things fall apart so of course businesses are going to say yes we need to invest in security we need to do these things and it's our job to help explain it to a lot of these people so what is threat modeling right you hear this i've heard this talk like or

mentioned a couple times already in just various talks that we've had um is it some crazy ridiculous thing not really it can be really boils down to three questions what are we talking about where can it go wrong and then what are you going to do about it so it's it's really simple when you think of it in a nice easy sentence x poses a risk to y so i'm going to do z we are all humans we have evolved to just kind of inherently have this notion and understanding of things you know i'm worried about falling down the stairs so i'm going to hold the handrail or maybe i shouldn't have drinks with my neighbors the night

before i go speak at b-sides because then i might do a poor job on my performance irrelevant i just say so let's think through this and with kind of this easy mode notion right doors just login services for our houses that's all they are everyone knows doors we've all used them so let's think of this scope what is the door we want to focus on that one item they allow this ingress egress for this house they're composed of glass wood aluminum what other materials make them up okay we know our scope we understand what we're talking about we've kind of reduced this down what are some threats that we have here right lock picks everyone's hopefully

checked out the lock picking village you picked up a tool or trick or something and now you can go and pick locks you are now a threat to all the other house login services in the world congratulations smart lock hackers right smart locks are being pretty popular you connect them with your home iot system and now someone on the other side of the world could invade your wi-fi and unlock your door for you for someone else to come in or you know what if this google picture that i found is your house i would say a large rock is a very strong threat to your door and so it's thinking about all these things right what are the the

things if you have a child or anyone else you yourself are a forgetful human failure to use the service correctly is also a big threat um so we have this notion of right we know the things that can go wrong we know what we're talking about what are you going to do about it so the final step in any kind of a threat model is to mitigate the risks motion alarms are great for a sliding door like this if you want to get really crazy you know what hire guards with dogs and you know set up a massive security system around your house it's probably not practical for most people but you know what if

this was my door i might just take an old broom handle and shove it down in the corner because that'll work 98 of the time see exhibit a large rocks um so it's it's again just this notion and we do this all the time as i said this is very intrinsic to us of how threat modeling approaches but when we start thinking about software and technology this is really where we need to start being a little bit more specific so this example is taken straight from the owasp website they do a great breakdown of the threat modeling process they run through it with this college library website right really think basic example staff students can log in librarians can

add books remove books add users etc right like real simple basic kind of application so as we start thinking about this you know number one assessing our scope where do we want to draw the lines right all these systems and subsystems and subsystems of those systems are interconnected for the purpose of our specific threat model that we're talking about what do we care about because you could go down the rabbit hole and start getting into the bare metal that's hosting your college library website so really understand who do you want to trust and what do you want to control and there has to be a level of trust of your subsystems or of these other black

boxes that you're just blindly accepting the output from them as your input so figure out whether you're zooming in or zooming out and whether you want to just say you know what we trust our systems engineers we've done our research on our vendors and our third party we understand that they're going to do a good job protecting their systems let's just focus on the stuff that we are writing in-house or you could say you know what we're doing a deep dive into every tool we're only using open source software that we understand and going down that road so first steps going through assessing scope probably i would say the most important part of figuring out what you're

actually talking about just draw it out remember i'm a manager i left technology and i lost any intelligence that i had i need nice pictures anyone in your leadership will appreciate a nice picture so we can look at these kind of things and we can already see all right we've got a lot of points of contact a lot of data flow where we're storing a lot of this information what are some of these external dependencies that we care about where are we drawing those trust borders and saying we will allow these things to come in versus not what are these exit points which are just as important as entry points if a hacker can get into your system but

can't really do anything with the information you have some level of coverage there um and again just re-establishing the the trust levels so looking at this we're thinking about this library example uh where do we want to start our scope is assessed let's think through those three questions here's what we're talking about what can go wrong with it that's where mitre attack really comes into play so this is massive i'm sorry anyone in the back like you go to attack.mitre.org this is what you see this is a little overwhelming especially if you're sitting in the back of the room and it's all just blurry to you so what are we actually looking at here real simple it's a user base or

knowledge base of everything that can go wrong right played a lot of street fighter ii i would always get my butt beat and i would say all right i know that move i recognize that that's that hadouken i'm used to that thing hitting me in the face i don't know how they do it this is what mitre attack is right it says here's all the things that can hit you in the face and then here's how they're done so it's this massive massive library of all these different things that we can utilize to understand how someone might try to impact our system so if you drill into this there's 191 techniques and those techniques break

down further into 386 different sub techniques and so again that is a lot of information right if you're starting your security program if you're trying to figure out which direction to take your team what do you just throw a dart at this board it's like no there's other good information out there we got to think who or what is most likely going to impact our system what is the best use case if we've got a limited amount of time how do we approach this so thinking about this some of our first places you know database files comes up how do we secure our database we've got the sql queries reaching now we've got the different

user groups and then those calls going through this limited example obviously we would have had this mapped out a lot deeper with the technologies and tools available but it's quite obvious when you start thinking about it it's us we're the baddies we're the bad people us being humans interacting with your system i don't care how secure your system is there's probably a username or password that breaks it pretty quickly i love this this comes from the verizon data breach investigation report again another fantastic read they publish that every year definitely check it out 82 percent of breaches involve the human element right look at this graph is it easier to create a zero day and create

some exploitative vulnerability or just steal someone's credentials like these are really easy concepts so we say okay if we know our users are probably the weak link in the system let's keep that frame of mind and go into this miter attack framework so once you start diving into some of this you can really poke into things so you dive into that big miter chart you scroll down you find something that kind of relates to what you're talking about and we come here oh credentials from password stores okay again dumb manager hat let me read what some of this is uh people steal your local password stores okay i understand what that attack vector looks like but with these and a

couple of the other ones let's dive into some of these sub techniques to really understand what's going on credentials from web browsers we're all using web browsers what does this look like and again mitre attack just really dives deep into a lot of this for those in the back that can't see this if you're on a windows system using google chrome here's how you get the database file from that system here's the sql you can use to extract that information and here's the api function to decrypt that and all this information and all these attack patterns are right there at your fingertips if you're running through that attack system and what's really great about attack is

it breaks all these down into these four main areas so one understanding what the attack is and how it works again the manager give me nice simple words let me understand a lot of these things browser store passwords so they must store them somewhere right thank you procedure examples as we said we're getting used to hitting the or we're used to getting hit in the face with those sudukins who's doing that well we've got silver terrier using agent tesla and they try it roughly 17 000 times a month and they yield almost a thousand successful exploits these are references to different nsa papers different government papers other things that are coming out from analysts saying

hey here's an attack we saw here's how they did it and then mitre attack is taking all that information and building it out into that framework so we're all using the same language so when we start thinking about mitigations attack leads us down some good rabbit holes of things that we can do to work with some of these mitigations and remember that's our third question in our threat model of you know what are we talking about how is it going to get broken and what are we going to do about it and attack again presents that in a nice way so you can say here's how i can mitigate it here's how i can detect it

but let's go a step deeper let's jump into mitre's defend so a lot of people have probably heard of mitre attack miter defend went under the radar because it came out mid-2021 still in covid craziness we're not going to conferences might have you know just completely missed your radar but defend.miter.org they use the elite three on defend just as a point of note keep that in mind because we're hackers right you got to so might defend is really interesting because these are just fully interactive websites so if we go in and look at these artifacts that we have here in the middle we can start well i guess let me say to break this one down further this

is your rock paper scissors map right if mitre attack is saying here's all the bad things that can happen here's how they do it mitered defend is saying here's what beats what obviously both coming from mitre spoiler alert there's going to be some connections between the two so that being said we can start using for some of these artifacts right we're concerned about our users and specifically our user accounts so we can just go to defend search user account and boom great more information for people that are trying to figure this out for the first time making sure we're all talking about the same thing and then what's great about defend is we're seeing where some of

these other pieces are that might relate to this puzzle so if you're exploring this road for the first time you can say i'm interested in user accounts okay what composes user accounts what goes into it and then you get these wonderful charts showing other things that contribute to it diving further into this and again this is all on the site you start seeing related countermeasure techniques and related offensive techniques so all these red ones are attack vectors so if we go back to miter attack we could find each of these listed in that massive massive chart somewhere and how the action impacts the artifact itself similarly we have all these related counter measures that we can use to

prevent some of these things and so maybe we have a strong password policy that strengthens our user account or maybe biometrics for authentication or multi-factor authentication right multi-factor is huge we should all be doing that so if we dive into multi-factor hey great defend again says here's all the different attack vectors that multi-factor authentication is going to help you out with so as we're building these models we can start to determine where do we get the best bang for our buck which of these tools is going to help us out and so just going looking at multi-factor we've got this list of different ways that we can stop whatever that attack vector is that we're

interested in so the fun thing is you can make this into any kind of training activity if you want right what attack vector is hidden here and start working on this with some of your team you know what things could access your keyboard input device but could be isolated or detected using i o port restriction key logging and then some of these maps are pretty complicated when you start mapping out the ways all these different things can interact together so you know what are something that's accessing credentials and trying to access command history logs right hey look our bash history this is a real thing hackers get into your system and they can just go and see your bass bash

history files and some of these defend techniques are ways that we can prevent that and slow things down so great we are all happy we now have this wonderful threat model we understand what we're talking about how things can occur and what we can do about them right bring this back to work and you're now famous not quite yet because behind all of this behind every one of these companies is this notion of business value and we all love cyber security right that's why we're here we think security is really important we think it's cool we think it's where we should put all of our money in but ask your boss what is more important that your email server

stays up or that you have a strong cyber security problem more times out of not they'll probably say we need email for business functionality and so when we start thinking about these it's like how do we do this how do we sell this because it's always roi right everything is about roi when it comes to businesses remember 65 of global gdp there's a lot of money on the table when we're talking about cyber security and some of this is really really hard to present and say this is why it's important and some of these security practices are a real pain and some of them are terrible for users some of them are terrible for engineers some of them are

terrible for leadership who has to pay for some of this and so organizations will treat our cyber security like any other kind of operational expense prioritize it based off of that return on investment so one of the things in our jobs as we're building out these threat models using the miter tools and technology is to understand what that roi impact is really understand this notion of the secure side versus the convenience side i don't know how many of you were in the privacy talk earlier but there's a lot of really cool things that we can do to be super super secure guess what it's a real pain in the ass and it works sure but again you've got a lot of hoops you

gotta jump through in order to make that happen and someone has to use that convenience and so it really depends on where you want to break that cost down who's going to pay that cost and what does that actually look like is it just you know requiring re-authentication and multi-factor every single call your application makes well then your users are going to eat that cost and they're likely going to hate it and want nothing to do with it is it just a really cool out of the box application that you want to buy great your leadership has to pour their money into it this is something we're going to write in-house something we're going to

maintain build and work on awesome that's engineering time that's going into all these things and so like any good scrum agile practitioner we get to point things we can size things however you want to call it if we look at these different efforts and these different actions that we can take we can explore these different levels of effort whether it's a complexity thing whether it's an exertion thing a risk to your current systems or different resources that it is and each of these will map somewhere to a different cost that someone has to pay that could be your opex that could be your capex your customer support cost or even just your customer experience right

if your system sucks to use you're going to lose customers that's going to lose business and leadership's not going to be happy and so we look at you know thinking back to our library example let's think you know we have our users we know multi-factor authentication is a good way to do this how do we approach this our library is on google suite you know 90 of the world is on google suite or office 365. for google suite hey i want to enforce two-step verification that's it it's a check box it's included out of the box right if you're using google suites and you don't have multi-factor authentication enabled you're doing something wrong because it's literally one button click

sure you might have some experience with your users that have to re-authenticate the first time or if they lose their cookies or change their device having to re-authenticate with multi-factor and that's where some of that cost comes into play and then you go through these exercises and you can write these little blurbs and say for this threat model we think users are a big thing that we need to worry about here's all the attack vectors that can happen with compromised credentials here's a solution that we think will work it's low complexity low exertion mild risk in case you have a service that's using this that would need to get re-authenticated but our resource implementation is

really minimal so when you think of that on that spectrum it's a high level of security with a fairly low cost and therefore a high convenience factor as well so multi-factor again i can't say this enough users are bad multi-factor is good so the the final part here is is the security worth it right you know we have to think sanely about security what is within your realm of control what are you willing to risk right are you worried about ninjas beating you up in the street probably not if a ninja approached me in the street i'm done but i'm not you know that's not an active part of my mental threat model in everyday life

snakes are a common fear for a lot of people snakes on a plane maybe even for some but how many people are afraid of cars right what is more likely to injure you a snake or a car so think about these kinds of things you know where your fears are set where your threat model is based and then avoid going down these dark alleys if i know there's ninjas and snakes down this alley i'm not going to go there should i allow my users to click links that get sent to them should i allow them to install their own software choose in your model what level of trust you want to have what capabilities you

give to your users and the the final part here is you know think more broadly right i'm not so focused on one specific type of snake that i'm going to miss everything else reptiles in general let me just focus on what do i do if i get poisoned right seems like a fair response have these broader scenarios these broader playbooks incorporated in your threat model so that way you can understand and you're not lost down the weeds too much and all this is great right we come to this conference we learn all this this is all just wonderful theory none of it means anything in cyber security unless we actually do something with it each of these areas that i've talked

about could use their own deep dive you know portions every slide here could probably be its own talk as you go down these rabbit holes especially with miter attack and defend so i'm going pretty quick so i want to take some time after this and kind of poke around attack and defend show you what that looks like and i strongly encourage you to do the same these are open source projects they are free tools to use save them show them to your leadership show them to your team and then we can all start speaking the same language and then additionally as you're thinking about this and it's one of those things once you see it you can't unsee it

you'll start thinking about personal threat models in your personal life and your personal security and then that's where you start building those memories and bring those to your corporate security atomic habits aggregation of marginal gains again what are your small things you can do that can have big impacts preda principle focus on the vital few make those changes iterate make those changes iterate do what works and by the end you've got all these different security measures encompassing broad spectrums of different ways to prevent you from being infiltrated defense in depth is a goal but you have to start somewhere that somewhere of course is users and remember you're not alone on this journey right we're all here at b-sides

we're all friends so next year i want to see someone up here diving into one of these techniques come give a talk at b-sides it's not scary i promise you but get involved get to meetups understand what the industry is doing subscribe to newsletters follow different youtube channels see what's going on there so that way you can stay fluent with it because we're all in this together i would say 65 percent of the world is in this together as we navigate these cyber security roads there's a lot of good information out there final tldr threat modeling really simple x poses a risk to y so i'm going to do z at the highest level it's your choice on how

deep you want to get into that play around with attack and defend and then prioritize your biggest bang for your buck you've heard me harboring credential hardening but then you dive into these matrixes and got plenty of time to do that here so let's go ahead and jump over to that so if i go to the mitre defense site this is it as i said defend.miter.org all these nodes are active these are different areas that we can jump in so you've heard me harping on credential hardening let's just click credential hardening these are those things that we were just talking about all the different sub techniques by activating credential hardening these are all the different

artifacts that we're going to be able to start securing so you can dive down into each of those ones and hey look here's all the related attack techniques that we now have coverage for so if we want to jump around and poke around with some of these we definitely can do that if we look at credential accessing os credential dumping we can search these up os credential dumping i will add this is constantly under work from the team at mitre so as they're rolling out new features read their release notes maybe that link was supposed to work and it didn't i don't know but i could jump over here to credential hardening and that gives me a lot of these inferred

relationships that we were just talking about look at all this stuff that comes in what an os credential hardening or os credential dumping attack can do the different artifacts that that level of effort can hit so again strongly strongly encourage go through these poke around there's a lot to see here multi-factor authentication these were the screenshots that i was showing earlier the attack website attack.mitre.org same thing we've got all this ridiculous amount of information here so if we wanted to dive into those credentials from password stores here it is oh hey look here's that agent tesla that we were just talking about here's all the references to different papers here's the reference paper from fortinet

of that group out of nigeria and attack matrices that they used so all that information is linkable through that attack framework you're able to dive into it and explore it around so again strongly strongly encourage that dive deep into these these tools are phenomenal so keep that one at a tight 30 we don't need to go the whole 45 but thank you for the time hopefully you learned something if anyone has questions i will try my best to answer them thank you