
All right, so we've got about a minute before we're gonna start. You guys are stuck with me for the next 50 minutes. Hi everyone, just want to get a kind of a quick survey of the room so I know kind of my audience a little bit. So, any students in the audience? Oh, all industry, all right, cool. Any mil... military? Cool, it's all industry, all right, sweet. Well, I can go ahead and get started.

So, welcome to my talk, everyone. My name is Turtle Ibeolu, talk here: Threat Modeling 101, or Why You Shouldn't Worry About Bears in Fiji. I swear they didn't put me after him on purpose, after he just talked about threat modeling and ATT&CK, but we talk about threat modeling a lot in the industry but then don't actually talk about how to do it, and so I want to focus a little bit on that.

So, a little bit about me also: I was in the military for about eight years. In the Air Force we have a very, very certain way of how we do our talks. How my old boss used to tell me is that: tell me what you're going to tell me, then tell it to me, then at the end tell me what you told me, just to make sure I paid attention. So here we go, I'm going to tell you what I'm going to tell you. So I'm going to talk a little bit about who I am. I'm going to start off with a little bit about common taxonomy. So what do I mean by common taxonomy? When we say things in the industry we oftentimes say the same words and often mean different things, so I'm going to level-set in the beginning just to make sure that we have certain definitions and that we're all on the same page as to what we're talking about. Then we're going to go into threat modeling, and then we're going to actually do a fun little exercise where we're going to threat model: we're going to plan for an island vacation. Then once we do that it's like, great, that's awesome, so how is that relevant to what I do? For ATT&CK, how do I define my enterprise with this, you know, threat modeling concept? Well, we're going to go a bit into MITRE ATT&CK, which we thankfully already did before, if you're watching the talk, and we're going to talk a little bit about five questions that you should ask yourself when you're going to build a threat model for your environment. And once you've got your threat model, okay, now what? What do I do with this thing? Well, we can talk a little bit about how you can use your threat model to
prioritize vulnerability management, patch management, and talk about how you can use your threat model to improve your logging and analytics, how you can use it to drive budget, training and exercises, and how to do that mythical purple teaming stuff that everyone's talking about, which is pretty awesome really. And we'll talk about questions.

So, a little bit about me. Yes, that's me right there, that adorable little thing in the blue jet... no, I'm just kidding, that's my daughter, I'm in the back there. I graduated the Air Force Academy in 2010. I did some cyber warfare stuff for the Air Force for eight years; last assignment was a mission planner, fire support planner. I was with 105 CMT, it's the combat cyber mission teams. I was over at NSA Georgia for about three and a half years. After that, once I got sick of being in the military and decided to go civilian, I went to the Chertoff Group, which was founded by former Secretary of Homeland Security Michael Chertoff. I was there for about three and a half years, where I was doing purple teaming; I learned a lot about risk assessments and doing risk management, and then a lot about threat modeling. And currently I'm Senior Director at Stride Consulting; we do IT and OT cyber security services over there. This is also my first time as a speaker, and first time out of
BSides, so woohoo. Thank you, thank you.

Okay, so, common taxonomy. Like I mentioned before, there are four different definitions, terms, that we often use and we oftentimes mix up in the industry: threat, vulnerability, impact and risk. All of these are interconnected, and we often sometimes make some of these things up, so I went with Merriam-Webster definitions for a lot of these, so if they suck, blame the dictionary, but I'm going to try and put them into context.

So in this case: threat, a person, being or group that threatens; something that is threatening harm. Vulnerability: open to attack or damage. Notice with vulnerability we're not necessarily talking about CVEs, we're not talking about a code vulnerability. I mean, if you have telnet open to the wide-open internet, that's not a bug, that's a feature, but you would still call that a vulnerability. It's not something that you would want, so configuration is included there as well. Impact: the force or impression of one thing on another, a significant or major effect. This is the thing that we as cyber security professionals often have a hard time explaining to business executives. It's the "so what" factor: so what if this vulnerability gets exploited? So what if ransomware actors are on the rise, what does that have to do with me? And that's one of the important parts. And then risk: that's the possibility of loss or injury.

Now how do all these things come together? Threat, vulnerability, impact equals risk. How you measure your risk, how you can quantify your risk, is taking those three things and putting them together. It's pseudo-mathematical; you can quantify it in a number of different ways, you can put ordinal levels on each of those, high, medium, low, vary them out however you like, but these three things all come together to give you your system or enterprise risk, or your device risk. You can expand it as wide as you want and you can go down to as granular a level as you want. So now that we're all on the same page,
let's talk a little bit about threat modeling, because we talk about it in the industry all the time but I don't see a lot of people doing it. And it's often not an issue of it's a lot of work or there's a lot of different ways; it's mostly people don't have an idea of how they should, again, go about doing this.

Now, as a military planner, one of the easiest things that we would have to go in with when we would do a plan: the boss would always ask you, what's my adversary's, what's the bad guy's most likely course of action and most dangerous course of action? Because that's all I can care about, I don't have the bandwidth to take into account anything else. So that was my first start, my first way of doing it, but then I thought there's an even more instinctual way that we all do threat modeling all the time.

So if you go out, you're on your commute and you get into your car, you're driving in, you're in this big metal box that's moving at 60 miles per hour, and there are other people moving in big metal boxes at 60 miles per hour. These are threats to your being. You're a soft, squishy being that is liable to Newton's first law of physics: an object in motion stays in motion. So suddenly someone crashes into you, you go flying, because you're still moving at that same speed. So what do you do, how do you mitigate that threat? You put on a seat belt. Everyone goes ahead, puts on seat belts, a safety control. Your cars have airbags that other people have thought of.

What about COVID-19? It's a global pandemic, we're still living under it for the most part. How do we deal with the global pandemic, what mitigations, what safety controls can we put in place? Well, we can wear masks. Can I just stop for a second and just mention, man, that is a creepy stock photo of people with masks. I mean, they're looking straight into your soul, and it looks like the scene out of Inception where, you know, all the dream NPCs suddenly stop and stare at you because you did something that was not aligned with the dream. It just makes me wonder what the photographer did to piss all of them off.

That's another threat: the cops. And that's for everyone, because no one wants to be stopped on the road, because I mean no cop is just going to come by and just be like, "Hey, how's your day going? You doing all right? I mean, it's rough out there, you doing good? No? All right man, just take care of it, be easy, have a good day." No. So what are we gonna do? Well, we're gonna, you know, try and hide, avoid, distract if we can, and then record everything that we can when we're engaging. And then if you're Batman... well, there he's afraid of the Girl Scouts. Girl Scouts knocking on my door, I don't have any cash. So if you're Batman, what do you do? You don't open the door. All right, that's correct, Marlon. Questions? And... all right, thanks. No, I'm just kidding.

So now that we have an understanding that we do threat modeling every day, every time we step out the door, every time we engage in something: if we're gonna go skiing we put on a helmet, if we go surfing we strap ourselves to the surfboard so it doesn't hit us in the head. We do this all the time. So taking that into account, let's plan a trip to Fiji, the mythical vacation island. What are some things, shout out, what are some things you need to worry about when you go on an island vacation? Anyway... sunburn, yes, called it, that's definitely one of the first ones. So what's one of the things that you can do to help prevent that? Identification? Yeah, I guess that's one way. So you can just put on some sunscreen, by the way, if anyone gets that reference
... that's, this is your midday reminder to take your ibuprofen for your back pain; it's from RoboCop, 1980-something. What are some other things that we need to worry about on an island vacation?

That may be one thing, usually because of maybe bugs, mosquitoes. Mosquitoes carry... in the before times, before COVID, we used to worry about all sorts of mosquito-borne diseases like Zika, anyone remember Zika, or West Nile. Those are some things. So what do you do to prevent mosquito bites? Bug spray, there we go. Some other things that we need to worry about while we're there: some people may get seasick, you get to an island, go hop on a boat, or maybe you're flying in there, motion sickness. What are some things you can take to prevent motion sickness? Ginger root; you can also take Dramamine.
Now what's one thing you don't have to worry about if you're in Fiji? Or, there's a lot of things that you don't have to worry about in Fiji, and one of those things is bears. Well, maybe not that bear, that bear will probably definitely be over there, but these bears, these bears you definitely don't have to worry about while you're in Fiji.

Now this makes sense to us on a common-sense level in the physical realm, but why is it that when we start to go into the logical realm, finally bringing it back to cyber security, that we start to accept a lot of these threat intelligence reports, etc., and we're looking at everything, and suddenly, if I'm not in government or security or one of these targets, why do I care about Fancy Bear, APT28? If I work in, let's say, the electrical grid, or if I work as a fashion company's CISO, why do I care about Fancy Bear? The answer is, I don't. And that's part of the things that we need to consider, because right now a lot of how we design security is more focused on vulnerability and less on threat behavior, and looking at a lot of the different threats that are out there, because there's a great multitude of them, we oftentimes get overwhelmed by the endless possibilities of what we need to be protecting against. So we go and we try and get threat intelligence, buy threat intelligence reports, to come in and populate our SIEMs with IOCs, oftentimes with a lot of data that's not relevant to us, and so we have our devices spinning on countless cycles looking for techniques that they're never going to see. But we sit and think, oh yeah, we're all good, we're all good if Fancy Bear suddenly decides to, you know, target my small fashion company in New York City. So now we just spent how long doing this? Yes.

So what's the point in getting into that? It's trying to get that idea of bringing that common-sense mentality into how we model for our own organizations. It's to use tools like MITRE ATT&CK, which I'm going to go into, and thankfully I don't have to actually go about explaining ATT&CK if anyone's been in the previous talk. We can use that to model threats that are relevant but also likely, and start taking that very, very wide list of the possible and narrowing it down to the probable, and focusing there.

So what is ATT&CK? If you sat in the last talk, ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge. It was created by the MITRE Corporation, which is one of the largest federally funded research and development centers in the United States. It is an open source framework that allows you to abstract out adversarial tactics, techniques and procedures. I won't go fully into the use of ATT&CK, there's lots of open source tools that are available there, but one of the best parts about ATT&CK is that it is a great starting point for being able to identify threat actors, because there is a large list of threat actors. There's other sources, great sources of threat actor data; Malpedia is a great one if you can get an invite into it. There are other open source threat intelligence platforms to be able to pull data from, but ATT&CK is probably one of the best starting points, and the reason for that being the best starting point is the Navigator. The Navigator allows you to take those groups and visually, immediately, put up a list of tactics and techniques that are specific to those groups. So it's a great place to start off and say, okay, I want to look for organizations that target hospitals, I want to look for an organization that targets consumer packaged goods, I want to find groups that have targeted aerospace and defense before. And it's literally just go to the Groups page, hit Ctrl-F, and start looking through the descriptions of groups that have targeted that before, and then move from there.

So in that vein, if you're looking to build a threat
model for yourself, there are five questions I've found that are really important or valuable in building that threat model. The first is, again, what business am I in? That's where we started off: what do I do, how does that make me valuable to different groups? Now in some cases there's groups like ransomware; ransomware is ubiquitous, they don't care what business you're in, they only care that they can get in, that they can compromise, that they can then encrypt and then demand their ransom. They care about getting paid. But there are other organizations that have very specific geopolitical affiliations, that only target specific organizations, and understanding your own business and how that can lead different groups to you is the first step.

So, what adversaries are interested in me? Then, what TTPs have they used in the past, what tactics, techniques and procedures? Once you have an idea of that, you can start taking that huge ATT&CK framework there and start narrowing it down into something that's feasible, because the idea is not to get coverage across the entire framework. Number one, that's going to be impossible; there's going to be too much telemetry for you to try and ingest, even in a small organization, and it's going to provide a lot of false positives, it's going to put yourselves under a lot of strain for things that may not even be relevant to your organization. And then once you have an idea of what those TTPs are, the next question to ask is, well, I paid a lot of money for my SIEM, I'm paying a lot of money monthly for my EDR, I'm paying a lot of money for these email gateways and things like that: are my controls actually working, are they actually doing what they are supposed to be doing for the TTPs that I'm worried about, that I'm concerned about? And then if I have that cross-mapping, then I can say, well, have I actually tested that, have I actually done something to be able to prove that that's actually the case?

So let's start off and build a threat model. In this case
I decided not to go with ransomware. I decided, since I'm working right now in the OT industry, in the OT environment, let's pretend for a second that you work for an electrical company. You're providing power to, say, I don't know, let's pick Florida, let's pick Gainesville. In Gainesville, Florida, you're providing electricity to the people of Gainesville. So you are trying to build a threat model for yourself and you are interested in what TTPs have been known to be used by adversaries that have targeted electrical grids or organizations in the past. We can take the list of different OT and SCADA compromises that we know of, that's on the left side here, and then we start filtering that down to energy and power, control center, and also power sector, and also geopolitical considerations, like, okay, if they've only targeted power centers in Iran, that's not really going to bother me while I'm in Gainesville, is it? So while the techniques may be useful to have, is it relevant, is it likely? Then we narrow that down, and once we've narrowed that down we can use tools like Navigator to take the relevant TTPs and narrow it down and say, okay, here's what was once a gigantic thing that I had to worry about; now maybe not so tiny, but also not so huge either. So it starts to become more manageable.

Once you've done that, then you can start focusing on those things that are more critical, and criticality is a touchy subject depending on what organization, what methodology, etc. that you use, but I like to focus on two different things. There was one great talk done at ATT&CKcon 2019 by Travis Smith, it's called the TEACH method, I have the links and stuff in the slides which are going to go out, but it basically looks at the difficulty of executing a technique. The TEACH method talks about whether it's trivial, whether it's easy, whether it requires external C2, whether it's really hard to do, and the idea there being that humans are lazy by nature. If I can do something with a Metasploit module or with a single line on the command line, as opposed to having to write my own PoC for something, it's buggy, it may not necessarily be tested, I'm going to use the Metasploit module, I'm going to use the TTPs that have stable code, I'm going to use the ones that are viable before I go and design my own exploit for something. And so you can start narrowing those TTPs down from, okay, this is something that's very trivial to execute so I will probably see that more often, or, hey, there's Metasploit modules for this vulnerability and it's within my threat model, these guys have done something like this before, this is something I need to focus on. And you can start picking out those different TTPs that are critical to you.

I'm going to pause right here just to say, so far, does anyone have any questions? Sure.
I'm using those terms interchangeably, so a threat actor is just someone who is looking to cause threatened harm to you.
So I choose to model from a threat perspective rather than an asset perspective, mostly because, from an asset protection perspective, the idea is to first have an understanding of all the assets that you have in place, and many organizations that I would go to simply do not. And so by focusing on the threat actors and the TTPs that they've engaged in in the past, you can begin to identify different paths of movement through your environment. Now, as a whole, what I would like to see in an organization is if there is good asset management, if there is a good understanding, if there is a business impact analysis. That would be the holy grail there, for me to be able to go into an organization and say, hey, you have a business impact analysis, I know which devices within your organization have an RTO of four hours or less, because if it's down for that much longer you start to bleed money, or if you're in the OT sector, if this machine goes down, this PLC, this RTU goes down, things can start going boom, or power doesn't go out to a lot of organizations. Having that is not contrary to the other one; they're complementary, so having one does not necessarily preclude you from having the other. They in fact go together, because that asset protection aspect plays more along the impact and the vulnerability perspectives of the whole risk equation: you've got threat, you've got vulnerability and you've got impact. The reason why I focus on threat in this case is not because it's greater than the others, or that you can't do all three of them, you should be, but as human nature, as a sort of common-sense way of how we go about modeling threats in real life, we can take that and apply it very effectively in how we plan our security controls in a logical environment. Does that make sense?
From my experience, yes. Any other questions? Okay.

"So I'll try not to repeat my last question. I guess what I'm hearing is, but I get, you know, that the framework's like open source, but what prevents someone from just putting something in, trying to add some garbage, and like there has to be some kind of... that joke of propagating, obviously, someone just makes some crap."

Sure. So, yeah, so the MITRE organization, they do have people that vet things that go in. So while I said that you can go in and say you want to put in a new group, let's say you want to put in a new group to the framework, there needs to be some sort of evidence to show that that group has existed, or some sort of report, something to tie back to, to say there's a group that is exploiting, these are their TTPs that they've exploited in the past, if that data is available, these are the organizations they've targeted. And you can't just send that up and then not provide any evidence, because then it just won't be accepted. Much in a similar vein, there's a lot of cases, as was mentioned before, particularly in techniques, this is where you often see it the most, where you will have pen testers engage in many techniques that are not novel, that have been around for a while, but because we haven't seen threat actors actually using them in the wild, using them to actually compromise an organization and either extract payment or steal data or do some other form of impact, it's not added. There's no evidence to show that; not to say that it doesn't exist.

Okay, so now that we've built our threat model, now we have our threat model available to us. Now what? What do we do with this thing? This looks like a little Excel spreadsheet; how do I use this to be able to do something to improve my organization? So there are four things that I mentioned before: prioritizing vulnerabilities or improving your patch management,
improving logging and analytics, driving budget for training, exercises, making purchases, and purple teaming, which is really just an amalgamation of red and blue teaming.

So how does this help patch management? Patch and vulnerability management is one of the things that IT management tends to struggle with a lot. It's a matter of, okay, I've got 10 of these vulnerabilities that have a CVSS score of 9.8, and then I've got about 100 others right behind it, and how do I prioritize my downtime windows to be able to focus on what is most important? How do I even decide what is most important? Because oftentimes the CVSS score just doesn't cut it. And using the threat model, you can go ahead and identify, hey, these devices that are boundary devices, that fall within the TTPs that have been used for initial access by my threat actors, so to say, External Remote Services: these threat actors have done procedures that have involved using Log4j to be able to get into an environment, these organizations that have targeted me have used Spring4Shell in other organizations, and we have that at the top of the priority. And oh, by the way, it's, you know, 9.8 and it's unauthenticated RCE and all this bad juju, and it's on the outside of my network. You can use this as a method to prioritize those functions, to be able to say this sits higher on my stack of things that I need to focus on as opposed to not. Which, by the way, there are also other aspects that are involved in that if you guys are using patch and vulnerability management tools. MITRE also, by the way, created the CVSS score as well originally, and they've also added additional functions onto that that's called the temporal score. If you guys don't know, the temporal score is basically, yes, this is a bad vulnerability, but oh, by the way, there's also stable PoC code on Exploit-DB to actually exploit this vulnerability, so you can see a temporal aspect of it. So that gives you your vulnerability and your likelihood of exploitation. So that, combined with it being on your threat model, gives you really good indicators to be able to say yes, I really need to prioritize this.

So how does this help with logging? How do we use this threat model to focus on logging? Well, if we take the TTPs that fall within our threat model, if you go down to the MITRE page, if you're clicking down and engaging further, what you're going to start to see is, in the Detection section, there's something called data sources.
Those data sources are a sort of object-oriented model to focus on what are the individual things I need to be logging and collecting on if I am going to detect this TTP. So for instance, in this case, process injection. Process injection is a very common technique that can be used for privilege escalation, that can be used to bypass application whitelisting, can be used for a ton of different things. What are some of the ways that you can detect it? Now most of the time you're hoping that your EDR is going to be looking for this, but that may not necessarily be the case; your EDR may not necessarily be pulling those logs. So you need to be able to ask the question: are we monitoring for DLL/PE file events, are we looking for OS API execution, are we looking for process access? Hopefully you have a team that you can access, that you can ask this to, or maybe an MSSP, if you're hopefully dealing with that, but most of the time it may just be, you know, the one guy whose side job it is to every now and then look at the SIEM. But there are other tools that are also involved that can help demystify this. There's a great program, not program but project, called OSSEM, that actually takes these data sources and ties them directly to Windows event logs. So you can go through and say, oh, OS API execution, go down to OSSEM and say, oh, that's Windows event ID 4892, and then head back to the poor one guy who's dealing with the SIEM and say, are we taking our Windows event logs and are we forwarding them to the SIEM, and are we actually getting this particular event ID? Hopefully the answer is yes, but if not it gives you an opportunity to then fix that. And then additionally there's a great talk given by a colleague of mine back in 2019, golf sponsor, where he talked about how you can improve on pulling logs. This allows you to look at data sources; because you're looking at it from a data source perspective, this forces you to identify who your log creators are versus who your log consumers are, so that you avoid this kind of spaghetti ball of pain situation and come out to something that may be a little more easy to manage and flow with. If you haven't listened to the talk, highly recommend you go ahead, look it up, I believe it's on YouTube, you can just pull it up from any of the old Black Hat talks.

And then, yeah, you mean I can ask for more money? Yes, yes you can, you can ask for more budget, and you can use the threat model to drive that. When you have the threat model and you can identify when data sources aren't being collected, you can use the threat model to point out, hey, these are the things that we can't collect because we don't have the tooling for them, so you can ask for more tooling. Or, these are some of the controls, like network segmentation, that help mitigate some of these techniques, and that falls within our threat model; you can use that as evidence to drive for a network restructure program or segmentation project, specifically for high-value areas. You can use it to drive for MFA
implementation, if the organization has been dragging their feet on doing that. For training: if you have a SIEM and it's kind of sitting as shelfware right now because there's not enough people to be able to run the analytics or to pull the logs, you can use the threat model as a tool to say, hey look, we're collecting the data sources but we don't know how to use our tool well enough to get the analytics we need out of it. You can drive for the training to get on that, to get the certifications, or to do those internal development projects to be able to pull and parse data. And you can use it for tabletop exercises, for backup exercises, to be able to say, are we really prepared for ransomware? We're looking for all these things; when was the last time we actually ran our backups, when was the last time we actually checked the integrity of them? Because it falls within our threat model here and it's something we need to worry about. And of course you can also use it for pen testing, red teaming, which kind of bleeds immediately into purple teaming.

So I don't really need to go into purple teaming since we talked a little bit about it in the last talk, but to basically sum it up, purple teaming is designed to enhance information sharing. It's the goal, what we were always promised in pen testing and red teaming: it's the idea that pen testing and red teaming inform the blue team and actually improve security. That's what the job of red teaming and pen testing should have always been, but sometimes we need that marriage counselor in between to get them to talk to each other and get that information. And threat modeling allows you to focus on those techniques, so that if LLMNR and password spraying are not in your threat model but the pen testers are coming in and doing that on an annual basis and you haven't been able to fix that, that's an opportunity for you to turn around and say, you know what, can we align on some more realistic threats that we're going to be expecting, that are going to be in our environment? It gives you that opportunity to have that conversation.
So we're a little bit early, but coming down to the end now. As I said, I was going to tell you what I was going to tell you, I was going to tell it to you, then I'm going to tell you what I told you. We talked about me, we talked about common taxonomy, talked a little bit about threat modeling and our island vacation, how do we use this for our enterprise, and what is it useful for. With that, any questions? Sure.

"How do you deal with situations where they think they've done a threat model but it's so out of line with the actual risks or threats that they should be facing? So like, if they're looking at their threat model for, like, crazy APT28, but really they should be concerned about this, how would you have the discussions, just to make sure?"

So, yes, so the question was: how do you deal with a situation where you come across an organization that says they have done threat modeling, but when you look at the threat model, the threats are not relevant or likely, and how do you engage in that conversation, you know, in a savvy way, to be able to direct the energy more towards the more relevant and likely threats? Which is a great question. One of the things that I like to focus on,
so I focus on two different aspects, and one is the relevancy aspect, the other is the timeliness or likelihood aspect. I've come across some organizations that have a threat model for a group like, say... I'm gonna blank on one that is not in existence anymore, but let's say, I believe REvil closed up shop, but let's use something older. We can use one of the original APT groups. If you look at APT, I believe there's 32, one of the APT groups, if you go and look at any of the recent threat intelligence that's available there, you go to a page, you go to look at that group, it'll show the dates of when that threat intelligence was posted, and some of those groups that are still on ATT&CK, for instance, they haven't been active since 2012, but yet those groups are on the threat model. That's when you can turn around and say, well, okay, you know, eight years in our environment, that's like a lifetime. It's very much likely that a lot of these techniques are not only no longer effective, but also that the group itself has probably disbanded and moved on to other projects or into other teams. But if we're not seeing any relevant activity, and you can set whatever date you want for that, I usually use two years as my max limit if I'm going to build a threat model for an organization, and if I don't see any reports that show up within a two-, sometimes three-year time period, for my intents and purposes I'm going to focus on other groups, because there are a lot of organizations and the cross-mapping of TTPs for those groups often becomes pretty wide. So we want to make sure that we're not testing the whole ocean, so we focus on those that are timely.

And then the other case is the relevancy, in which case identifying those groups and pointing back to the reports to show, look, this is the organization that targeted this, these are the business objectives of that organization; your business objectives and their business objectives don't align. And by being able to point that out you can say, because there's a very human psychological aspect, every team has a particular mission that they're focused on and they don't often deviate from that. The only exception to that rule, always, is ransomware, because they don't care about who they're targeting, they're in it for the money. They're not in it for intelligence or creating an impact, they're in it for money, so they're going to target everyone. So that makes it easy, because ransomware is involved in every threat model that you're going to build, but that also makes it a little more difficult because it expands the number of techniques that you have to go through.

So, great question. So again, the focus is on the relevancy, being able to match those business objectives and to show when they diverge, and also the timeliness of the intelligence data, to be able to say, if this group hasn't been active in the last three years then it's probably not worth putting on your threat model. Any other questions? Well, thanks everyone, appreciate it.
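The group-filtering and TEACH-style prioritization the speaker walks through for the Gainesville electric utility (filter groups by sector, region and recency, union their TTPs, then rank by how easy each technique is to execute and how many in-scope groups use it, and load the result into Navigator), as an added worked example that is not part of the talk and not MITRE's code. The group records, the group-to-technique "uses" relationships and the per-technique difficulty labels are all constructed for illustration; only the technique IDs are real ATT&CK IDs, and the Navigator layer field names are assumed from the v4 layer format. In the real enterprise-attack STIX bundle the sector and region information sits in each intrusion-set's free-text description, which is why the talk suggests Ctrl-F on the Groups page; here it is split into explicit fields so the filter is visible.

```python
"""Sector-scoped threat model builder (added example, constructed data)."""
import json

# Constructed stand-ins for ATT&CK intrusion-set objects. "*" marks an
# opportunistic group (ransomware) that targets any sector / any region.
GROUPS = [
    {"id": "G-A", "name": "Constructed Group A", "sectors": ["energy"],
     "regions": ["US", "EU"], "last_reported": 2021},
    {"id": "G-B", "name": "Constructed Group B", "sectors": ["energy"],
     "regions": ["IR"], "last_reported": 2021},
    {"id": "G-C", "name": "Constructed Group C", "sectors": ["energy"],
     "regions": ["US"], "last_reported": 2012},
    {"id": "G-D", "name": "Constructed ransomware crew", "sectors": ["*"],
     "regions": ["*"], "last_reported": 2022},
    {"id": "G-E", "name": "Constructed Group E", "sectors": ["retail"],
     "regions": ["US"], "last_reported": 2022},
]

# Constructed 'uses' relationships: group id -> ATT&CK technique IDs.
# The technique IDs are real; which group uses which is made up.
USES = {
    "G-A": ["T1190", "T1133", "T1078", "T1055", "T1021"],
    "G-B": ["T1566", "T1078", "T1055"],
    "G-C": ["T1566", "T1021"],
    "G-D": ["T1190", "T1566", "T1078", "T1486", "T1055"],
    "G-E": ["T1566", "T1110.003", "T1557.001"],
}

# TEACH-style execution difficulty, assumed per technique for this example
# (the real TEACH method derives these from its own criteria).
DIFFICULTY = {"T1078": "trivial", "T1133": "trivial", "T1566": "trivial",
              "T1110.003": "trivial", "T1190": "easy", "T1055": "easy",
              "T1021": "easy", "T1486": "easy", "T1557.001": "easy"}
DIFFICULTY_ORDER = {"trivial": 0, "easy": 1, "external_c2": 2, "hard": 3}


def select_groups(groups, sector, region, current_year, max_age=2):
    """Keep groups that target our sector and region (or are opportunistic)
    and have been reported within the last max_age years (the talk's
    two-year cutoff); everything else is a bear in Fiji."""
    chosen = []
    for g in groups:
        in_sector = "*" in g["sectors"] or sector in g["sectors"]
        in_region = "*" in g["regions"] or region in g["regions"]
        recent = current_year - g["last_reported"] <= max_age
        if in_sector and in_region and recent:
            chosen.append(g["id"])
    return chosen


def technique_frequency(uses, group_ids):
    """Count how many in-scope groups use each technique."""
    freq = {}
    for gid in group_ids:
        for tid in uses.get(gid, []):
            freq[tid] = freq.get(tid, 0) + 1
    return freq


def navigator_layer(name, freq):
    """Minimal ATT&CK Navigator layer (v4 layer format; field names assumed)
    with the in-scope group count as each technique's score."""
    return {
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} in-scope group(s)"}
            for tid, n in sorted(freq.items())
        ],
    }


def prioritize(freq, difficulty):
    """Rank techniques: easiest to execute first, then most widely used,
    then by ID for a stable order. Unknown difficulty is treated as hard."""
    return sorted(freq, key=lambda t: (DIFFICULTY_ORDER[difficulty.get(t, "hard")],
                                       -freq[t], t))


if __name__ == "__main__":
    scope = select_groups(GROUPS, "energy", "US", current_year=2022)
    freq = technique_frequency(USES, scope)
    print("in-scope groups:", scope)
    print("priority:", prioritize(freq, DIFFICULTY))
    print(json.dumps(navigator_layer("Gainesville electric utility", freq), indent=1))
```

With the constructed data the Iranian-focused group, the group last seen in 2012 and the retail-focused group all drop out, leaving one sector-specific actor plus the ransomware crew; trivially executed techniques used by both (Valid Accounts) land at the top of the list, ahead of techniques that only one of them uses. Swap `GROUPS` and `USES` for objects parsed from the real STIX bundle and the rest of the pipeline is unchanged.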
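The logging chain the speaker describes for process injection (technique, then its ATT&CK data components, then the OSSEM mapping to concrete Windows and Sysmon events, then the question to the SIEM owner of whether those events are actually being forwarded), as an added example that is not part of the talk and not ATT&CK's or OSSEM's own code. Both mapping tables are constructed subsets of what those projects publish, not the full data; the event IDs themselves (Security 4624 logon, Security 4688 process creation, Sysmon 1 process create, 3 network connection, 7 image load, 10 process access) are the standard ones, and the set of events "collected" is made up to show a gap.

```python
"""Data-source coverage check for a threat model (added example)."""

# Constructed subset of ATT&CK detection data components per technique.
TECHNIQUE_COMPONENTS = {
    "T1055": ["Process: OS API Execution", "Process: Process Access",
              "Module: Module Load"],
    "T1078": ["Logon Session: Logon Session Creation"],
    "T1021": ["Logon Session: Logon Session Creation",
              "Network Traffic: Network Connection Creation"],
    "T1190": ["Network Traffic: Network Traffic Content",
              "Application Log: Application Log Content"],
}

# OSSEM-style mapping from data component to (log source, event id).
# An empty list means no native Windows/Sysmon event carries this data:
# it needs EDR/ETW telemetry, a network sensor or application logs instead.
COMPONENT_EVENTS = {
    "Process: Process Access": [("Sysmon", 10)],
    "Module: Module Load": [("Sysmon", 7)],
    "Process: OS API Execution": [],
    "Logon Session: Logon Session Creation": [("Security", 4624)],
    "Network Traffic: Network Connection Creation": [("Sysmon", 3)],
    "Network Traffic: Network Traffic Content": [],
    "Application Log: Application Log Content": [],
}


def coverage_report(model_techniques, collected):
    """For each technique in the model, split its data components into
    covered (a required event is being collected), missing (a known event
    exists but is not collected) and no_native_event (needs other tooling)."""
    report = {}
    for tid in model_techniques:
        entry = {"covered": [], "missing": {}, "no_native_event": []}
        for comp in TECHNIQUE_COMPONENTS.get(tid, []):
            events = COMPONENT_EVENTS.get(comp, [])
            if not events:
                entry["no_native_event"].append(comp)
            elif any(ev in collected for ev in events):
                entry["covered"].append(comp)
            else:
                entry["missing"][comp] = events
        report[tid] = entry
    return report


def detectable(report, tid):
    """A technique counts as detectable from host logs only if every data
    component that has a native event is actually collected and at least
    one component is covered at all."""
    e = report[tid]
    return not e["missing"] and bool(e["covered"])


def missing_events(report):
    """Flat set of (source, event id) pairs to ask the SIEM owner to forward."""
    return {ev for e in report.values() for evs in e["missing"].values() for ev in evs}


if __name__ == "__main__":
    # Constructed: what this SIEM is actually receiving today.
    collected = {("Security", 4624), ("Security", 4688), ("Sysmon", 1)}
    report = coverage_report(["T1055", "T1078", "T1021", "T1190"], collected)
    for tid, entry in report.items():
        print(tid, "detectable" if detectable(report, tid) else "GAP", entry)
    print("ask the SIEM owner for:", sorted(missing_events(report)))
```

The output is the conversation the talk describes: logon events are already flowing, so Valid Accounts is covered, but process injection is a gap on two fronts, Sysmon 7 and 10 exist and are not forwarded (a configuration fix), while OS API execution has no native event at all (a tooling or budget ask, which is where the EDR comes in). Feeding in the technique list from your own threat model instead of the four here is the only change needed.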