
BSides Iowa 2018: "Threat Modeling in practice"

BSides Iowa · 51:07 · 96 views · Published 2018-04
About this talk
BSides Iowa 2018 - Track 2. Speaker: Ben Schmitt. What the hell is immutable architecture and why does it matter? In cloud environments, it means treating your servers like cattle, not like pets. You deploy them and you don’t touch them until it is time for new ones. You knock them over, spawn new ones and since all of this is load balanced and your services are stateless, you get fresh servers without downtime. What’s more… if you monitor them, any interactive use is rogue. Let’s discuss this in practice and cover the benefits related to security. Of course, this is enabled through ruthless automation, and this means embracing Git, Python/Ruby/other and APIs is the new normal. If we can automate things, software can become a force multiplier and we can monitor things differently.

Okay, good afternoon. How was your lunch? Good? Cool. Thanks for being inside where it's warm. We're gonna be talking about threat modeling. My name is Ben Schmitt. I work at Dwolla here in town, so I lead their security team; we protect data and identities. One of the ways we do it is sometimes threat modeling. So we're gonna go through a model today that I started on SecDSM. I'm also on the board at SecDSM, so I kind of decomposed what SecDSM looks like, like a captain the CTF, what's going on. You're gonna see the server that it runs on, you're gonna see the environment that does our payment processing. We'll walk through how we can

decompose that and look at something called STRIDE, which is a Microsoft threat modeling process, if you will. So we'll put our hats on together and do some threat modeling. There's no, like, real good way to do this, meaning there's no, like, standard ironclad way. I've actually worked with ex-Microsofters and it's a different project and they had a different way of doing it too. So this is a flavor of STRIDE; you can roll your own. We'll talk about other ones as well. Gotta do a little pitch for Dwolla: we are hiring, engineering team and kind of across the board, so if you want to talk about that, find me afterwards, or business card and we'll chat. So

we're gonna talk about the what and why for threat modeling. We'll go through some methodologies; there's a bunch of them. The two leading ones, STRIDE and one called PASTA, which I don't know a ton about but it looks pretty neat, are the ones we'll touch on, mostly STRIDE. We have a diagram; it's a very simple decomposition of SecDSM and how you could spoof, tamper, etc. So that's where we'll do it live, if you will. And I love that Bill O'Reilly clip, if you guys have seen that, the Bill O'Reilly clip. If not, it's always good for a laugh. So I'm not gonna use the expletives, but we're gonna do it live. All right, I won't do it live. So why

does threat modeling matter? Well, our adversaries continue to innovate. They're constantly changing their game. So process hollowing is a good example, of taking code that's suspended, if you will, and the code behind it's replaced, and then you have the process running but it's no longer trusted. Side-channel attacks: Spectre, Meltdown. The good guys finally me not but it's a side-channel attack. Domain fronting, so you can obfuscate where you're coming from. Cryptojacking, which I think is stupid, and I don't want to just, whenever you say blockchain or machine learning you get kind of a snicker out of the group, so I had to do something to get a snicker out of the group. So that's

someone with Bitcoin. But cryptojacking I think is pretty much dumb, but if you can get someone's browser to run a miner and get some Monero or a Bitcoin on the side, which really doesn't work, you can do that. So our adversaries are screwing around; they're always doing new stuff. So we play defense, at least I think we all play defense here, so we have to do new stuff. We can't just sit on DMZs and patching and antivirus and super long passwords and patching cycles; like, that's just not enough anymore. So there's new practices I think are exciting, so you can be a defender and do cool stuff. So immutable infrastructure, architecture where you are constantly rolling your

environment to keep it fresh, reduce your attack surface and be able to monitor better. Deception technologies: I hate that term but I'm gonna use it anyways. This is honeypots are cool again. So a good example is every time you image a machine you could sprinkle honey tokens on it, like a PDF or an Excel spreadsheet called passwords.xlsx that's sitting on your disabled administrator's desktop. No one's gonna go there but an adversary; when they do, hopefully they set off a signal. Or putting honeypots in your environment, et cetera. Zero trust networking: this is really interesting. I used to kind of snicker a long time about the Jericho Forum, this is 10-15 years ago, showing my age, but they

started the concept that you should build something that should defend itself no matter what network it's on. That's a predecessor to zero trust networking. Now, you've heard of Google's BeyondCorp, or Duo has certain design patterns where you can put something in an untrusted network; it doesn't matter, strong authentication and a proxy will save you. Intelligence-driven incident response: if you get your IR plan out and you go do stuff the same time everywhere, are you really adapting? Are you learning from the incidents? Do you have that tracked as intelligence? You become faster and better at responding to whatever adversaries are doing. And then threat modeling. So of these five, the one I want to talk about

is threat modeling. So that's kind of the book. There's many other resources, but this is more or less the definitive book. So Adam Shostack from Microsoft wrote that book. I had a chance to meet him a couple months ago; a very interesting individual. So I want to talk about his methodology, book, and how it can apply to SecDSM. Cool. So what and why. So we're gonna get some of this definition stuff out of the way. So I like this definition from Brook Schoenfield from McAfee; he gave this at AppSec Cali 2018, which we'll talk about in a second: a technique to identify the attacks a system must resist and the defenses that will make the system or

bring it back to a desired defensive state. It's kind of long but it's clean. That's what we're gonna do today, is apply those techniques to find what it must resist and what defenses will bring it back. So what are, like, some benefits here of doing threat modeling? How is it different than scanning or careful design? Well, you can probably find your security bugs earlier, because this should be done on the front end. You don't write an application and then say, can you go design a threat model? Like, it's kind of late. So it should be done earlier. Understand your security requirements better. Engineer and deliver better solutions, and address issues other techniques will not. A static code analysis tool is not going to give

you a robust threat model. It'll tell you how your code's doing, but it's gonna miss other things. So what's the goal of a robust threat model? So if you have to preach this up to the board, what's the goal? Improve security design, drive testing, reduce cost. That's the value proposition if you're in a puffy chair: what does this stuff actually do? So there are methodologies out there. We're gonna talk about STRIDE today. STRIDE is an acronym we'll cover in a second: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privileges is what it stands for. There's also a correlating risk assessment called DREAD we'll touch on. PASTA is the other one, and I don't

remember what it stands for, I should, but it is another threat modeling approach. It's a little newer, but it's more risk-centric and it's evidence-based. And so I looked at a presentation, some other things; it's big, it's big and meaty. So we won't talk about PASTA a ton, but if you want to do research afterwards, I'd look at STRIDE and PASTA. OCTAVE is cool, but it's low risk us hasn't think Carnegie Mellon, who I respect a lot; CERT's from Carnegie Mellon, they know what they're doing. Trike is older; I don't really see it being used much, but Mozilla was big into Trike back in the day. And then VAST is another one; ThreatModeler.com, I'm

just kind of a threat model online service, has their own methodology that's simplified. But I think focusing on STRIDE's the best thing we should do today for our time. That's the one I know best, so that's kind of why STRIDE. Is there a template? And I think this is kind of a starting point that's difficult: how do you start doing this stuff? Because Adam's book is deep, and it has, like, it goes into cryptography, it goes into all kinds of things. So can you give me, like, a PDF or a template? And the simple answer is, well, they sort of exist, but not really. There's no real standards, publicly available content varies in

depth and applicability, and examples are hit-or-miss. So the hardest part is getting started. And at AppSec Cali, so I'm jumping ahead of myself, they posted their videos a month or two ago, and that was like the theme of the conference, was threat modeling. They talked about it a lot, had a panel. So I think you're gonna see more materials become available in the near future. And I had a lofty goal, I didn't get it done, of putting a template on GitHub, so I'll see if I can get that done too. But OWASP is doing a good job bringing people together. So Adam from STRIDE and the gentleman named Tony, Tony UV is what he goes by but I forgot his last name,

he's the PASTA guy, they've collaborated on some templates; they just haven't published them yet. So they're coming; don't let it be a barrier. So what is STRIDE? It's been around a long time. In 2002 there's that famous Trustworthy Computing initiative at Microsoft, the big memo from Gates: we're gonna take stuff serious, we're gonna build security into our products. And they really started fuzzing and doing all these great things. STRIDE came out of that. Adam had a lot of money and the initiative to go ahead and start threat modeling and getting data and doing this. So it's an acronym of threats. We'll cover each of these, but spoofing, and we know what that is; tampering with data;

repudiation, so I didn't order that Tesla, Chen did. Well, that's a problem: who ordered the Tesla? They've got to pay for it if it's delivered on time. Information disclosure, denial of service, elevation of privilege. There's probably a ton of other threats, but these are the areas we'll bucket or put them into. All right, so that's the threats. Well, what other things are inside of a threat model? Well, we're gonna go through an application decomposition today. We're also going to overlay a data flow diagram, a very simple one. We're gonna kind of stop there, because we could keep going; this is not meant to be a workshop normal if I to teach one of those. We'll

talk about attack trees; it's another way of thinking about how an attacker's objectives might want to be applied to a threat model. We'll talk about threat actors very briefly, and then some countermeasures. All right, I mentioned DREAD earlier, so we're getting through this acronym soup. When you identify all your threats, like a threat is an unauthorized user in the portal of the CTF, well, what could they do? If you want to actually remediate that threat or prevent it, well, you gotta, like, rank it somehow, right? So typically if you do risk management you kind of go back to the impact and likelihood, which is fine, but there's other ways you could do it. What's the

damage, reproducibility, exploitability, affected users and discoverability: other ways you can look at what that threat could do and what you do to respond to that threat. We're not gonna spend a ton of time on DREAD, but I wanted you to know you can go deeper. I have to identify threats and you want to rank them, DREAD is a good way of doing it. I think when I did it with some ex-Microsofters we did DEAD; I think we got rid of reproducibility. But anyways, a ranking system can help. So if there are threats, what are they violating? So classic security is confidentiality, integrity and availability. There's a couple more A's, so CIA 3 is how I'm

seeing it now, right? Well, if we map those to the threats, I think it's interesting, because it gets us in the mindset of how do we think about the classics here with these new threats, or identified threats. We're worried about authentication, integrity, non-repudiation, confidentiality, availability and authorization, so that's just being broken by these threats. A little more of the definition side, and these are right from Shostack's book, though they're worth repeating, and then we'll give examples of each. Spoofing: pretending to be someone or something you're not. Tampering is messing with something: disk, network, memory, you name it, and adversaries now are more in memory than they are in disk. Repudiation, we already know what that is:

claiming you didn't do something or were not responsible, like claiming to buy a Tesla but it was really someone else. Information disclosure: that's a breach, that's letting data out to an adversary. Denial of service: that's a DDoS, or it could be just spiking and pegging a CPU on purpose, like in college writing a fork bomb to piss off the TA. You don't do that, because you would just go ahead and use a murder cpu. And elevation of privilege: allowing someone or something to do something they're not authorized to do. Speaking of denial of service and fork bombs, a buddy of mine was a sysadmin in North Dakota, and when the students would do a fork bomb on a

shared system he would lock up their account and make them write a written apology to get their account unlocked. Fork bombs are old-school, but they're still kind of neat. Okay, give some examples, Ben, of STRIDE. Cool. Spoofing: falsely claiming to be secdsm.org. You could potentially do that; it'd be hard due to certificates, but you could spoof secdsm.org if you get a homoglyph of the domain and make it look like secdsm.org. That's spoofing. Tampering: changing, manipulating a data store. Okay. Repudiation: we talked about a Tesla; I really like one, somebody nice. Information disclosure: a good example, sniffing packets. If they're not encrypted, then you have information. So it's an internal trusted

network, you can sniff it, that's a problem. Back in the day, and I don't know what it is now, but SAP authentication over the wire was just encoded; it wasn't encrypted or SR hashed. That's a problem. We talked about denial of service; I'll just do the hundred percent CPU, but I know a big DDoS is another example. And elevation of privilege: can you get authorization to do more stuff than what you should be doing as a regular user? Okay, we are done with definitions and acronyms. If you said distill STRIDE down into the steps we have to go through as a group, here they are. We gotta identify assets. So you are now helping me write a threat model, a very

simple one, for secdsm.org. So we have to identify assets. We have to scope this thing; we cannot threat model everything, you have to scope it down. So updating website static content: we're not going to go through that. Sending a payment: we use Stripe, they know what they're doing, they're very good at that stuff; we're not gonna go through that. You make assumptions too. These are examples of assumptions: Docker uses Alpine; you've got to refresh your images; the update channels are trusted. So someone's talking about BITS and hijacking enough, that's an hour later, but this is an update channel; I assume the update channels are trusted for today's discussion. HTTPS is good and enabled by default. The PKI, it's not self

signed, stuff like that. All right, so if we're to identify assets, they're gonna flow into an application decomposition. So let's touch on these. Again, I guess we have more definitions. External entities are users or actions outside of a trust boundary, and we're gonna show trust boundaries in this diagram coming up. Trust boundaries is very similar to an attack surface; it's any area where trust can change. Most commonly it would be like your hosting provider or a data center or maybe a cluster of servers. Entry/exit points: the point at which data flows across a trust boundary. And that's a key point: where data crosses the trust boundary, that's where an adversary is likely gonna do something naughty. So that's where the

threats, in my opinion, need to be really looked at. Tech stack: that's important. The threats against a Microsoft stack are different than the threats against a WordPress stack running on ancient Linux; they're just different. Java deserialization attacks are not going to work on a .NET stack. So that's important stuff. Data stores: this is databases, data at rest, and it's not just at rest on a disk; it could be like Redis or ElastiCache, it could be memory-based data. That's interesting too, not just if it's resident on a disk. Data flow: this is data in transit. WebSockets are interesting, by the way. And then asset: stuff that's of value. I'm gonna keep going here, now the basics are

out of the way. So let's begin a very abbreviated threat model for SecDSM. So here are the assets SecDSM has, and I scoped it down. So we've got a server, it's over in Germany. We have some domains; those are the ones that are most interesting, in my opinion, for today. There's other domains, but those are the three that are interesting. Yeah, that's what people are playing right now; that's CTFd running on there. Anyone know what Jenkins is? CI service. So it's a server that's kind of powerful, that does automation, builds, stuff like that. Pilot is the test site, and when we upgrade stuff, the pilot branch is committed and then you can see it on pilot. That's public,

you can see that stuff. We use bitbucket.org, so that's where source code is to run the eject gets to do stuff. We do some stuff in Azure for some cryptocurrency stuff, some hosting; some of the CTF assets might be there. So some Azure stuff. Our money is at Veridian Credit Union; we like them, but that's an asset, probably. We use Stripe to move that money over debit and credit rails and then the ACH, so any into Veridian's, that's important. We use G Suite, so if you were to phish us or try and screw around with domain fronting, Google is an interesting way to do that. We have an ATM; it's actually set up in the CTF

room to screw around with. We're not going to talk about the ATM today, but it's an asset. And then credentials, database, API, log files, etc. So these are the assets that I think are in scope for a pretty decent threat model. All right, now I have to create an overview; I start to get ready to decompose this thing. So let's walk through this. So this is pretty simple. The dotted lines, I hope you can see them, are the trust boundaries. So it's my interpretation of SecDSM. So let's start in the upper right at Veridian and kind of go counterclockwise. So Veridian has checking and savings; inside our checking account is where money sits. We're a very transparent organization at SecDSM; there's

about seven thousand seven hundred dollars in there, not much in savings. G Suite: we have some drying out, same stuff you'd have in your drive, some docs, presentations, the ability of email accounts. In Azure there's some servers and hosts that do some cryptocurrency stuff, some CTF assets are there, and then mist, we're working on standing that up. So some hosting stuff in Azure. Stripe has an API that the SecDSM website can post to, to issue a token and then eventually a payment against a debit or credit card, which then at the end of the day clears, and then when it finally settles, back at the ACH into Veridian. We'll talk about that. People on the Internet are

important, so they're in green: browsers and SSH clients in particular. And then Atlassian, so Bitbucket is hosted at Atlassian. On the right, the second is an application server, so it's actually at LeaseWeb. This is one machine that hosts multiple things, and this could be dangerous or could not be dangerous, but we don't have a lot of assets that are super interesting. So main website, secdsm.org; pilot website's there; CTF website's there. There's more, but let's just stick with those three. There's some website data, a little data store, and Jenkins also runs in the same box. That's technically dangerous, but we're a security nonprofit; we're here to test things and make fun and have a good time. So Jenkins

runs there. So our CI pipe's in purple, main host instance is in that kind of like light orange, and you've seen the other providers, if you will. So that's the simple decomposition. Where there's interesting data that I think could be considered a valuable asset: there is some cryptocurrency in Azure, there's real money, fiat currency, sitting over at Veridian, and Jenkins might have some powerful stuff too, like credentials. So we have a very simple architectural overview here. Now let's go ahead and decompose this sucker. So what I said just before, let's just look at it visually. And you're not gonna see, tell me, you're not gonna see NTLM; this is mostly a Linux stack and maybe some Windows in here. So

when we interact with Bitbucket, let's say we check code in, for example, I said show the SSH for that. Webhooks take over and tell Jenkins to do stuff, so that's HTTP, that's a POST. Internet clients, meaning any of us that need to do work, if you're authorized, in green, you're gonna go ahead and SSH into the instances themselves that are running in that kind of light yellow, an application server, or you could be going into the Azure stuff. No big deal there. Is there any RDP up there? Maybe? No, no RDP. Okay, cool, then my diagram's accurate. Lots of HTTPS: you're seeing that browser connect to everything over HTTPS. If you saw HTTP, like, that'd be a really easy threat to

say, what are you doing? Stripe is a simple ACH sweep over into Veridian, so I'm not gonna Stripe too much. That'd be a fun threat model, but they're good at what they do; I think we should focus on SecDSM. G Suite, HTTP; Veridian, HTTPS. Pretty simple. Any questions on this, about the technologies, the stack? It's pretty much a LAMP stack over here for the LeaseWeb server. There's some Ruby, there's some PHP, Apache, Linux, probably some Python natively, I don't remove that. No questions? You're right this so far Internet

So we certainly could. In this case we're looking at data flows. We'll see, I've got examples; I want to kind of do threats together, but if not I'll throw them up there and you'll see. We could also scope it out to say, listen, we understand that if we're running ancient PHP that's a problem, so the threat would be either availability, here, we'll go through that. But I kind of scoped it up, because if the threat's we're not updating, then we're just doing a bad job; let's actually go to, like, some more interesting stuff. But it's accounted for either in your scope, or you can make it a threat itself. So let's identify some threats. So I mentioned threat agents; I'm not

gonna go into depth on those, but what are some threat agents for SecDSM? I get unauthorized internal or external users. If there's authorized users, maybe my authorizations are good but my intentions are bad. It could be a SecKC member; we're friends with SecKC, but we don't want them screwing around, so I put them here as a threat actor. But these are potential threat actors that might help us with this threat analysis. SecIC is not yet, okay, but they're on their own notice. I'm glad you brought that up. So let's go through some that I identified, and then I want to stop; I'll put the diagram back up and let's even get a

couple in the room, make it interactive. We'll try. So if we look at STRIDE, S for spoofing up top, so where could spoofing happen? And I'll show that; I should have, I could do a screen for this in the diagram. So I looked at this and I said, well, Jenkins is important, Jenkins scares me; that's a server I'd go after, and I'm not necessarily a very good, terrible pen tester actually. So webhooks sent to Jenkins with false build instructions: that could happen. So how would we prevent that? Well, you could sign your webhooks. If you sign your webhooks, then if Jenkins is smarter, validate them; if they're unsigned, then we can go ahead and ignore

those. So that's one example of a threat: screw around sending bad webhooks to Jenkins. I mean, go ahead and sign those things, and that's pretty common with an API. So cool. Brute-forcing: so this is more of a simple one, Antoinette's vulnerability management, but can you brute-force stuff? If you put a web form on the internet, it's gonna get hammered all day, like, we know that. So could you brute-force Jenkins, Veridian or Azure, where we think assets live? Well, sure, you could do that. There's ways to prevent against it: you could throttle them, you could throw a CAPTCHA, you can do lockouts over a threshold. There's a bunch of techniques: device fingerprinting on certificate

authentication. Let's just say multi-factor auth solves that problem to a certain extent; pretty good mitigation. By the way, I'm a fan of YubiKeys and Duo. I'm not a fan of, like, SMS texts and stuff like that, or, like, email; that's a terrible one. Like, we're gonna email you a second factor, like an adversary wouldn't already have your email. Tampering, and we can go back to this; I'm gonna list these so you kind of get your mind in the mode where I am. Well, what can I do with, well, I could tamper with some of the network traffic back here. So all that traffic is protected with cryptography, so that makes it kind of hard. Why is it

protected? Well, we're using strong TLS, so it's better than version 1.1, 1.1; it's 1.2 with appropriate cipher suites, almost 1.3, can't wait for that to be out there. Downgrade protection, HSTS. So it's hard to man-in-the-middle, although not that hard; Nikki showed me how to do that, thank you. Repudiation: could a rogue website update happen? Well, maybe, but we have forensic logging in place, so we could find out if it did happen, how to recover. Detective control, but it's fine. Information disclosure: what if one of the services failed open, like we configured it wrong, and it just pukes something to the website, so you as a user can see, like, oh, that's the stack, oh, their Java's old, and then from there

gain information, do bad stuff. So these are examples of threats that I identified. There's probably a ton more; this is how I did it really quick. I've got more, but I want to kind of pause and go back to the diagram and see if everyone in the room can find, like, spoofing, tampering, information disclosure, denial of service or elevation of privilege. Anyone see one of those threats in this diagram? And the areas to maybe look for is where a trust boundary's being crossed or where assets live.

So spoofing to Veridian: let's look at that two ways. So if you want to spoof, okay, let's look at that a couple ways. One could be, you know who the treasurer is, so on the SecDSM website Aaron tkip is the treasurer. I used to be; really glad, it's a hard job. Aaron's the treasurer, and so Aaron has the ability to authenticate to Veridian. So if we can spoof Veridian to Aaron, we can capture his credentials and potentially stop him from getting in. Let's look at it that way. We'll talk about ACH in a second too. So how do we counter that? We have multi-factor enabled at Veridian, and we have device whitelisting or fingerprinting also enabled at Veridian.

However, the second factor at Veridian is SMS. So the threat of spoofing Veridian to Aaron would mean you'd have to phish Aaron, and walking through this is kind of an attack tree, we'll get to that in a second: phish Aaron or present a bad website to him, have him log in, and they were using credits Nightbird something in the middle, and we have the ability to capture his SMS text, that's very phishable, and then log in as him. So that is a threat. How do we counter? Auth, limited access, multi-factor to Veridian. That's okay, but sure, that would scare me. On the ACH side of the house with Stripe, it's kinda out of scope, but ACH typically uses

SFTP, IP whitelisting at the minimum, so you kind of hard let me not have possible, pretty difficult to back-end. That was spoofing. Any, any information disclosure? Any tampering? If not, I've got some more and we can come back to this later. But what I find when we do this, all of a sudden one person says one, another person says another, and all of a sudden you've got a bunch of evil geniuses helping you go through this thing. So I'm gonna keep going in the interest of time; we can come back into more of these later. All right, so information disclosure: how about inappropriate use of crypto? This pisses me off. If there's one thing that makes me angry, it's installing crypto

poorly: either rolling it yourself, but you never do, choosing, really, like, talking to primitives directly, choosing ancient things, but pasting off Stack Overflow. This makes me angry. So now that I said that, how do you implement cryptography properly? Well, it's very hard; you need good people and standards to do it. But here's the things that I would say are good countermeasures. Appropriate cryptographically secure pseudo-random number generation: so you're in /dev/urandom, you're not using just a random call in your framework; you need to talk to a kernel-mode source of entropy, period. Require authenticated encryption: so we are not using old-school AES with CBC, we're using authenticated encryption, that's GCM. You have to use

authenticated encryption in 2018. Proper generation, rotation and storage of cryptographic keys: so if you have the keys committed to GitHub, that's a bad thing, don't do that. If you can't rotate your keys, that's something you should think about doing. If you have an event and you have to rotate your key bits, keys, well, that's a problem. Implementation of forward secrecy, which I think is super important. So, like, right now, if you don't have forward secrecy enabled and it's TLS protected, like, an adversary is probably not gonna crack into that, but if they've been recording it for the last ten years with no forward secrecy enabled, and they're able to factor a big RSA key in the next 5-10 years, all that

data is potentially viewable. So forward secrecy is important. Password hashing: this one pisses me off too. If I see MD5 or I see a munch or some self-rolled, like, this is just terrible. You have to use a key derivation function based password hashing algorithm: Argon2, scrypt, bcrypt or PBKDF2 are the four I would use. Constant-time functions: most of the stuff is fixed, but if you have certain functions and they're not returning in constant time, like, it takes longer to decrypt a string than it should if you're going character by character, like, you can figure that out. So these are things you should just, I'll stop talking about crypto, it just gets me angry.

Service exhaustion: well, you could have performance tests, so seen a resources for scale, you can handle demand, or if someone's naughty you could capture them, do a bunch of stuff. DDoS to a TCP listener: we use a cloud CDN, harden your IP stack, so Akamai, Cloudflare, etc. Elevation of privilege: so this is a vulnerability internet. If there's a software vulnerability via memory corruption, that's a problem, and then you could go ahead and hop from running as Apache to root potentially; say that, that's a bad deal. So implement software in a memory-safe language, so using Go would be maybe a potential mitigation if you want to program and deal with memory safely. What's another one? Oh,

committing stuff. So in this case, what if we accidentally mark something in Bitbucket as public and we're committing key material or something? That'd be terrible. So how would you handle that? Well, rotate your credentials and have tests and monitoring for that. It's also information disclosure. So we'll come back to this, but this gives you a feel for where you look at an application decomposition, you look at the data flows, and granted this one's very simple, how you can look for spoofing, tampering, repudiation, information disclosure, elevation of privilege, denial of service. Absolutely, because we require that, so, like, Jenkins is the only way to update the website, the next point. So if Jenkins is

unavailable, the website's stuck, I can't do anything. We have to put a pink sombrero on; that's from an earlier talk. Pink sombrero is going into prod, what you shouldn't do, as root to fix something. But yeah, it would make it unavailable. So if it happened today, it'd actually really piss everyone off, because then the CTF next door would probably be running really poorly.

see, see how this gift go, this could be fun. So we could probably do this for an hour or two, and if we had a really, like, much more robust application decomposition and data flow, I think we'd come out of here with a list of threats and potential countermeasures. So thank you, Bill. [Music]

like, the answer is I don't know, I'm not involved with that, I just know it lives there. Maybe I should. A good amount of that is actually mining sexy coin, they have their own fork of Litecoin and we screw around with them a lot, so technically that's worth nothing but lulz. But it's possible. I don't administer the system so I can't give you a good answer. But like, we can do this for a long time, but I also got to get through the slides here. So, awesome, that is exactly the one that happen. Let's go through a little bit more and we'll kind of wrap it up, I think. So attack trees, we kind of talked

a little bit about how would we go ahead and mess with Aaron, who's the treasurer. Well, we could phish them, we could do this. So everyone know Bruce Schneier? He's a pretty well-known cryptographer. He's the first one that talked about attack trees, a formal method of describing security systems. I think it's complementary to STRIDE on that gets different. Start at the root node, what's the adversary's goal, and then work your way down how to achieve that goal with different steps. You de-duplicate these, prune the tree. And the ACFE fraud tree is really neat, it's huge, I'm not gonna go through it, but it's how to commit fraud at a company. It's very interesting. So let's say I

want to steal data from SecDSM, how could I do it? So I made this up the other night. OK, I can intercept email. Well, how would you intercept email? I'd gain G Suite access. How would you gain G Suite access? I do a password reset. Well, how'd you do a password reset? Well, I do a phone number port for SMS, so that when I forced a reset, I got my second factor. I had Nick Nixon number port, it's easy, I don't know, a telco that didn't do a good authentication of the user. Or I want to obtain backups. How do you obtain backups? I do an account takeover at the backup provider. Well, how do

you do that? I spear-phish. How do you do that? I use CredSniper. So these trees can get pretty detailed. I'm not gonna go into all the nuances, but it's another way, if you're stuck, on how you could think about what's an objective and how it happened. All right, this is awesome: ATT&CK. So has anyone here, well, first of all, you know what the CVE database is, right? OK, so MITRE is a big reason as to why that's around, and Adam Shostack, the guy who started threat modeling and in STRIDE, was a good part of that. So that's not a conference a couple months ago, and the two of the people who are in

charge of ATT&CK, the Adversarial Tactics, Techniques, and Common Knowledge project, gave a talk about what ATT&CK is doing, and it's fascinating. So like, this is one of those nuggets, if you're like "I'm tired, I've been at BSides all day, I want to go home and eat some coffee", like, remember to go check out the ATT&CK framework from MITRE. It is full of matrixes, or matrices if you will, plus also different ways of looking at attacks that can happen. They are very, they're a very enterprise-flavored tool, but there are 437, there we go, techniques in there. So if you're thinking about, like, what would I use as a library of attacks to look at how I

build a threat model, ATT&CK is a very good one to use. They also have other assets at ATT&CK. They have adversary emulation, where they have taken an APT actor, APT, it's a loan they were count 29, I think it's APT3, and they say this is how you emulate this adversary. So if you're on a red team that should be, like, required reading, and it walks through every step they would do in the kill chain, every technique they would use, and how you emulate that technique with Cobalt Strike or Metasploit. So it actually puts you in the driver's seat of a real adversary and how they would attack something, and that can be

factored into what you're using for threats. So we talked about process hollowing, we've begun, that is in the ATT&CK framework. Browser extensions, those are pretty interesting things, they're not always clean. I kind of cringe, I see my parents' browser extensions and I gotta clean them up. So those are various things you can factor into your threat model. So I'm kind of getting towards the end, I guess I'm going a little faster than I thought. But what is the goal of a robust threat model? Again, this is the elevator pitch to someone in a puffy chair: improve security design, drive testing, reduce cost. You do not do it at the end of your project. It's probably like

anyone here on a red team? Know red teamers? OK, I'm not in the red team either, I'm terrible at that stuff. But if you build an app and it's going out in two days and they ask you to pen test it, like, that's just terrible, you don't do that, you do that earlier. Same with the threat model. This is a design-time practice. It takes discipline to do it, but it's a good process early on and it's pretty open-ended. Again, I walked you through what I think works in STRIDE. The book is out of the book here, should have brought it. There's PASTA to look at. But if you start with a diagram, a data

flow diagram, and then look at STRIDE against it, that's a good way to start with this. And then publishing threat models: there's not a lot of these published. I have some really good links, I think the references here are very good, so I'll put those up shortly. But publishing your threat model is rarely done. I'll name two, only one really good 100 off to the OAuth 2 framework, it's actually a, it's a framework, their threat model is published as an RFC. It's not very visual because RFCs are in ASCII, but it's a really good example of a threat model that's pretty detailed. I just wish I had diagrams. The five pillars of a successful threat model by Synopsys is

outstanding. It's a much bigger version of what we did today, but it shows threat actors, data flow, assets, external entities, trust boundaries, and what they did is they put their security controls at the bottom. So when you see the threat actors, and we kind of did it with our countermeasures, so a multi-factor, well, that can be a control that you rely on for a certain threat, which is kind of neat. The PASTA stuff's at the end here. I think they're recording this so you can view this stuff later. The videos from AppSec Cali, I'm really gonna recommend you consider watching those, they're free. And then if you want to learn a lot more about PASTA, there's two different

resources that are really deep I have here at the end. So, forty minutes. OK, I am ready for questions if you have them, I'll do my best to answer. There's three that come to mind. One is, it's hard to explain if you've never seen one, what the hell is a threat model, so is it just gonna slow me down, etc. So I think you have to show them the value, and if you say, well, this is gonna reduce paying a pentester, like, let's get rid of the low-hanging fruit and let's have them really earn what they're doing in a pen test. If I get a pen test for a damn cookie that isn't marked secure, we're

doing a bad job. Getting all fired up here. So one is to show the value there. The second is, it is going to become, in my opinion, the leading practice. They're not published; you're gonna see more and more of these published. To me this is like risk management version 5.0. Like, this to me is like, your risk register is cool, and impact and likelihood is cool, but it's kind of a back-office thing, like it doesn't necessarily become a rudder in a project. It's how you manage risk. You produce one of these, I think you're gonna have much more value in your project. And the last is, people actually get excited when they start doing these, like, it gets your engineers

excited to work with you on mitigations, versus here's a Veracode report, go deal with it. Like, that's just not the way you do business in 2018. My team, for example, sits with engineering, so we wouldn't do that. But it gets the two teams playing on the same level, same playing field, and engineers are problem solvers by default, they're the best problem solvers I think I've worked with. What you're giving them is a fun problem, and you walk away with kind of like a joint effort in how you're gonna remediate that stuff. You're not gonna mitigate everything. But those are the value things I would share. I think eventually it'll be

expected, not necessarily a compliance requirement, but I think it'll be expected. So like, it could become useful collateral. When you want to buy from a company, they'll give you a SOC 2 report, or they'll give you maybe like a redacted version of their pen test, maybe something else. If a company gives you a threat model... no one does that. So I want to work on doing actually. So I think there's a whole bunch of reasons, I can probably think of more, but those are the ones I would give in my elevator ride. they can unlink we had time to do that today, but for sure, I mean, any kind of example of this. So anyone done

segregation of duties, like in a big system? That's kind of a big pain. Yes, super important, it could certainly fit that. I think if we spent more time as a group threat modeling we'd certainly have a whole section of human risks. I sent that we had time to get to that today, but when you go back to those threat actors we talked about, there's more, I'm sure, than what I listed here, but how could each of these threat actors either be affected, come into it. Think it's on my list still, do some research. Huh, Microsoft has a threat modeling tool as well, and it's pretty old and it doesn't really work well and you need like all

these .NET dependencies. Yeah, so short answer is no. Yeah, the other thing that's goofy too, like, you could use UML to express a lot of this, you could use, and so like one of the individuals that does a lot of these, it's like, geez, PlantUML, it's ancient Java, kind of scared me, like, itself as a threat. But I think those tools and templates need to become better. Yeah, but short answer is no, I've not played with that, but I will. OK, so like, well, there's some attacks that are maybe kind of cross the boundaries more, so like the man-in-the-middle example, we're going down to accessorize all of those, all of those categories, like you

have information disclosure, you have a privilege escalation, you have, right, are there some things that kind of fall in that category where, I mean, it just might get threat, um. Probably. I don't have a great answer for that one, but like, some of them cross. What are we talking about, the stack trace failing open, and that's information disclosure, well, it can mean a whole bunch of other ones too. A yep, yeah, for sure. So what I've seen, and I've done like three or four of these, is that typically you get like a raw list of these, and then you actually start combining them, and then you do that risk assessment. You could use DREAD or you

can use your own, and if they start crossing I would start building them up and then put that thing way up to the top as I remediate them. Yeah, it's not like a built-in thing in the framework, but it's more of, as you normalize the data, I would just be like, yeah. And I think, I mean, the point of STRIDE wasn't really to maybe categorize the threat, it was to kind of more help you have a process to enumerate the space, and necessarily to categorize it post-nominal. Yeah, I think this stuff's still new enough that we're gonna figure that out with templates. Yeah, which is why I really wanted to see those templates that Adam

and Tony did at that last AppSec meetup that v them theirs to publish them yet. Sir? I think it has to be part of a process, like anything else it needs to be upkept. So for me, I'd do it based on new features. You're still doing vulnerability management and all the other stuff, and pen tests, that doesn't go away, this is on top. But I think as you add features to a system you should adapt it, that's my gut response to you. But it usually is based on an initiative, and then when the initiative's over, well, it's, it, they're sure, it'll sit there, and you need the discipline to update it. Usually that's when you do add

features

so

that's a pretty good answer. Um, it takes discipline, and they do sit a little bit, but like, a risk register should not sit that long, it shouldn't sit for your once-a-year sit-down "what scares us" meeting. So that takes discipline to update that thing a couple times a month, and these will get to the same point, in my opinion, over time, but it takes discipline to get there. It's a tough question.

I think we are out of time. We got five? OK, we're gonna do a couple more questions. But I'm learning from you, I don't have all the answers for this stuff, so glad we're having this talk. So I mean, you gotta know the answer, but where do you stop the scope of this? Like, you didn't go into DNS, you didn't do your certificate authority for your SSL, you didn't, like, yo, is it just when I run out of time? Anybody here? Well, you know what, let's look at that other one to show you one that I thought was really well done. This is a much bigger one, and I guess I should have put this in the presentation

but I didn't, so let me see if I can zoom in here. They start going into much more depth. I knew if it was too big we would just stop. They should be bigger and you shouldn't, I guess you have to figure out what scope you're gonna pick and how much stuff you trust. But in this case they don't trust browser plugins, so like, I don't trust apply ashley flash scares the hell out even JavaScript doesn't cover off. So the different threat actors are in yellow and the actual controls are in green, but this one goes a fair amount deeper, and I kind of like this one because you have the browser, the service broken of the reports, they don't

say to the company that's poor, but they did a really nice job of this one. And then I mentioned the controls at the bottom, it gets kind of noisy, but they have those listed out. I take the ticket back, yellow's assets. I think deeper Cody VC was, that's interesting, but they say TCP, they don't report between the widget and app server, so organization. But had we a lot more time I would have probably broken it down to additional protocols. I do worry about DNS, people forget about it, let us down versions of stuff. So I wanted to have my template ready, put it on GitHub and release, and I didn't do that, but essentially: overview up top,

what the scope is, what if something's you've made, you level set. Then after that you go through that diagram, you overlay the data flows, and the diagram should be as big as it has to be but no bigger. And then after that, a table with at least STRIDE, and it's the reduced STRIDE: after you've done it and got your raw notes, you know, sticky notes, there you want to then reduce that thing down to the ones that matter the most, and then how you're gonna have a countermeasure. Rank those, and then after that, revision history, who was there, and then how they're ranked, and what you do with them goes into your separate system for

prioritization. That's at a minimum. The question then becomes, that's cool, it's an internal document, how do you then publish that thing, how do you give it away? I don't have a great answer yet, but they, oh, the OAuth 2.0 RFC related to that threat model is the best I've seen. So getting these things published, I'm really excited to maybe try doing that, but also watch others that do it. This one's normalized, I don't know which customer it is, but it's their example. Well, we got to close it up, but I'll catch up with you later. Thanks for coming after a lunch, I appreciate it, have a good one. [Applause]
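Added example, not part of the talk or its slides: the attack tree the speaker sketches for "steal data from SecDSM", written as a small AND/OR tree that lists the leaf-level scenarios and prunes the branches a deployed countermeasure blocks. The node wording follows the transcript; the AND grouping under "password reset" and all countermeasure names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    goal: str
    kind: str = "OR"        # "OR": any child achieves the goal; "AND": all children are needed
    children: list = field(default_factory=list)
    controls: frozenset = frozenset()   # countermeasures that block this step (assumed names)

def scenarios(node):
    """Every minimal set of leaf steps that achieves node.goal."""
    if not node.children:
        return [frozenset([node.goal])]
    per_child = [scenarios(c) for c in node.children]
    if node.kind == "OR":
        return [s for sets in per_child for s in sets]
    # AND: pick one scenario from each child and merge them
    return [frozenset().union(*combo) for combo in product(*per_child)]

def prune(node, deployed):
    """Copy of the tree without branches blocked by deployed controls, or None if unreachable."""
    if node.controls & deployed:
        return None
    if not node.children:
        return node
    kept = [p for p in (prune(c, deployed) for c in node.children) if p is not None]
    if not kept or (node.kind == "AND" and len(kept) < len(node.children)):
        return None
    return Node(node.goal, node.kind, kept, node.controls)

def open_scenarios(tree, deployed):
    """Scenarios still available to the adversary once the deployed controls are applied."""
    pruned = prune(tree, frozenset(deployed))
    return [] if pruned is None else sorted(sorted(s) for s in scenarios(pruned))

# Tree from the transcript; control names are hypothetical labels for a countermeasure column.
TREE = Node("steal data from SecDSM", "OR", [
    Node("intercept email", children=[
        Node("gain G Suite access", children=[
            Node("password reset", "AND", [
                Node("port phone number for SMS",
                     controls=frozenset({"carrier port-out PIN", "non-SMS second factor"})),
                Node("force a reset"),
            ]),
        ]),
    ]),
    Node("obtain backups", children=[
        Node("account takeover at backup provider", children=[
            Node("spear-phishing", controls=frozenset({"phishing-resistant MFA"})),
        ]),
    ]),
])

if __name__ == "__main__":
    for deployed in (set(), {"non-SMS second factor"},
                     {"non-SMS second factor", "phishing-resistant MFA"}):
        print(sorted(deployed), "->", open_scenarios(TREE, deployed))
```

The scenarios that remain after pruning are the rows that would go into the reduced threat table the speaker describes, each with its countermeasure and rank.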