Threat Modeling: Intro for Security Architecture

is it great thousands of people like my last YouTube video I think I had 30 people watch it people were like yeah next right start okay so this is BR doing well all right all right so my day job a little bit about me uh my day job I'm a senior security architect at a large Bank uh for my spare time and for the ability of not having to go through approvals for my primary employer I'm also an adjunct professor at Colin College in their cyber security program all right so today I'm a lot of you are probably new on thread modeling I hope or have you heard of it you've heard of it good how many of

you have actually implemented it okay I know somebody's given a talk on it later so the thing is though with threat modeling most of you think about doing it subconsciously all right most of you just have no idea about you know what it is but they've created this formalized process I would say you know give you a structured approach to identify and prioritize threats so for my ladies in audience this is something my wife made me aware of when you have your purse and you go shopping do you always have it like wrapped around somewhere or or concealed or have your thing there or always aware of your surroundings when you walk out into a parking

lot okay like whenever I've been in some situations that were hairy before and like whenever I walk into a room I always look for my exits all right so these are some things I look to see what am I going to do if there is a threat where the vulnerabilities going to be at where can't what's my ESS route if I need one so threat modeling it's basically the structured approach to identify and prioritize prioritize these security threats out there so how many of you identify what can you identify as a threat out there we have all read about it in our training stuff it's something that can do harm pretty much right so mosquito

could be a threat all right how many millions of people end up dead because mosquitoes throughout the world Millions now you know more about a threat higher priority or lower priority okay these are kind of things you always think about now one of the things you can do is anything let me State this anything can be threat modeled okay anything you look at in the world from your perspective can be threat modeled okay and what you have to do is you have to assess your threats all right you're at an ATM machine you see a bunch of bearded guys with a bunch of tattoos just hanging around little bit outside of that how would you assess

that threat could it be a threat maybe all right what what's my usual mitigation for if I have to go to an ATM at night I do open carry I'll take out my concealed carry put it on my belt and go you know make sure they are aware that I have a mitigation for any threat right it sounds like a good plan I'm not advocating any kind of thing but you in in essence you know in a cyber security world you don't have a firewall you're connected straight out to the internet and it's a pretty easy target low hanging fruit right so these are kind of things you want to do I don't run antivirus no low hanging fruit so

what you're going to look at is identifying those vulnerabilities and ways to mitigate those threats I should say antivirus anymore it shows my age sorry I have Gen X all right so we see these things out there so now it's antimalware and other devices like that so I encourage you to go out there here and if you want to read more about threat modeling you have the threat modeling manifesto. org which is a short thing that identifies a lot of different ways to do it uh a lot of which I'm going to cover here today so the first thing you have to do is when you're threat modeling is identify your assets and this is one

thing most people whether you're in it or anywhere else you have to identify what do I have all right consider your own house okay or where you reside all your worldly possessions out there all right something a threat could happen to that lightning strike fire something like that oh yeah I got insurance that's a mitigation but is everything covered under that insurance is it I heard a uhuh right there yeah these are things that we have to look at so you have to identify all your assets keep an inventory uh how many of you work at an IT shop where you don't know what you have in there or been involved in one yeah I've worked in one like I got

asked to go fix a firewall one time and nobody knew anything about it and like oh yeah that thing uh it said it was scheduled for retirement back in 20 2008 I go is it still running oh yeah yeah people are still using it I'm like but it just we just took it off the books huh so we didn't know what we had this thing had not been patched since 2008 this is back in 2014 seven years I'm like I'm like okay let me see if I can find documentation for this thing so you have to understand your systems your networks out there what applications are you running how many of you know what all applications are running in your own

network how many of you know all applications are running on your own personal laptops all right or your own personal devices or on your phones I mean how many of you have any idea of what you have all right and then you have to identify where your data is at because that's that's what everyone wants to protect is the data correct not much of the equipment but your intellectual property that's your most valuable asset to most everybody right everybody's IP so we have that and you're all your information out there uh it's also important to identify your co-workers all the Personnel that work in your company because people are an asset to your company all right they're there to be

you also have to provide that protection that security protection it's good to know where they're at you know like Havey good directory phone number address kind of information in case something happens or they need to be contacted uh we had that uh big storm came through Dallas I got an email from our soak and says hey we hope you're safe if you need anything click here and it'll bring up the form so they knew where I reside and how something close to my area got hit by a tornado luckily didn't get any damage I had some people shingles laying in my yard but that was about it so we had that and then you also need to know

where your infrastructure is many of you work in offices how many of you know actually where your data centers are located all right so you know where your data centers loc how many of you know how to get there and their address and your contact information I see one hand very good sir do you work in the data center okay okay all right so a lot of people don't have that handy and it's like oh where's that data center at oh it's in Louisville or it's in uh itasa or IA or someplace like that so we get all that kind of stuff so there so we have what we have to understand and click after

that we have to go in there and we have to identify our asset we're identifying our Assets Now what are their importance okay how many of you taken the ISP all right what's the first thing they tell you to protect what's the most important thing life human life okay so people assets protecting that top priority then what comes next after that that's when it gets convoluted all right that was an easy question so what comes next after that what is the most important securing your data centers securing you know pii data your personal identifiable information data your financial data all these different things your marketing your research and development data all these things based on their data

classifications need to be identified and determined what they could take then next your equipment uh you know your equipment your uh facilities and all those can have different priorization rates based on the perspective of who utilizes it the most okay one thing I did forget to say is threat modeling is not a single person's activity it's a group activity okay this is where you take a group of people and everyone contributes and they all pitch their perspectives so whenever you see somebody go no you have to do a threat model and they assign it to one person that is doomed for you know for mediocrity okay unless you have the one person one man shop who's a whiz but

it's good to have buyin from a number of people a number of perspectives on a number of different things it's really important to do that so after that you got to understand the potential threats so where where can somebody you know what is a threat that attacks us okay so you know this is where you guys come into play name a threat APS okay so what's a good threat is an AP threat advanced persistent Threat all right what else what particular APS could be out there Chinese Russian hacking okay what else enger huh social engineering social engineering fishing links teen incompetent users you're you know your your front end users who don't you know you know

the lady who's been here for like 38 years you know and she has you know everything she goes in her types in and out of stuff you know uh the Newbie that comes in who wants to show off look how sharp I am you're yeah that's kind of the intern all right what else come on think outside the box here lightning strike lightning strike natural disasters okay uh I happened to work during 911 when I was at Microsoft I'll give you a quick story on that uh the credit union for the City of New York was located one of those buildings that was leaning next to the World Trade Center that eventually did collapse one guy on uh September 12th

went up they wouldn't let anybody in there but he got in there he w walked up seven flights of steps with a couple of uh bags uh I think they were pillowcase bags and took all the hard drives out of all the systems all right because that's where they had all their stuff without that none of those firefighters nurses police city workers in the city of New York that's where all their pay came from and that's where they put all their money in that credit union so it affected a lot large amount of people uh and he had to go in there and he was just opening up those raid five boxes pulling out those hard drives and

dropping them in um they set up a thing across the river in Jersey City for them to rebuild it we spent 14 hours playing roulette trying to figure out which one because he forgot to label all right but that was a threat that he that they were vulnerable to because of that a lot of people have business continuity plans off-site locations and things like that to where it was you know they have them pre-labeled before they go in there because this is back in the wild west days y'all like I said I'm Gen X I'm old school all right so you got to understand all these different types of threats that can be there so you're

seeing all these different threats that can come in then you got to prioritize these threats okay you know which one is most likely to be executed on me which one is the most likelihood to happen you got these thoughts which one would be most devastating out there so we look at that and then at that point you got to figure out how do I create countermeasures and mitigations for this so you develop them so network security I Implement you know firewalls DLP uh inline antivirus other things like that for a number of networking threats for system threats Implement business continuity plans you know redundancy off-site storage cloud storage move to the cloud there's a lot of different type of

mitigations you can have for on-site stuff all right so then you have to look at what is the attack Vector okay so the attack Vector is how are how are they going to attack me you know what's the what are is it a network attack is it a uh physical attack you know what where am I vulnerable at okay so like the there's one story I remember reading when I was at Microsoft where they were uh pointing a microphone at the systems and they're able to copy clacking of keyboards you know and they were able to interpret which keys were being pressed you know from a remote location you know there's a parabolic uh they've also had it where

it can have the frequency data off a computer without actually being on there to remotely hack it you know there's different ways how they can do it so you know do you implement you know Faraday cage on your windows you know something like that

huh yeah you know certain sofware can listen to the yeah what I'm good point what happens if you got a guy who comes in and drops a uh a Pony Express or a an metlo device like a teslo yeah even their airgap kind of stuff can do that they can get

they right we're dialing like can go out there how many of you got in that Pringle Canon WRA with wire and driven around how many of you Ed Google to find out whatever one in your neighborhood as this idea is you know these are things out there you can do so these are different attack vectors so you have to understand the different mechanisms where somebody could come at you all right all right and these can be you know a lot of common ones are fishing malware network based attacks um and then you have to evaluate you know your tax service what are this is like a cumulative look at all the vulnerabilities within your system out

there all right and you got to identify you know the entry points so these could be your open ports something you're publishing something out there like that uh and then what are your weak spots you know do I have any any roll on my firewall you know these are kind of things you have to evaluate look at for those things do you have an open SSID do you allow BYOD in your environment are you allowing your user to connect in there okay bring your own device bring your own laptop what happens if those laptops are infected or those phones are or they're proxying off of it or hey you got a disgruntled employee who decides

to copy everything onto his personal device quit and walk out the door all right after you get all that information and you kind of brainstorm together to determine what those are uh you set it up like an attack tree which is kind of a graphical representation of the attacker path uh a lot of the modeling software out there does this for you uh but I've seen threat modeling done on napkins uh so over in Chicago uh I think her name is uh cat uh I can't remember her last name she always presents at bside San Antonio but she leads up a lot of threat modeling at Google and she goes and they work on it on they go to a

bar do their threat modeling there they do it on napkins and put it up on like boards and stuff like that when they get back to the office and they prioritize it and then they work on their software how that way but the idea is to get them to relax in a relaxed environment and have that fle free flow of ideas we don't want to talk about fleas I have dogs all right so then you can create your models and uh you're prioritize your mitigations okay and then you have your attack life cycle which talks about you know your reconnaissance okay that's how they're going to look at you they're going to do your exploitation and then your post

exploitation and what you're going to do for that and you're going to develop mitigations for all three of those stages okay now we're going to talk about thread modeling tools now we're going to get some nitty-gritty great knowledge great Concepts what do I do to apply this well there's a number of ways to do this there's three really main ways how I see how threat modeling can be applied to any of your situations okay the first one is from a blue team perspective the defender perspective all right and the most common one you used is called stride and that's spoofing tampering repudiation uh information disclosure and then denial service and elevation of privilege all right my old

I have to threw desist in there even though hardly anybody uses it because my old boss gun Peterson developed this and hopefully he watches it and gives me Kudos but he was a great influence on me so that one is dispute elevation of privilege spoofing information disclosure denial of service tampering spoofing uh uh there's a typo in here and uh repudiation so tambourine in there shouldn't been in there twice sorry I had to go fix that and then how many of you have heard of miter okay miter is a great resource and a lot of this stuff is out there so we have the miter threat model to defend and it's D3 fend okay so that's not a typo but

they break it down until Harden detect uh isolate deceive evict and restore so these are different things you can do from a Defender perspective but how many of you guys are on red team or purple team anybody all right so how if you want to go and attack somebody you got to kind of think about thread mine there too if you want to attack them huh you got to look at it from an attacker's perspective all right and for that you have two different things out there that can outline that framework and that's miter kek and miter attack and that goes through all different types of vulnerabilities that you can move to exploit out there and what you can do

and they break it down there and finally how many of you are Business Leaders in here all right well this one method or how many of you are Consultants all right so we have Consultants out here and Business Leaders what they like to do is a risk-based method okay and this is called pasta and that's the process for attack simulation and thread analysis all right so pasta is out there and it's kind of like a holistic movement and we're going to break down these in a second here so the stride method ology as I said is you know identify the cat categories and threats spoofing how many of y'all know what spoofing is I'm pretending to be somebody else

you know so you got that man INE middle attack kind of thing right there all that tampering uh is when you modify the data and you can mess with all this kind of stuff it is where you know you mess with their stuff like that repudiation that's where you you have to you know you can't deny who did it so this is like I can't erase the log files I can't deny it was me making that [Music] change all that kind of fun stuff information disclosure this is the big baddy this is when uh the stuff gets out this is the breach notification where information gets exposed this is where you know those hackers take that stuff

and they put on the dark web whatever denial service these are your dos attacks your denial service attacks where it could be out there and then uh you have the elevation of privilege and this is like where somebody can go in there grab that thing and become root and what happens when you become rout game over so you don't want to allow that elevation of privilege for them to come in as you know they break out the authorization and although they may be authenticated they just Elevate what they can do at that level okay now to cyst uh is similar nobody ever really uses this very much but uh covers some of the same topics but the thing is to dispute is

one of the key things out there which it means you kind of um try and cause that interruption in their servers so it's similar to kind of how you can break it up and caus that H it's the hardest one to explain too so he laughs he's like yeah it is but it's where you go in there and it just kind of is something where it's like I can impersonate a website like in fishing or something like that all right you of course we talked about elevation privilege information disclosure uh service denial is basically denial of service and tampering there too now the miter defend model they have a number of topics so have you ever gone to MIT or

defend I encourage you to go to that and they break it down into hardening your system you know how to harden your systems or your mobile devices uh how to establish that detection out there what can be detected so how many you said you do some pen testing what's you do some fingerprinting and you do some open source Intelligence on these things so these are things that you know what you would like to look for to minimize that out there uh talks about isolating at the time where you would just if you did get a breach how are you going to isolate them how are you going to get that quarantined out there uh you talk

about the deceive and like this kind of like where you could throw out a honey pot or something like that or hunting netting uh out there and or create something where they are not attacking the main target you get them off to something else and then you restore your environment with higher levels of mitigations and protections patching stuff like that okay so next uh on the attacker method you have the miter kek and that's pronounced kek if you ever want to go into this uh they have a uh free training for merer kek on mit's website it's through CBR and they'll teach you on that but you go to K.M miter.org it's publicly available common

attacks and patterning I think it's cybrary or something like that that offers it you just have to register and you get the free course uh but it helps you understand how adversaries exploit those weaknesses and then if you're really heavy duty and you're like into full red teaming go to miter attack I mean they break it down to a lot of different cool stuff there uh it's knowledge base uh with tactics and techniques based on real world observations okay so yeah this is like basically metas sploit and all that broken out on a web page telling me how to do it it's a great resource for those wanting to learn what tee me now comes

my favorite one this is what all of them should be this is the deli technique okay how many of you ever heard of Deli technique it's where some of you guys somebody brought up to me that they did table talks you know how is this different from table talking it's really not this is where the whole group takes place and it's a group-based uh idea thing where everybody can throw out ideas and Concepts and all that so group based brainstorming so everybody sits at a table like that group from Google who do that softare where they go out there have a few beers a lot of times people bring in you know book a conference room

flying together or have a conference you know something like here's credit for Uber Eats you know create a situation where it's open open welcoming and ideas can be shared and during this time you come up with threats and all the mitigations and stuff and you prioritize that and this is where you would try incorporate as many different levels from your organization as possible from your application teams and finally we get into pasta okay so for that you have the uh process for attack simulation threat analysis this is basically risk-based threat modeling okay this is where you're going to get stakeholders from upper management down to your application Engineers out there all right and they're going to tell you

you know what is there important a lot of times this breaks down into the cost based analysis of it so you have your risk-based analysis you have all those nice formulas for risk for those who have taken those uh risk classes out there so you know the cost of that that times likelihood of occurrence all those kind of different formulas you've heard of those some of you are nody some of are yawning but that's basically how that goes so it is that it's a framework designed to elevate to management to understand the threat modeling uh where they can understand how like the cost of replacement or the cost of what happens reputationally if we have a

breach okay it helps build that understanding understanding of that because the previous techniques really kind of only focus on the technical thing this is where it focuses on a lot of things of what is you know what is this going to cost us in the long run the way I look at it so you do the vulnerability checks the weakness analysis your attack modeling and uh you go through all that and it's expressed through whatever you want to scope so one of the common mistakes you do in threat modeling is you ignore assets so how many of you heard of when I think one of the MGM casinos got hacked okay they had pretty good stuff

there they had pretty good security didn't they how'd they get hacked fish tank automatic fish feeder in their fish tanks somebody connected iot device connected their Network they pivoted through that and exploited them through that way yeah the fish

tank that's the worst dad joke I've ever heard and I've told that story many times and you're the first one to give me that fishing joke a man I can't believe I missed that one that's awesome all right so yeah you forget something out there and whatever you forget that's what some somebody is going to find okay uh not considering the tax service considering something insignificant you know like that uh 18-year-old firewall that's hasn't been patched since 2004 you know hey we we're still running you know windows nt4 on our servers they're fine you know oh come on how who doesn't have an nt4 server in their environment still going I so yeah I mean you got that out there

uh also failing prioritize threats uh you know that's going to be real hard to fix and suspensive let's make that lower priority so if you don't really make that kind of stuff happen that's where you're going to see stuff where it's going to be like maybe that was more important and that's where somebody always gets in trouble why didn't you make that more important I don't know maybe also overlooking that human factor you know mild that old the old lady who works you know there forever you know and she she walks around talks to everybody makes sure everybody has the coffee complains about the weather and the corns in her feet you know we've all had some of those in

our our life one time or another she still types like this a lot of times these new fangle computers I just love downloading well my mom was kind of like a mild you know she's been dead six years I still have her computer I would go over and look at this thing it had so many games of solitire on there she would download from the internet they're free and I would just put a sniffer on there and I would watch all this stuff I'm like how is this you know and then like I opened up a browser and there's like eight of those free toolbars and then this popup started flashing at you you know I'm like holy cud I kept that

computer for posterity in my garage one day I'm in a front Al analyze it for just the grins of it you know ancient malware I maybe I'll just give it to Darren over there yeah but I mean h you know that's going to happen and then I always see the guys over where I work at they're always on their phones playing games might be me sometimes but uh I at least look at the game you know I was like but yeah so what you got to do is you got to make those threats and kind of Overlook that human factor especially you have a BYOD environment uh then you got to sometimes you got to

stop focusing on the Technical Solutions all right some of these Technical Solutions out there are probably not what it takes sometimes it just creates creating that environment of security is really more important out there to get it done okay so involving the people Factor getting that buy in from everybody for all that stuff all right and so remember we have the correct questions we have to ask dur in throughout modeling where's my crap and what where is it and what's it labeled all right what are my potential threats what's the likelihood of this threat actually happening all right and what's the impact that's important impact what would happen if it did get popped okay then you look at your entry

points and your your weak spots I only got about five minutes left all right and all that so you got to look at where where they going to come in my Ingress points got to consider all different tax scenarios so you who brought in the fish tank feeder into our environment what about our vendors Target breach do you think they consider their air conditioner vendor who remotely control their systems SK it wasn't even a skada attack they at it through a different mechanism but yeah I I I worked it with I yeah this one of the things I did when I was at Microsoft I worked with Target on that one and uh then you got to

like understand your mitigations your prioritization Effectiveness okay so are my mitigations my countermeasures are they going to be effective enough to to reduce that threat or to control it all right is enough enough am I going to spend a million dollars to protect a $10 asset no no all right you know am I going to buy that $3 million firewall solution to protect you know the stuff you know yeah yeah build something with pfSense or something so yeah um and then you have to look at your implementation and your maintenance patching all that stuff that also comes to play with threat M am I patching quick enough OD days come out how soon should I patch

you know do I have to wait a full month for the testing cycle or something prioritized where it needs to be expedited and then you can have uh multi-level threat modeling where you have you can go out there it's different from multi-level marketing we'll talk about that stuff later about not kidy Tupperware or something or Mary K I don't know uh multi you know you connect at various levels of abstract you can like break it down because sometimes I got to threat model everything that is way too overwhelming and break it down threat model one aspect of a Time break down your networks break down uh your systems all right break down your applications break

down your compliance stuff you know we have a threat model where I work where we only focus on items that are for compliance and regulation for that throughout modeling for that type of review so we break it down for that because it meets fin RS and a lot of other RS like that all right and then uh you have to have I you have to be able to create a highlevel modeling uh that has that detailed analysis but you have to also create that summarization of where those vulnerabilities are that you can present to anyone who might be interested as a player for that and then from that you get that comprehensive view of your

security posture and that'll either keep you up at night or help you rest easy at night knowing what you're vulnerable for you know I know what I'm vulnerable at I've done what I can I can sleep at night all right so you have different threat here's something you can take photos of but you have your threat mitigation cataloges um nist sp800 your cyber security framework has a great section on there where it talks about you know security and privacy controls out there you have ISO 2701 I have yet to ever find anyone who's actually read that I'm not going to spend 498 Swiss Franks to buy a copy of that but I everyone always quotes it don't

they huh how many how many of you always heard somebody quote Isa 2701 yeah ask them if they actually read it I I just refer to it because I know it's there all right but another great resource you can use is Ana and they have the threat landscape report and the 2023 one is out you go to europa.eu and they they're basically the eu's version of nist out there and they have some really good stuff out there so if you're looking to get into threat modeling or you want to adopt it and you want to see how it is um you're on a budget or nobody wants to sponsor you uh nist 800.1 154 yes I have

read this all right and it has the guidelines for threat modeling out there okay so this is a great place to go out there and start and then we have our common mitigations you know Access Control uh authentication authorization data encryption firewalls IDs training uh instance suron planning business continuity patching uh vulnerability assessments and uh Disaster Recovery with that I open up the floor to questions maybe you'll get answers huh oh well I didn't want to mention dread because I haven't seen anybody really use dread in a long time uh but it is uh I do have it in my blog if you ever find any of my blogs I do mention dread in that you

say mod no actually I it goes the other way C controls uhhuh that yeah because if you don't know what your threats are how can you create a risk so threat modeling becomes before you do your risk assessment because that feeds into say okay here are my vulnerabilities and what my threats are to those vulnerabilities from that you can determine what your risk level is and what kind of countermeasures to reduce that risk uh structure on that I would go the opposite you know on that but if you already have predetermined risk assessments they can be they're very complimentary in that aspect so then your threat model

really exactly

correct yeah so a lot of times when you're doing risk analysis you have your just a general concept of this here you're actually looking at am I actually vulnerable to this so is there actually risk there you know am I still running W I go I have all these risks for running Windows 200000 systems but I don't run any Windows 2000 systems there's no risk there but you have maybe have risk policy and risk you know stuff on that so you would look to see you know since you eliminated that as a threat would you really need that have a risk on that for that so what we do where I work is we use a threat model to

determine if there's a vulnerability or if there's a policy violation and there implementation from that we then have them open a risk based on that and then it goes to risk and they determine uh what the severity is of that risk and uh they give them the timeline for possible mitigations for that vulnerability or for that violation uh our risk team our risk and their uh business information security officers associated with them they're more right so yeah so I work in financial institution and we have our own risk agen we have our own risk organization that comes into play and they focus on that only thir uh no they are internal yeah like I said I work for

a very large Bank all right yeah I philosoph

question I believe that is the case CU we identify a lot of our threats that way they come across as spoofing and repudiation because if they're faking who they're coming from uh you also have that deniability of it was me so if I said you know I'm up here and I say you know I am uh I'm Brad Pit all right and I want you to come see my new movies coming out on Apple TV or whatever you know you can obviously tell I don't look anything like Brad Pit but I said I am so I have no repudiation there you know and I am spoofing it so you know you can deep fake me doing it

you can put deep fake of me doing Brad Pit I could look the part and that' still be spoofing it but there would be no repudiation on that still all right anybody else I got to stop I've been told to stop thank [Applause] you an they all places at UC are open