I use my Anxiety to PWN Companies, and you can too!

all right everyone so we're going to start I will say this is a little bit weird uh not being able to hear how loud I am so if you want me to be louder you can tell me to go louder okay awesome so today I want to talk about how I can use my anxiety disorder and how you guys can use Whatever anxiety you have in your lives to better improve your penetration testing abilities and basically get crits uh on pen tests and Bug bounties if uh my computer wants to listen to me okay so although we are going to be focusing on informal threat modeling I want to review what formal threat modeling looks like so that we

can have a basis to to to know where we're coming from and then we're going to look at case studies to see how we can actually leverage informal threat modeling to actively benefit benefit penetration tests and then review some high level guidance so a quick about me um I am an offensive security consultant at Bishop Fox uh basically I do pent tests specifically on web applications um my passion is in threat modeling and architecture security assessments my past experience is in GRC and inent response so blue team staff um and in high school I was focused mainly on quantum physics and radio astronomy um I am currently a sitting member of the oasp asbs working group so that's the

application security verification standard oasp is a vendor uh sponsor this year say hi to them they're awesome it's the open I think they changed their name from open web app to open worldwide um application security project they're an open- source project highly recommend they're awesome um and I am based in New Jersey which means I have to pay $5 to leave the state and come over here um my favorite bridge is the Ben Franklin um I will slander the Walt women Bridge although I do have to take it to get to the airport and my superpower though I've been getting better about it is worrying um it it might be like cultural it might be genetic um both my parents

have anxiety uh but that makes me particularly skilled at identifying threats so to start with formal threat modeling uh we're going to look at the four questions framework this was developed by Adam Shak um during his time at Microsoft and he is also one of the leading authors of the threat modeling Manifesto another project released by oasp and these four questions kind of talk about the formal threat modeling process so we start off with what are we working on which we want to establish the scope and have us understand what it is that we're actually looking at so we do this by creating a data flow diagram this is just a diagram that shows all of the

components in a web application or depending on what your target is it might be a piece of Hardware or whatever and you're G to see how data flows through each of those components and importantly you're going to draw the trust zones and the trust boundaries within those the trust zones is an area where you have one level of trust um that's going to be an internal Network for example and the trust boundary is where you are shifting from trust zones right so if you're going from the public internet to uh a web server there's a trust boundary there and when you're doing traditional threat modeling your threats are really going to be focused in that trust Zone where I'm going from

one trust Zone to the other at that trust boundary that's where my threats are going to be my next step is what can go wrong and this is my favorite part where we enumerate all the threats against the application or at each trust boundary now traditionally we use the stride framework to be able to identify these threats uh where stride is an acronym for spoofing t tampering repudiation information disclosure denial of service and elevation of privilege however there are other Frameworks for identifying these threats uh there's lynen which is privacy oriented um there are other Frameworks but stride is the most popular and was also developed at Microsoft in the 9s um by Shack Brook shonfeld um so that's

that's the most popular one that you'll hear associated with with formal threat modeling our next step is what are we going to do about it basically how do we fix it this is our threat how do we prevent it from happening so here it's for each threat we're going to identify the mitigations what are the controls that we put in place to prevent this threat from happening and finally did we do a good enough job so this step is kind of weird um and may not make sense initially but when we consider in today's agile environment that we're constantly developing an application we want to make sure that our work the first time is good and useful enough

such that we will do it again during the next rotation because the threat model should never be a formal threat model should never be one time you want to be maintaining it as you're developing the application because if you only do it at the start it's not going to grow with you and you're not going to address any threats that may uh start to come up as you're adding functionality to your application or to your system now as I mentioned I work for a consulting company so when I do threat modeling our four steps become seven and that's because we're coming from outside we don't have the same knowledge as the developers themselves who would

traditionally be the ones participating in a threat model which we also call whiteboard hacking because usually you know everyone sits in a room and they're talking about the system on the whiteboard we don't have that knowledge we are not the developers of the application we are not the engineers we are not the stakeholders and so we come in and we spend a lot of time interviewing the developers talking to them understanding what are the business's concerns what you know are their trophy targets what are the attacks and threats that they are concerned about or have already faced um and so this takes a little bit more time in the what are we working on side

so now that we have a decent understanding of what formal threat modeling looks like uh we can talk about informal threat modeling now whether or not we realize it most of us threat model every day we may not consciously know that we're doing it or we may not know there's a name for it um seasoned penetration testers and other offensive security folks will threat Model A Target whether consciously or unconsciously at the beginning of an assessment and I want to show you how to consciously make it part of your practice um as someone who is perpetually anxious I threat model all sorts of situations in my life but without placing reasonable limitations these situations can

snowball very quickly and so really informal threat modeling is based based on a single question what could go wrong but if you ask just what can go wrong you will be listing I will be listing situations forever so we have an asterisk because the question comes with this caveat what could go wrong that I or someone else like a client actually cares about so in short context is everything with without context we can end up with an infinite list of all of the ways something can go wrong a lot of which aren't really a huge deal in a formal threat model we explore a lot of the possible threats but we really only Deep dive and propose mitigations for

the credible and top threats so what does it mean for something to be credible it's feasible for the situation and that's going to change from Scenario to scenario because feasibility is really linked to effort and expertise required when we're talking about threats being exploited right and so if I'm Etsy let's say I assume most people are familiar with online craft marketplace really awesome or they most of my holiday gifts from there um if I'm Etsy I'm not super worried about um you know nation state actors right like yeah I have credit card information but like not really much other sensitive information right but if I'm a platform like solar winds that offers services to government

organizations I should be concerned about threat actors and within formal threat modeling this is actually something we can we can take into account because when we're doing risk severity calculations we actually assess what are the threat actors that we're concerned about what is their level of expertise what is their level of access and we also look at what is the impact so not only impact to your CIA Triad to you know confidentiality Integrity integrity and accessibility but also to the business what is the impact to the reputation of the business what is a financial impact for if they need to stop operations so these top incredible threats are typically determined by the client's primary concern or you know if

you're a pentester you might talk about a trophy Target um so for example if I'm working on a medical application I know it probably has Phi uh you know the person personal health information which is protected by hipop uh so I want to figure out all the ways that I can get Phi that might be through SQL injection that might be through you know escalating my account privileges to that of a doctor right what I'm focusing on is dependent on the application of what it is that it's protecting and any finding has to be taken within the context of that client situation because those use cases can differ for example I was recently doing a pen test on a web application that was

using a really weak algorithm to generate this like pseudo random string that it was using to title documents that were externally available and had like Risk assessments for a bunch of companies and so we found the documents and we're like oh this is really weak we can break it and we generated a list of like here's a bunch of other documents that using the algorithm that you used exist and we showed them hey we got all of this and they're like okay cool but like we don't really care um and it was true they didn't really care like they used that algorithm because they could and there was really no reason for it to be a pseudo random string um and so so

what we could otherwise report as like weak cryptographic algorithm didn't really matter to this client so for the rest of the talk I want to discuss specific case studies um specifically how we can level up pentest skills using threat modeling to prioritize your test cases know which rabbit holes are actually worth diving into um identifying pivot or escalation points and understanding the true impact of a finding depending how we are with time I also want to discuss a case study where we can use threat modeling to identify effective controls so our first case study who here with a show of hands thinks that it's a problem if I can figure out if a given person is

registered on a website okay so about half in my own methodology for pen testing and that of my organization one of the things we test for is user enumeration basically can I tell if a given user is you know if a given email or given person is a user of this website and typically this is something that is pretty low priority on our list it's also really easy to test for usually um the first place to go is like reset password functionality like I forgot my password and usually it'll there will be a difference in what it tells you it'll be like oh hey we sent you an email or like you don't have an account here um sometimes the the

difference will maybe be time based and how long it tell it sends you an error anyway this is typically low priority right everyone has a Gmail account it's not sensitive if I have a Gmail account but what if it's a different website that's more sensitive if I have an account let's say and I don't on Ashley Madison what does that say about me that I have an account on this website now if someone can figure out that I Shen need PRI right because with user enumeration we're not necessarily dumping the database of all the users we are saying can I find out if an individual person has an account on this site if you can say I Shen PRI have an

account on Ashley Madison that could be an issue you can blackmail me and that becomes a security problem right because hey if you don't do this thing if you don't give me creds at your company if you don't you know open a shelf for me somewhere I will tell your spouse I will tell your employer about this now this can even get into legal issues because in some states you know when I have to make an appointment with my doctor I can log in and make an appointment for my OBGYN let's say I have an online account with a provider that is known for providing uh abortion Services if I'm in Texas maybe the fact that I even have an

account on that site could be used against me in the court of law now I don't know this to don't take this for me as legal advice but obviously there are cases where something that is typically a low priority test case automatically becomes one of the top concerns in my list so we can see that this test case that usually isn't a cause for concern is now going to be a big deal my next case study is when we have a really big application or something with some really deep functionality and we want to know which rabbit holes are worth exploring because during a test you'll jump down some rabbit rabbit holes and I frequently after about 3

hours down a rabbit hole I start to ask myself okay like am I just wasting time at this point or like do I dig a little bit deeper to to find to find something or like am I just should I cut my losses and here this is where you can really use this to figure out like where can I spend my rabbit whole time so in this case I was looking at uh an endpoint detection and response tool that has like host that has endpoints like agents on hosts but like everything in the cloud to manage it um you can talk directly to the hosts you can investigate alerts and keep notes on it and you can also look at historical data

so like a ton of functionality that's really interesting like maybe see if I can do something on my endpoints that have agents on it so now I have to think about what are the underlying inform infastructure right because every application is not just some code hanging out right there's stuff that actually supports it there's a web server it's storing data there's a database um think about what other infrastructure may exist behind that so here I have my agent that I can get live data I have a server running this Cloud app and I have a database that is storing the historical data because it doesn't want to query the hosts every time you're pulling historical data and

so in this case I said well there's a database to store the data and I can like directly send it queries I wonder if I can get not just historical data because databases have schema and I wonder if that schema can tell me stuff about other tenants of this Cloud because we know that SQL databases have have an information schema table that is by default and look at that we can see the other customers and so this is something that you wouldn't necessarily think to do if you're not thinking about the infrastructure right and so you want to see you you want to take a second to step aside and once you're in that rabbit hole where you are

you know looking for SQL injection or looking for cross-site scripting or code injection you want to know is this worth it like am I attacking something that is there and the way that you can get this information is through the stuff that we normally don't put a lot of weight into right Banner information disclosure error messages love a good error message like a a stack Trace perfect because if I get if I know that like hey I'm using a serialization library perfect the more information about what's going on in the background the better our third case knowing when to Pivot or when to escalate this is going to happen where you may have a lot wider of a

scope uh or you may need to ask about extending your scope uh in the case of of web applications um and here I want to talk about some internal tooling um Believe It or Not companies sometimes do care about the security of their internal tooling um I like it when do um but usually the internal tooling does not have as many security controls as otherwise because they're viewing their employees as more trusted than an external user and when everyone is a trusted actor there's going to be fewer protections and so that's already an awesome place to begin with the next thing I want you to ask is where might these resources be shared because companies want want to be

resourceful and the fewer new Services we need to spin up the better can the credentials or tokens that are used for my internal tool are they used somewhere else if my internal tool is generating tokens to access a database are those tokens used for another database maybe they might be we also want to consider uh privilege escalation because scope creep privilege creep is going to happen a user's there for 10 years an employee is there for 10 years their positions change and people are really bad at controlling privileges making sure you have leas privilege but also if you get new privileges that whatever old privileges you have that are no longer necessary have been removed and of course Legacy systems are

your friend while a lot of companies may make sure that they their external facing systems are up toate are patched internal is not as much of a concern it's not as a high priority and our last is looking at uh calculating the severity and this is one of the case studies that I actually find most interesting as you can tell I have feelings about nfts um I have this bumper sticker on my car and I have gotten beeps a few times I've started giving them the finger because I was like why are they honking at me and then I remembered that I I had but I'm also a Jersey driver so like take that as you will um here I was looking at a

series of Integrations that you can build into your SSO platform that basically you have a user logs in through your SSO platform and automatically takes that login information and that token and sends it to some third party that you've sent set up with and in this case it was an nft platform that keeps track of the nfts that you misguidedly purchased and it returns a list these are the nfts that you own and they had two Integrations the first was just return a list and like present it on your profile the second was limit who can access the application based on nft ownership and so both of them are pulling the same information from the

third party API they're both sending your user ID number your email to this third party and just saying send me back a list of the nfts they own sending the same information getting the same information back and I'm able in theory to ask add a new nft to the list that's returning as the authenticating user how bad is that well it matters in the first case where I'm just LIF listing the nfts on my profile it's not that big of a deal right like okay maybe I get more or in my mind less clout for owning another nft but in the second case where that's being used for access control that very same finding is now a critical right like I

can bypass functionality and so in this case we want to say like at the start is what is the worst thing that can happen right um quickly gonna I have like five minutes awesome perfect so now I can go to the last uh use Cas the last case study because this is one that I used in my personal life um I recently bought a home but prior to that I was living in an apartment and uh I had to set up an alarm system and uh you know my parents has house had one of those like hardwired ADT systems from like the '90s uh but we have you know ones now that you can set

up yourself and so I had to decide how am I going to go about protecting myself and my house and so I had to first ask what am I protecting right here I actually started with what like what are we looking at I had to make an attack map and say okay I live in a second floor apartment and so I have doors that I want to be aware of but I also have Windows but I'm on the second floor on one side of my apartment there is a Tall Tree I could Pro I couldn't but someone more athletic and you know with with greater agility than I could could climb and get into my bedroom window

Meanwhile my kitchen has a second floor window but there's nothing there like there's there's nothing to climb on and it faces the other apartments and so folks would notice if there's suddenly a ladder let say to my kitchen and so with this case I can say okay I know what are the entry points I need to protect but also what am I worried about going wrong am I worried about my things being stolen while I'm away yes but also I work from home am I worried about someone breaking in at night I at the time was a woman living alone for the few women in the crowd that is terrifying especially at night I may

have called the police once when a really in reality my bathroom toothpaste holder fell and clattered I thought someone was breaking in that was a really embarrassing 3:00 a.m. call anyway um you know at that point that's where I can set my policies if a door is opened at 3:00 in the morning that's not me right and if someone's breaking into my house in the middle of the night they're not there for my items they are there for me that's going to immediately call the police whereas if I'm not home and someone breaks in or there's movement detected I'd like to get a call first take a look at what's going on and then I'll call the

police myself I also had to consider who am I actually worried about breaking in I fortunately am not a target of uh professionals I do not make nearly enough money for that to be the case uh and I am not nearly well known enough for anyone to put significant resources into attacking my person um if I were I'd probably want to replace my locks um not have like a quick set lock that that the apartment provided um but that I can by saying what are the threats I'm actually concerned about I can prevent from going off the deep end and putting up steel walls because I know that that's not going to be as likely for me

as it is for you know someone who makes 10 times my net worth uh and you know is is much more famous let's say so if you take anything away from this talk other than the fact that I am usually an anxious Mass take these tips remember your scope map your attx surface and make sure you know what's in there at the same time don't worry about the threats outside of that scope at least not unless you have gotten permission to start worrying about those threats then ask what do I care about what do I or my client care about is it a trophy Target is it a hunch that I say hm I think they

may have this data or this may be shared with something else this is going to change on a caseby casee basis this is not going to be standard even where you're talking to the same API the use case may be different and finally what can go wrong how can I achieve my end goal if I want to exfiltrate Phi what are the ways I can do it there are going to be tons like I said if there's a database that's being stored I can get SQL injection but also if if a doctor can input that Phi I can probably read it too priv ask to a doctor there's going to be several ways that you can do

that think about what it is that you want to achieve and so with these steps plus add the context to guide us we don't just want to ask what can go wrong we want to ask what can go wrong that is realistic and important otherwise we're just going to start listing every horrible or not so horrible thing that could happen that might just be me uh but I hope it's also some of you if you have any questions uh feel free to come up to me afterwards um I'm happy to answer like I said uh most of the time I do threat modeling formally but I always make sure to do an informal threat model

at the beginning of a pent test and I found it really helpful uh you may already do this unconsciously so hopefully by making it a conscious effort you can just step up your game a little bit uh and thank you to you guys and to the awesome volunteers and organizers of the con and I hope you enjoy the rest of your [Applause]

event