
[Introducer:] ...sector company. You've all heard of it, but I'm not allowed to say what it is. He's got multiple master's degrees and years of experience doing this, so we're fortunate to have him. I want to say thanks to Brennon for being here today, and thanks to our sponsors. We give you the floor.

Thank you. So, thanks everybody for coming out. I hope I make this entertaining; most of you look bored already. Come on. Who had the turkey at lunch? Is that what it is? Are you feeling sleepy? Did you have a couple of beers too? Yeah. All right, so I'm going to talk to you about threat modeling. A little bit about me: I have been known to be a network security guy. I have been doing this since 1997, so [inaudible] years; I'm not great at math. I'm also an adjunct professor. So I'm going to talk to you guys about adding threat modeling into your reviews.

All right, how many of you have threat modeled before? All right. What are you incorporating it in? Are you guys developers? [Audience: developing.] All right, what else can you threat model? Systems? All right, systems, networks. Yeah, that's where I started with it. All right. So, have you ever taken a hard look at yourself? Think about it. This is exactly what threat modeling is: you're going to take that introspective look at whatever you're objectifying to threat model. All right, this is where you're going to say, I'm going to be critical and I'm going to see what doesn't need to be [inaudible], what should not be out there. Okay, it's a structured approach where we identify and prioritize security threats out there. Okay, what does that mean? So we're going to just sit there and identify what could go wrong. What's our worst-case scenario? Where is something going to go boom in the middle of the night? And I'm thankful I don't have to do on-call anymore, because there's no such thing as an architecture emergency, but a lot of you, I've had to do on-call for decades, so I know what it is. But this allows us to take those proactive measures that we use for assessing our own system security. Okay, we're going to take a hard look at that and we're going to identify those vulnerabilities. So earlier you may have been at Phillip Wylie's or some of these others where we were talking about threat hunting and all that; well, we're going to take a look at how those might be able to be exploited and what compensating controls and mitigations we can apply to make these have less of a risk exposure out there. What can we do to reduce our exposure? Okay.

So I don't represent any vendor, so I'm not going to give you anything like that; we're just going to go over what it takes to do this. So what's the first thing we have to do when we do an assessment, or we do this? We have to identify all of our assets. What do we have? Okay, what is out there? How many of you know every one of the devices in your own house? All right, you have to list everything. How many of you, like recently, they were talking about advice about all the storms that came through, and all the insurance people, people who got hit by tornadoes, they're like, what have I had? Because you know what, you can threat model anything. Anything can really be threat modeled. I even read a case study of somebody threat modeling a courtesy pool bar at [inaudible] one year at a pool party, you know. So how many of you have pictures of all of your stuff, your house, in case you need to make an insurance claim? One person, two people, three. All right, you have all the serial numbers, all that kind of stuff? Very good, you're better than me. I know I need to do this crap. I just moved here, okay, and the movers have all of my stuff right now, and so I documented everything before I handed it over. So that's the only time. Not my wife; I'm just OCD. You're OCD? Okay, all right, so we got that going for us.

But if we're looking at our businesses, our systems and networks, there are so many times when I've been around a business or company... I used to work for a different financial organization that does a lot of transactions that we all use, and it's a managed service kind of provider for a lot of financial institutions. One day I got a call that says, hey, could you go look at this Juniper box. I'm like, where's it at? I don't have it in my inventory list. Oh well, it's at this data center. Like, okay, I thought I'm showing that data center is decommissioned. On paper it has been, but we're still using it. I'm like, yikes. So, systems, networks: we need to understand and have a good inventory of that. We need to have the applications and services that are running on these things. The data: how many of you consider data an asset? Exactly, thank you. A lot of people who are starting out don't really understand it. They think they're protecting the network, the servers. The only thing of value out there is really your data; all the rest of that can be replaced, but your data, that's what we're all here to protect. All right. Personnel and users: do you have a list of all your current assets, you know, the assets, [inaudible] an asset: your people, where they're at, or contact info, a good directory of people. Infrastructure, facilities: your building locations, whether there are addresses available in case something happens. These are all things you need to understand.

So our basics are: we need to identify those assets. That's why I start out by stressing that. The next step is you determine your potential threats: what is my exposure, what can happen when I am exposed? All right. Then comes the risk kind of stuff. You evaluate the likelihood of it happening; you have all those risk management numbers that we can go through, and the impact of it. So it's usually these matrices; there are different ways to determine risk, we're not going to get into that. And then, I like this, the prioritization of threats: which one's the most important, to which one is least likely to happen. Like, in 2029 there's supposed to be an asteroid that comes within 18,000 miles of Earth, and it could hit us, and if it comes through a certain window, according to Neil deGrasse Tyson, it could then hit us on the next rotation around; it would definitely hit us in 2036. Well, what's the likelihood of that really happening? It's a one in 300 million shot of it hitting that one precise point in orbit where it's going to alter its orbit to hit us. So, likelihood of that happening: I'm not going to lose any sleep over that. All right. And then the last part is the fun part: we develop those mitigations, those compensating controls.

All right, so what we have is an attack vector out there. This is the path or method, as you've all heard most of these pentesting guys talk about, that they're going to use to attack us. All right: phishing, malware, network-based attacks. Those guys talking about how they use Nessus or Qualys or something to check us out, or even Nmap for these things; they have all those things. Our attack surface is the total vulnerabilities in the system. Your system could be anything from a targeted point; okay, like what I like to do is, I get everyone who's doing this for their permit to operate, we have to do their applications and stuff, and we have them look at that as a system, we threat model it that way, and we kind of get them to have that perspective, which is great, to give them perspective on how to shift left, which is that old marketing term we hear now, right? The vendors calling you: we're going to help you shift left. Yeah, right. All right, so we're going to help identify the weak spots for the attacker. Now you have the attack tree, which is the graphic representation of the attacker paths, and then they can have those different models and scenarios that prioritize mitigations based on that, and set up those funny little tree graphs and models that you can present up to your CSO so he can present that to the board, a civil executive summary. Those are all the fun little reports that I end up having to help with. Then you talk about the attack lifecycle; we've already talked about that: the stages, reconnaissance, exploitation and post-exploitation, in a nutshell. You were in Phillip Wylie's one, right? You saw that. So some of y'all were there; he talked about that, I don't need to rehash all that. And then we talked about those who develop targeted mitigations. So what can we do specifically out there? That's where your dev guys come in: how are they going to fix it? All right, you're going to risk it and fix it, right? Risk it and fix it. So that's how we get through that.

Now, when you're doing threat modeling, there are three philosophies you can take. The first one is the defender. Okay, these are STRIDE, DESIST, and MITRE D3FEND. So how many of you have got on MITRE's website, heard of MITRE? Yeah. MITRE's got a great thing out they call MITRE D3FEND; it has a great matrix out there. We have the STRIDE model, we have the DESIST model. And then, from an attacker perspective: how would I attack this? In the mindset, like I like to describe this, the mindset of a pentester or an evildoer who's trying to get in your stuff. Okay. And then we have the risk-based one, which is, you know, the counters who want to do this stuff, the bean counters. All right, and that one's known as PASTA for some reason. Okay, it's the Process for Attack Simulation and Threat Analysis. All right, so let's break down a couple of these. Hey, get over there.

All right, so STRIDE: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. That sounds like pretty much all-encompassing of what could go wrong. All right, we know spoofing is somebody pretending to be somebody else, right? So I can be somebody pretending; maybe I can say I'm [inaudible], how many of you would know the difference, right? So [inaudible] kill me on the flight back. So, somebody pretending to be somebody else. Tampering: this is where, we all figure, somebody is out there trying to change your stuff around and mess with our configurations, open it up, install those RATs and backdoors and all that kind of stuff, so something bad can get in. The next one's repudiation. How many of y'all know what repudiation means? That's always one. All right, so a couple of us. So it means that there's no deniability, there's no plausible deniability: it's you, we know it's you, we got you. All right, it's definitely there. Information disclosure, well, that's the worst one, where the stuff gets out. All right, your information's out, it's bad. Denial of service means you lose that availability, which is one of the three parts of the CIA triad, right? You don't want to lose that availability. And elevation of privilege, well, that's game over. So that means they have got root. Now DESIST is pretty much the same thing, except they add that dispute part of it in there. So we have the same thing as STRIDE, but dispute is the concept of, it's not really who you think it is, and it causes that fuzz out there. So it was a thing by my old boss Gunnar Peterson; he helped develop this when he was at Carnegie Mellon. So they developed this; if you want to read about it, they have it in this one, but it's the lesser used of any of the threat modeling parts other than PASTA. Click.

All right, now MITRE D3FEND is a great tool. So if you ever get a chance to go out there and you create your threat model framework, you can use a lot of these components out there from MITRE. So it's harden, detect, isolate, deceive, evict and restore, and they break down all of their threats in this long matrix. If you want to do mobile, you can click on the mobile column; if you want to do containers, or they've even come up with some different ones for the IoT stuff now. So we have that one out there. And so MITRE CAPEC and MITRE ATT&CK are my two favorite ones, and those, if you're ever trying to do some kind of rapid threat assessment, or any kind where you're focusing and looking to show an attacker perspective, these show the attack vectors out there. And I would say I would use MITRE CAPEC as the front end to help show what the attack vectors are and how they can be mitigated, and kind of incorporate MITRE D3FEND in my threat model when I'm looking at different things. So for you doing your systems, these are great resources for you to learn and utilize. Now MITRE ATT&CK is also very good; it's a very in-depth knowledge base out there, so it helps you with, like, adversarial techniques. I think they came up with, didn't they just come up with ATLAS on this one too? How many of you have heard of ATLAS, where that helps show you how to attack AI? All right, so I think it's called ATLAS, I think that's right. Yeah, so they were announcing that at RSA last month, so they talked about how that's going to come up, where it's going to incorporate AI into your attack vectors for MITRE ATT&CK.

All right, now the Delphi technique. How many of you have ever heard of this when you were in school? You know, let's all gather around the conference table, order some pizzas. We did this at Microsoft a lot. So we would sit around and, like, this would be like our bug bash or something. How can we do this? How can we break this? How can we attack this, in security? And we would sit around and we would start with the dumbest ideas, like throw a hammer on it, to maybe some like, well, let's see if SQL injection would work, you know, and we would talk about different things. And it's where you share ideas and perspectives. Now it's really important, when you're doing a more [inaudible] thing, you want to incorporate more users in there, but you want to incorporate different perspectives. From, I would say, get management in there, upper management who has perspective from the board. If you're in a corporation you can look at getting HR, a couple of users, and just get a little sampling of different people from your company, get those varying perspectives to see what they can do. You'll get somebody here like, I have no idea what I'm doing here, but it's kind of funny: after a while, with that perspective, they start listening, they had something, and everybody in the room with the engineer mindset was like, where did that come from? And that's an excellent thing; nobody thought about doing something like that. We've had so many of these ideas where that has come through. I'd recommend you have that diversity out there of those perspectives from different areas within your company. All right. And then again, you're sitting there: okay, which one's more important to you? Like, the unit managers of the application or the products, they might be saying, well, we can't afford to have this down. You're thinking, yeah, we can patch it and reboot it once a day or something if necessary, or now they can say we can't have, zero downtime, because of the business loss. You get all these kinds of things going out there with that.

And here comes, finally, we're going to talk a little bit about PASTA, and this is the Process for Attack Simulation and Threat Analysis. Again, it's risk-based and it's a framework, and it's kind of more at a strategic level rather than a technical level. This is where they are sitting there discussing more about what is a reputational risk if something happens. Do you remember the Target breach? All right. What happened with Target right after that? Nobody wanted to use cards in Target anymore. All right, reputation. Everybody who went to Target after that, they were paying cash. Home Depot was like that too; everybody wanted to pay cash. All right, now that was reputational risk. How many of you consider reputational risk in a breach or in a threat? Okay, I'm not teaching y'all anything, am I? But there are some out there, yeah. So you have to consider that reputational. What other risks do you consider? I want to hear different perspectives; this is a group, I like Socratic learning. [Audience: reputation.] Your box as well, okay. What else? What else can y'all think of, risk perspective? Strategic risk, financial risk, operational risk, those are all. We also looked at regulatory; say that, like in healthcare [inaudible], it's exploited, consequences that are very long-term, and regulatory. How many of you consider regulators a threat? [inaudible] NYDFS: if I have somebody come in and say my largest financial institution can no longer operate in the state of New York, that includes the New York Stock Exchange, uh-oh. So yeah, these are things we have to take into consideration. Okay, so we've got to use that framework to consider all these different risks of where it could [inaudible]. So it sounds like you guys are starting to use PASTA. Have you actually adopted PASTA? Not knowingly, right? But now you're thinking, yeah, we should read up on it and actually use some of their techniques, which would be good to do. It's a great new perspective; I want you to be out there and be open to new perspectives.

All right, so common mistakes when you're doing threat modeling. Phillip Wylie gave a perfect example earlier in, well, that's not in scope. How many of you have heard that term, that's not in scope? All right. What's the healthcare agency that just got hit? Huh? Is that the one with Citrix? Change, Change maybe, I don't remember. One of my students works there and he was working it, and he was telling me that their Citrix system that they use to manage everything was considered to be out of scope for everything, and that was the only thing that did not require you to use multifactor authentication. And guess what? It got popped, and they went through everything and took them out. All right, so that's that out-of-scope thing, so ignoring those assets is bad. All right. Not considering the [inaudible] service. I worked for Microsoft for a long time. When Bing got attacked, I called some of my friends, my old colleagues. When LAPSUS$ attacked them, what happened was that they paid a contractor who was being let go, two weeks, the contract was up. They gave the guy $10,000, and he's like, hey, we connect in using Microsoft Teams, your credentials, on your multifactor just say yes. Boom, and they were in there, and they grabbed [inaudible] code of Bing. Okay, they were able to connect in, go to the repository, grab the debug test code and download all that to use for their analysis. Is that fun or not? I mean, that's a threat that nobody considered would happen. Oh well, he signed his NDA. You know, these are things that are threats. So that's an attack surface, right? People. Insider threat, wow; people have been preaching that since I've been at these conferences, so I'm going to get off that horse. Failing to prioritize those threats: how many of you have had some engineer going, no no no, that's too hard to do right now, we're going to look at something else? All right, we want you to go for the low-hanging fruit, and that way we can show that we've made a lot of progress, we made our patches. But these things that don't even have a firewall in front of them, that are exposed directly on the internet, that are legacy: we can ignore those, nothing's happened to them yet. Those are the things out there. The human factors, we're overlooking that; we already mentioned that. And then focusing too much on those technical solutions. How many of you have those people who think you can just buy a technical solution? We'll put another firewall in front of it. We got a proxy server. All right, we're using CrowdStrike out there, or it was Cloudflare, or we have a CDN; these are the things out there. We're using Fortinet, we're using Check Point, we're using [inaudible], we should be good. Are all your rule sets just from anywhere to this, on port 80 and 443, all open still? Yeah. Do you have any of the application-layer stuff? No. All right, so stop focusing on the technical solution; let's actually look at what we can do to get those fixed out there.

And it's an art to ask the correct questions, is it not? Have you ever had this, people, it's like, [inaudible], with ChatGPT, if you can ask it the right way; you saw the last presentation: it's how you ask the question, it's an art. So it's like whenever you talk to a regulator; when you talk to a regulator, it's just like, yes, no, or you go to court. How many of you have ever got pulled over by a cop for speeding? I have. You don't want to say too much, right? Where are you going? That way. Where are you coming from? That way. You being a smartass? No sir, I'm just answering your exact questions. You know that works; don't answer too many questions. [inaudible] your vehicle? No sir. Yeah. So always ask the right kind of questions; it's an art. All right, that helps in determining what assets they have. I mean, oh yeah, we have a virtualization server, it's running ESX, we have vMotion there. Okay. We have the other internal clouds. Okay, great, we have that; what's running in them? They're not going to tell you this unless you ask them, so you have to lead those questions. Then you have to ask what are actually the potential threats. All these are different things you're going to want to ask and get into that framework.

All right, then you've got the threat mitigation catalogs. NIST 800-53 has a great list of different threats out there, ISO 27001, 27002, ENISA. Have y'all looked at the ENISA one from Europe? All right, so if any of you are doing business in Europe, but even if you're not, it's a great comprehensive list of stuff to utilize, just for learning and getting those threats out there. And my slides are on the website for these; sorry, I don't make them too fancy with all the graphs, I apologize, I just want to focus on the talking, not the information. NIST 800-154, guidelines for threat modeling, has a great deal of information out there for that. And we have the different threat modeling mitigations. These are access control, authentication and authorization; you know what the difference is, I hope. All right, it's like: who am I, and where am I allowed to go? A lot of people just kind of go over that. Data encryption is the confidentiality of your triad. Audit. Your firewalls, network security, intrusion detection, intrusion response, good IR. Policy and procedures that everyone has access to. All right, security awareness training that everybody just clicks through as fast as they can; how many of y'all have done that? I do that all the time, I see how fast I can get through them. This will take you an hour; got it done in six minutes. All right, incident response planning. All right, what happens when blank hits the fan? All right. And then we have our, make sure we do our regular updates, patch, and please patch everything. All right. Your vulnerability assessment, penetration testing; well, there are all those fancy guys who give you those deep talks about how they can do all those deep analyses and stuff. And then the golden rule: back up, back up, back up, and test your backups in case you ever have a disaster.

All right, I'm going to open up to Q&A. We're going to make this quick and fun, and I think we should go get beer after this. Is the beer all gone? Yes it is. I got the last [inaudible]. [Applause] All right. Oh, I forgot the joke I promised. I would say, all right, cow jokes; still like cow jokes? All right. Why was the rancher not upset when he went bankrupt? He had no beef. [inaudible] What did the elephant say to the naked man? How do you breathe through that thing? All right, any questions?

[Audience: Well, he actually doesn't breathe through that thing.] Yeah, yeah.

[Audience question: So, working with clients as a third-party consultant, that's the context. How do you deal with using threat modeling as your weapon, your way of proving to them; how do you convince them to spend on an investment to protect themselves when they are being [inaudible]? What is your strategy?]

So it's a third party, you're saying? Okay. Well, you don't want to say it's a weapon, that's the wrong thing; you want to use it as collaboration. All right, we need to collaborate to make sure our mutual interests survive. That's how I would approach it with any of our third-party partners. So we ask them to do this; mainly it has to be written in any contractual obligations. So there has to be that wording in the contract for them, for them to be compliant; it's not going to be a breach, but it could be a potential breach. I'm not an attorney representing you, I'm not giving any legal advice here, but I'm saying there's a potential for a breach of contract if they do not want to do it. Now, if you have a lot of agencies, there are legal regulations out there that provide for the necessity to occur, which is like NYDFS 500, PCI; I believe the GLBA for financial regulations has a lot of that stuff. I'm financially focused. What's the one for energy? NERC, yeah, NERC has a lot of those things. Especially, many of you, since we're in a military town here, a lot of the military third-party providers have those things in their DoD defense contracts. So it depends on, like, if they're going to make them perform some kind of [inaudible] in there. So it all comes down to a compliance regulation for that, and you have to convince them it's in their best interest, or else you may have to terminate that relationship. But you want to say, look, we want to be protected, we want you to be protected. You can point out the Target breach as an example and say, look, Target had their stuff covered; their contractor who was controlling all their HVAC back connections into all of their things, they were not. That's how they got in and they were able to penetrate hard. You do not want to be the one responsible for that. We want to help you, and we want to collaborate with you and share best practices on how you protect yourself. So you want to offer it up as that investment. That's how I usually go at it.

[Audience: We have a lot of our colleagues going to re:Inforce; we're meeting with AWS executives to help them understand how certain parts of their cryptographic mechanisms for security are actually insecure.] That we, so yeah? [Audience: Well, they improperly protected private keys in certain situations.] Key management. Key management is a big vulnerability for a lot of things, especially if you can dump a container for something out there where you can extract the private key from, instead of utilizing [inaudible] or something like that for that purpose. Whoa, I got technical. I'm not a manager, I promise; I'm actually a long-time [inaudible], but okay. Any other questions? Yeah.

[Audience question: What about future-proofing? So, for instance, if you think there's a good possibility that your company may do business in Europe, but doesn't currently, is it worthwhile to go ahead and try?]

All right, so, does your company do business in California? Yes. All right, so you have the CCPA for stuff like that. All right, so you have GDPR-lite already, maybe the framework for GDPR-lite; they call CCPA GDPR-lite. So as a framework for that, it's always a good practice to adopt. Now the European regulations have the new one out there called DORA. Okay, so DORA coming out: if you go look on my blog, I wrote a paper about this a couple of years ago which breaks down how to find it. So I don't know if you have my blog; just Google me, you might find it, you might not. Nobody ever reads it; I think I had 15 hits on it. Now companies are trying to sell the same information. I wrote that for law school and I just went ahead and published it out there. So yeah, if you want to future-proof and you want to use that DORA infrastructure, that framework is very extensible and it would apply to the United States. The one thing about Europe is, you may not be doing business in Europe, but Europeans may be doing business with you, which then would make you, in the eyes of a European court, under their domain, I would say, loosely stated. They feel that they might come after you for that. So it's like when you're dealing with different court systems: you're based in Texas, they're based in Kentucky, they file a motion against you in, say, a court in California. Wait, where's that relationship? They can put it in any jurisdiction or federal district. Same with the EU; they can take you to the Court of International Trade just because it's a European citizen who's residing in the United States; they feel that they may have that domain over it. So it's always good to be aware of all those types of legal aspects in that case. But that's not legal advice, that's just general awareness of the law. Anybody else? Yeah.

[Audience question: Where's [inaudible]?] It's not [inaudible]; it's something I started years ago, but it's not running properly. [Audience: Well, I found you; I found your LinkedIn.] I haven't been on my LinkedIn. You can find me on LinkedIn. I'm sorry, I don't give a lot; I'm not a guy who does a lot of publishing stuff. This is my first time giving a presentation since 2004. But I do teach cyber terrorism at Collin College in Frisco, Texas, north of Dallas, and now security and firewalls there too, and in the fall I'll be teaching privacy. So, all right, anything else? All right, good. Oh, we're done. At least I hope I was somewhat entertaining. [Audience: I wouldn't have guessed 20 years.] Good, I'm old. [Audience: No, I meant that you had... I've been doing this years.] Oh, okay, well. [Audience: ...just, you were saying you didn't have practice, and I said good job.] Thanks. [Audience: Not anything to do with your age.]
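As an added illustration, not part of the talk or its slides, here is a small Python threat-model scorer that walks the procedure the talk describes: inventory the assets, enumerate threats per asset with STRIDE, score likelihood and impact, rank them, and surface what to mitigate first. The STRIDE-per-element mapping (which categories apply to external entities, processes, data stores and data flows) is the common one used with STRIDE; the sample inventory, the scoring heuristics (internet exposure, missing multifactor authentication, missing patches) and the High/Medium/Low thresholds are constructed assumptions for the example. It also catches the "that's not in scope" mistake from the talk: an internet-exposed asset that someone declared out of scope is still modeled, and gets a warning.

```python
"""STRIDE-per-element threat enumeration with likelihood x impact ranking.

Constructed example: the inventory, scoring heuristics and rating thresholds
are illustrative assumptions, not a published methodology.
"""
from dataclasses import dataclass
from typing import Dict, List

# STRIDE categories as the talk lists them.
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories to ask about for each kind of
# data-flow-diagram element (the common mapping used with STRIDE).
APPLICABLE: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Asset:
    """One inventoried asset; the flags feed the scoring heuristics."""
    name: str
    kind: str                       # key of APPLICABLE
    internet_exposed: bool = False  # reachable directly from the internet
    sensitive_data: bool = False    # the data is what we are protecting
    mfa: bool = True                # remote access requires multifactor auth
    patched: bool = True            # on a regular patch cycle
    in_scope: bool = True           # what someone *declared* the scope to be


@dataclass
class Threat:
    asset: str
    category: str     # STRIDE letter
    likelihood: int   # 1..5
    impact: int       # 1..5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed thresholds for a 5x5 likelihood/impact matrix.
        if self.score >= 15:
            return "High"
        return "Medium" if self.score >= 8 else "Low"


def estimate_likelihood(a: Asset, cat: str) -> int:
    """Assumed heuristic: exposure and missing controls raise likelihood."""
    score = 3 if a.internet_exposed else 1
    if cat in "SE" and not a.mfa:       # no MFA eases spoofing / privilege escalation
        score += 1
    if cat in "TE" and not a.patched:   # unpatched eases tampering / privilege escalation
        score += 1
    return min(score, 5)


def estimate_impact(a: Asset, cat: str) -> int:
    """Assumed heuristic: sensitive data and root-level outcomes hurt most."""
    if cat == "E":                       # elevation of privilege: game over
        return 5
    if cat == "I" and a.sensitive_data:  # disclosure of the data itself
        return 5
    return 4 if a.sensitive_data else 2


def enumerate_threats(inventory: List[Asset]) -> List[Threat]:
    """Model every inventoried asset, including ones declared out of scope."""
    threats: List[Threat] = []
    for a in inventory:
        for cat in APPLICABLE[a.kind]:
            threats.append(Threat(a.name, cat,
                                  estimate_likelihood(a, cat),
                                  estimate_impact(a, cat)))
    return threats


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest risk first; ties broken by name so the output is stable."""
    return sorted(threats, key=lambda t: (-t.score, t.asset, t.category))


def out_of_scope_exposed(inventory: List[Asset]) -> List[str]:
    """Assets someone declared out of scope but that the internet can reach."""
    return [a.name for a in inventory if not a.in_scope and a.internet_exposed]


# Constructed sample inventory (not a real environment).
INVENTORY: List[Asset] = [
    Asset("remote-access-gateway", "process", internet_exposed=True,
          sensitive_data=True, mfa=False, in_scope=False),
    Asset("legacy-web-server", "process", internet_exposed=True, patched=False),
    Asset("transactions-db", "data_store", sensitive_data=True),
    Asset("gateway->db", "data_flow", sensitive_data=True),
    Asset("contractor", "external_entity"),
]


def report(inventory: List[Asset]) -> List[str]:
    """Ranked threat list, one line per threat, then scope warnings."""
    lines = [f"{t.rating:6} {t.score:2}  {t.asset:22} {STRIDE[t.category]}"
             for t in prioritize(enumerate_threats(inventory))]
    for name in out_of_scope_exposed(inventory):
        lines.append(f"WARNING: {name} is internet-exposed but was declared out of scope")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

Run it and the two elevation-of-privilege threats on the internet-facing processes land at the top, the unpatched legacy server and the no-MFA gateway the talk warns about, while the database behind them scores Low only because nothing in this toy inventory exposes it; swap the flags and the ranking changes, which is the point of keeping the heuristics explicit and editable rather than buying a tool that hides them.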