Threat modeling Flashcards
What is threat modeling?
Looking at the vulnerability landscape of a system, and ways to attacks it.
Look at a system from an adversary’s perspective to anticipate attack goals.
Why do we use threat modeling? (4)
Understand and document a system’s threat environment
Discover weaknesses
How to spend the security budget
To retrospect - How was my system attacked
Name a principle in threat modeling?
The outcomes of threat modeling are meaningful when they are of value to stakeholders
When in the trustworthy computing security development lifecycle does threat modelling happen?
Security training
Security kickoff & register with SWI
Security design best practices
Security architecture & attack surface review
[Threat modeling]
What is the flow of agile threat modeling?
Project inception: Look at high level threats
Requirements planning: Threats with highest impact
Sprint planning: Where are the threats
Sprint execution: Develop, update and complete
Final release planning: Complete models
What are important principles in agile threat modeling?
Continuous refinement over a single delivery
Early and frequent analysis
Must align with an organization’s development practices
What 4 key questions are asked when doing threat modeling?
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
What is the output of threat modeling?
Known threats to a system
What do we use the result of threat modeling to?
The result informs decisions that you might make in subsequent design, development, testing and post-deployment phases.
What two guidelines does the threat model manifesto identify?
Values
Principles
What are a value in threat modeling?
Something that has relative worth or importance.
What are principles in threat modeling?
Describes the fundamental truths of threat modeling.
What are the 3 types of principles in threat modeling?
- Fundamental, primary, or general truths that enable successful threat modeling
- Patterns that are highly recommended
- Anti-patterns that should be voided
Name 5 values in threat modeling
A culture of finding and fixing design issues over checkbox compliance
People and collaboration over processes, methodologies and tools
A journey of understanding over a security or privacy snapshot
Doing threat modeling over talking about it
Continuous refinement over a single delivery
Name 4 principles of threat modeling
Frequent and early analysis to Improve the security and privacy of a system
Align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system
Outcomes are meaningful when they are of value to stakeholders
Dialog is key to establishing the common understandings, while documents record those understandings and enable measurement
Name 5 patterns that benefit threat modeling
Systematic approach
Informed creativity
Varied viewpoints
Useful toolkit
Theory into practice
Describe the pattern: Systematic approach
Apply security and privacy knowledge in a structured manner
Describe the pattern: Informed creativity
Allow for creativity by including both craft and science
Describe the pattern: Varied viewpoints
Diverse team with appropriate subject matter experts
Cross-functional collaboration
Describe the pattern: Useful toolkit
Use tools that:
- increase productivity
- enhance workflows
- enable repeatability
- provide measurability
Describe the pattern: Theory into practice
Use field-tested techniques and be informed of the benefits and limits of these
Name 4 anti-patterns that inhibit threat modeling
Hero threat modeller
Admiration for the problem
Tendency to overfocus
Perfect representation
What is the anti-pattern: Hero threat modeller
Threat modeling does not depend on one’s innate ability or unique mindset; everyone can and should do it
What is the anti-pattern: Admiration for the problem
Go beyond just analyzing the problem; reach for practical and relevant solutions
What is the anti-pattern: Tendency to overfocus
Do not lose sight of the big picture, as parts of a model may be interdependent. Avoid exaggerating attention on adversaries, assets or teachniques
What is the anti-pattern: Perfect representation
Better to create multiple threat modeling representations. Additional representations may illuminate different problems
What are attacker-centric threat models?
Focus on identifying likely opponents, what capabilities they have and what motivation.
What are some attributes of threat agents?
Skillset
Motivation
Resources (in regards to costs of computation and such)
Name types of threat agents (8)
Spooks: Undercover, intelligence officer
Crooks: Cyber criminals
Government cyber warriors: Engaged in real-world missions protecting army networks, data, weapon systems,etc.
Geeks
Terrorists
CEO criminals
The swamps
Insiders
What information is documented about threat agents during threat modelling? (4)
The actor
Opportunity
Means assessment (what resources, knowledge do they have)
Motivation (intent)
Each category gets a weight-value, that is then taken the average of.
What are software centric threat models?
Focus on the software being built or deployed
What pattern is used in software centric models?
Systematic approach
Name the 6 steps of software centric modeling
- Identify critical assets
- Decompose the system to be assessed
- Identify possible points of attack
- Identify threats
- Categorise and prioritise the threats
- Mitigate
What is STRIDE
Mnemonic for things that go wrong in security:
Spoofing
Tampering
Repudiation
Information disclosure
DoS
Elevation of privilege
What is spoofing?
Pretending to be someone you’re not
Examples: fake websites, emails, csrf, GPS, IP, DNS, deep fake
What is tampering?
Unauthorized modification of:
forms, URLs, Files, Databases, Memory, Network data
What is repudiation?
Claiming you didn’t do something, regardless of whether or not you did
Examples:
Claimed not received/sent, use someone else’s account, attacking the logs
What is information disclosure?
Unauthorized exposure of information
Examples:
data theft, eavesdropping, System/API info
What is DoS?
Attacks preventing a system from providing the service
Examples:
Network flooding, crashing software, making systems slow, filing storage
What is elevation of privileges?
A user gets access to information or actions they are not supposed to do
Examples:
xss, buffer overflow, injection attacks, modify access control, social engineering
Name 4 levels of threat details from abstract to detailed
STRIDE
OWASP top 10
CAPEC
Checklists
What are misuse cases?
Extends UML use cases
High level negative scenarios
Easy to grasp by different stakeholders
Give an example of a misuse case diagram?
Actors:
- User
- Developer
Malicious actor:
- Attacker
Use case: Post blog
- Actor: user
- «extend»: Improper input validation
Usecase: Sanitize input
- Actor: Dev
- «Mitigate»: Inject malicious content
Misuse case: Inject malicious content
- Actor: Attacker
- «threaten»: Post blog
-«exploit»: Improper input validation
What are attack trees?
Possible ways of achieving an attack goal
Tree structure with AND/OR nodes
Nodes are the ways/actions needing to be done to achieve goal
Root node: Goal
What are attack-defense trees?
Add additional Defense-nodes
Name examples of attack tree attributes
Cost
Detectability
Difficulty
Impact
Penalty
Profit
Probability
Special skill
Time
What is a bow tie diagram?
Model a single unwanted event at a time
Shows different causes/threats to unwanted events
Shows the different consequences once the event has happend
Picture preventitive/reactive controls
In the shape of a bow tie:
Left side: Before event
Middle: Event
Right side: After event
What can controls be in a bow tie diagram?
Exam example:
Preventitive controls:
- Lock cabinet
- Use guards
Reactive controls:
- Switch to paper
What can the hazard be in a bow tie diagram?
Exam example:
Digital exam
What can the unwanted event be in a bow tie diagram?
Exam example:
Disrupt exam,
Cheating during exam
What can the assets be in a bow tie diagram?
Exam example:
Software
Network
Premises
Answers
What can the consequences be in a bow tie digram?
Exam example:
Computers not working
You’re expelled
What is a data flow diagram?
Shows how data flows between subsystems
Used to find attack surface and critical components
Shows trust/privilege boundaries
Give an example of a data flow diagram
External entity -> (data flow) -> process-> [— trust boundary —] -> data store
