Threat modeling

Question 1

What is threat modeling?

Answer 1

Looking at the vulnerability landscape of a system, and ways to attacks it.

Look at a system from an adversary’s perspective to anticipate attack goals.

Question 2

Why do we use threat modeling? (4)

Answer 2

Understand and document a system’s threat environment

Discover weaknesses

How to spend the security budget

To retrospect - How was my system attacked

Question 3

Name a principle in threat modeling?

Answer 3

The outcomes of threat modeling are meaningful when they are of value to stakeholders

Question 4

When in the trustworthy computing security development lifecycle does threat modelling happen?

Answer 4

Security training
Security kickoff & register with SWI
Security design best practices
Security architecture & attack surface review
[Threat modeling]

Question 5

What is the flow of agile threat modeling?

Answer 5

Project inception: Look at high level threats

Requirements planning: Threats with highest impact

Sprint planning: Where are the threats

Sprint execution: Develop, update and complete

Final release planning: Complete models

Question 6

What are important principles in agile threat modeling?

Answer 6

Continuous refinement over a single delivery

Early and frequent analysis

Must align with an organization’s development practices

Question 7

What 4 key questions are asked when doing threat modeling?

Answer 7

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?

Question 8

What is the output of threat modeling?

Answer 8

Known threats to a system

Question 9

What do we use the result of threat modeling to?

Answer 9

The result informs decisions that you might make in subsequent design, development, testing and post-deployment phases.

Question 10

What two guidelines does the threat model manifesto identify?

Answer 10

Values
Principles

Question 11

What are a value in threat modeling?

Answer 11

Something that has relative worth or importance.

Question 12

What are principles in threat modeling?

Answer 12

Describes the fundamental truths of threat modeling.

Question 13

What are the 3 types of principles in threat modeling?

Answer 13

1. Fundamental, primary, or general truths that enable successful threat modeling
2. Patterns that are highly recommended
3. Anti-patterns that should be voided

Question 14

Name 5 values in threat modeling

Answer 14

A culture of finding and fixing design issues over checkbox compliance

People and collaboration over processes, methodologies and tools

A journey of understanding over a security or privacy snapshot

Doing threat modeling over talking about it

Continuous refinement over a single delivery

Question 15

Name 4 principles of threat modeling

Answer 15

Frequent and early analysis to Improve the security and privacy of a system

Align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system

Outcomes are meaningful when they are of value to stakeholders

Dialog is key to establishing the common understandings, while documents record those understandings and enable measurement

Question 16

Name 5 patterns that benefit threat modeling

Answer 16

Systematic approach

Informed creativity

Varied viewpoints

Useful toolkit

Theory into practice

Question 17

Describe the pattern: Systematic approach

Answer 17

Apply security and privacy knowledge in a structured manner

Question 18

Describe the pattern: Informed creativity

Answer 18

Allow for creativity by including both craft and science

Question 19

Describe the pattern: Varied viewpoints

Answer 19

Diverse team with appropriate subject matter experts

Cross-functional collaboration

Question 20

Describe the pattern: Useful toolkit

Answer 20

Use tools that:
- increase productivity
- enhance workflows
- enable repeatability
- provide measurability

Question 21

Describe the pattern: Theory into practice

Answer 21

Use field-tested techniques and be informed of the benefits and limits of these

Question 22

Name 4 anti-patterns that inhibit threat modeling

Answer 22

Hero threat modeller

Admiration for the problem

Tendency to overfocus

Perfect representation

Question 23

What is the anti-pattern: Hero threat modeller

Answer 23

Threat modeling does not depend on one’s innate ability or unique mindset; everyone can and should do it

Question 24

What is the anti-pattern: Admiration for the problem

Answer 24

Go beyond just analyzing the problem; reach for practical and relevant solutions

Question 25

What is the anti-pattern: Tendency to overfocus

Answer 25

Do not lose sight of the big picture, as parts of a model may be interdependent. Avoid exaggerating attention on adversaries, assets or teachniques

Question 26

What is the anti-pattern: Perfect representation

Answer 26

Better to create multiple threat modeling representations. Additional representations may illuminate different problems

Question 27

What are attacker-centric threat models?

Answer 27

Focus on identifying likely opponents, what capabilities they have and what motivation.

Question 28

What are some attributes of threat agents?

Answer 28

Skillset

Motivation

Resources (in regards to costs of computation and such)

Question 29

Name types of threat agents (8)

Answer 29

Spooks: Undercover, intelligence officer

Crooks: Cyber criminals

Government cyber warriors: Engaged in real-world missions protecting army networks, data, weapon systems,etc.

Geeks

Terrorists

CEO criminals

The swamps

Insiders

Question 30

What information is documented about threat agents during threat modelling? (4)

Answer 30

The actor

Opportunity

Means assessment (what resources, knowledge do they have)

Motivation (intent)

Each category gets a weight-value, that is then taken the average of.

Question 31

What are software centric threat models?

Answer 31

Focus on the software being built or deployed

Question 32

What pattern is used in software centric models?

Answer 32

Systematic approach

Question 33

Name the 6 steps of software centric modeling

Answer 33

1. Identify critical assets
2. Decompose the system to be assessed
3. Identify possible points of attack
4. Identify threats
5. Categorise and prioritise the threats
6. Mitigate

Question 34

What is STRIDE

Answer 34

Mnemonic for things that go wrong in security:

Spoofing
Tampering
Repudiation
Information disclosure
DoS
Elevation of privilege

Question 35

What is spoofing?

Answer 35

Pretending to be someone you’re not

Examples: fake websites, emails, csrf, GPS, IP, DNS, deep fake

Question 36

What is tampering?

Answer 36

Unauthorized modification of:

forms, URLs, Files, Databases, Memory, Network data

Question 37

What is repudiation?

Answer 37

Claiming you didn’t do something, regardless of whether or not you did

Examples:
Claimed not received/sent, use someone else’s account, attacking the logs

Question 38

What is information disclosure?

Answer 38

Unauthorized exposure of information

Examples:
data theft, eavesdropping, System/API info

Question 39

What is DoS?

Answer 39

Attacks preventing a system from providing the service

Examples:
Network flooding, crashing software, making systems slow, filing storage

Question 40

What is elevation of privileges?

Answer 40

A user gets access to information or actions they are not supposed to do

Examples:
xss, buffer overflow, injection attacks, modify access control, social engineering

Question 41

Name 4 levels of threat details from abstract to detailed

Answer 41

STRIDE

OWASP top 10

CAPEC

Checklists

Question 42

What are misuse cases?

Answer 42

Extends UML use cases

High level negative scenarios

Easy to grasp by different stakeholders

Question 43

Give an example of a misuse case diagram?

Answer 43

Actors:
- User
- Developer

Malicious actor:
- Attacker

Use case: Post blog
- Actor: user
- «extend»: Improper input validation

Usecase: Sanitize input
- Actor: Dev
- «Mitigate»: Inject malicious content

Misuse case: Inject malicious content
- Actor: Attacker
- «threaten»: Post blog
-«exploit»: Improper input validation

Question 44

What are attack trees?

Answer 44

Possible ways of achieving an attack goal

Tree structure with AND/OR nodes

Nodes are the ways/actions needing to be done to achieve goal

Root node: Goal

Question 45

What are attack-defense trees?

Answer 45

Add additional Defense-nodes

Question 46

Name examples of attack tree attributes

Answer 46

Cost
Detectability
Difficulty
Impact
Penalty
Profit
Probability
Special skill
Time

Question 47

What is a bow tie diagram?

Answer 47

Model a single unwanted event at a time

Shows different causes/threats to unwanted events

Shows the different consequences once the event has happend

Picture preventitive/reactive controls

In the shape of a bow tie:
Left side: Before event
Middle: Event
Right side: After event

Question 48

What can controls be in a bow tie diagram?

Answer 48

Exam example:

Preventitive controls:
- Lock cabinet
- Use guards

Reactive controls:
- Switch to paper

Question 49

What can the hazard be in a bow tie diagram?

Answer 49

Exam example:

Digital exam

Question 50

What can the unwanted event be in a bow tie diagram?

Answer 50

Exam example:
Disrupt exam,

Cheating during exam

Question 51

What can the assets be in a bow tie diagram?

Answer 51

Exam example:

Software
Network
Premises

Answers

Question 52

What can the consequences be in a bow tie digram?

Answer 52

Exam example:

Computers not working

You’re expelled

Question 53

What is a data flow diagram?

Answer 53

Shows how data flows between subsystems

Used to find attack surface and critical components

Shows trust/privilege boundaries

Question 54

Give an example of a data flow diagram

Answer 54

External entity -> (data flow) -> process-> [— trust boundary —] -> data store