Week 8 - Threat Modelling

Question 1

What is threat Modelling?

Answer 1

A systematic and structured
approach to determining the
threat landscape for a given
context

Question 2

Why is threat modelling important?

Answer 2

helps to identify potential threats, assess their impact, and implement mitigation techniques

Question 3

What four questions does threat modelling help to answer?

Answer 3

1) What are we building? - explain and explore
2) What can go wrong? - Brainstorm threats (STRIDE, cyber kill chains)
3) What will we do about it? - prioritize and fix
4) How did we do (reflection)? -

Question 4

What is STRIDE?

Answer 4

A framework for identifying common types of attacks

Question 5

What does STRIDE stand for?

Answer 5

-Spoofing
- Tampering
- Repudiation
- Information
- Disclosure
- Denial of Service
- Elevation of privilege

Question 6

What is “Spoofing”?

Answer 6

it is about authentication and occurs when an attacker pretends to be as someone else

e.g
Phishing emails or websites.

Question 7

What is “Tampering”?

Answer 7

it is about integrity and involves unauthorized modification of data.

e.g
Unauthorized modification of a salary in an HR database.

Question 8

What is Repudiation?

Answer 8

the rejection of responsibility for an action

e.g
Claiming an email wasn’t sent by the owner of the address.

Question 9

What is Information Disclosure?

Answer 9

it is about confidentiality and involves
unauthorized release of confidential information.

e.g
Password leaks.

Question 10

What is Denial of Service?

Answer 10

it is about availability and occurs when legitimate users cannot access a service due to attacks like request floods.

e.g
HTTP floods to take down a website.

Question 11

What is Escalation of Privilege?

Answer 11

it is about authorisation and occurs when an individual gains unauthorized elevated privileges.

e.g
A user with read-only permissions for a document being able to write to it.

Question 12

How can devs apply STRIDE?

Answer 12

• assess how these threats might apply to the system
• record details of threats as you progress
• record any assumptions

Question 13

Mitigation techniques for STRIDE

Answer 13

• Spoofing - Authentication (MFauth)
• Tampering - Data protection (encryption)
• Repudiation - Non-repudiation (digital signatures)
• Information disclosure - Confidentiality (encryption/ hashes)
• Denial of Service - Availability (firewalls)
• Elevation of privileges - Authorisation (appropriate authorization mechanisms)

Question 14

What is a limitation of the STRIDE framework?

Answer 14

may not cover novel or day-to-day vulnerabilities

and

attacks that occur in large-scale campaigns.

Question 15

What is a Cyber Kill Chain?

Answer 15

A framework to identify and prevent cyber intrusions

designed with APT in mind

Question 16

What are the cyber kill chain stages?

Answer 16

• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and control
• actions on objective

Question 17

What is Reconnaissance?

Answer 17

Identifying information about the system and its security

Question 18

What is Weaponisation?

Answer 18

attackers create malware or other exploit tools to take advantage of the vulnerabilities identified

Question 19

What is Delivery?

Answer 19

sending the weaponized malware to the target through methods like phishing emails, social engineering, open ports, or SQL injection.

Question 20

What is Exploitation?

Answer 20

attacker executes the malicious code to gain unauthorized access.

Question 21

What is installation?

Answer 21

attacker installs additional malware in the system

Question 22

What is command and control?

Answer 22

attacker establishes remote access to the target system, often through a backdoor or remote access Trojan,

Question 23

What is Actions on Objectives?

Answer 23

attacker achieves their goal, such as stealing data,

Question 24

How can the Cyber Kill Chain be used in defense?

Answer 24

an be used to identify and prevent attacks by monitoring each stage

Question 25

What are the five (Ds) actions to break the Cyber Kill Chain?

Answer 25

• Detect (identify the attack)
• Deny (prevent unauthorized access), - Disrupt (interrupt attacker’s communications or data flow)
• Degrade (slow down the attack),
• Deceive (mislead the attacker with false information).

Question 26

What are some methods used to break the Cyber Kill Chain?

Answer 26

• intrusion detection and prevention systems
• firewalls
• strong authentication and authorization protocols
• encryption
• employee training to mitigate phishing attacks.