Copyright © Microsoft Corp 2006
Introduction to Threat Modeling
Michael Howard, CISSP
Senior Security Program Manager
Security Engineering and Communication
Threat Analysis
The goal of threat modeling is to:
Find security design flaws
Mitigate the threats
Reduce risk
The Updated Threat Modeling Process
(Process diagram, drawn on the slide as a cycle of stages:)
Define Scenarios
Create DFD
Determine Threat Types (the diagram labels the two approaches Manual and Rote)
Leverage Threat Trees
Determine Risk
Plan Mitigations
Define Scenarios & Background Info
Define the most common and realistic use scenarios for the application
Example from Windows Server 2003 and Internet Explorer: "Admin browsing the Internet from a Domain Controller"
Example from Windows CE: "The stolen device"
Define your users
Data Flow Diagrams (DFDs)
A DFD is a graphical representation of how data enters, leaves, and traverses your component
It is not a Class Diagram or Flow Chart!
Shows all data sources and destinations
Shows all relevant processes that data goes through
Good DFDs are critical to the process. This point can't be emphasised enough!
Building DFDs == understanding the system
Analysing DFDs == understanding the threats
Context Diagram: An Integrity Checker
(Diagram: the Administrator sends Analysis Instructions to the iNTegrity Application, which returns Resource Integrity Information.)
Level-0 DFD: An Integrity Checker
(Diagram elements: Admin (1.0), iNTegrity Admin Console (2.0), iNTegrity Host Software (3.0), Config Data (4.0), Integrity Files (5.0), File System (6.0) and Registry (7.0). Data flows: Commands, Instructions, Resource Integrity Data, Integrity Change Information, Read Settings, Read/Update, Raw FS Data and Raw Registry Data.)
Level-0 DFD: An Integrity Checker (annotated with threat types)
(Same diagram as the previous slide, with STRIDE letters beside each element: SR on one element, STRIDE on two, TRID on one, and TID on the rest.)
Each element in the DFD is susceptible to one or more threat types
STRIDE: A Taxonomy of Threat Types
A more fine-grained version of CIA, but from an attacker's perspective
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
DFD Elements are Targets: A "Work list"
Each threat is governed by the conditions which make the threat possible
Each DFD element is a potential threat to the system.
Threat Tree Pattern Examples: Spoofing
(Threat tree diagram. Root: Spoofing Interactor or Process. First-level branches: Obtain legitimate credentials; Falsify credentials; Leverage insufficient authentication. Conditions shown in the tree: weak storage, weak transit, guessed or equivalent credentials, predictable credentials, weak change management, downgrade authentication, secure channel vs. non-secure channel, server/client, no authentication system, null credentials. Cross-references to other trees: Tampering threats against the auth process; Tampering/Information Disclosure threats against data flows.)
A Special Note about Information Disclosure Threats
All information disclosure threats are potential privacy issues, raising the risk.
Is the data sensitive or PII?
Calculating Risk with Numbers
DREAD etc.
Very subjective
Often requires the analyst be a security expert
On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
Where do you draw the line?
Do you fix everything above 0.4 risk and leave everything below as "Won't Fix"?
Calculating Risk with Heuristics
Simple rules of thumb
Real-world data
Similar heuristics as the MSRC bulletin rankings
Mitigation Techniques
Threat: Mitigation Feature
Spoofing: Authentication
Tampering: Integrity
Repudiation: Non-repudiation
Information Disclosure: Confidentiality
Denial of Service: Availability
Elevation of Privilege: Authorization
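To make the "rote" pass concrete for the annotated Level-0 DFD above and the mitigation table just given, here is an added Python example (not code from the deck or from Microsoft's threat modeling tool). It assumes the standard STRIDE-per-element rule that the slide's annotations imply but do not state (external entities SR, processes STRIDE, data flows and data stores TID, TRID for a store holding audit data, with Integrity Files assumed to be that store) and produces the work list of (element, threat, mitigation feature) rows.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# STRIDE letters -> threat type names (the deck's taxonomy).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
# Threat -> mitigation feature, from the deck's mitigation table.
MITIGATION = {"Spoofing": "Authentication", "Tampering": "Integrity",
              "Repudiation": "Non-repudiation",
              "Information Disclosure": "Confidentiality",
              "Denial of Service": "Availability",
              "Elevation of Privilege": "Authorization"}
# Assumed STRIDE-per-element rule (the deck shows letters beside each element but
# not the rule): external SR, process STRIDE, flow/store TID, audit store TRID.
THREATS_BY_KIND = {"external": "SR", "process": "STRIDE", "flow": "TID", "store": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # external | process | flow | store
    audit: bool = False  # store whose contents matter for repudiation -> TRID


def threats_for(e: Element) -> list[str]:
    letters = "TRID" if e.kind == "store" and e.audit else THREATS_BY_KIND[e.kind]
    return [STRIDE[c] for c in letters]


def work_list(elements: list[Element]) -> list[tuple[str, str, str]]:
    """One row per (element, threat, mitigation feature): the deck's work list."""
    return [(e.name, t, MITIGATION[t]) for e in elements for t in threats_for(e)]


def features_needed(rows: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count how many threats each mitigation feature must cover in the design."""
    return dict(Counter(feature for _, _, feature in rows))


# The Level-0 DFD of the integrity checker as read from the deck; treating
# Integrity Files as the TRID (audit) store is an assumption.
INTEGRITY_DFD = [
    Element("Admin", "external"),
    Element("iNTegrity Admin Console (2.0)", "process"),
    Element("iNTegrity Host Software (3.0)", "process"),
    Element("Config Data (4.0)", "store"),
    Element("Integrity Files (5.0)", "store", audit=True),
    Element("File System (6.0)", "store"),
    Element("Registry (7.0)", "store"),
] + [Element(f, "flow") for f in (
    "Commands", "Instructions", "Resource Integrity Data", "Integrity Change Information",
    "Read Settings", "Read/Update", "Raw FS Data", "Raw Registry Data")]
```

Calling work_list(INTEGRITY_DFD) yields 51 rows; features_needed on them shows which security features the design must provide and how many threats each one has to cover.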
Code Review and the DFD
Review code and data on the anonymous data flows, the threat path – this is where the bad guys go – they follow the line of least resistance.
(Diagram: data paths entering at Anonymous privilege and at User privilege. Remove anonymous data paths with authentication.)
How to test
What needs testing
Testing threats
Threat Model Checklist
No design is complete without a threat model!
Follow anonymous data paths
Every threat needs a security test plan
Check all information disclosure threats – are they privacy issues?
Be wary of elevated processes
Use the threat modeling tool (http://msdn.microsoft.com)