Introduction to Threat Modeling

Michael Howard, CISSP
Senior Security Program Manager
Security Engineering and Communication

Copyright © Microsoft Corp 2006

Threat Analysis

The goal of threat modeling is to:
Find security design flaws
Mitigate the threats
Reduce risk

The Updated Threat Modeling Process

[Process diagram, read as a cycle of steps:]
Define Scenarios
Create DFD
Determine Threat Types (rote)
Leverage Threat Trees (manual)
Determine Risk
Plan Mitigations

Define Scenarios & Background Info

Define the most common and realistic use scenarios for the application
Example from Windows Server 2003 and Internet Explorer: “Admin browsing the Internet from a Domain Controller”
Example from Windows CE: “The stolen device”
Define your users

Data Flow Diagrams (DFDs)

A DFD is a graphical representation of how data enters, leaves, and traverses your component
It is not a Class Diagram or Flow Chart!
Shows all data sources and destinations
Shows all relevant processes that data goes through
Good DFDs are critical to the process. This point can’t be emphasised enough!
Building DFDs == understanding the system
Analysing DFDs == understanding the threats

Context Diagram: An Integrity Checker

[Context diagram: the Administrator sends Analysis Instructions to the iNTegrity Application, and the iNTegrity Application returns Resource Integrity Information to the Administrator.]

Level-0 DFD: An Integrity Checker

[Level-0 DFD of the iNTegrity application, with these elements:]
External interactor: Admin 1.0
Processes: iNTegrity Admin Console 2.0, iNTegrity Host Software 3.0
Data stores: Config Data 4.0, Integrity Files 5.0, File System 6.0, Registry 7.0
Data flows: Commands, Resource Integrity Data, Instructions, Integrity Change Information, Read Settings, Read/Update, Raw FS Data, Raw Registry Data

Level-0 DFD: An Integrity Checker (annotated with threat types)

[The same Level-0 DFD, with each element labelled by the STRIDE letters that apply to it.]
Each element in the DFD is susceptible to one or more threat types: the Admin interactor is marked S and R, each process is marked with all of STRIDE, and each data flow and data store is marked T, I and D (one data store is additionally marked R).

STRIDE: A Taxonomy of Threat Types

A more fine-grained version of CIA, but from an attacker’s perspective
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

DFD Elements are Targets: A “Work list”

Each threat is governed by the conditions which make the threat possible
Each one is a potential threat to the system.

Threat Tree Pattern Examples: Spoofing

[Threat tree. Root: Spoofing Interactor or Process. Sub-goals: Obtain legitimate credentials; Falsify credentials; Leverage insufficient authentication.]
Leaf conditions shown in the tree: weak storage, weak transit (secure channel vs. non-secure channel), weak change management, guessed equivalence, predictable credentials, downgrade authentication, null credentials, no authentication system (on the server or client side)
Related trees referenced from this one: Tampering threats against the auth process; Tampering/Information Disclosure threats against data flows

A Special Note about Information Disclosure Threats

All information disclosure threats are potential privacy issues, raising the risk.
Is the data sensitive or PII?

Calculating Risk with Numbers

DREAD etc.
Very subjective
Often requires the analyst be a security expert
On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
Where do you draw the line?
Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?

Calculating Risk with Heuristics

Simple rules of thumb
Real-world data
Similar heuristics as the MSRC bulletin rankings

Mitigation Techniques

Threat                    Mitigation Feature
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Nonrepudiation
Information Disclosure    Confidentiality
Denial of Service         Availability
Elevation of Privilege    Authorization

Code Review and the DFD

Review code and data on the anonymous data flows, the threat path – this is where the bad guys go – they follow the line of least resistance.
[Diagram: data flows entering at Anonymous Priv and reaching User Priv. Remove anonymous data paths with authentication.]
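The annotated DFD, the mitigation table and the code-review slide together describe the rote part of the process: each kind of DFD element gets a fixed set of STRIDE threats, each threat maps to a mitigation feature, and the anonymous data flows are the threat path to review first. The script below is an added example, not code from the deck or from Microsoft's threat modeling tool; the `anonymous` attribute on flows, and which flows carry it, are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Threat letters each DFD element kind is exposed to, as marked on the deck's
# annotated Level-0 DFD: interactors S/R, processes STRIDE, flows and stores T/I/D.
STRIDE_PER_ELEMENT = {"interactor": "SR", "process": "STRIDE",
                      "flow": "TID", "store": "TID"}
# Threat type -> mitigation feature, from the deck's mitigation table.
MITIGATION = {"S": "Authentication", "T": "Integrity", "R": "Nonrepudiation",
              "I": "Confidentiality", "D": "Availability", "E": "Authorization"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                # interactor | process | flow | store
    anonymous: bool = False  # flow carried without authentication (assumed attribute)

def work_list(elements):
    """One (element, threat letter, mitigation feature) row per potential threat."""
    return [(e.name, t, MITIGATION[t])
            for e in elements for t in STRIDE_PER_ELEMENT[e.kind]]

def threat_path(elements):
    """The deck's 'threat path': the anonymous data flows, to be reviewed first."""
    return [e.name for e in elements if e.kind == "flow" and e.anonymous]

# The iNTegrity Level-0 DFD from the deck. The anonymous flags are constructed
# for illustration; the deck does not say which flows lack authentication.
INTEGRITY_DFD = [
    Element("Admin 1.0", "interactor"),
    Element("iNTegrity Admin Console 2.0", "process"),
    Element("iNTegrity Host Software 3.0", "process"),
    Element("Config Data 4.0", "store"),
    Element("Integrity Files 5.0", "store"),
    Element("File System 6.0", "store"),
    Element("Registry 7.0", "store"),
    Element("Commands", "flow"),
    Element("Resource Integrity Data", "flow", anonymous=True),
    Element("Instructions", "flow", anonymous=True),
    Element("Integrity Change Information", "flow"),
    Element("Read Settings", "flow"),
    Element("Read/Update", "flow"),
    Element("Raw FS Data", "flow"),
    Element("Raw Registry Data", "flow"),
]

if __name__ == "__main__":
    for name, letter, feature in work_list(INTEGRITY_DFD):
        print(f"{name:30} {letter}  mitigate with {feature}")
    print("Threat path (review first):", threat_path(INTEGRITY_DFD))
```

Each row of the work list is one entry to take through the threat trees, risk ranking and test plan; the threat path lists the flows where adding authentication would remove the anonymous entry points.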

Testing Threats

How to test
What needs testing

Threat Model Checklist

No design is complete without a threat model!
Follow anonymous data paths
Every threat needs a security test plan
Check all information disclosure threats – are they privacy issues?
Be wary of elevated processes
Use the threat modeling tool (http://msdn.microsoft.com)