
Threat Modeling


Presentation Transcript


  1. Threat Modeling James Walden

  2. Topics
     • Threat Generation.
     • Data Flow Diagrams.
     • Attack Trees.
     • Risk Modeling.
     • Threat Modeling Exercise.

  3. Requirements
     • Actors
       • People (roles) who interact with the system.
     • Assets
       • Specific pieces of data an attacker wants.
     • Actions
       • What Actors do to Assets.
       • Ex: Create, Read, Update, Delete.

  4. Trike [7]: Actors

  5. Trike [7]: Actor-Asset-Action Matrix

  6. Rules
     • Rules apply to each Action.
     • Limit the circumstances in which Actions can occur.
     • Boolean tree of conditionals.
     • Actors are represented as a rule:
       • User is in Role

  7. Trike [7]: Part of Rules Tree

  8. Threat Generation
     • Use the Actor-Asset-Action matrix.
     • Two types of threats via Rules:
       • Denial of Service: Actor prevented from performing an allowed Action.
       • Elevation of Privilege: Actor performs an Action which is prohibited by the matrix.

  9. Data Flow Diagrams
     • Visual model of system data flow.
     • Rectangles: External actors.
     • Circles: Processes.
     • Double Lines: Data stores.
     • Lines: Data flows.
     • Dotted Lines: Trust boundaries.
     • Hierarchical decomposition
       • Until no process crosses trust boundaries.

  10. Trike [3] Example: Data Flow Context Diagram

  11. Trike [3] Example: Data Flow Diagram Level 0

  12. Trike [3] Example: Data Flow Diagram Level 1

  13. Attack Trees
     • Root node is a threat.
     • Subnodes are attacks that realize the threat.
     • Attacks may be re-used in other trees.
     • Hierarchical decomposition
       • Until it can be determined whether the risk is acceptable or not.

  14. Trike [7] Attack Tree Example

  15. Attack Graph
     • Encompasses all attacks against the system.
     • Set of interlinked attack trees.
     • Auto-generation
       • High-level attack skeleton.
     • Attack libraries
       • Many sub-trees re-appear.
       • Attached to tagged technologies in the DFD.
     • Need security expertise for the full tree.

  16. Risk Modeling
     • Business assigns values ($) to Assets.
     • Rate Actions on each Asset.
       • 1-5 relative scale, with 5 being worst.
       • Ranked twice: denial, elevation.
     • Assign each Actor a risk level 1-5.
     • Risk = Value of Asset * Action risk.

  17. Trike [7] Threat Risk Grid

  18. Threat Modeling Process
     • Preparation.
       • Develop requirements, DFDs.
     • Brainstorming.
       • Brainstorm possible threats.
     • Drafting.
     • Review.
     • Verification.
       • QA team develops tests.
     • Closure.

  19. Exercise: Online news site.
     • Actors
       • Authors, Editors, Readers.
     • Data Stores
       • Database: articles, comments, users.
       • Logs
     • Processes
       • Web server

  20. Exercise: Rules.
     • Authors can submit Articles for publishing.
     • Editors can publish Articles.
     • Editors can C, R, U, D Articles, Comments.
     • Readers can read Articles, Comments.
     • Readers can C, R, U, D their own Comments to Articles.
     • Anonymous can create Reader accounts.
     • Editors can C, R, U, D accounts.

  21. Exercise: Deliverables
     • Actor-Asset-Action Matrix
     • Rules Tree
     • DFDs
     • Attack Tree
     • Risk Model
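The first and last deliverables, worked for the online-news exercise as an added example (not from the slides or the Trike tool): the Actor-Asset-Action matrix is built from the slide-20 rules, threats are generated as slide 8 describes (denial for each allowed cell, elevation for each prohibited cell), and slide 16's Risk = Value of Asset * Action risk ranks them. Asset values, action risk ratings and actor risk levels are constructed for illustration.

```python
"""Actor-Asset-Action matrix, threat generation and risk ranking for the
online-news exercise. Added example; all $ values and 1-5 ratings are constructed."""
from itertools import product

ACTIONS = ("create", "read", "update", "delete")
ACTORS = ("anonymous", "reader", "author", "editor")
ASSETS = ("article", "comment", "account")

# Allowed actions per (actor, asset), from the slide-20 rules. "Submit for
# publishing" is modelled as an Author creating an Article. The "their own"
# condition on Reader comments belongs in the rules tree, not the matrix.
ALLOWED = {
    ("author", "article"): {"create"},
    ("editor", "article"): set(ACTIONS),
    ("editor", "comment"): set(ACTIONS),
    ("editor", "account"): set(ACTIONS),
    ("reader", "article"): {"read"},
    ("reader", "comment"): set(ACTIONS),
    ("anonymous", "account"): {"create"},
}

def matrix():
    """Full matrix; any (actor, asset) cell not listed above is 'not allowed'."""
    return {(actor, asset): ALLOWED.get((actor, asset), set())
            for actor, asset in product(ACTORS, ASSETS)}

def generate_threats():
    """Slide 8: an allowed action yields a denial-of-service threat,
    a prohibited action yields an elevation-of-privilege threat."""
    threats = []
    for (actor, asset), allowed in matrix().items():
        for action in ACTIONS:
            kind = "denial" if action in allowed else "elevation"
            threats.append((kind, actor, asset, action))
    return threats

# Constructed slide-16 inputs: $ value per asset, action risk rated twice
# (denial and elevation) on a 1-5 scale, and a 1-5 risk level per actor.
ASSET_VALUE = {"article": 10_000, "comment": 1_000, "account": 50_000}
ACTION_RISK = {
    "denial": {"create": 2, "read": 3, "update": 2, "delete": 2},
    "elevation": {"create": 3, "read": 3, "update": 4, "delete": 5},
}
ACTOR_RISK = {"anonymous": 5, "reader": 4, "author": 2, "editor": 1}

def risk(threat):
    """Slide 16: Risk = Value of Asset * Action risk (rated per threat kind)."""
    kind, _actor, asset, action = threat
    return ASSET_VALUE[asset] * ACTION_RISK[kind][action]

def ranked_threats():
    """Highest risk first; actor risk level breaks ties between equal scores."""
    return sorted(generate_threats(),
                  key=lambda t: (risk(t), ACTOR_RISK[t[1]]), reverse=True)
```

Running `ranked_threats()` puts the 48 generated threats in the order a Trike threat risk grid would present them, with prohibited account deletions by the riskiest actors at the top.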

  22. References
     • [1] Ben Hickman, "Application Security and Threat Modeling," http://cpd.ogi.edu/seminars04/hickmanthreatmodeling.pdf, 2004.
     • [2] Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
     • [3] Paul Saitta, Brenda Larcom, and Michael Eddington, "Trike v.1 Methodology Document [draft]," http://dymaxion.org/trike/, 2005.
     • [4] Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004.
     • [5] Peter Torr, "Demystifying the Threat-Modeling Process," IEEE Security & Privacy, Oct/Nov 2005.
     • [6] Peter Torr, "Guerilla Threat Modeling," http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx, 2005.
     • [7] Trike Threat Modeling Tool, http://www.octotrike.org/, 2005.
