Slide 1

Leveraging Risk Centric Threat Models for Integrated Risk Management

Slide 2

Speaker Bio
§ CEO, VerSprite – Global Security Consulting Firm (www.versprite.com)
§ Chapter Leader – OWASP Atlanta (past 9 years) (www.owasp.org)
§ Author, “Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis”, Wiley, June 2015
§ Former Sr. Security Director | DHS, HHS | Fortune 50 | Symantec | Dell SecureWorks
§ 20+ years of Security Risk Management Experience

Slide 3

Terminology
• Asset. An asset is a resource of value. It varies by perspective. To your business, an asset might be the availability of information, or the information itself, such as customer data. It might be intangible, such as your company's reputation.
• Threat. A threat is an undesired event: a potential occurrence, often best described as an effect that might damage or compromise an asset or objective.
• Vulnerability. A vulnerability is a weakness in some aspect or feature of a system that makes an exploit possible. Vulnerabilities can exist at the network, host, or application levels and include operational practices.
• Attack (or exploit). An attack is an action taken that utilizes one or more vulnerabilities to realize a threat.
• Countermeasure. Countermeasures address vulnerabilities to reduce the probability of attacks or the impacts of threats. They do not directly address threats; instead, they address the factors that define the threats.
• Use Case. Functional, as-designed features of an application.
• Abuse Case. Deliberate abuse of functional use cases in order to yield unintended results.
• Attack Vector. The point and channel over which an attack travels (card reader, form fields, network proxy).
• Attack Surface. Logical area (browser stack) or physical area (hotel kiosk).
• Actor. Legitimate or adverse caller of use or abuse cases.
• Impact. Value of [financial] damage possibly sustained via an attack.
• Attack Tree. Diagram of the relationships amongst asset, actor, use case, abuse case, vulnerability, exploit and countermeasure.

Slide 4

Rationale for Risk Based Threat Modeling
An overview of PASTA – the risk centric threat modeling methodology

Slide 5

Threat
Threat. A threat is an undesired event: a potential occurrence, often best described as causal factors that may manifest into attacks that compromise an asset or objective. Threats are relative to each site, industry and company, and are therefore more difficult to define uniformly.

Slide 6

Cyber-Threat Risk Mitigation Questions
1. Who are the cyber-threat agents?
2. What are the cyber-threat targets?
3. What are the cyber-threat motivations?
4. What are the cyber-threat capabilities?
5. Which assets do the cyber-threats attack?
6. Which attacking tools and techniques are used?
7. Which vulnerabilities do they exploit?
8. What is the business impact of these attacks?
9. What is the probability of these attacks targeting my financial institution?
10. Which security measures protect my bank from these attacks and detect them, and which ones do not?

Slide 7

Process for Attack Simulation & Threat Analysis
What is it?
• Risk centric threat modeling methodology
• Contextual – ultimately relates back to business context
• Only methodology that considers business impact
• Still retains traditional threat modeling exercises: attack trees, defining the kill chain, data flow diagrams
Value?
• Collaborative process to think like adversarial groups
• Integrates into risk management functions & processes
• Integrates into governance
• Fosters greater security awareness
• Elevates security risk to more operational risk areas

Slide 8

PASTA Stages

Slide 9

Security Convergence via PASTA
Source: Risk Centric Threat Modeling, UcedaVelez & Morana, Wiley 2015, Chapter V, Threat Modeling & Risk Management

Slide 10

Attack Trees
Attack Tree. Helpful diagram of the relationships amongst asset, actor, use case, abuse case, vulnerability, exploit and countermeasure.

Slide 11

No content

Slide 12

Data flow diagram with threats and countermeasures (figure)
Tiers and trust boundaries:
• Users – request / responses across the DMZ (User/Web Server Boundary)
• Web Server – message call and account/transaction query calls to the Application Server across the Internal boundary (Web Server/App & DB Server Boundary)
• Application Server – application calls and application responses; encryption + authentication to the Financial Server and to the Database Server across the Restricted Network (App & DB Server/Financial Server Boundary)
• Financial Server – financial data; Database Server – authentication data, SQL query call, customer financial data, message response
Threats annotated on the diagram:
• XSS, SQL injection, injection flaws, information disclosure via errors
• CSRF, insecure direct object reference, insecure remote file inclusion
• Broken authentication / impersonation, lack of synchronized session logout, database connection password in clear
• Insecure cryptographic storage
• Sample attack strings shown: alert(“Cookie”+ document.cookie) (XSS); OR ‘1’=’1— (SQL injection); "../../../../etc/passwd %00" (path traversal); Cmd=%3B+mkdir+hackerDirectory (command injection); http://www.abc.com?RoleID (insecure direct object reference)
Countermeasures annotated on the diagram:
• ESAPI/ISAPI filter, custom errors
• Prepared statements / parameterized queries, stored procedures
• ESAPI filtering, server RBAC, form tokenization
• Hashed/salted passwords in storage and transit
• Trusted server-to-server authentication, SSO; trusted authentication, federation, mutual authentication
• Encrypt confidential PII in storage/transit
Impacts: phishing, privacy violations, financial loss, identity theft, system compromise, data alteration, destruction
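The diagram pairs the SQL injection string with "Prepared Statements / Parameterized Queries" as its countermeasure. The following is an added example, not code from the deck or from VerSprite, that shows why the countermeasure works: the same input is run against a concatenated query and against a parameterized one, over a constructed in-memory SQLite table. The table layout, the sample rows and the function names are assumptions for the illustration.

```python
# Added example (not from the slide deck): concatenated SQL versus a bound
# parameter, exercised with the injection string shown on the data flow diagram.
# Runs offline against an in-memory SQLite database with constructed sample rows.
import sqlite3

# Constructed sample data: two customers, one account row each.
SAMPLE_ROWS = [
    ("alice", "1001", 250.00),
    ("bob", "1002", 9000.00),
]

# The diagram's injection string: closes the quoted literal, adds an always-true
# condition, and comments out the rest of the statement.
INJECTION_INPUT = "x' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed account rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the user-supplied value becomes part of the SQL
    grammar, so a quote character in the input changes what the query means."""
    sql = "SELECT account_no, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value separately from the statement,
    so the input is only ever compared as a literal string, never parsed as SQL."""
    sql = "SELECT account_no, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with the injection string, plus a normal lookup."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTION_INPUT),     # every row leaks
        "parameterized": lookup_parameterized(conn, INJECTION_INPUT),  # no match
        "normal": lookup_parameterized(conn, "alice"),               # one row
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The concatenated query returns both customers' rows because the WHERE clause has become `username = 'x' OR '1'='1'`; the parameterized query returns nothing because it is looking for a user literally named `x' OR '1'='1' --`. Stored procedures, also named on the diagram, give the same separation of code from data only when they too bind their inputs rather than building dynamic SQL.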

Slide 13

Achieving Risk Assessments via Integrated Practices
Inherent challenges, new approaches – a more detailed look at building a credible approach to evaluating what’s at stake.

Slide 14

Risk Reduction is Not Happening – Independent Paths
Paths: Compliance | Security | Risk Management
Compliance: still check-box driven
• Passing the audit and avoiding fines is the goal
• Compliance driven organizations forego security
Framework/controls/audit oriented
• Existence of controls against a standard
• Not a true risk analysis
Assessing security weakness
• Many vulnerabilities found, fewer remediated
“Threat Hunting”
• Allowing a focus on threats to drive security focus

Slide 15

Risk’s Incomplete Picture – Accepting More Risk Than You Think
Paths: Compliance | Security | Risk Management
• Educate the business on possible damage from vulnerability
• Only do what is necessary to pass the audit
• Missing controls lead to “high risk”
Assets
• Applications
• Technology
• Data – PII/PHI
• Workers – CSRs
Vulnerabilities and Controls
• SQLi
• Strong encryption
• Call center authentication

Slide 16

Incomplete Picture of Risk – Uninformed Decisions
Paths: Compliance | Security | Risk Management
• Must fall back to FUD arguments
• “traffic cop”
• “I don’t think this vuln will be exploited”
• “I have to get this release done, I’ll accept the risk”
Assets
• Applications
• Technology
• Data – PII/PHI
• Workers – CSRs
Vulnerabilities and Controls
• SQLi
• Strong encryption
• Call center authentication

Slide 17

Building Credibility – Adding Context to Characterize Risk
Paths: Compliance | Security | Risk Management
Threat
• Threat: undesired event on an asset
• Attack: manifestation of threat
Impact
• Value of damage as a result of attack – legal, operational, IP, reputation
Vulnerabilities and Controls
• SQLi
• Strong encryption
• Call center authentication
Assets
• Applications
• Technology
• Data – PII/PHI
• Workers – CSRs

Slide 18

Building Credibility – Adding Context to Characterize Risk (2)
Paths: Compliance | Security | Risk Management
Elements: Threat, Impact, Vulnerabilities and Controls, Assets

Slide 19

Pulling it All Together – Risk Based Threat Modeling
Risk diagram elements: Security & Controls, Asset, Threat, Impact, RISK; paths: Security | Compliance | Risk Management
Threat Modeling
• Identifies security countermeasures based on likelihood and impact
• Threat focused – mitigation as a business problem
• Collaboration among stakeholders
PASTA – Process for Attack Simulation and Threat Analysis

Slide 20

Benefits – Threat Modeling to Manage Risk
§ Translates security risk into business risk
§ Promotes greater risk understanding by all stakeholders
§ Focuses security program on areas of greatest business impact
§ Predictive – anticipates attack/response
§ Measures security program effectiveness from a business impact perspective
§ Adds credibility to risk assessments
Risk diagram elements: Security & Controls, Asset, Threat, Impact, RISK, Threat Modeling

Slide 21

Risk Based Threat Modeling Drives Security – Reducing Risk
Security Countermeasures: Define, Manage, Optimize
Core: Integrated risk management, Risk based threat modeling
Security Operations
• Focused threat intel
Security architecture
• Address design weakness early
Performance
• Dev training
• Establish metrics
Assessments and Testing
• Focused pen-testing
• Red teaming
Remediation
• Prioritization
• Business/threat based
• Source code review
Managed Security Services
• Managed CISO
• Managed Threat Modeling
• Managed Assessments
• Managed SOC

Slide 22

Risk Based Threat Modeling Drives GRC Requirements
Risk and Resilience: Define, Manage, Optimize
Core: Integrated risk management, Risk based threat modeling
Continuity
• Disaster recovery
• Incident response
Compliance
• Readiness assessments – HIPAA, FINRA, etc.
Policies
• Training
• Establish metrics
Risk Management
• BIA
• PIA
• Vendor Risk Assessment
Managed Risk Services
• Managed compliance

Slide 23

Use Cases for Risk Based Threat Modeling
• Overcoming remediation resistance – FUD no longer works
• Incorporating security into the SDLC
• Substantiating security budgets
• Threat intelligence integration
Risk diagram elements: Security & Controls, Asset, Threat, Impact, RISK, Threat Modeling

Slide 24

Traditional Threat Modeling vs. Risk Based Threat Modeling

Element              Software centric   PASTA
SDLC                 x                  x
Threat – attacks     x                  x
Technical weakness   x                  x
Threat – motives                        x
Assets                                  x
Business impact                         x
Countermeasures                         x
Basis                Possibility        Probability

Risk questions – How big? How likely? What are the options?

Slide 25

Understand Your Assets and Business Impact (What?)
Stage flow: Understand your assets and business impact → Characterize the threat → Identify attack scenarios
Business – business objectives and impact
• Organization
• Cost of damage
• Security requirements
Assets
• Applications
• Technology
• Data
• People
Adversary
1. Business objective – increase on-line transactions by 4% in 2015
2. Impact from breach – OpEx notification, PR, legal/write-offs/non-compliance
3. High level security requirements
   1. Prevent malware attacks – network hardening
   2. Retain confidentiality of PII – encrypted PII storage

Slide 26

Sample Artifact – Business Profile of Asset
Application Profile: Online Banking Application
Organization: North America Retail Banking
General Description: The online banking application allows customers to perform banking activities such as financial transactions over the internet. The types of transactions supported by the application include bill payments, wires, funds transfers between the customer’s own accounts and other bank institutions, account balance inquiries, transaction inquiries, bank statements, and new bank account, loan and credit card applications. New online customers can register an online account using existing debit card, PIN and account information. Customers authenticate to the application using username and password and different types of Multi Factor Authentication (MFA) and Risk Based Authentication (RBA).
Application Type: Internet Facing
Data Classification: Public, Non Confidential, Sensitive and Confidential PII
Inherent Risk: HIGH (Infrastructure, Limited Trust Boundary, Platform Risks, Accessibility)
High Risk Transactions: YES
User roles: Visitor, customer, administrator, customer support representative
Number of users: 3 million registered customers

Slide 27

Understand Your Assets and Business Impact (What?)
Stage flow: Understand your assets and business impact → Characterize the threat → Identify attack scenarios
Business – business objectives and impact
• Organization
• Cost of damage
• Security requirements
Digital assets
• Applications
• Technology
• Data
• People
1. Decompose technology and application tiers
2. Map application use cases – user roles/data/technology
3. Security architecture risk analysis – extract the security exposure of the assets

Slide 28

Sample Artifact – Technology/Application (data flow diagram)
• User/Browser – HTTPS request / HTTPS responses across the DMZ (User/Web Server Boundary)
• Web Server – application calls (.do) and application responses across the Internal boundary (Web Server/App & DB Server Boundary)
• Application Server – XML/JMS messages to the Messaging Bus; SQL query call / JDBC to the Authentication Credential Store (auth data); XML/HTTPS to MFA and to RBA/Fraud Detection
• Restricted Network (App & DB Server/Financial Server Boundary) – service message / message response to the Financial Transaction Processing MainFrame; Financial Transactions (ACH, wires, external transfer)

Slide 29

Characterize the Threat with Research/Intelligence (What? Who?)
Business – business objectives
• Business value
• Operations
• Compliance
Digital assets
• PII/PHI
• Credentials
• Trade secrets
Adversary – threat patterns
• Tools
• Techniques
• Procedures
Adversary – threat agents
• Damage type
• Motivations
• Capabilities
Next stage: Identify attack scenarios
1. Characterize threat agents and patterns – synthesize intelligence, logs, SIRT and prior assessments – data theft, ransom, sabotage
2. Correlate to targeted assets – based on “fit” with the threat
3. Develop a prioritized threat list based on impact
4. Establish and maintain a threat library (described with CAPEC or WASC)

Slide 30

Threat Analysis Components
Threat
• Targeted assets
• Capabilities
• Motivations
• Past activities
• Attacks
Threat sources
• R-CISC
• Subscription
• US-CERT
Evidence
• Apache logs
• Tomcat logs
• SIEM/log tool – Splunk, Sumologic
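The slide lists web server logs and a SIEM as the evidence behind "past activities" and "attacks". The block below is an added example, not code from the deck or from VerSprite, of turning that evidence into input for threat characterization: it parses constructed Apache combined-format log lines, flags requests that match the attack strings the deck's own data flow diagram shows, and tallies the evidence per targeted asset. The log lines, the route-to-asset map and the regular expressions are assumptions made for the illustration.

```python
# Added example (not from the slide deck): extract evidence of past attack
# activity from web server logs and attribute it to targeted assets.
# All log lines below are constructed; they are not from any real server.
import re
from collections import Counter
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2015:10:01:02 +0000] "GET /login?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2015:10:01:09 +0000] "GET /login?user=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
10.0.0.7 - - [12/Mar/2015:10:01:15 +0000] "GET /download?file=../../../../etc/passwd%00 HTTP/1.1" 404 0 "-" "curl/7.4"
10.0.0.9 - - [12/Mar/2015:10:02:30 +0000] "GET /admin?Cmd=%3B+mkdir+hackerDirectory HTTP/1.1" 403 0 "-" "curl/7.4"
10.0.0.5 - - [12/Mar/2015:10:03:00 +0000] "POST /transfer HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Apache combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Attack signatures, matched against the URL-decoded request path. These are the
# string shapes from the deck's diagram, generalised slightly (assumed patterns).
PATTERNS = {
    "SQL injection": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "Path traversal": re.compile(r"\.\./.*etc/passwd"),
    "Command injection": re.compile(r"[;|&]\s*(mkdir|cat|wget|curl|nc)\b", re.I),
}

# Assumed mapping from application route to the asset it exposes.
ASSET_BY_ROUTE = {
    "/login": "Authentication",
    "/download": "File service",
    "/admin": "Admin console",
    "/transfer": "Financial transactions",
}


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])  # %27 -> ', %3B -> ;, + -> space
    return rec


def classify(decoded_path: str) -> list:
    """List the attack categories whose signature appears in the request path."""
    return [name for name, rx in PATTERNS.items() if rx.search(decoded_path)]


def scan(log_text: str) -> list:
    """Scan every line and collect one finding per (request, category) hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for category in classify(rec["decoded"]):
            findings.append({"ip": rec["ip"], "path": rec["decoded"],
                             "category": category, "status": rec["status"]})
    return findings


def evidence_by_asset(findings: list) -> Counter:
    """Tally findings per (targeted asset, attack category) for the threat profile."""
    counts = Counter()
    for f in findings:
        route = f["path"].split("?", 1)[0]
        counts[(ASSET_BY_ROUTE.get(route, "Unknown"), f["category"])] += 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for (asset, category), n in sorted(evidence_by_asset(hits).items()):
        print(f"{asset:24s} {category:18s} {n}")
```

The per-asset tally is what feeds step 2 of the previous slide, correlating observed activity to targeted assets; the response status is kept in each finding so that a 500 on an injection attempt (the application choked on the input) can be weighed differently from a 403 (a control blocked it).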

Slide 31

Derive Attacks From Threats (What? Who? How?)
Defining the rationale for risk mitigation to defined threat patterns
Business – business objectives
• Business value
• Operations
• Compliance
Digital assets
• PII/PHI
• Credentials
• Trade secrets
Adversary – threat patterns
• Tools
• Techniques
• Procedures
Attacks
• Phishing
• Clickjacking
• SQL injection
Threat actor
• Damage type
• Motivations
• Capabilities
1. Map attacks to threats
   • PII theft – SQLi, XSS, MITM
   • Sabotage – iFrame injection attacks
2. Prioritize likely attacks and vectors
   • Address the entire application footprint (email, client app, etc.)
   • Web forms/fields

Slide 32

Attack Tree of CC Compromise (figure)

Slide 33

Identify/Prioritize Weaknesses (What? Who? How?)
Mapping weakness to in-scope information assets
Business – business objectives
• Business value
• Operations
• Compliance
Digital assets
• PII/PHI
• Credentials
• Trade secrets
Vulnerabilities + controls
• Authentication
• Anti-malware
• Training
Adversary – threat patterns
• Attack vectors
• Tools
• Techniques
Attacks
• Phishing
• Clickjacking
• SQL injection
Threat actor
• Motivations
• Capabilities
• Persistence
1. Analyze weakness – vulnerabilities and control gaps
2. Map vulnerabilities to assets
3. Prioritize vulnerabilities to assess exposure

Slide 34

Risk Identification via Attack Trees – Credit Card Data Compromise (attack tree figure)
Root: Credit Card Data Compromise
Branch: Attack User/Browser
• Phishing Email / Social Engineering
• Man In The Middle / Browser Attack
• Clickjacking
• Serve malicious IFRAME to victim visiting the web site
• Serve invisible frame that runs malware
• Take credentials and CC data from user
• Capture non-encrypted CC data
Branch: Attack Web Application
• Automated SQL Injection attack to upload malware
• SQL Injection exploit
• Alter query to get CC data
• Exploit weak session management
• Session fixation to get access to CC data
• Insecure cryptographic storage / transit
• Impersonate user to get access to CC data
• Upload sniffer to get CC data
Tests derived from the tree:
#1 Test web application assuming browser compromise and/or automation attacks
#2 Test for SQL injection and code injection (frames) vulnerabilities
#3 Test encryption of sensitive CC data in storage and transit
#4 Test for session fixation and hijacking

Slide 35

Attack Simulation – Prioritized Weakness vs. Prioritized Attacks (What? Who? How?)
Business – business objectives
• Business value
• Operations
• Compliance
Digital assets
• PII/PHI
• Credentials
• Trade secrets
Vulnerabilities + controls
• Authentication
• Anti-malware
• Training
Adversary – threat patterns
• Attack vectors
• Tools
• Techniques
Attacks
• Phishing
• Clickjacking
• SQL injection
Threat actor
• Motivations
• Capabilities
• Persistence
Attack simulation
1. Analyze the attack surface – examine exploits of gaps in security controls or vulnerabilities
2. Simulate attacks via attack trees and use/abuse cases
3. Determine the realization of the threat without countermeasures – probability

Slide 36

Risk Mitigation Via Weakness & Probabilistic Analysis (What? Who? How?)
Business – business objectives
• Business value
• Operations
• Compliance
Digital assets
• PII/PHI
• Credentials
• Trade secrets
Vulnerabilities + controls
• Authentication
• Anti-malware
• Training
Adversary – threat patterns
• Attack vectors
• Tools
• Techniques
Attacks
• Phishing
• Clickjacking
• SQL injection
Threat actor
• Motivations
• Capabilities
• Persistence
Attack simulation – How bad? How likely?
1. Quantify and qualify the risk of threats/attacks and business impact
2. Identify control gaps and security weaknesses most likely utilized by threat actors
3. Apply risk mitigation – countermeasures
4. Measure residual risk
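The stages on slides 31 through 36 chain threat to attack to targeted asset to weakness to countermeasure, score each path by likelihood and business impact ("How bad? How likely?"), and then measure residual risk once countermeasures are applied. The block below is an added example that puts that chain into a small runnable model; it is not a PASTA artefact and the likelihood times impact scoring, the asset impact scale, the threat/attack pairs used as data (taken from the "PII theft" and "Sabotage" mappings on slide 31) and every numeric value are assumptions made for the illustration.

```python
# Added example (not from the slide deck, not PASTA's own method): score attack
# paths as likelihood x impact, apply countermeasures to the weaknesses they
# address, and re-rank by residual risk. All scores and mappings are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int           # business impact if compromised, 1 (low) .. 5 (severe), assumed scale


@dataclass(frozen=True)
class AttackPath:
    threat: str           # threat the attack realises, e.g. "PII theft"
    attack: str           # attack pattern, e.g. "SQL injection"
    asset: Asset          # targeted asset
    weakness: str         # vulnerability or control gap the attack relies on
    likelihood: float     # 0..1, chance of success with no added countermeasure


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: str        # weakness it addresses
    effectiveness: float  # fraction of the likelihood it removes, 0..1


# Constructed inputs (assumed values, not figures from the deck).
PII = Asset("Customer PII", impact=5)
WEB_APP = Asset("Online banking web app", impact=4)

PATHS = [
    AttackPath("PII theft", "SQL injection", PII, "unparameterized SQL", 0.6),
    AttackPath("PII theft", "XSS", PII, "missing output encoding", 0.5),
    AttackPath("PII theft", "MITM", PII, "unencrypted transit", 0.2),
    AttackPath("Sabotage", "iFrame injection", WEB_APP, "unvalidated HTML content", 0.3),
]

COUNTERMEASURES = [
    Countermeasure("Prepared statements / parameterized queries", "unparameterized SQL", 0.9),
    Countermeasure("Output encoding (ESAPI filtering)", "missing output encoding", 0.8),
    Countermeasure("Encrypt PII in transit", "unencrypted transit", 0.95),
]


def inherent_risk(path: AttackPath) -> float:
    """Risk before any added countermeasure: likelihood x asset impact."""
    return round(path.likelihood * path.asset.impact, 3)


def residual_risk(path: AttackPath, countermeasures: Iterable[Countermeasure]) -> float:
    """Risk after every countermeasure that addresses this path's weakness is applied.
    Each applicable countermeasure removes its effectiveness fraction of what remains."""
    remaining = path.likelihood
    for cm in countermeasures:
        if cm.mitigates == path.weakness:
            remaining *= (1.0 - cm.effectiveness)
    return round(remaining * path.asset.impact, 3)


def prioritize(paths: Iterable[AttackPath],
               countermeasures: Iterable[Countermeasure] = ()) -> List[Tuple[str, str, str, float, float]]:
    """Rank paths by residual risk, highest first: (attack, threat, asset, inherent, residual)."""
    cms = list(countermeasures)
    rows = [(p.attack, p.threat, p.asset.name, inherent_risk(p), residual_risk(p, cms)) for p in paths]
    return sorted(rows, key=lambda r: r[4], reverse=True)


def risk_reduction(paths: Iterable[AttackPath], countermeasures: Iterable[Countermeasure]) -> float:
    """Total inherent risk minus total residual risk across all paths."""
    paths = list(paths)
    cms = list(countermeasures)
    return round(sum(inherent_risk(p) for p in paths) - sum(residual_risk(p, cms) for p in paths), 3)


if __name__ == "__main__":
    print("Before countermeasures:")
    for row in prioritize(PATHS):
        print("  ", row)
    print("After countermeasures:")
    for row in prioritize(PATHS, COUNTERMEASURES):
        print("  ", row)
    print("Risk reduction:", risk_reduction(PATHS, COUNTERMEASURES))
```

With these constructed numbers SQL injection against customer PII tops the inherent ranking (3.0), but once the three countermeasures are applied the iFrame injection path becomes the largest remaining risk (1.2) because none of the chosen countermeasures addresses its weakness. That shift is the point of step 4, "measure residual risk": the prioritized remediation list is recomputed after each round of countermeasures rather than fixed at the first assessment.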

Slide 37

Final Thoughts
Takeaways for risk management integration via threat modeling

Slide 38

Summary
• Risk based threat modeling provides focus and priority for security programs
• Simulated attacks provide evidence to support threat claims
• Expression of risk in technical and business terms promotes a common understanding of risk
• Business oriented measurements to make remediation decisions
Risk diagram elements: Security & Controls, Asset, Threat, Impact, RISK, Threat Modeling

Slide 39

Best Practices in Security Risk Management
Governance – Visibility around risk issues needs to happen vertically and horizontally
Assess Risk – Risk issues need to correlate to business impact areas and threats to the organization
Remediate & Measure – Remediation efforts should be measured against key risk indicators to show progress
Threat Analysis – Knowing today’s threats and how they relate to a company’s highest target areas is key
Attack Surface – Companies need to know their IT footprint, and often did not know the extent of their IT, physical, or vendor footprint
Manage Risk – Risk issues need ongoing management, where assessments feed a risk register

Slide 40

Use Cases for Threat Modeling
Axes: Threat Model ↔ ERM/ORM; Security ↔ Business
§ Model based testing
§ Rationalize security portfolio resource allocation
§ ROSI analysis on proposed countermeasures
§ Remediation prioritization based on operational risk
§ Drive security into SDLC
§ Exception handling
§ Improve reporting – include cyber in the operational risk register
§ Rationalize cyber insurance coverage

Slide 41

Thank you!
@t0nyuv
www.linkedin.com/in/tonyuv
Book Discount Code "C2508" (https://www.wiley.com/en-us/)
https://versprite.com/security-resources/blog/