(risk centric) (Wiley Life Sciences) Nearly 20 years of IT/Security experience (Developer, Security Arch, Dir of RM, CISO roles) Founder of VerSprite, global consulting security firm based in Atlanta OWASP ATL Chapter/ Project Leader for past 6 years VerSprite works across Retail, Hospitality, Financial, Gov’t, Higher Ed, Healthcare, Info Svc Co-organizer to BSides Atlanta grassroots security conference B.S from Cornell in International Finance Contact Info: [email protected] @t0nyuv / @VerSprite
modeling & relevance to cyber security Understand key benefits over more traditional assessment models Learn how to incorporate other security disciplines into threat modeling Theme of talk: Risk is Relative; Model Threats that Translate to Real Risk
are other organizations seeing? What are other organizations in my industry seeing? What do Cybercrime reports say I should worry about? Managed security threat intelligence from service providers (F)rameworks (NIST Cyber security Framework)
Learn from public cyber-crime reports: IC3, Symantec, McAfee AVERT Labs, Finjan software Analyze the attacks: industry, geographic, local market, overall business, branch Become your enemy: derive the attack scenarios, analyze the attack vectors and vulnerabilities exploited by cybercriminals. Probe your defenses: Try to exploit vulnerabilities using attack vectors 6
security program management – “check boxing” (TI) – Focus is not specific to your organization (TI) – Threat intelligence remains largely non- actionable (Attacks) (TD) – Size. Too many non-normalized data points. (TD) – Accuracy. How are you reducing false positives? (F) – More control gap exercises
Contextual – ultimate relates back to business context Only methodology that considers business impact Still retains traditional threat modeling exercises Attack trees, defining kill chain, data flow diagrams Value? Collaborative process to think like adversarial groups Less adversarial than other InfoSec practices Provides on the job security awareness training Elevates security risk to more operational risk areas
It varies by perspec5ve. To your business, an asset might be the availability of informa5on, or the informa5on itself, such as customer data. It might be intangible, such as your company's reputa5on. Threat. A threat is an undesired event. A poten5al occurrence, o=en best described as an effect that might damage or compromise an asset or objec5ve. Vulnerability. A vulnerability is a weakness in some aspect or feature of a system that makes an exploit possible. Vulnerabili5es can exist at the network, host, or applica5on levels and include opera5onal prac5ces. A5ack (or exploit). An aDack is an ac5on taken that u5lizes one or more vulnerabili5es to realize a threat. Countermeasure. Countermeasures address vulnerabili5es to reduce the probability of aDacks or the impacts of threats. They do not directly address threats; instead, they address the factors that define the threats. Use Case. Func5onal, as designed features of an applica5on. Abuse Case. Deliberate abuse of func5onal use cases in order to yield unintended results A5ack Vector. Point & channel for which aDacks travel over (card reader, form fields, network proxy) A5ack Surface. Logical area (browser stack) or physical area (hotel kiosk ) Actor. Legit or adverse caller of use or abuse cases. Impact. Value of [financial] damage possibly sustained via aDack. A5ack Tree. Diagram of rela5onship amongst asset-‐actor-‐use case-‐abuse case-‐vuln-‐exploit-‐ countermeasure
of application What is the deployment model? Who are the users? What is the data? Revenue affecting? Affects customer SLAs? Branding/ Reputational sensitivity of service? What is the impact of cybercrime to the organization/ business?
of What is the IP footprint? What are the external facing technologies? What is the deployment model? What is the hosting model? Can you enumerate the technology components? Platform, server software, proxies, services, infrastructure, etc. Collectively represents technical Attack Surface
at what you find q Nmap – GUI & CLI port scanner q Multiple options to customize and automate into scripts q Nmap –O (OS Detection) – sV (probe open ports) –p T:1-‐65535 (port option, TCP, all ports) –T 3 (timing option) q Ideally run beyond FW boundaries q Fosters port (service), platform, and even rogue software detection.
Flows/ Service Calls/ Define Trust Boundaries Do you have a good understanding of data flow from the application use cases? How do these data flows/ service calls support the business objectives of the application/ infrastructure? What protocols are being used? ms-bin, json, ajax, soap, xml-rpc Do you know the nature of calls being made? POST requests (implications to backend applications/ DBs) GET requests (implications on authorization of READs) What does your infrastructure do in terms of the data flow? Passes/ logs, passes/ no-logs, strict auth model?
q Focuses on Data Flow q Maps out use of applica5on components q Visualizes communica5on q Universal ar5fact q Under-‐u5lized Misconceptions q Too complicated q Takes too much 5me q Too technical q Too many defini5ons to learn q Only focuses on data flow
Do you have a good understanding of the threat motives from a cybercriminal perspective? Have you define who the threat agent(s)/ actors could be? Human vs. non-human What level of threat intelligence have you considered to be most relevant? Can you build threat claims to support the threat model? How does the threat intel serve to make assertions that would undermine business objectives/ use cases of application? How does your threat data around the app scope support threat claims?
Healthcare Related Statistics q 94% of hospitals had at least one breach in the last two years q 87% of attacks were by external actors q 93% of these external actors in 2012 came from Romania q Work stations and POS terminals were targeted q A popular attacks are enumerating applications riding on the target systems for weak and common credentials (brute force)
forced for weak and common credentials: Apache Access logs: /var/log/httpd-access-log Tomcat logs: Access Log Valve - Access Log Valve creates log files in the same format as those created by standard log servers ISS logs: c:\inetpub\logs\LogFiles If the application is using AD to authenticate, check the windows security logs for failed authentication attempts Internal Threat Sources to Consider
risks (for aDacker) • Difficult to achieve, not essen5al but helpful Perceived Mo5ve • Data extrac5on • DoS • ADacking data integrity • STRIDE/ DREAD men5on Understood Threats • High Level Data • More Detail Data Asset Enumera5on • Leads into next phase: vulnerability analysis Asset Mapping
How can Cyber criminals Get In What is weak/ vulnerable in the application scope? Leverage authenticated vuln scans post false positive analysis Have trust boundaries been identified in architectural reviews / data flows? Leverage existing vulnerability tools/ service providers to execute on this stage Value is in the integration to support threat viability Scope of vulnerability assessment is important
– Attacking the Attack Surface Attacks substantiate threat claims Attack Trees are very helpful to visualize what the attack is targeting, vulnerability exploited, inherent mitigation, and seeing residual risk. Attack Trees should depict that attack vector of an attack. Attacks should emulate likely cybercriminal activity that was identified from the threat analysis Probability values should be aligned to attack branches in the attack tree
Email, FaceBook Social Engineering Upload Malware on Vulnerable Site Attack Victim’s Vulnerable Browser Steals Keystrokes with Key-logger Modifies UI Rendered By The Browser Phish User To Click Link With Malware Upload Banking Malware on Customer’s Pc Harvest Confidential Data/ Credentials From Victim Steal Digital Certificates For Authentication Sends Stolen Data to Fraudster’s Collection Server Money Transferred From Mule to Fraudster Use Stolen Banking Credentials/ Challenge C/Q Remote Access To Compromised PC Through Proxy Logs into Victim’s Online Bank Account Fraudster Perform Un- authorized Money Transfer to Mule Redirect Users To Malicious Sites Delete Cookies Forcing to Login To Steal Logins Attack Tree Examples
Automated SQL Injection Attack To upload malware Serve malicious IFRAME to victim visiting the web site Phishing Email/ Social Engineering SQL Injection Exploit Alter Query To Get CC data Exploit Weak Session Management Insecure Cryptographic Storage/ Transit Impersonate user to get access to CC data Upload Sniffer To Get CC data Session Fixation to get access to CC data Attack User/ Browser Attack Web Application Clickjacking Serve Invisible Frame that runs malware Take Credentials and CC data from user Capture Non- Encrypted CC Data #2 Test for SQL injec5on and code injec5on (Frames) vulnerabili5es #4 Test for session fixa5on and hijacking #3 Test encryp5on of sensi5ve CC data in storage and transit #1 Test web applica5on assuming browser compromise and/or automa5on aDacks Cybercriminal Activity Around Card Data
Validate Password Minimum Length and Complexity Application/Server Includes Mitigates User Authentication Includes Includes Includes Mitigates Threatens Show Generic Error Message Includes Includes Lock Account After N. Failed Login Attempts Harverst (e.g. guess) Valid User Accounts Dictionary Attack Mitigates Mitigates Enumerating Attacks & Mapping to Use Cases
MSQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM TEST CASES AGAINST THIS THREAT: 1. Test xp_cmdshell is disabled 2. Test extended URLs are denied 3. Test escape for special characters “”, comma 4. Test store procedures run with minimum privileges 5. Test SQL Server and IIS run under non-privilege 6. Test appserver not use “sa” hardcoded 7. Test account locking on mainframes against brute force 8. Test access to DB server is internally restricted by IP 9. Test a proxy server is used for internet access 10. Test firewall rules are updated 11. Test HSM not use commands with PIN in the clear
Business Impact & Threat Analysis Countermeasures are developed commensurate to the threat, likelihood and most importantly the value of the data/ service {regulation | branding | SLAs | privacy} Collaborative, less adversarial than traditional remediation efforts Focuses on remediation activity based upon likely threats, clear attack paths, existing weaknesses/ vulns, with clear business impact values.
Transaction Query Calls Web Server Application Server Application Calls Encryption + Authentication Encryption + Authentication Financial Server Authentication Data Restricted Network (App & DB Server/Financial Server Boundary) Database Server Application Responses Financial Data Auth Data Message Response SQL Query Call Customer Financial Data Internal (Web Server/ App & DB Server Boundary) 44 Access Level External Access Level Internal Access Level Restricted I. Spoofing II. RepudiaIon I. Tampering II. RepudiaIon III. Info Disclosure IV. Denial OF service AuthN, EncrypIon Digital, signatures, HMAC, TS I. AuthN, EncrypIon II. Digital signatures, HMAC, TS,AuthZ Audit III. EncrypIon, AuthZ IV. Filtering, AuthN Mapping Countermeasures to Attacks
security requirements that impact business ! Architects understand security/design flaws and how countermeasure protect data assets ! Developers understand how so=ware is vulnerable and exposed ! Testers can use abuse cases to security tests of the applica5on ! Project managers can manage security defects more efficiently ! CISOs can make informed risk management decisions
versprite
takakiyo
thomasvitale
bobtani
bun913
foursue
yuhta28
oracle4engineer
yamahiro
smt7174
kenichirokimura
ohbarye
maimyyym
jrom
eileencodes
myddelton
revolveconf
akosma
shlominoach
brettharned
chriscoyier
jennybc
skipperchong
zakiwarfel
mraible
