Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Addressing Cybercrime via PASTA Threat Modeling

VerSprite, Inc
December 06, 2014

Addressing Cybercrime via PASTA Threat Modeling

Risk centric threat modeling methodology against cybercrime related attacks.

VerSprite, Inc

December 06, 2014
Tweet

More Decks by VerSprite, Inc

Other Decks in Technology

Transcript

  1. About Me 2   Author of P.A.S.T.A threat modeling methodology

    (risk centric) (Wiley Life Sciences)   Nearly 20 years of IT/Security experience (Developer, Security Arch, Dir of RM, CISO roles)   Founder of VerSprite, global consulting security firm based in Atlanta   OWASP ATL Chapter/ Project Leader for past 6 years   VerSprite works across Retail, Hospitality, Financial, Gov’t, Higher Ed, Healthcare, Info Svc   Co-organizer to BSides Atlanta grassroots security conference   B.S from Cornell in International Finance   Contact Info:   [email protected]   @t0nyuv / @VerSprite
  2. About This Talk 3   Intro to risk based threat

    modeling & relevance to cyber security   Understand key benefits over more traditional assessment models   Learn how to incorporate other security disciplines into threat modeling   Theme of talk: Risk is Relative; Model Threats that Translate to Real Risk
  3. Threat Intelligence (TI) – Inside Looking Out 5   What

    are other organizations seeing?   What are other organizations in my industry seeing?   What do Cybercrime reports say I should worry about?   Managed security threat intelligence from service providers   (F)rameworks (NIST Cyber security Framework)
  4. Intelligent Driven Security Tests   Gather information from cybercrime intelligence:

      Learn from public cyber-crime reports: IC3, Symantec, McAfee AVERT Labs, Finjan software   Analyze the attacks: industry, geographic, local market, overall business, branch   Become your enemy: derive the attack scenarios, analyze the attack vectors and vulnerabilities exploited by cybercriminals.   Probe your defenses:   Try to exploit vulnerabilities using attack vectors 6
  5. Threat Data (TD) – Inside Looking In 7   What

    are we logging?   What are we monitoring?   What are we seeing in our alert logs? (Analysis)   What indicators can we derive from our analysis?
  6. 8 Time Threat Severity 2000 1995 2005 2010 Threats: Script

    Kiddies, Viruses, Worms Motives: Notoriety and Fame, Profit from renting Botnet for spamming Attacks: DoS, Buffer Overflow Exploits, Spamming, Sniffing Network Traffic, Phishing emails with viruses Threats: Fraudsters, Malware, Trojans Motives: Identity Theft, Online and Credit/Debit Card Fraud Attacks: SQLi, Sniffing Wireless Traffic, Session Hijacking, Phishing, Vishing, Drive by Download Threats: Hacktivists, Cyber crime, Cyber Espionage, Fraudsters, Malware Motives: Political, Stealing Company Secrets and Clients Confidential and Credit Card Information for Fraud Attacks: DDoS, Defacing, Account Take Over/Session Hijacking, SQLi, Spear Phishing, APT, RAT 2012 Threats: Basic Intrusions and Viruses Motives: Testing and Probing Systems and Data Communications Attacks: Exploiting Absence of Security Controls, Sniffing Data Traffic, Defacing WHAT NEXT ?
  7. False Sense of Security Examples 10   Fosters pragmatism in

    security program management – “check boxing”   (TI) – Focus is not specific to your organization   (TI) – Threat intelligence remains largely non- actionable (Attacks)   (TD) – Size. Too many non-normalized data points.   (TD) – Accuracy. How are you reducing false positives?   (F) – More control gap exercises
  8. PASTA™ What is it?   Risk centric threat modeling methodology

      Contextual – ultimate relates back to business context   Only methodology that considers business impact   Still retains traditional threat modeling exercises   Attack trees, defining kill chain, data flow diagrams Value?   Collaborative process to think like adversarial groups   Less adversarial than other InfoSec practices   Provides on the job security awareness training   Elevates security risk to more operational risk areas
  9. Terminology   Asset.  An  asset  is  a  resource  of  value.

     It  varies  by  perspec5ve.  To  your  business,  an  asset   might  be  the  availability  of  informa5on,  or  the  informa5on  itself,  such  as  customer  data.  It   might  be  intangible,  such  as  your  company's  reputa5on.       Threat.  A  threat  is  an  undesired  event.  A  poten5al  occurrence,  o=en  best  described  as  an   effect  that  might  damage  or  compromise  an  asset  or  objec5ve.     Vulnerability.  A  vulnerability  is  a  weakness  in  some  aspect  or  feature  of  a  system  that  makes   an  exploit  possible.  Vulnerabili5es  can  exist  at  the  network,  host,  or  applica5on  levels  and   include  opera5onal  prac5ces.     A5ack  (or  exploit).  An  aDack  is  an  ac5on  taken  that  u5lizes  one  or  more  vulnerabili5es  to   realize  a  threat.       Countermeasure.  Countermeasures  address  vulnerabili5es  to  reduce  the  probability  of   aDacks  or  the  impacts  of  threats.  They  do  not  directly  address  threats;  instead,  they  address   the  factors  that  define  the  threats.       Use  Case.  Func5onal,  as  designed  features  of  an  applica5on.     Abuse  Case.  Deliberate  abuse  of  func5onal  use  cases  in  order  to  yield  unintended  results     A5ack  Vector.  Point    &  channel  for  which  aDacks  travel  over  (card  reader,  form  fields,   network  proxy)     A5ack  Surface.  Logical  area  (browser  stack)  or  physical  area  (hotel  kiosk  )     Actor.  Legit  or  adverse  caller  of  use  or  abuse  cases.     Impact.  Value  of  [financial]  damage  possibly  sustained  via  aDack.     A5ack  Tree.  Diagram  of  rela5onship  amongst  asset-­‐actor-­‐use  case-­‐abuse  case-­‐vuln-­‐exploit-­‐ countermeasure  
  10. Cyber security Considerations – Stage 1   Define business scope

    of application  What is the deployment model?  Who are the users?  What is the data?  Revenue affecting?  Affects customer SLAs?  Branding/ Reputational sensitivity of service?  What is the impact of cybercrime to the organization/ business?
  11. Cyber security Considerations – Stage 2   Define Technical Scope

    of  What is the IP footprint?  What are the external facing technologies?  What is the deployment model?  What is the hosting model?  Can you enumerate the technology components?  Platform, server software, proxies, services, infrastructure, etc.  Collectively represents technical Attack Surface
  12. 20 Software/ Process Components   Real Time Process / Software

    Enumeration (Windows)   C:\Users\[email protected]>wmic  process  get  name     Name     System  Idle  Process     System     smss.exe     csrss.exe     csrss.exe     wininit.exe     winlogon.exe     services.exe     lsass.exe     lsm.exe     svchost.exe     svchost.exe     LogonUI.exe     svchost.exe     svchost.exe     spoolsv.exe     WVSScheduler.exe     WVSScheduler.exe     Microso=.Ac5veDirectory.WebServices.exe     dfsrs.exe     dns.exe     dsNcService.exe     For5SSLVPNdaemon.exe     IISexpressSVC.exe     ismserv.exe     tomcat7.exe     LansweeperService.exe     pg_ctl.exe     iisexpress.exe     conhost.exe     ruby.exe     postgres.exe     conhost.exe     ruby.exe     capiws.exe     postgres.exe     svchost.exe   q  wmic  command  allows  to  query   local  installed  products  and  ac5ve   processes  on  a  Windows  pla_orm   q  Windows  sysinternals  suite     q  dpkg  –l     q  rpm  –qa  |  grep  –i  <package   name>  
  13. 21 Service Detection   Nmap – You may be surprised

    at what you find q  Nmap  –  GUI  &  CLI  port   scanner   q  Multiple  options  to   customize  and  automate   into  scripts   q  Nmap  –O  (OS  Detection)  – sV  (probe  open  ports)  –p   T:1-­‐65535  (port  option,   TCP,  all  ports)  –T  3   (timing  option)   q  Ideally  run  beyond  FW   boundaries   q  Fosters  port  (service),   platform,  and  even  rogue   software  detection.  
  14. Cyber security Considerations – Stage 3   Map Out Data

    Flows/ Service Calls/ Define Trust Boundaries   Do you have a good understanding of data flow from the application use cases?   How do these data flows/ service calls support the business objectives of the application/ infrastructure?   What protocols are being used?   ms-bin, json, ajax, soap, xml-rpc   Do you know the nature of calls being made?   POST requests (implications to backend applications/ DBs)   GET requests (implications on authorization of READs)   What does your infrastructure do in terms of the data flow?   Passes/ logs, passes/ no-logs, strict auth model?
  15. 24 Enumerating Actors – Tools & Techniques q Actor enumeration is

    critical; privileges easily overlooked q Running as root,  system,  java   q CRUD exercises against applications (local, LDAP, AD) q *nix: cat  /etc/passwd     q Windows: net  user  /domain  (insert app domain) q CRUD exercises against databases q Sysinternals TCPView, netstat  –a  -­‐b
  16.   Picturesque way of showing the movement of data between

    external entities and the processes and data stores within a system DFD Definition   DFDs: Keeping it Simple
  17. Data Flow Diagramming (DFD) Primer General Information q  Engineering  roots

      q  Focuses  on  Data  Flow   q  Maps  out  use  of   applica5on  components     q  Visualizes   communica5on   q  Universal  ar5fact     q  Under-­‐u5lized   Misconceptions q  Too  complicated   q  Takes  too  much  5me   q  Too  technical   q  Too  many  defini5ons  to   learn   q  Only  focuses  on  data   flow  
  18. Cyber security Considerations – Stage 4   Enumerate Threats  

    Do you have a good understanding of the threat motives from a cybercriminal perspective?   Have you define who the threat agent(s)/ actors could be?  Human vs. non-human   What level of threat intelligence have you considered to be most relevant?  Can you build threat claims to support the threat model?  How does the threat intel serve to make assertions that would undermine business objectives/ use cases of application?   How does your threat data around the app scope support threat claims?
  19. 12/5 30 Extracting Meaning Info from Threat Sources   Key

    Healthcare Related Statistics q  94% of hospitals had at least one breach in the last two years q  87% of attacks were by external actors q  93% of these external actors in 2012 came from Romania q  Work stations and POS terminals were targeted q  A popular attacks are enumerating applications riding on the target systems for weak and common credentials (brute force)
  20.   Where to find if you’re application is being brute

    forced for weak and common credentials:   Apache Access logs: /var/log/httpd-access-log   Tomcat logs: Access Log Valve - Access Log Valve creates log files in the same format as those created by standard log servers   ISS logs: c:\inetpub\logs\LogFiles   If the application is using AD to authenticate, check the windows security logs for failed authentication attempts Internal Threat Sources to Consider
  21. Threat Analysis Process • Iden5fied  Targets   • Iden5fied  gains   • Iden5fied

     risks  (for   aDacker)   • Difficult  to  achieve,  not   essen5al  but  helpful   Perceived   Mo5ve   • Data  extrac5on   • DoS   • ADacking  data  integrity   • STRIDE/  DREAD  men5on   Understood   Threats   • High  Level  Data   • More  Detail  Data  Asset   Enumera5on   • Leads  into  next  phase:   vulnerability  analysis   Asset   Mapping  
  22. Cyber security Considerations – Stage 5   Vulnerability Analysis –

    How can Cyber criminals Get In  What is weak/ vulnerable in the application scope?  Leverage authenticated vuln scans post false positive analysis  Have trust boundaries been identified in architectural reviews / data flows?  Leverage existing vulnerability tools/ service providers to execute on this stage  Value is in the integration to support threat viability  Scope of vulnerability assessment is important
  23. Cyber security Considerations – Stage 6   Realizing the Threat

    – Attacking the Attack Surface  Attacks substantiate threat claims  Attack Trees are very helpful to visualize what the attack is targeting, vulnerability exploited, inherent mitigation, and seeing residual risk.  Attack Trees should depict that attack vector of an attack.  Attacks should emulate likely cybercriminal activity that was identified from the threat analysis  Probability values should be aligned to attack branches in the attack tree
  24. Fraudster Drive-by Download/ Malicious Ads Man In The Browser Phishing

    Email, FaceBook Social Engineering Upload Malware on Vulnerable Site Attack Victim’s Vulnerable Browser Steals Keystrokes with Key-logger Modifies UI Rendered By The Browser Phish User To Click Link With Malware Upload Banking Malware on Customer’s Pc Harvest Confidential Data/ Credentials From Victim Steal Digital Certificates For Authentication Sends Stolen Data to Fraudster’s Collection Server Money Transferred From Mule to Fraudster Use Stolen Banking Credentials/ Challenge C/Q Remote Access To Compromised PC Through Proxy Logs into Victim’s Online Bank Account Fraudster Perform Un- authorized Money Transfer to Mule Redirect Users To Malicious Sites Delete Cookies Forcing to Login To Steal Logins Attack Tree Examples
  25. 39 Credit Card Data Compromise Man In The Middle/Browser Attack

    Automated SQL Injection Attack To upload malware Serve malicious IFRAME to victim visiting the web site Phishing Email/ Social Engineering SQL Injection Exploit Alter Query To Get CC data Exploit Weak Session Management Insecure Cryptographic Storage/ Transit Impersonate user to get access to CC data Upload Sniffer To Get CC data Session Fixation to get access to CC data Attack User/ Browser Attack Web Application Clickjacking Serve Invisible Frame that runs malware Take Credentials and CC data from user Capture Non- Encrypted CC Data   #2  Test  for  SQL  injec5on  and  code   injec5on  (Frames)  vulnerabili5es       #4  Test  for  session   fixa5on  and  hijacking       #3  Test   encryp5on  of   sensi5ve  CC  data   in  storage  and   transit       #1  Test  web   applica5on  assuming   browser   compromise    and/or   automa5on  aDacks     Cybercriminal Activity Around Card Data
  26. User Hacker/Malicious User Brure Force Authentication Enter Username and password

    Validate Password Minimum Length and Complexity Application/Server Includes Mitigates User Authentication Includes Includes Includes Mitigates Threatens Show Generic Error Message Includes Includes Lock Account After N. Failed Login Attempts Harverst (e.g. guess) Valid User Accounts Dictionary Attack Mitigates Mitigates Enumerating Attacks & Mapping to Use Cases
  27. Cybercrime Threat Intelligence and Analysis: 41 ATTACK: Attack “xp_cmdshell on

    MSQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM TEST CASES AGAINST THIS THREAT: 1. Test xp_cmdshell is disabled 2. Test extended URLs are denied 3. Test escape for special characters “”, comma 4. Test store procedures run with minimum privileges 5. Test SQL Server and IIS run under non-privilege 6. Test appserver not use “sa” hardcoded 7. Test account locking on mainframes against brute force 8. Test access to DB server is internally restricted by IP 9. Test a proxy server is used for internet access 10. Test firewall rules are updated 11. Test HSM not use commands with PIN in the clear
  28. Cyber security Considerations – Stage 7   Mitigation driven by

    Business Impact & Threat Analysis   Countermeasures are developed commensurate to the threat, likelihood and most importantly the value of the data/ service {regulation | branding | SLAs | privacy}   Collaborative, less adversarial than traditional remediation efforts   Focuses on remediation activity based upon likely threats, clear attack paths, existing weaknesses/ vulns, with clear business impact values.
  29. Users Request Responses DMZ (User/Web Server Boundary) Message Call Account/

    Transaction Query Calls Web Server Application Server Application Calls Encryption + Authentication Encryption + Authentication Financial Server Authentication Data Restricted Network (App & DB Server/Financial Server Boundary) Database Server Application Responses Financial Data Auth Data Message Response SQL Query Call Customer Financial Data Internal (Web Server/ App & DB Server Boundary) 44  Access   Level   External   Access  Level   Internal   Access  Level   Restricted   I.  Spoofing   II.  RepudiaIon   I.  Tampering   II.  RepudiaIon   III.  Info  Disclosure   IV.  Denial  OF   service   AuthN,   EncrypIon   Digital,   signatures,   HMAC,  TS   I.  AuthN,   EncrypIon   II.  Digital   signatures,   HMAC,   TS,AuthZ   Audit   III.  EncrypIon,   AuthZ   IV.  Filtering,   AuthN   Mapping Countermeasures to Attacks
  30. The  Beneficiaries  of  PASTA™   ! Business  managers  can  incorporate  which

      security  requirements  that  impact  business   ! Architects  understand  security/design   flaws  and  how  countermeasure  protect   data  assets   ! Developers  understand  how  so=ware  is   vulnerable  and  exposed     ! Testers    can  use  abuse  cases  to  security   tests  of  the  applica5on   ! Project  managers  can  manage  security   defects  more  efficiently   ! CISOs  can  make  informed  risk   management  decisions