IANS Pragmatic Threat Modeling Michael Pinch, IANS Faculty
Agenda
- What Is Threat Modeling?
- Who Should Be Considering Threat Modeling?
- Methodologies for Threat Modeling
- Common Pitfalls
- Introduction of IANS Pragmatic Threat Modeling Toolkit
- Integrating into Your Organization
- Advanced Threat Modeling Tools
IANS 2016 Client and IANS Confidential - 2
What Is Threat Modeling?
Threat modeling is the process of reviewing a system from the perspective of an attacker to identify potential weaknesses or areas for improvement.
Threat models are often confused with risk assessments, which focus more on reviewing a system against a predefined list of controls.
Threat modeling is an effective complement to risk assessments.

      | Risk Assessments               | Threat Modeling
What  | Controls- and compliance-based | System-, infrastructure- and service-based
Who   | Audit, Compliance, Security    | IT Operations, Development, Security
Should We Use Threat Modeling?
Threat modeling is generally adopted more successfully by organizations with more mature security programs, i.e. those with:
- A strong risk assessment process in place
- A mature security architecture review process
- A strong risk management process in place
- A quantified risk review and remediation process
Think vulnerability management: progressive organizations with development shops typically push partial ownership of vulnerability identification and remediation to development teams.
A similar concept is ideal for threat modeling: teach these teams to threat model themselves and get better results!
Various Threat Modeling Approaches
Methodology | Description | Publisher/Creator | More Info
STRIDE | Acronym for six categories of threat (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) | Microsoft | STRIDE
OCTAVE | A large risk management methodology that includes threat modeling as one aspect | CERT | OCTAVE
DREAD | A threat risk scoring methodology | Microsoft (loosely affiliated) | Threat Risk Modeling
CVSS | The same methodology followed for public rating of vulnerabilities; also provides a framework for risk management at your organization | FIRST.org | CVSS
Threat Modeling Pitfalls
Threat modeling can quickly create paralysis by analysis.
IANS often sees highly complex methodologies that attempt to account for every possible variable and quickly become untenable.
This was the genesis of the IANS Pragmatic Threat Modeling Toolkit.
CISO review: "I could spend 10x as much time doing a threat assessment and not get results 5% better."
IANS Approach - STRIDE & DREAD
Every aspect of the tool is designed to be simple, fast and easy.
Threats are reviewed against two axes: category (STRIDE) and risk (DREAD).
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability
Overview of IANS Pragmatic Threat Modeling Toolkit
Simple, self-documenting Excel spreadsheet
Steps:
1. Collect general application information
2. Inventory processes, services, ports and protocols
3. Enumerate possible threats on each port/protocol in use according to the STRIDE taxonomy
4. Risk-rate each categorized threat across the DREAD dimensions
5. Generate an overall risk inventory and graphical representation
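The five toolkit steps above, carried through as a small runnable STRIDE x DREAD inventory calculator. This is an added example, not the IANS spreadsheet or any IANS code. The service names, ports, threat descriptions and DREAD numbers are constructed; the 1-10 rating scale per dimension, the arithmetic-mean score and the High/Medium/Low thresholds are assumptions, since the slides do not state the toolkit's scales.

```python
"""Minimal STRIDE x DREAD threat inventory following the toolkit steps.

Constructed example: services, threats and all DREAD scores are hypothetical.
The 1-10 per-dimension scale, the arithmetic mean, and the High/Medium/Low
thresholds are assumptions, not the toolkit's actual scales.
"""
from collections import defaultdict
from dataclasses import dataclass

# Step 3: the STRIDE taxonomy used to categorize each threat.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Step 4: the five DREAD dimensions each threat is rated on.
DREAD = ("Damage", "Reproducibility", "Exploitability", "Affected Users", "Discoverability")


@dataclass(frozen=True)
class Service:
    """Step 2: one row of the service inventory (process, port, protocol)."""
    name: str
    port: int
    protocol: str


@dataclass
class Threat:
    """Steps 3-4: a STRIDE-categorized threat against a service, with DREAD ratings."""
    service: Service
    category: str      # one of the STRIDE keys
    description: str
    dread: dict        # dimension name -> integer 1..10 (assumed scale)

    def score(self) -> float:
        """Mean of the five DREAD ratings, rounded to one decimal.

        Refuses incomplete or out-of-range ratings so that a blank spreadsheet
        cell cannot silently pull a threat's score down.
        """
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        missing = [d for d in DREAD if d not in self.dread]
        if missing:
            raise ValueError(f"missing DREAD ratings: {missing}")
        bad = {d: v for d, v in self.dread.items() if not (isinstance(v, int) and 1 <= v <= 10)}
        if bad:
            raise ValueError(f"DREAD ratings must be integers 1-10: {bad}")
        return round(sum(self.dread[d] for d in DREAD) / len(DREAD), 1)


def rating(score: float) -> str:
    """Bucket a DREAD score into High/Medium/Low (thresholds are assumptions)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def risk_inventory(threats):
    """Step 5: the overall risk inventory, highest-scoring threat first."""
    rows = []
    for t in threats:
        s = t.score()
        rows.append({
            "service": f"{t.service.name} ({t.service.port}/{t.service.protocol})",
            "category": STRIDE[t.category],
            "threat": t.description,
            "score": s,
            "rating": rating(s),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summary_by_service(threats):
    """Per-service aggregate (threat count, worst score) for the graphical view."""
    summary = defaultdict(lambda: {"threats": 0, "max_score": 0.0})
    for t in threats:
        entry = summary[t.service.name]
        entry["threats"] += 1
        entry["max_score"] = max(entry["max_score"], t.score())
    return dict(summary)


# Constructed sample inventory for a hypothetical customer-portal application.
HTTPS = Service("Customer portal (HTTPS)", 443, "tcp")
MYSQL = Service("Portal database (MySQL)", 3306, "tcp")
SSH = Service("Admin shell (SSH)", 22, "tcp")

SAMPLE_THREATS = [
    Threat(HTTPS, "S", "Credential stuffing against the portal login",
           dict(zip(DREAD, (8, 7, 6, 9, 8)))),
    Threat(HTTPS, "D", "Request flooding exhausts the application worker pool",
           dict(zip(DREAD, (6, 8, 7, 9, 9)))),
    Threat(MYSQL, "I", "Database port reachable from other subnets exposes customer records",
           dict(zip(DREAD, (8, 9, 5, 9, 4)))),
    Threat(MYSQL, "T", "Unvalidated application input alters stored records",
           dict(zip(DREAD, (9, 6, 4, 9, 3)))),
    Threat(SSH, "R", "Shared admin account with no central logging defeats attribution",
           dict(zip(DREAD, (4, 9, 8, 2, 6)))),
]

if __name__ == "__main__":
    for row in risk_inventory(SAMPLE_THREATS):
        print(f"{row['score']:>4}  {row['rating']:<6} {row['category']:<22} {row['service']}: {row['threat']}")
    for name, agg in summary_by_service(SAMPLE_THREATS).items():
        print(f"{name}: {agg['threats']} threats, worst score {agg['max_score']}")
```

Running the file prints the inventory worst-first and the per-service summary that the toolkit's chart would be drawn from. The validation in score() is the check worth keeping when this is done in a spreadsheet: a blank or zero DREAD cell averaged in quietly pushes a threat down the list, so reject it instead of scoring it.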
System Information
Service Inventory
Threat Identification and Risk Rating
Overall Threat Scoring
Integrating Threat Modeling
There are many ways to integrate, but ideally threat modeling is tightly tied to architecture review and major system changes.
An ideal development lifecycle is shown below:
Advanced Threat Modeling Tools and Resources
In early 2016, Microsoft built and published a very robust threat modeling tool:
- Similar underlying methodology
- Much more detailed process and user interface
- Significant learning curve
For organizations that want more from their threat modeling tool, this should be their first stop: Microsoft Threat Modeling Tool 2016
Questions? info@iansresearch.com
Join Us Next Time
- Building and Staffing a Winning Security Team, Sept. 21, 2016. Register: https://attendee.gotowebinar.com/register/2568320998342649857
- Using Big Data Techniques to Bolster Information Security, Oct. 12, 2016. Register: https://attendee.gotowebinar.com/register/6818092867512332289
Upcoming Forums
- Chicago, Sept. 13-14: Register
- Philadelphia, Oct. 5-6: Register
- Atlanta, Oct. 18-19: Register
- Boston, Nov. 2-3: Register
- Charlotte, Nov. 9-10: Register
- Los Angeles, Nov. 15-16: Register