2024: Domino Containers - The Next Step. News from the Domino Container commu...
Rapid Threat Modeling : case study
1. rapid Threat Modeling
identifying threats in a webapp before coding it: the
case study of the innocent (but still nice) Doctor
Antonio Fontes
Length: 45+15 minutes
Securitybyte Conference – Sept 6th – 9th 2011
Bangalore
2. 2
About me
• Antonio Fontes
• Owner L7 Sécurité (Geneva, Switzerland)
• 6+ years experience in information security
• Fields of expertise:
– Online applications defense
– Security integration in the software development lifecycle
– Threat modeling, risk analysis and estimation
• Lecturer at the University of applied sciences, Western Switzerland
• OWASP:
– Chapter leader: Geneva
– Board member: Switzerland
http://L7securite.ch
3. 3
My objectives for today:
1. You understand the concept of threat
modeling and its fast track approach
2. You can build a basic but still actionable
threat model for your web application
3. You know when you should build a threat
model and what you should document in it
4. This new technique helps you feel more
confident about the security of your web
application.
http://L7securite.ch
4. 4
Disclaimer
• Don’t expect “100%” coverage
– Our main goal here is to prioritize the security
effort, not to replace testing activities!
• If full analysis is strictly necessary:
– Use system-centric TM instead (much more
systematic)
– Extend with other SDLC security activities: review,
testing, best practices, secure APIs, etc.
http://L7securite.ch
5. 5
Panic mode?
• Don’t write what you see on the slides!
– They will be freely available on request
– and uploaded to:
http://slideshare.net/starbuck3000
http://L7securite.ch
6. 6
Threat Modeling crash course
A repeatable process, to help
identify and document:
– A system’s characteristics and
security requirements
– Data-flows
– Threats
– Potential responses to
these threats (controls)
http://L7securite.ch
7. 7
Threat Modeling crash course
A threat model is:
– Reusable: it can serve at different
stages of development, like
design, implementation,
deployment and testing
– Editable: it’s an ongoing
threat assessment of your
application. It should be
updated along with the
application
http://L7securite.ch
9. 9
Case study
• A local pediatrician is
constantly receiving phone
calls (and messages on
Facebook!) from desperate
parents, outside cabinet
opening hours.
http://L7securite.ch
10. 10
Case study
• He hired an assistant but
he refuses to answer late evening phone calls
(and apparently, law is on his side…)
• He tried hiding his personal phone number
(and configuring his Facebook profile to hide his phone
number) butparents keep finding ways to
contact him outside regular hours.
http://L7securite.ch
11. 11
Case study
• His patients have a stunning idea: a webapp
for managing his appointments!
http://L7securite.ch
12. 12
Case study
• Basically, he wants his patients to be able, at
any time (night and day):
– to schedule for an appointment at the closest
free slot available
– to describe the symptoms, to help him, if
necessary, reschedule the appointment or even
contact the family back (in case it looks worse than it
appears).
http://L7securite.ch
13. 13
Case study
• He contacts a local web agency
and describes his need.
• The web agency accepts to build the solution.
(easy job, easy money!)
• They start immediately. Actually, they just
started designing the system yesterday!
http://L7securite.ch
14. 14
Case study
• The pediatrician reads news about an infosec
conference ☺
• He hears about guys, who wear black hats,
hack into web applications, seek chaos by
destroying databases, stealing and selling
personal data on the black market to large
corporations that want to control the world!
http://L7securite.ch
15. 15
Case study
• He meets a guy, who tells him about an
obscure technique called threat modeling.
• He says it might help the outsourcing web
agency to avoid doing some major mistakes,
and implement appropriate countermeasures
in the web application while still at design
time.
http://L7securite.ch
16. 16
Case study
The doctor suddenly realises
that the web agency did not
talk about security the other
day...
http://L7securite.ch
17. 17
Case study
• He hires you, for one day.
• Your job is to observe the
project, gather information,
and eventually, issue some
recommendations...
http://L7securite.ch
19. 19
1. Describe (understand) the system
• What is the motive/driver of the client?
– Compliance?
– Intrusion follow-up?
– Awareness / self-determination / corporate
culture ?
– Is someone-thing in particular threatening the
organization?
– Other reasons?
http://L7securite.ch
20. 20
1. Describe (understand) the system
• What is the business requirement?
• What role is the system playing in the
organization?
• Will it be the only/major revenue source?
• Will it bring money?
• Is it processing online transactions?
• Is it feeding other transactional systems?
• Is it storing/collecting sensitive/private information?
• Should it be always online or is it okay if it stops
sometimes?
http://L7securite.ch
21. 21
1. Describe (understand) the system
• Is the business under particular data
processing regulation?
– Privacy?
– Healthcare?
– Food? Chemicals? Drugs?
– Transports? Energy?
– Legal? Financial?
http://L7securite.ch
22. 22
1. Describe (understand) the system
• Is the system protecting or supporting the life
of someone? Or can it endanger someone?
– Water cleaning?
– Transportation?
– Energy?
– Health equipment?
– Interactions with the physical environment?
– Weaponized? Military?
http://L7securite.ch
23. 23
"The system is not built to generate revenue."
"It is not processing orders."
"It allows my clients to schedule for an
appointment. "
"Oh, I forgot, and it also allows them to provide
some basic information on the case
(symptoms)."
http://L7securite.ch
24. 24
“Well, I guess…certainly compliance with some
health information Act?“
“It can be offline.”
“It is not consumed by third-party systems.”
“It is not interacting with people or things.”
“I will be the only one accessing it.”
…”and my assistant, of course!”
http://L7securite.ch
25. 25
1. Describe (understand) the system
Motivator Comment
My employees/clients life/safety is at risk (SCADA systems,
energy, transports, food & drugs, etc.)
I want to stay compliant with laws and regulations
I just want to sleep peacefully and avoid hackers
I never want my systems to be compromised again!
I want to protect my employees/customers privacy
I want to make sure my customers pay for our goods/services
I want to keep the money inside my company
I cannot afford my website going offline
It is connected to our ERP
Threat Modeling really seems awesome! (seen the ad on TV)
http://L7securite.ch
26. 26
1. Describe (understand) the system
Motivator Comment
My employees/clients life/safety is at risk (SCADA systems, not really…
energy, transports, food & drugs, etc.)
I want to stay compliant with laws and regulations Are there any?
I just want to sleep peacefully and avoid hackers Yes!
I never want my systems to be compromised again! not really…
I want to protect my employees/customers privacy Of course!
I want to make sure my customers pay for our goods/services Not applicable
I want to keep the money inside my company Not applicable
I cannot afford my website going offline Yes. They will call me.
It is connected to our ERP Our what??
Threat Modeling really seems awesome! (seen the ad on TV) Definitely!
http://L7securite.ch
27. 27
"I never had a website for my cabinet." (well, I
think…)
"I just don't want a bad thing to happen when
this service comes online.“
"I don't really know of particular regulatory
requirements…"
http://L7securite.ch
30. 30
1. Describe (understand) the system
Motivator Comment
My employees/clients life/safety is at risk (SCADA systems, not really…
energy, transports, food & drugs, etc.)
I want to stay compliant with laws and regulations Are there any? YES
I just want to sleep peacefully and avoid hackers Yes!
I never want my systems to be compromised again! not really…
I want to protect my employees/customers privacy Of course!
I want to make sure my customers pay for our goods/services Not applicable
I want to keep the money inside my company Not applicable
I cannot afford my website going offline Yes. They will call me.
It is connected to our ERP Our what??
Threat Modeling really seems awesome! (seen the ad on TV) Definitely!
http://L7securite.ch
31. 31
1. Describe (understand) the system
Let's add the developer and the architect to the
discussion…
http://L7securite.ch
32. 32
1. Describe (understand) the system
• Please describe the system as you imagine it:
– Technologies?
– Architecture?
– Functionalities? (use cases?)
– Components?
• What will be the major use cases?
http://L7securite.ch
33. 33
"It's a standard webapp, including a frontend
application connected to a backend database."
“Clients will create a profile with basic personal
information (patient name/lastname, parent
name/lastname, address, email address, phone
numbers, username, password."
"Once they have logged in, they can schedule for
an appointment."
http://L7securite.ch
34. 34
1. Describe (understand) the system
• What will be its typical usage scenarios?
– Visitors? Members? Other doctors? Access from
outside?
• Who (where) will host the system?
• How will users be authenticated?
• Where will users connect from?
– and where will the doctor connect from?
http://L7securite.ch
35. 35
"Users can connect and see their appointments,
edit their info or cancel them."
"The cabinet will be using a supervisor access,
who has entire view on the agenda and can
access details of every appointment."
“Users authenticate with username/password."
“Credentials will be stored securely."
"The system will be hosted on our web farm."
http://L7securite.ch
36. 36
"I will connect from work! Of course!"
…"and from home, if I can…"
http://L7securite.ch
45. 45
1. Describe (understand) the system
• What/Where are the assets of highest value?
– Is there private/proprietary/regulated information
anywhere?
– Are user credentials stored? Where? How?
– Are there any financial/transactional flows?
– Is one of these components critical for your
business?
– Is the system connected to other more sensitive
systems? (company ERP? Bank? Machines?)
http://L7securite.ch
46. 46
"The accounts database contains PII about my
patients."
"The accounts database contains credentials."
"Money doesn't flow through the application.“
“The system does not connect to anything else.”
“The system can turn offline. Patients will call
me on my phone, as before!"
http://L7securite.ch
47. 47
“We host several customers on our shared
hosting environment.”
“It is totally secure!”
http://L7securite.ch
48. 48
1. Describe (understand) the system
• How many occurrences of these assets are
you expecting in say…two years from today?
(We are gathering volumetric data here)
http://L7securite.ch
49. 49
"In two years?
I'd say around 300 family accounts.
3’600 appointments (6/family/year)
And 2400 urgent appointments…
(4/family/year)"
http://L7securite.ch
50. 50
End of task 1
• It’s a non-transactional web application
• It is not connected to other systems
• It hosts patient health information + PII
– Data should be protected from unauthorized
access (in-transit + offline)
• It is accessible from the Internet
• It contains usernames + passwords
– Credentials storage should observe best practices
http://L7securite.ch
52. 52
2. Identify potential threat agents
- Given what we know, who might be interested
in compromising your system?
- No one!
- Any competitor recently installed?
- Mmmmh…yes…One, actually. She just
arrived. She’s a pediatrician, too.
- Could she steal your patients?
- Oh!
http://L7securite.ch
53. 53
2. Identify potential threat agents
- Any businesses would be interested in
acquiring health details on 300 geographically-
linked families, including their problems,
illnesses, special situations?
- Any businesses interested in acquiring
personal details of 300 families including
usernames, passwords, contact details?
- Mmmmh…probably
http://L7securite.ch
54. 54
2. Identify potential threat agents
• Would anyone want to steal your data?
• Would anyone be able to sell it?
• Would anyone be interested in corrupting it?
• Would anyone benefit from an interruption of
your application?
http://L7securite.ch
55. 55
“You have a scary way of asking
questions…”
http://L7securite.ch
57. 57
2. Identify potential threat agents
Threat source Motivation Approach (strategy/tactics)
Dumb users Opportunistic Mistakes
Smart users Opportunistic Circumventing complex GUI
Script kiddies / hackers Opportunistic Use of automated exploit/scanning tools,
(low-profile) known vulnerabilities research
Hackers (higher profile) Targeted Vulnerability research
Competitors Targeted Hiring hackers
Other businesses Targeted Hiring hackers
Organized cybercriminals Targeted 0-day research and trade
Government / Military Targeted Long-term ops
APT magic Mixed Continuous + long-term + multilayer ops
http://L7securite.ch
58. 58
2. Identify potential threat sources
Which of these sources might hit or target my
business?
– With a high probability?
• Population size
• Exposure
– With a high impact?
• Personal/health information disclosure (compliance)
– With the incentive of a high reward?
• Users/passwords stealing / health information trading
http://L7securite.ch
59. 59
2. Identify potential threat agents
Don’t forget to ask the customer if she/he has
access to confidential threat information:
– CIOs/CSOs in information critical organizations
may have access to undisclosed threat
information:
• National/international/industry threat analysis reports
– Don’t forget to ask!
http://L7securite.ch
60. 60
2. Identify potential threat agents
Threat source
Threats, which were removed:(strategy/tactics)
Motivation Approach
Dumb users Opportunistic They can do mistakes, but not that critical
Organized cybercriminals Targeted They are not known for targeting small-
sized medical databases
Government / Military Targeted They should not be interested in the data.
-> no high-profile patients!
APT magic Mixed Joker*
http://L7securite.ch
61. 61
2. Identify potential threat agents
Threat source Motivation Comment
Threats, which were prioritized:
Smart users Opportunisti They will try to bypass other patients
c requests
Script kiddies / hackers Opportunisti They will play with their tools
(low-profile) c Several hours investment
Hackers (higher profile) Targeted They will try to hack into the application
during a day
Competitors Targeted Hiring a hacker to try stealing/corrupting
data during a few days
Other businesses Targeted Hiring a hacker to try stealing/corrupting
data during a few days
http://L7securite.ch
62. 62
2. Identify potential threat agents
Script Kiddies and low-profile hackers
Threat agent profile
Prevalence HIGH
Damage potential MEDIUM (repeated disturbances, reputation, data
corruption)
Tactics Automated security scanners, exploits testing, exploitation
of injection flaws, short-term bruteforcing/dictionary
attacks (high HTTP req. freq.)
OWASP Top10 direct attacks (A1, A3, A4, A6, A8, A10)
Business layer attacks No
Countermeasures Request throttling
Strong defense against OWASP T10 direct attacks
Secure configurations (systems, services)
http://L7securite.ch
63. 63
2. Identify potential threat agents
Hacker (high profile)
Threat agent profile
Prevalence LOW
Damage potential MEDIUM to HIGH
(personal reward, contract engagements)
Tactics Combination of automated + manual scanning
Lower HTTP request frequency
Short timespan vulnerability research
Full range OWASP T10 investigation, including A2 and A5
Business layer attacks No
Countermeasures Complete OWASP T10 risk coverage
http://L7securite.ch
65. 65
3. Identify major threat scenarios
• Which threat scenarios would be (really)
bad for the business?
– Which threat source would trigger that
scenario?
– How would she/he/they proceed technically?
– What would be the impact for my business?
• Shameful (bad news)? Bad (financial loss)?
Catastrophic (end of the my world)?
http://L7securite.ch
66. 66
3. Identify major threat scenarios
• Some helpers:
– Think about threats induced naturally, by the
technology itself.
– Think about what the CEO really doesn't want.
• Think AIC:
– Availability, integrity, confidentiality
– Apply on every component
of the DFD!
http://L7securite.ch
67. 67
3. Identify major threats
# Threat scenario Agent Attack description
T1
T2
T3
T4
n
http://L7securite.ch
68. 68
3. Identify major threats
# Threat Source Attack details
T1 Page defacement, hacking for Script - Automated tools
fame kiddies - expl. of injection flaws
T2 Users circumventing the Smart user - Eyesight tampering
appointment lock feature
(already booked)
T3 Corruption of the central Competitor - expl. of injection flaws
agenda - unauthorized
appointment
cancellation
T4 Extraction of the users info DB Competitor, - expl. of injection flaws
other bus. - unsecure direct
references
- expl. of authentication
http://L7securite.ch flaws
69. 69
3. Identify major threats
# Threat Source Attack details
T5 Extraction of the appointment Competitor, - expl. of injection flaws
(med) details other bus. - unsecure direct
references
- expl. of authentication
flaws
T6 User credentials interception Script - traffic interception
kiddies attacks
- XSS
T7 Doctor's credentials Competitor, - same as T6
interception other bus. - trojan bonus… ☺
http://L7securite.ch
70. 70
3. Identify major threats
# Threat Impact
T2 Users circumventing the appointment lock feature Medium (Bus.)
(already booked)
T3 Corruption of the central agenda Medium (Bus.)
T6 Users credentials stealing Medium (bus)
T1 Page defacement, fame hacking High (Tech)
T4 Extraction of the users info DB High (bus.)
T5 Extraction of the appointment (med) details Critical (bus.)
T7 Doctors' credentials stealing Critical (bus.)
-> T5
http://L7securite.ch
71. 71
How would we prevent/detect each scenario?
http://L7securite.ch
72. 72
3. Identify major threats
Th# Attack Scenario prevention controls
T1 Defacement Layered hardening
T1 Defacement Parameter tampering defenses
T4 Privacy data extraction Parameter tampering defenses
T4 Privacy data extraction Unpredictable/unexposed profile/accounts references
T5 Medical data extract. Parameter tampering defenses
T5 Medical data extract. Unpredictable/unexposed appointment references
T5 Medical data extract. Defensive "appointment details" access control
T7 Doctor's account stealing Encrypted data transmission channel
T7 Doctors' account stealing Dynamic authentication (OTP)
T7 Doctors' account stealing Output encoding
… … …
http://L7securite.ch
73. 73
3. Identify major threats
Th# Attack Scenario detection controls
T1 Defacement Homepage integrity checking
T4 Privacy data extraction Injection of honeypot data + usage monitoring
T5 Medical data extract. Injection of honeypot data + usage monitoring
T7 Doctor's account stealing Out-of-band notification of authentication events
… … …
http://L7securite.ch
74. 74
Task 4:
Document your observations
(aka "opportunities for
risk mitigation")
http://L7securite.ch
75. 75
4. Document
• Document:
– The threat agents model you selected for your TM
– The threat scenarios you identified
– The controls to prevent or detect these threat
scenarios
• Recommend and prioritize:
– What should be absolutely done?
– In what order?
http://L7securite.ch
76. 76
4. Document
C# Control(s) Priority Cost type
P1 Layered hardening High Medium
P2 Parameter tampering defense (input validation) High Medium
P3 Parameter tampering defense (parameterized queries) High Low
P4 Unpredictable/unexposed profile/accounts references High Medium
P5 Unpredictable/unexposed appointment references High Medium
P6 Defensive "appointment details" access control High Medium
P7 Encrypted data transmission channel at least during auth. Sequence High Medium
P8 Dynamic authentication model (OTP) for the supervisor account High High
P9 Output encoding on all dynamic data returned to the user High Medium
D1 Homepage integrity checking Low Low
D2 Injection of honeypot data + usage monitoring Low High
D3 Injection of honeypot data + usage monitoring Low High
D4 Out-of-band notification of authentication events Low Low
http://L7securite.ch
77. 77
4. Document
C# Control(s) Priority Action
P1 Layered hardening High Implement
P2 Parameter tampering defense (input validation) High Implement
P3 Parameter tampering defense (parameterized queries) High Implement
P4 Unpredictable/unexposed profile/accounts references High Implement
P5 Unpredictable/unexposed appointment references High Next ver.
P6 Defensive "appointment details" access control High Implement
P7 Encrypted data transmission channel at least during auth. Sequence High Implement
P8 Dynamic authentication model (OTP) for the supervisor account High Next ver.
P9 Output encoding on all dynamic data returned to the user High Implement
D1 Homepage integrity checking Low Implement
D2 Injection of honeypot data + usage monitoring Low Postpone
D3 Injection of honeypot data + usage monitoring Low Postpone
D4 Out-of-band notification of authentication events Low Implement
http://L7securite.ch
78. 78
4. Document
Expected threat coverage for next version:
# Threat Impact Coverage
T1 Page defacement, hacking for fame High Complete (P+D)
T4 Extraction of the users details DB High Complete (P)
T5 Extraction of the appointment (med) details Critical Partial
T7 Doctor's credentials interception Critical Partial
http://L7securite.ch
81. 81
Conclusion
rTM is imprecise, inexact, undefined:
– Requires good understanding
of the business case
– Requires good knowledge of
web application threats
– Requires common sense
– Can be frustrating the
first times
http://L7securite.ch
82. 82
Conclusion
Repeating the basic process a a few times
quickly brings good results:
1. Characterize the system
2. Identify the threat sources
3. Identify the major threats
4. Document the countermeasures
5. Transmit (translate) to the team
http://L7securite.ch
83. 83
Conclusion
"Who should make the TM?"
– Theoretically: the design team
– Practically: an appsec guy with good knowledge of
internet threats, web attack techniques
and the ability to understand what is
important for the business under
assessment will definitely set
the "efficiency" attribute.
http://L7securite.ch
84. 84
Conclusion
• "When should I make a TM?"
– Sometime is good. Early is better.
– If the objective is to avoid implementing poor
code do it at design time.
– After v1 is online: when new data "assets" appear
in the data-flow diagram, it's usually a good sign
to update the TM. yes, it can be updated!
– If you conduct risk-driven vulnerability
assessments or code reviews, the TM will help.
http://L7securite.ch
86. 86
Conclusion
TM can also be performed later (risk-based testing):
Analyze Design Implement Verify Deploy Respond
Security Secure Security Secure Incident
requirements Secure coding testing deployment response
design
Risk Design Threat Code Vulnerability
Risk management
analysis Threat review modeling review assessment
modeling Threat Penetration
modeling testing
Training & awareness
Policy / Compliance
Governance (Strategy , Metrics)
http://L7securite.ch
87. 87
Conclusion
• TM can be performed from an asset
perspective:
– Aka the asset-centric approach (mostly what we
just did)
• It can be performed from an attacker
perspective:
– Aka the attacker-centric approach
• Who would attack the system with what means?
• (remember the “threat agent profile” cards)
http://L7securite.ch
88. 88
Conclusion
• TMing can also be performed systematically:
– Aka the system-centric approach
– Most detailed and rigorous technique
• Use of threat identification tools: STRIDE
– Spoofing, Tampering, Repudiation, Information disclosure,
Denial of service, Elevation of privileges…
• Use of threat classification tools: DREAD
– Damageability, Reproducibility, Exploitability, Affected
population, Discoverability…
• Structured DFD analysis (see next slides)
http://L7securite.ch
89. 89
Conclusion
• "What should be documented in a TM? "
– Basically: what you think is right. There is no rule
(yet). TM'ing is never absolute.
– If you spend days writing a threat model for a
single web app, there might be a problem…
– Remember that threat modeling is often a way of
both formalizing and engaging on the most
important controls, which might be forgotten
later.
http://L7securite.ch
92. 92
Conclusion
• "Your example was really 'basic'.
How can I reach next level?"
1. Practice your DFD drawing skills
2. Stay updated on new web attacks, threats and
intrusion trends
3. Read feedback from field practitioners (some good
references are provided at end of presentation)
4. Standardize your technique:
• ISO 27005 : Information security risk management (§8.2)
• NIST SP-800-30: Risk management guide (§3)
http://L7securite.ch