Hands-On Threat Modeling with Trike v1. Generating Threats.

Transcript of Hands-On Threat Modeling with Trike v1. Generating Threats.

Page 1: Hands-On Threat Modeling with Trike v1. Generating Threats.

Hands-On Threat Modeling with Trike v1

Page 2: Generating Threats

Page 3: Actors

Copyright 2003-2005 Brenda Larcom and Paul Saitta

• People who interact directly with the business of the system

• Not actors: programs, programmers, network administrators

Page 4: Assets

• Concrete and attackable

• Inherently meaningful in the problem domain

• Not assets: company reputation, system uptime, system hardware

• External asset represents other systems this system might affect

Page 5: Actions

• Actors perform Actions on Assets according to Rules

• Actions are create, read, update, and delete

• Actions can be combined: copy is create plus read

• No actions can be taken on the external asset

Page 6: Rules

• Boolean tree of conditional clauses

• Actor is really a rule: “User is in Role”

• Repudiation and logging are handled by rules

Page 7: Threats

• Generated programmatically from previous information

• Two categories:
  Denial of service: an intended action can’t happen
  Elevation of privilege: action occurs despite rules, or unintended action occurs

Page 8: Constructing Attack Graphs

Page 9: Attack Graph

• Attacks form a semi-hierarchical, directed, cyclic graph

• Graph can be viewed as a set of interlinked trees

• Roots are threats

• Leaf nodes are atomic hostile actions

Page 10: Attack Stubs

• Predefined trees in the attack graph

• Rooted on elements of the model as they are defined

• Provide:
  Organizing goals for child attack nodes
  Bridge between low-level attacks and meaning to the system
  Structure to minimize gaps in manual analysis

Page 11: Data Flow Diagrams

• Show data flowing between actors, processes and data stores

• Decomposed until no process contains an internal trust boundary

• Annotations:
  Trust boundaries
  Specific technologies in use
  Authentication, authorization, and encryption mechanisms

Page 12: DFD Attack Stubs

• Stubs defined per element type

• Roots of stubs are goals for abusing an element

• DFD annotations allow elaboration and refinement

Page 13: State Machine

• Describes system state

• Shows the implementation of some of the rules

• All intended actions appear as transitions

• Supporting actions make up remaining transitions

• Transitions may have rules in addition to prerequisite and postrequisite states

Page 14: State Machine Attack Stubs

• Stubs are defined for states and transitions

• Roots of stubs are goals for violating the normal state progression

Page 15: Use Flows

• Use flows are branching traces through the DFD

• Start and end at the user

• Map between state machine and DFD

• Annotations mark:
  When state transitions occur
  Enforcement points for remaining rules
  When intended and supporting actions finish
  Specific data flowing and processes occurring

Page 16: Use Flows and Attack Stub Filtering

• Use flows allow filtering so only attacks against relevant DFD elements appear in the attack graphs for threats

• Determine the window of opportunity for attacks

Page 17: Gathering Data for Risk Computations

Page 18: Actor and Asset Values

• Actors have a risk level, from 1 to 5

• Assets:
  Valued in currency amounts (dollars, etc.)
  Based on their value to the business
  Value should at least be accurate in relation to other assets

Page 19: Relative Risk

• Determine a set of relative business risks for each possible action-actor-asset combination

• For all intended actions, create a denial of service risk

• For all actions with rules or which should not occur, create an elevation of privilege risk for taking the action in violation of the rules

Page 20: Attack Leaf Nodes

• Leaf nodes have two risk values:
  Reproducibility: how easy it is to reproduce the circumstances under which the attack succeeds
  Exploitability: how much expertise is required to succeed with the attack

• Can also map to actual code or configuration in the implementation

Page 21: Mitigations

• Reduce or remove the effectiveness of attacks

• Each mitigation has:
  Cost to implement (unless already deployed)
  New reproducibility and exploitability
  Scope in the attack graph over which it applies

• One node may need multiple mitigations with different values if it can be reached by multiple paths

Page 22: Attacking Mitigations

• Mitigations can be attacked and have their own attack graphs

• New reproducibility and exploitability for a mitigated attack can be calculated by traversing the mitigation attack graph

Page 23: Answering Interesting Queries

Page 24: Interesting Queries

• Graph structure of data model allows for complex and interesting queries of the system

• Live, calculated nature allows the system to be used for real time analysis

Page 25: Threat Exposure

• Can be calculated with only the requirements model and requirements-level risk data

• Gives a clear picture of the overall risk profile of the system with a small time investment

• Can be used to focus further work

• Calculated by multiplying the value of the asset by the risk level for the relevant actor and by the asset- and action-specific risk level
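Slides 7, 19 and 25 describe how threats are enumerated from the actor/action/asset matrix and how threat exposure is computed from requirements-level data. The following added Python example (not the Trike tool's code nor the authors') does both for a constructed timesheet model; the 1-5 scale for the action- and asset-specific relative risk is an assumption, since the deck only gives the scale for actor risk.

```python
from collections import namedtuple
from itertools import product

ACTIONS = ("create", "read", "update", "delete")   # Trike's four actions (slide 5)
# kind is "dos" (intended action can't happen) or "eop" (action despite the rules)
Threat = namedtuple("Threat", "kind actor action asset")

def generate_threats(actors, assets, intended):
    """Slides 7 and 19: enumerate threats from the actor/action/asset matrix.
    intended[(actor, action, asset)] is True for an always-allowed action, False
    for one allowed only under a rule; an absent triple should never occur."""
    threats = []
    for actor, action, asset in product(actors, ACTIONS, assets):
        rule = intended.get((actor, action, asset))
        if rule is not None:      # intended action: denying it is a DoS threat
            threats.append(Threat("dos", actor, action, asset))
        if rule is not True:      # ruled or forbidden: doing it anyway is EoP
            threats.append(Threat("eop", actor, action, asset))
    return threats

def threat_exposure(t, asset_value, actor_risk, relative_risk):
    """Slide 25: asset value x actor risk level (1-5) x action- and asset-specific
    relative risk. The 1-5 scale for the relative risk is an assumption here."""
    return (asset_value[t.asset] * actor_risk[t.actor]
            * relative_risk.get((t.kind, t.action, t.asset), 1))

def rank_by_exposure(threats, asset_value, actor_risk, relative_risk):
    """Highest exposure first, so requirements-level work can be focused."""
    scored = [(threat_exposure(t, asset_value, actor_risk, relative_risk), t)
              for t in threats]
    return sorted(scored, key=lambda s: s[0], reverse=True)

# Constructed sample model (not from the deck): a small timesheet system.
ACTORS = ("employee", "manager")
ASSETS = ("timesheet", "pay_rate")
INTENDED = {
    ("employee", "create", "timesheet"): True,
    ("employee", "read", "timesheet"): True,
    ("employee", "update", "timesheet"): False,   # rule: only before approval
    ("manager", "read", "timesheet"): True,
    ("manager", "update", "timesheet"): False,    # rule: only for direct reports
    ("manager", "read", "pay_rate"): True,
    ("manager", "update", "pay_rate"): False,     # rule: only within the pay band
}
ASSET_VALUE = {"timesheet": 500, "pay_rate": 20000}   # currency units (slide 18)
ACTOR_RISK = {"employee": 3, "manager": 2}            # 1-5 (slide 18)
RELATIVE_RISK = {("eop", "update", "pay_rate"): 5, ("eop", "delete", "pay_rate"): 4}
THREATS = generate_threats(ACTORS, ASSETS, INTENDED)
RANKED = rank_by_exposure(THREATS, ASSET_VALUE, ACTOR_RISK, RELATIVE_RISK)
```

With this model an employee updating or deleting a pay rate dominates the exposure list, which is exactly the focusing effect slide 25 promises before any attack graph exists.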

Page 26: Threat Risk

• Calculated using the full attack graph

• Shows actual risk to the system

• Takes into account both business-level values and implementation-level likelihoods

• Values propagate up from the leaf nodes to the threats

Page 27: Vulnerabilities

• An unmitigated path from a sufficient set of leaf attack nodes to a threat

• Represents a way in which a threat can actually occur

• Risk calculated by attack graph traversal

• Intermediate result for calculating threat and weakness risks; not directly used

Page 28: Weaknesses and Mitigations

• Weaknesses are unmitigated leaf attack nodes

• Can be ordered by the reduction in overall risk from fixing them

• Unimplemented mitigations can be ordered by expected return value

• The best actions for a given budget can also be determined
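Slides 20, 21 and 26-28 describe leaf risk values, mitigations with a scope, propagation of values up the attack graph to the threat, and ordering weaknesses by the risk removed when they are fixed. The following added Python example (not the Trike tool's code) walks a small constructed attack graph that contains a cycle and a leaf shared by two paths; the 1-5 value scale, the r*e/25 leaf likelihood and the OR = max / AND = product combination rules are assumptions, since the deck does not state them.

```python
import math
from collections import namedtuple
# Node kind is "and"/"or" (a goal) or "leaf" (an atomic hostile action). Leaf values
# are 1-5, higher = easier for the attacker; that scale, the r*e/25 leaf likelihood
# and the OR = max / AND = product rules below are assumptions, not the deck's.
Node = namedtuple("Node", "kind children reproducibility exploitability",
                  defaults=((), 0, 0))
def likelihood(graph, node_id, mitigations, path=()):
    """Propagate leaf values up to the threat root (slide 26); a node already on
    the current path closes a cycle and contributes 0."""
    if node_id in path:
        return 0.0
    node = graph[node_id]
    if node.kind == "leaf":
        r, e = node.reproducibility, node.exploitability
        for scope, mr, me in mitigations:   # slide 21: (scope, new r, new e)
            if node_id in scope:            # strongest applicable mitigation wins
                r, e = min(r, mr), min(e, me)
        return r * e / 25.0
    parts = [likelihood(graph, c, mitigations, path + (node_id,)) for c in node.children]
    return max(parts, default=0.0) if node.kind == "or" else math.prod(parts)

def threat_risk(graph, root, mitigations, exposure):
    """Slide 26: business-level exposure times implementation-level likelihood."""
    return exposure * likelihood(graph, root, mitigations)

def weaknesses(graph, mitigations):
    """Slide 28: the unmitigated leaf attack nodes."""
    covered = frozenset().union(*(m[0] for m in mitigations))
    return [n for n, node in graph.items() if node.kind == "leaf" and n not in covered]

def rank_weaknesses(graph, root, mitigations, exposure):
    """Order weaknesses by the risk removed if each were fixed (likelihood 0)."""
    base = threat_risk(graph, root, mitigations, exposure)
    ranked = [(base - threat_risk(graph, root, mitigations + [({n}, 0, 0)], exposure), n)
              for n in weaknesses(graph, mitigations)]
    return sorted(ranked, reverse=True)

# Constructed sample (not the deck's): two AND paths share L1, L3 is mitigated, T -> T is a back edge.
GRAPH = {
    "T": Node("or", ("A1", "A2", "L3", "T")),
    "A1": Node("and", ("L1", "L2")),
    "A2": Node("and", ("L1", "L4")),
    "L1": Node("leaf", reproducibility=5, exploitability=5),
    "L2": Node("leaf", reproducibility=3, exploitability=5),
    "L3": Node("leaf", reproducibility=2, exploitability=2),
    "L4": Node("leaf", reproducibility=3, exploitability=3),
}
MITIGATIONS = [(frozenset({"L3"}), 1, 1)]   # L3 mitigated down to r=1, e=1
```

Fixing L1 removes more risk than fixing L2 because L1 sits on both AND paths, which is the multiple-path effect slide 21 warns about.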

Page 29: The Dynamic Risk Model

• Effects on the risk model are immediately visible when exploitability and reproducibility change

• As new exploits come out, resources for rapid response can be allocated

• Allows targeting of resources to areas of the attack graph with high leverage on the overall risk posture

Page 30: More information

• Paper: http://hhhh.org/trike/paper

• Tool: http://hhhh.org/trike/tool

• Contact: [email protected]

• Mailing List: [email protected] (subscribe at [email protected])