Pattern Recognition and ApplicationsLab THREAT...

61
Pattern Recognition and Applications Lab University of Cagliari, Italy Department of Electrical and Electronic Engineering THREAT MODELING Giorgio Giacinto [email protected] Computer Security 2017

Transcript of Pattern Recognition and ApplicationsLab THREAT...

Pattern Recognitionand Applications Lab

Universityof Cagliari, Italy

Department of Electrical and Electronic

Engineering

THREATMODELING

Giorgio Giacinto

[email protected]

ComputerSecurity2017

http://pralab.diee.unica.it 2

Books

http://pralab.diee.unica.it

Definition

[Application]ThreatModeling – astrategicprocessaimedatconsideringpossibleattack scenarios andvulnerabilitieswithinaproposedorexistingapplicationenvironmentforthepurposeofclearlyidentifyingrisk andimpact levelsTonyUceda VelezandMarcoM.Morana, RiskCentricThreatModeling,2015

3

http://pralab.diee.unica.it

ThreatScenarios• Anapplicationcouldbecomeatarget whenanattack

providesareturnoninvestmenttotheattacker

• Threatscenarios1. Capturingtheapplicationbusinesscontextand

identifyingtheapplicationassets2. Identifyingthepossiblethreatagentsandtheirgoals

• Generalizationforallapplicationswithsimilarfunctionalitiesanddataassetsstoredandprocessed.

• Prioritization thesecuritymeasurestomitigatetherisk

4

http://pralab.diee.unica.it

Threats:TechnicalandBusinessImpactsThreat TechnicalImpact BusinessImpact

Malware infectedPCtakingoveronlinebankingcredentials

Lossofusers’authenticationdataallowingfraudsterstotakeovertheaccount(impersonation)

Money lossduetofraudulenttransactionsbyimpersonatingtheloggedusertomovemoneytofraudulentaccountsthroughthirdpartyaccounts(moneymules)

Externalthreatagentexploitingapplication’sSQLinjectionvulnerabilities

Unauthorizedaccesstousers’dataincludingconfidentialandPII,tradingsecrets,andintellectualproperty.

Liabilitiesforlossofusers’PII,lawsuitsforunlawfulnoncompliance, securityincidentrecoverycosts,andrevenueloss

Denialofserviceattackagainsttheapplication

Unavailabilityofwebserverduetoexploitofapplicationandnetworkvulnerabilitiesandlackofredundanciestocopewithtrafficoverloads

Revenuelossduetolossand/ordisruptionofservicedenyingcustomeraccesstoservicesandgoods.Lawsuitsfromcustomersandbusinessesandrecoverycosts

5

http://pralab.diee.unica.it

ThreatAgents• Characterizingthreatsisessentialforanalyzingrisks

• Threefactors– Thetypeofathreat– Thethreatagent– Thetargets

• ThreatAgents– Humans(hactivists,cyber-criminals,cyber-spies,etc.)– Tools

• Malware,key-loggers,spyware,etc.– Nonhuman

• Storms,earthquakes,tornados,etc.

6

http://pralab.diee.unica.it

ReasonstoThreatModel• Find securitybugsearly

• Understand yoursecurityrequirements

• Engineer anddeliverbetterproducts

• Address issuesothertechniqueswon’t

7

http://pralab.diee.unica.it

Addressingeachthreat

8

Mitigating Threats Eliminating Threats

Transferring ThreatsAccepting theRisk

http://pralab.diee.unica.it

Softwarethreatmodeling

9

http://pralab.diee.unica.it

SecurityDevelopmentLifecycle• DevelopedbyMicrosoftstartingin2002• Establishedasamandatorypolicyin2004forMicrosoft

products• Adoptedworldwidebymanysoftwaredevelopment

teamssinceitspublicreleasein2008

10https://www.microsoft.com/sdl/

http://pralab.diee.unica.it

ThreatModeling:afour-stepprocess

1. Whatareyoubuilding?

2. Whatcangowrongwithitonceit’sbuilt?

3. Whatshouldyoudoaboutthosethingsthatcangowrong?

4. Didyoudoadecentjobofanalysis?

11

http://pralab.diee.unica.it

Modelthesystem• Graphicalsketches

• IdentificationofTrustBoundaries

12

http://pralab.diee.unica.it

Whatcangowrong?• STRIDEtaxonomy(Microsoft)

– Spoofing

– Tampering

– Repudiation

– InformationDisclosure

– DenialofService

– ElevationofPrivilege

13

http://pralab.diee.unica.it 14

STRIDETHREAT PROPERTY VIOLATED TYPICAL VICTIM

Spoofing AuthenticationProcessesExternalentitiesPeople

Tampering IntegrityProcessesDatastoresDataflows

Repudiation Non-Repudiation Processes

InformationDisclosure ConfidentialityProcessesDatastoresDataflows

DenialofService AvailabilityProcessesDatastoresDataflows

Elevation ofPrivilege Authorization Processes

http://pralab.diee.unica.it

AddressingSpoofingTHREATTARGET MITIGATIONSTRATEGY MITIGATIONTECHNIQUE

Spoofingaperson Identificationandauthentication

Username&password,orbiometrics,tokens,etc.Issues:enrollment,expiration,etc.

Spoofinga“file”ondisk

LeveragetheOS FullPaths,ACL,etc.

CryptographicAuthenticators Digitalsignaturesorauthenticators

Spoofinganetworkaddress Cryptographic DNSSEC,HTTPS/SSL,IPSec

Spoofingaprograminmemory LeveragetheOS Application identifiers

enforcedbyOSs

15

http://pralab.diee.unica.it

AddressingTampering

16

THREATTARGET MITIGATIONSTRATEGY MITIGATIONTECHNIQUE

TamperingwithafileOperatingSystems ACLs

Cryptographic Digitalsignatures, KeyedMAC

Racingtocreateafile(tampering theoperatingsystem)

Usingadirectorythat’sprotectedfromarbitraryusertampering

ACLs,PrivateDirectoryStructures,Randomizingfilenames,etc.

Tamperingwithanetworkpacket

Cryptographic HTTPS/SSL,IPSec

Anti-pattern Networkisolation

http://pralab.diee.unica.it

AddressingRepudiation

17

THREATTARGET MITIGATIONSTRATEGY MITIGATIONTECHNIQUE

Nologs(youcan’tproveanything)

MaintainingaLog Logallthesecurityrelevantinformation

Logscomeunderattack Logprotection Sendoverthenetwork,ACL

Logsasachannelforattack Tightly specifiedlogs

Earlydocumentationoflogdesigninthedevelopmentprocess

http://pralab.diee.unica.it

AddressingInformationDisclosure

18

THREATTARGET MITIGATIONSTRATEGY MITIGATIONTECHNIQUE

Network monitoring Encryption HTTPS/SSL,IPSec

Directoryorfilename LeveragetheOS ACLs

Filecontents

LeveragetheOS ACLs

Cryptography Fileencryption,Diskencryption

APIinformationdisclosure Design Designcontrol

Passbyreferenceorvalue

http://pralab.diee.unica.it

AddressingDenialofService

19

THREATTARGET MITIGATIONSTRATEGY MITIGATIONTECHNIQUE

Network flooding Lookforexhaustibleresources

ElasticresourcesEnsurethatattackresourcesconsumption isashighasorhigherthanyours

NetworkACLs

Programresources

Carefuldesign Elasticresourcemanagement,proofofwork

Avoidmultipliers

LookforplaceswhereattackerscanmultiplyCPUconsumptiononyourendwithminimal effortontheirend

Systemresources LeveragetheOS OSsettings

http://pralab.diee.unica.it

AddressingElevationofPrivilege

20

THREATTARGET MITIGATIONSTRATEGY MITIGATIONTECHNIQUE

Data/code confusionToolsandArchitecturesthatseparatedataandcode

PreparedstatementsorstoredproceduresinSQLLatevalidationthatdataiswhatthenextfunctionexpects

Controlflow/memorycorruption

Use atype-safelanguage

Type-safelanguagesprotectagainstentireclassesofattack

LeveragetheOSformemoryprotection Providedby mostmodernOS

Sandboxing

AppArmor inLinuxAppContainer inWindowsSandboxlib inMac OSCreateanewaccountforeachapp

Commandinjectionattacks Becareful Inputvalidation

Don’tsanitize.Logandthrowaway

http://pralab.diee.unica.it

Validationofthethreatmodel• Checkingthemodel

– Completeness– Accurateness– Coverageofallthesecuritydecisions– Representativenessofthediagram

• Updatingthediagram– Focusondataflow,ratherthanoncontrolflow– Changevagueargumentssuchas“sometimes”,“also”,byconsideringallthecases

– Don’thavedatasinks:showwhousesit– Showtheprocessthatmovesdatafromonedatastoretoanother

21

http://pralab.diee.unica.it

Structuredapproachestothreatmodeling

22

http://pralab.diee.unica.it

ThreeFocusAreas

23

Assets,Attackers,SoftwareExampleofadataflowdiagramoftheAcme/SQLdatabase

http://pralab.diee.unica.it

• ThingsAttackersWant– Userpasswords– SSN,identifiers– Creditcardnumbers– Confidentialbusinessdata

• ThingsYouWanttoProtect– Reputation– Goodwill– Unusedassets

• SteppingStones– Everythingthatcanbeusedtoattackotherassets

24

Focusingonassets

http://pralab.diee.unica.it

• Needalistoftypes ofattackers– Differentmotivations,skills,backgroundandperspective

• Humanizingtheattackerbearstheriskofendingupwith“noonewouldeverdothat”

RiskbasedThreatModelingfocusesonassets andonattackers

forprioritizing threatmitigation tasks

Security-CentricThreatModelingavoidsenumerating

andfocusesonthetechnicalanalysis

Focusingonattackers

25

http://pralab.diee.unica.it

Focusingonsoftware• Security-centricapproachtothreatmodeling

• Basedonsoftwaremodelsdescribedbydiagrams

– Dataflowdiagrams

– UML

– Swin LaneDiagrams

– Statediagrams

• BasedonthedefinitionofTrustBoundaries

26

http://pralab.diee.unica.it

FindingThreats

27

http://pralab.diee.unica.it

SpoofingThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Spoofing aprocessonthesamemachine

Createsafilebeforetherealprocess

Renaming/linking CreatingaTrojan“su”andalteringthepath

Renaming Namingyourprocess“sshd”

Spoofingafile

Createsafileinthelocaldirectory

Alibrary,executableorconfig file

Createsalinkandchangesit

Thechangeshouldhappenbetweenthelink beingcheckedandthelinkbeingaccessed

Createsmanyfilesintheexpecteddirectory

e.g.,automaticcreationof10,000filesinthe/tmpdirectorytofill alltheavailablespace

28

http://pralab.diee.unica.it

SpoofingThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Spoofing amachine

ARP spoofing

IPspoofing

DNSspoofing Forwardorreverse

DNScompromise CompromiseTLD,registrarorDNSoperator

IPredirection Attheswitchor routerlevel

SpoofingapersonSetse-mail displayname

Takeoverarealaccount

Spoofingarole Declaresthemselvestobethatrole

Sometimes openingaspecialaccountwitharelevantname

29

http://pralab.diee.unica.it

TamperingThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Tamperingwithafile

Modifiesafiletheyownandonwhichyourely

Modifyafileyouown

Modifiesafileonafileserverthatyouown

Modifiesafileontheirfileserver

Effectivewhenyouincludefilesfromremotedomains

Modifieslinksorredirects

Tamperingwithmemory

Modifiesyourcode

Hardtodefendagainstoncetheattackeris

runningcodeasthesameuser

Modifiesdatathey’vesupplied toyourAPI

Passbyvalues,notbyreferencewhencrossinga

trustboundary 30

http://pralab.diee.unica.it

TamperingThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Tamperingwithanetwork

Redirectstheflowofdatatotheirmachine Oftenstage1oftampering

Modifiesdataflowingoverthenetwork

Eveneasierwhenthenetworkiswireless(e.g.,WiFi,3G,etc.)

Enhancespoofingattacks

31

http://pralab.diee.unica.it

RepudiationThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Repudiatinganaction

Claimstohavenotclicked

Claimstohavenotreceived Howreliablearereceiptsofdelivery/download?

Claimstohavebeenafraudvictim

Usessomeone else’saccount

Usessomeoneelse’spaymentinstrumentwithout

authorization

Attackingthelogs

Noticesyouhavenologs

Putsattacksinthelogstoconfuselogs,log-readingcode,orpersonsreadingthelog

32

http://pralab.diee.unica.it

InformationDisclosureThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Informationdisclosureagainstaprocess

Extracts secretsfromerrormessages

Readstheerrormessagesfromusername/passwords toentiredatabasetables

Extractsmachinesecretesfromerrorcases

Can makedefenseagainstmemorycorruptionsuchasASLRfarlessuseful

Extractsbusiness/personal secretsfromerrorcases

33

http://pralab.diee.unica.it

InformationDisclosureThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Informationdisclosureagainstdatastores

TakesadvantageofinappropriateormissingACLs

Takesadvantageofbaddatabasepermissions

Findsfileprotectedbyobscurity

Findscryptokeysondisk(orinmemory)

Seesinterestinginformation infilenames

Readsfilesastheytraversethenetwork

Getsdatafromlogsortemp files

Getsdatafromswaporothertemp storage

Extractsdataby obtainingdevice,changingOS

34

http://pralab.diee.unica.it

InformationDisclosureThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Informationdisclosureagainstadataflow

Reads dataonthenetwork

Redirectstraffictoenablereadingdata onthenetwork

Learnssecretesbyanalyzingtraffic

Learnswho’stalkingtowhombywatchingtheDNS

Learnswho’stalkingtowhombysocialnetworkinfodisclosure

35

http://pralab.diee.unica.it

DenialofServiceThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Denialofserviceagainstaprocess

Absorbsmemory(RAMordisk)

AbsorbsCPU

Usesprocess asanamplifier

Denial ofserviceagainstadatastore

Fillsdatastoreup

Makesenoughrequeststoslowdownthesystem

Denialofserviceagainstadataflow Consumesnetwork resources

36

http://pralab.diee.unica.it

ElevationofPrivilegeThreats

THREATEXAMPLES WHATTHEATTACKERDOES NOTES

Elevationofprivilegeagainstaprocessbycorrupting theprocess

Sendsinputsthatthecodedoesn’thandleproperly

These errorsareverycommon,andhavehighimpact

Gainsaccesstoreadorwritememory inappropriately

Readingmemorycanenablefurther attacks

Elevationthroughmissedauthorizationchecks

Elevationthroughbuggyauthorizationchecks

Centralizingsuchchecksmakebugseasiertomanage

Elevationthroughdatatampering

Modifiesbitsondisktodothingsotherthanwhattheauthorizeduserintends

37

http://pralab.diee.unica.it

AttackTrees

38

http://pralab.diee.unica.it

Benefitsofmodelingwithattacktrees

Attacktrees provideaformal,methodical wayofdescribingthesecurityofsystems,basedonvaryingattacks.Basically,yourepresentattacksagainstasysteminatreestructure,withthegoalastherootnodeanddifferentwaysofachievingthatgoalasleafnodes

(BruceSchneier,1999)

39

http://pralab.diee.unica.it

Exampleofanattacktree

40

https://www.schneier.com/cryptography/archives/1999/12/attack_trees.html

http://pralab.diee.unica.it 41

Example ofanattack tree:Repudiationagainst aProcess

http://pralab.diee.unica.it

Exampleofanattacktree- SSL

42

mindmaprepresentation

http://pralab.diee.unica.it

MitigatingThreats

43

http://pralab.diee.unica.it

TacticsandTechnologies• Authentication->MitigatingSpoofing

– Tactics:cryptographickeys,PKI,CAs– Technologies:IPSec,SSH,Kerberos,hashes,etc.

• Integrity->MitigatingTampering– Tactics:permissions,cryptographicmechanisms,logs– Technologies:ACLs,digitalsignatures,hashes,etc.

• Non-Repudiation->MitigatingRepudiation– Tactics:fraudprevention,logsandcryptography– Technologies:loganalysistools,digitalsignatures,etc.

44

http://pralab.diee.unica.it

TacticsandTechnologies• Confidentiality->MitigatingInformationDisclosure

– Tactics:ACLs,cryptography– Technologies:ACLs,encryption,keymanagement,etc.

• Availability->MitigatingDenialofService– Tactics:proofofwork,ensuretheattackercanreceivedata– Technologies:filters,quotas,cloudservices,etc.

• Authorization->MitigatingElevationofPrivilege– Tactics:limitingtheuseofprivilegedaccounts,sandboxing,defenselayers,etc.

– Technologies:ACLs,RBAC,chroot,etc.

45

http://pralab.diee.unica.it

Risk-basedapproachtoApplicationthreatmodeling

46

http://pralab.diee.unica.it

TheDREADmodel• DamagePotential

– Howextensiveisthedamage(impact)uponavulnerabilitybecomingsuccessfullyexploited?

• Reproducibility– Howeasyisitforthistypeofattacktobereproduced?

• Exploitability– Howeasyisitforaknownvulnerabilitytobeexploited?

• AffectedUsers– Impactonauserbase

• Discoverability– Howeasilyavulnerabilityisdetected

47

http://pralab.diee.unica.it

RiskratingusingDREAD• ForeachelementoftheDREADmodelaqualitative

assessmentofriskisperformedbyassigningoneoutofthreevalues– HIGH or3– MEDIUMor2– LOW or1

48

THREAT D R E A D Total Rating

Attackerobtainauthenticationcredentialsby monitoringthenetwork 3 3 2 2 2 12 High

SQLcommandsinjectedintoapplication 3 3 3 3 2 14 High

http://pralab.diee.unica.it

ExampleofaThreatRatingTable

Threat HIGH (3) MEDIUM(2) LOW(1)

D DamagePotential

Theattackercansubvertthesecuritysystem; getfulltrustauthorization;runasadministrator;uploadcontent.

Leaking sensitiveinformation

Leakingtrivialinformation

R Reproducibility

Theattackcan bereproducedeverytimeanddoesnotrequireatimingwindow.

Theattackcanbereproduced,butonlywithatimingwindowandaparticularracesituation.

Theattackisverydifficulttoreproduce,evenwithknowledgeofthesecurityhole

E ExploitabilityAnovice programmercouldmaketheattackinashorttimeframe.

Askilledprogrammercouldmaketheattack,thenrepeatthesteps.

Theattackrequiresanextremelyskilledpersonandin-depthknowledgeeverytimetoexploit

49

http://pralab.diee.unica.it

ExampleofaThreatRatingTable

THREAT HIGH (3) MEDIUM(2) LOW(1)

A AffectedUsersAllusers,defaultconfiguration,keycustomers

Someusers,non-defaultconfiguration

Verysmallpercentageofusers,obscurefeature;affectsanonymoususers

D Discoverability

Publishedinformationexplainstheattack.Thevulnerabilityisfoundinthemostcommonlyusedfeatureandisverynoticeable

Thevulnerabilityisaseldom-usedpartoftheproduct,andonlyafewusersshouldcomeacrossit.Itwouldtakesomethinkingtoseemalicioususe.

Thebugisobscureanditisunlikelythatuserswillworkoutdamagepotential

50

http://pralab.diee.unica.it

Applicationthreatmodeling

51

http://pralab.diee.unica.it

PASTAProcessforAttackSimulationandThreatAnalysis

• Identifybusinessobjectives• Identifysecurity&compliancerequirements• Technical/Businessimpactanalysis

DefineObjectives

• EnumerateSoftwareComponents• Dependencies:Network/Software(COTS)/Services• Dataflowdiagramming• ThirdPartyInfrastructures(cloud,SaaS,ASPModels)

DefineTechnicalScope

• Usecases/Abuse(misuse)cases/Defineappentrypoints• Actions/Assets/Services/Roles/Datasources• DataFlowDiagramming(DFDs)/TrustBoundaries

ApplicationDecomposition

52

http://pralab.diee.unica.it

PASTAProcessforAttackSimulationandThreatAnalysis

• ProbabilisticAttackScenarios• Regressionanalysisonsecurityevents• ThreatIntelligencecorrelation&analytics

ThreatAnalysis

• Vulnerabilitydatabase(CVE)• Identifyingvulnerability&abusecasetreenodes• Designflaws&weaknesses• Scoring(CVSS/CWSS)

Vulnerability&weaknessesmapping

• AttackTreeDevelopment/AttackLibraryManagement• AttacknodemappingtoVulnerabilitynodes• Exploittovulnerabilitymatchmaking

AttackModeling

• Qualify&QuantifyBusinessImpact• ResidualRiskAnalysis• IDriskmitigationstrategies/Developcountermeasures

RiskandImpactAnalysis

53

http://pralab.diee.unica.it

Threat Modelling inPractice

54

http://pralab.diee.unica.it 55

Requirements-Threats-Mitigations

Requirements

Threats Mitigations

Impossibleto mitigateimpliesnon-requirement

Compliance

Threatshelp identifyrequirements

Realthreatsviolaterequirements

http://pralab.diee.unica.it

• Allowlisting theconcretethreatsoutoftheabstracttermsusedinSTRIDE

– CAPEC(MITRE)CommonAttackPatternEnumerationandClassificationV2.8(504attackpatterns)

– OWASPWebApplicationAttacks

56

AttackLibraries

http://pralab.diee.unica.it 57

ThreatModeling asoftwareproduct

http://pralab.diee.unica.it 58

ThreatModeling aninternalnetwork

http://pralab.diee.unica.it 59

ThreatModeling aOneTimeTokenAuthenticationSystems

http://pralab.diee.unica.it

ThreatModelingTools

60

http://pralab.diee.unica.it

Commercialtools• ThreatModeler

– Adefense-orientedtool– Itusesasetofattacklibraries

• CorporateThreatModeler

• MicrosoftSDLThreatModelingTool– AvailableforfreefromMicrosoft(latestrelease:2016)

61