Threat Modeling and the Zero Day Problem - PowerPoint PPT Presentation

1
Threat Modeling and the Zero Day Problem
  • A quick look at how methodical threat modeling
    could combat an enterprise's security problems
  • Christopher Lee

2
Agenda
  • Software Vulnerabilities are Out of Control!
  • The Basic Vocabulary of Risk Management
  • What is Threat Modeling?
  • How does Threat Modeling help, even in the face
    of Zero-day vulnerabilities?

3
Coping with Vulnerabilities
  • Vulnerabilities are being reported at an alarming
    rate, despite vendors' focus on writing secure
    code.

    Year                  2001   2002   2003   2004   2005   2006   2007 Q1-Q3
    # of vulnerabilities  2,437  4,129  3,784  3,780  5,990  8,064  5,568
    Source: CERT/CC Statistics 1988-2007

4
Cost of Reacting to Those Vulnerabilities
  • Two major reactive responses to Software
    Vulnerabilities:
    • Patching
    • System or Software Reconfiguration
  • "10% of machines will need to be patched manually at
    a cost of $50/machine." - Marc Donner, executive
    director, Morgan Stanley
  • $50 × 500 = $25,000 (plus the cost of patch
    management software and patch testing)
  • ...and this is only for one patch in a 5000-node
    network
  • Major software vendors have published their own
    Hardening Guidelines
  • In essence, accept no system defaults and remove
    everything that you don't need.
  • However, the operating system vendors' hardening
    recommendations could also prevent some
    applications from working
  • More importantly, system and/or software
    reconfiguration tends to cost even more than
    applying patches.
  • Reactive measures are not the answer!

5
Let's be Proactive
  • More Firewalls?
  • More IDS/IPS?
  • More Heuristics?
  • More Security Widgets?
  • More Consultants?
  • Where is the end to this Madness?

6
Establish the Language
  • Asset
  • Control
  • Threat
  • Vulnerability
  • Risk

7
Establish the Language - Asset
  • Asset
    • Something an organization has determined to be
      valuable and that must be protected.
    • e.g. Resource, Process, Product, Infrastructure,
      Engineering Diagrams, etc.

8
Establish the Language - Safeguard
  • Control
    • Product and/or processes employed to mitigate a
      specific threat (or a group of threats) to an
      acceptable level
    • e.g. Firewall, Locked Doors, Smart Cards, DRP/BCP
      Processes, Insurance, etc.

9
Establish the Language - Threat
  • Threat
    • Activity that represents a possible danger to the
      Assets
    • e.g. Unexpected Destruction of Buildings, Loss of
      Power, Destructive Virus, Departure of key
      Technical Staff
    • Not possible to protect against all threats

10
Establish the Language - Vulnerability
  • Vulnerability
    • Weakness that allows threats to materialize
    • Absence of sufficient safeguards
    • e.g. Poorly Designed Network, Improperly
      Configured Equipment, Poor Choice of Passwords,
      Lack of Redundancy, etc.

11
Establish the Language - Risk
  • Risk
    • Risk = Threat × Vulnerability × Asset Value
    • The degree to which a vulnerability can be
      exploited by one or more previously identified
      threats
    • Assessed either Quantitatively or Qualitatively

12
Threat Modeling
  • Overview of the methodology:
    • Identify Assets
    • Identify Asset Access Mechanisms
    • Create Architecture Overview
    • Identify Threats
    • Document Threats
    • Qualify Threats

13
Threat Modeling - a Walkthrough
  • ACME Inc.
  • Financial Data Services
  • Migrate from Global Dialer to Internet
  • Client-Server application
    • Client - Visual C on Win32 platforms
    • Server - C on AIX
    • Middleware - WebSphere MQ-Series
    • Database - DB2

14
Threat Modeling - a Walkthrough
  • Step 1, Identify the Assets
    • The financial data

15
Threat Modeling - a Walkthrough
  • Step 2, Identify Asset Access Mechanisms
    • The data is stored in the database and is created,
      modified, and queried by the end user through the
      application server

16
Threat Modeling - a Walkthrough
  • Step 3, Create Architecture Overview

17
Threat Modeling - a Walkthrough
  • Step 4, Identify the Threats
    • Eavesdropping Data during Transit
    • Data Modification/Injection during Transit
    • Single Points of Failure at:
      • Firewall
      • Application Server
      • Database Server
    • Lack of communication control / physical
      separation to the DB2

18
Threat Modeling - a Walkthrough
  • Step 5, Document the Threats

    Threat Description   Eavesdropping Data during Transit
    Threat Target        Message between Client and Server
    Risk                 ?????
    Attack Technique     Traffic Capturing
    Countermeasure       IPSEC Encryption

19
Threat Modeling - a Walkthrough
  • Step 6, Qualify the Threats
  • The DREAD Model (4)

    Rating scale: High = 3, Medium = 2, Low = 1

    Damage Potential
      High (3):   The attacker can subvert the security system; get full
                  trust authorization; run as administrator; upload content.
      Medium (2): Leaking sensitive information
      Low (1):    Leaking trivial information

    Reproducibility
      High (3):   The attack can be reproduced every time and does not
                  require a timing window.
      Medium (2): The attack can be reproduced, but only with a timing
                  window and a particular race situation.
      Low (1):    The attack is very difficult to reproduce, even with
                  knowledge of the security hole.

    Exploitability
      High (3):   A novice programmer could make the attack in a short time.
      Medium (2): A skilled programmer could make the attack, then repeat
                  the steps.
      Low (1):    The attack requires an extremely skilled person and
                  in-depth knowledge every time to exploit.

    Affected Users
      High (3):   All users, default configuration, key customers
      Medium (2): Some users, non-default configuration
      Low (1):    Very small percentage of users, obscure feature; affects
                  anonymous users

    Discoverability
      High (3):   Published information explains the attack. The
                  vulnerability is found in the most commonly used feature
                  and is very noticeable.
      Medium (2): The vulnerability is in a seldom-used part of the product,
                  and only a few users should come across it. It would take
                  some thinking to see malicious use.
      Low (1):    The bug is obscure, and it is unlikely that users will
                  work out damage potential.

20
Threat Modeling - a Walkthrough
  • Threat - Eavesdropping Data during Transit
    • Damage Potential   2
    • Reproducibility    3
    • Exploitability     2
    • Affected Users     3
    • Discoverability    2
    • RISK = 2 + 3 + 2 + 3 + 2 = 12
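As an added example (not code from the deck), the slide 18 threat record and the slide 20 DREAD scoring written out in Python: each category is rated High, Medium or Low, the risk is the plain sum of the five scores, and the threats are ranked so the highest score gets its countermeasure first. The eavesdropping ratings are the deck's own; the firewall threat's ratings are constructed for this example.

```python
from dataclasses import dataclass, field

# DREAD ratings as on the slides: High = 3, Medium = 2, Low = 1.
RATING = {"High": 3, "Medium": 2, "Low": 1}
CATEGORIES = ("Damage Potential", "Reproducibility", "Exploitability",
              "Affected Users", "Discoverability")

@dataclass
class Threat:
    """One entry of the threat document (slide 18's template) plus DREAD ratings."""
    description: str
    target: str
    attack_technique: str
    countermeasure: str
    dread: dict = field(default_factory=dict)  # category -> "High"/"Medium"/"Low"

    def risk(self) -> int:
        """Sum of the five DREAD scores (5..15); rejects incomplete or unknown ratings."""
        missing = [c for c in CATEGORIES if c not in self.dread]
        if missing:
            raise ValueError(f"unrated DREAD categories: {missing}")
        unknown = {c: r for c, r in self.dread.items() if r not in RATING}
        if unknown:
            raise ValueError(f"ratings must be High/Medium/Low: {unknown}")
        return sum(RATING[self.dread[c]] for c in CATEGORIES)

def rank_threats(threats):
    """Highest DREAD risk first: the order in which countermeasures get attention."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)

# The threat documented on slide 18 and scored on slide 20 (2+3+2+3+2 = 12).
EAVESDROPPING = Threat(
    "Eavesdropping Data during Transit", "Message between Client and Server",
    "Traffic Capturing", "IPSEC Encryption",
    dread={"Damage Potential": "Medium", "Reproducibility": "High",
           "Exploitability": "Medium", "Affected Users": "High",
           "Discoverability": "Medium"})

# A second threat from slide 17; its ratings are constructed for this example.
SPOF_FIREWALL = Threat(
    "Single Point of Failure at Firewall", "Availability of the service",
    "Failure of the only firewall", "Redundant firewall pair",
    dread={"Damage Potential": "Medium", "Reproducibility": "Low",
           "Exploitability": "Low", "Affected Users": "High",
           "Discoverability": "Low"})

if __name__ == "__main__":
    for t in rank_threats([SPOF_FIREWALL, EAVESDROPPING]):
        print(f"{t.risk():2d}  {t.description}  ->  {t.countermeasure}")
```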

21
Apply the Results of Threat Modeling

22
Upcoming Advisories?

23
Time between Vulnerability Discovery and Patch
Release
  • Microsoft Security Bulletin MS05-014
  • Vendor Notified on Feb-16-2004 (6)
  • Patch released on Feb-08-2005 (Previously
    released on Nov-2004)

24
The Zero-Day Problem
  • Patches and workarounds are released after the
    fact
  • So are Anti-Virus signatures
  • So are Intrusion Prevention signatures
  • What happens between the time an exploit for a
    vulnerability is discovered and the time one of the
    above is released?

25
Threat Modeling for the Zero-Day
  • Threat Modeling gives us:
    • Identification of information assets
    • Identification of threats and associated
      qualifications
    • Basis for Risk Assessment
    • Risk Mitigation Strategies
    • Basis for implementation of Products / Processes
  • No more surprises, no more scrambling, and no
    more crisis.

26
Threat Modeling ≠ Silver Bullet
  • You can't always eliminate the Risks!
  • Effectiveness depends on Subject Matter Expertise
    on the implemented technology
  • Evolution of Technology

27
Conclusion
  • Race between Reactive Countermeasures and
    Vulnerability Discovery is a fact of life
  • Systematic defense, built on a thorough Threat
    Modeling methodology, is your best protection
  • There is still no silver bullet!

28
References
  1. CERT Statistics, http://www.cert.org/stats/cert_stats.html
  2. Marc Donner, Bits, Bad Guys, and Bucks, Volume
     Three, Issue Two, Secure Business Quarterly,
     http://www.sbq.com/sbq/patch/sbq_patch_mdonner.pdf
  3. Dana Epp, Dana Epp's ramblings at the Sanctuary -
     Understanding Threat Modeling, retrieved on May
     22, 2005, http://silverstr.ufies.org/blog/archives/000611.html
  4. J.D. Meier, Alex Mackman, Michael Dunner, Srinath
     Vasireddy, Ray Escamilla and Anandha Murukan,
     Microsoft Corporation, Threat Modeling,
     retrieved on May 22, 2005,
     http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp
  5. Carnegie Mellon Software Engineering Institute,
     Operationally Critical Threat, Asset, and
     Vulnerability Evaluation (OCTAVE) Framework,
     Version 1.0, retrieved on May 22, 2005,
     http://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017figures.html
  6. Jouko Pynnonen (February 2005). Posting to the
     BugTraq mailing list: RE: Internet Explorer zone
     spoofing with encoded URLs, retrieved on May 22,
     2005, http://www.securityfocus.com/archive/1/389859/2005-02-03/2005-02-09/0

29
Questions?