Threat Modeling

1
Threat Modeling

• James Walden

2
Topics

1. Threat Generation.
2. Data Flow Diagrams.
3. Attack Trees.
4. Risk Modeling.
5. Threat Modeling Exercise.

3
Requirements

• Actors
• People (roles) who interact with system.
• Assets
• Specific pieces of data attacker wants.
• Actions
• What Actors do to Assets.
• Ex Create, Read, Update, Delete.

4
Trike7 Actors
5
Trike7 Actor-Asset-Action Matrix
6
Rules

• Rules apply to each Action.
• Limit circumstances in which Actions can occur.
• Boolean tree of conditionals.
• Actors are represented as rule
• User is in Role

7
Trike7 Part of Rules Tree
8
Threat Generation

• Use Actor-Asset-Action matrix.
• Two types of threats via Rules
• Denial of Service Actor prevented from
  performing allowed Action.
• Elevation of Privilege Actor performs an action
  which is prohibited by matrix.

9
Data Flow Diagrams

• Visual model of system data flow.
• Rectangles External actors.
• Circles Processes.
• Double Lines Data stores.
• Lines Data flows.
• Dotted Lines Trust boundaries.
• Hierarchical decomposition
• Until no process crosses trust boundaries.

10
Trike3 Example Data Flow Context Diagram
11
Trike3 Example Data Flow Diagram Level 0
12
Trike3 Example Data Flow Diagram Level 1
13
Attack Trees

• Root node is a threat.
• Subnodes are attacks to realize threat.
• Attacks may be re-used in other trees.
• Hierarchical decomposition
• Until determine risk is acceptable or not.

14
Trike7 Attack Tree Example
15
Attack Graph

• Encompasses all attacks vs system.
• Set of interlinked attack trees.
• Auto-generation
• High-level attack skeleton.
• Attack libraries
• Many sub-trees re-appear.
• Attached to tagged technologies in DFD.
• Need security expertise for full tree.

16
Risk Modeling

• Business assigns values() to Assets.
• Rate Actions on each Asset.
• 1-5 relative scale, with 5 being worst.
• Ranked twice denial, elevation
• Assign each Actor a risk level 1-5.
• Risk Value of Asset Action risk.

17
Trike7 Threat Risk Grid
18
Threat Modeling Process

• Preparation.
• Develop requirements, DFDs.
• Brainstorming.
• Brainstorm possible threats.
• Drafting.
• Review.
• Verification.
• QA team develops tests.
• Closure.

19
Exercise Online news site.

• Actors
• Authors, Editors, Readers.
• Data Stores
• Database articles, comments, users.
• Logs
• Processes
• Web server

20
Exercise Rules.

• Authors can submit Articles for publish.
• Editors can publish Articles.
• Editors can C, R, U, D Articles, Comments.
• Readers can read Articles, Comments.
• Readers can C, R, U, D their own Comments to
  Articles.
• Anonymous can create Reader accounts.
• Editors can C, R, U, D accounts.

21
Exercise Deliverables

• Actor-Asset-Action Matrix
• Rules Tree
• DFDs
• Attack Tree
• Risk Model

22
References

1. Ben Hickman, Application Security and Threat
   Modeling, http//cpd.ogi.edu/seminars04/hickmanth
   reatmodeling.pdf, 2004.
2. Michael Howard and David LeBlanc, Writing Secure
   Code, 2nd edition, Microsoft Press, 2003.
3. Paul Saitta, Brenda Larcom, and Michael
   Eddington, Trike v.1 Methodology Document
   draft, http//dymaxion.org/trike/, 2005.
4. Frank Swiderski and Window Snyder, Threat
   Modeling, Microsoft Press, 2004.
5. Peter Torr, Demystifying the Threat-Modeling
   Process, IEEE Security Privacy, Oct/Nov 2005.
6. Peter Torr, Guerilla Threat Modeling,
   http//blogs.msdn.com/ptorr/archive/2005/02/22/Gue
   rillaThreatModelling.aspx, 2005.
7. Trike Threat Modeling Tool, http//www.octotrike.o
   rg/, 2005.