Posted: 04-Jan-2016
Hands-On Threat Modeling with Trike v1

Generating Threats
Copyright 2003-2005 Brenda Larcom and Paul Saitta
Actors
• People who interact directly with the business of the system
• Not actors:
  - Programs
  - Programmers
  - Network Administrators
Assets
• Concrete and attackable
• Inherently meaningful in the problem domain
• Not assets:
  - Company reputation
  - System uptime
  - System hardware
• External asset represents other systems this system might affect
Actions
• Actors perform Actions on Assets according to Rules
• Actions are create, read, update, and delete
• Actions can be combined: copy is create plus read
• No actions can be taken on external asset
Rules
• Boolean tree of conditional clauses
• Actor is really a rule “User is in Role”
• Repudiation and logging are handled by rules
Threats
• Generated programmatically from previous information
• Two categories:
  - Denial of service: an intended action can’t happen
  - Elevation of privilege: action occurs despite rules, or unintended action occurs
Constructing Attack Graphs
Attack Graph
• Attacks form a semi-hierarchical, directed, cyclic graph
• Graph can be viewed as a set of interlinked trees
• Roots are threats
• Leaf nodes are atomic hostile actions
Attack Stubs
• Predefined trees in the attack graph
• Rooted on elements of the model as they are defined
• Provide:
  - Organizing goals for child attack nodes
  - Bridge between low-level attacks and meaning to the system
  - Structure to minimize gaps in manual analysis
Data Flow Diagrams
• Show data flowing between actors, processes and data stores
• Decomposed until no process contains an internal trust boundary
• Annotations:
  - Trust boundaries
  - Specific technologies in use
  - Authentication, authorization, and encryption mechanisms
DFD Attack Stubs
• Stubs defined per element type
• Roots of stubs are goals for abusing an element
• DFD annotations allow elaboration and refinement
State Machine
• Describes system state
• Shows the implementation of some of the rules
• All intended actions appear as transitions
• Supporting actions make up remaining transitions
• Transitions may have rules in addition to prerequisite and postrequisite states
State Machine Attack Stubs
• Stubs are defined for states and transitions
• Roots of stubs are goals for violating the normal state progression
Use Flows
• Use flows are branching traces through the DFD
• Start and end at the user
• Map between state machine and DFD
• Annotations mark:
  - When state transitions occur
  - Enforcement points for remaining rules
  - When intended and supporting actions finish
  - Specific data flowing and processes occurring
Use Flows and Attack Stub Filtering
• Use flows allow filtering so only attacks against relevant DFD elements appear in the attack graphs for threats
• Determine the window of opportunity for attacks
Gathering Data for Risk Computations
Actor and Asset Values
• Actors have a risk level, from 1 to 5
• Assets:
  - Valued in currency amounts (dollars, etc.)
  - Based on their value to the business
  - Value should at least be accurate in relation to other assets
Relative Risk
• Determine a set of relative business risks for each possible action-actor-asset
• For all intended actions, create a denial of service risk
• For all actions with rules or which should not occur, create an elevation of privilege risk for taking the action in violation of the rules
Attack Leaf Nodes
• Leaf nodes have two risk values:
  - Reproducibility: how easy it is to reproduce the circumstances under which the attack succeeds
  - Exploitability: how much expertise is required to succeed with the attack
• Can also map to actual code or configuration in the implementation
Mitigations
• Reduce or remove the effectiveness of attacks
• Each mitigation has:
  - Cost to implement (unless already deployed)
  - New reproducibility and exploitability
  - Scope in the attack graph over which it applies
• One node may need multiple mitigations with different values if it can be reached by multiple paths
Attacking Mitigations
• Mitigations can be attacked and have their own attack graphs
• New reproducibility and exploitability for a mitigated attack can be calculated by traversing the mitigation attack graph
Answering Interesting Queries
Interesting Queries
• Graph structure of data model allows for complex and interesting queries of the system
• Live, calculated nature allows the system to be used for real time analysis
Threat Exposure
• Can be calculated with only the requirements model and requirements-level risk data
• Gives a clear picture of the overall risk profile of the system with a small time investment
• Can be used to focus further work
• Calculated by multiplying the value of the asset by the risk level for the relevant actor and the asset- and action-specific risk level
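The threat generation rule from the Threats and Relative Risk slides, together with the exposure product from this slide, as an added Python example (not Trike's own code or tool). The actors, assets, policy matrix and relative-risk values are constructed sample data; the `Policy` enum is this example's way of recording whether a cell of the actor/asset/action matrix is intended, rule-governed or forbidden.

```python
from dataclasses import dataclass
from enum import Enum
# Added example, not Trike's own code. Policy of one (actor, action, asset) cell:
# intended with no rule, intended but rule-governed, or should never occur.
class Policy(Enum):
    ALWAYS = "intended, unconditional"
    RULE = "intended, rule-governed"
    NEVER = "should not occur"
@dataclass(frozen=True)
class Threat:
    kind: str      # "denial_of_service" or "elevation_of_privilege"
    actor: str
    action: str    # create, read, update or delete
    asset: str

def generate_threats(matrix):
    """Programmatic threat generation: every intended action yields a denial of
    service threat (the action can't happen); every rule-governed or forbidden
    action yields an elevation of privilege threat (the action occurs despite
    the rules, or an unintended action occurs)."""
    threats = []
    for (actor, action, asset), policy in sorted(matrix.items()):
        if policy in (Policy.ALWAYS, Policy.RULE):
            threats.append(Threat("denial_of_service", actor, action, asset))
        if policy in (Policy.RULE, Policy.NEVER):
            threats.append(Threat("elevation_of_privilege", actor, action, asset))
    return threats

def threat_exposure(t, asset_values, actor_risk, relative_risk):
    """Requirements-level exposure: asset value (currency) x actor risk level
    (1-5) x relative business risk of that action on that asset (default 1)."""
    rel = relative_risk.get((t.kind, t.actor, t.action, t.asset), 1)
    return asset_values[t.asset] * actor_risk[t.actor] * rel

def rank_by_exposure(matrix, asset_values, actor_risk, relative_risk):
    """(exposure, threat) pairs, highest first, to focus further work."""
    scored = [(threat_exposure(t, asset_values, actor_risk, relative_risk), t)
              for t in generate_threats(matrix)]
    return sorted(scored, key=lambda s: -s[0])

# Constructed sample model: a small invoicing system.
ASSET_VALUES = {"invoice": 20_000, "audit_log": 50_000}  # dollars, relative
ACTOR_RISK = {"customer": 4, "clerk": 2}                  # 1 (low) to 5 (high)
MATRIX = {
    ("customer", "read", "invoice"): Policy.RULE,    # rule: only their own
    ("customer", "delete", "invoice"): Policy.NEVER,
    ("clerk", "create", "invoice"): Policy.ALWAYS,
    ("clerk", "update", "audit_log"): Policy.NEVER,  # log is append-only
}
RELATIVE_RISK = {("elevation_of_privilege", "customer", "read", "invoice"): 3}
```

The rule-governed cell produces both a denial of service and an elevation of privilege threat, which is why five threats come out of four matrix cells.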
Threat Risk
• Calculated using the full attack graph
• Shows actual risk to the system
• Takes into account both business level values and implementation level likelihoods
• Values propagate up from the leaf nodes to the threats
Vulnerabilities
• An unmitigated path from a sufficient set of leaf attack nodes to a threat
• Represents a way in which a threat can actually occur
• Risk calculated by attack graph traversal
• Intermediate result for calculating threat and weakness risks; not directly used
Weaknesses and Mitigations
• Weaknesses are unmitigated leaf attack nodes
• Can be ordered by the reduction in overall risk from fixing them
• Unimplemented mitigations can be ordered by expected return value
• The best actions for a given budget can also be determined
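An added Python example (not Trike's own code) covering the Attack Leaf Nodes, Mitigations, Threat Risk, Vulnerabilities and Weaknesses slides: leaf values propagate up a small attack graph to a threat, a mitigation replaces a leaf's reproducibility and exploitability, and unmitigated leaves are ranked by the risk removed by fixing each. The scoring scale and the OR/AND combination rules are assumptions of this example, and the graph, node names and exposure figure are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Added example, not Trike's own code. Assumed scoring: reproducibility and
# exploitability are fractions in [0, 1], a leaf's likelihood is their product,
# an OR node takes its most likely child and an AND node multiplies its
# children; Trike's own propagation rules may differ.
@dataclass
class Node:
    op: str                                    # "leaf", "or" or "and"
    children: List[str] = field(default_factory=list)
    reproducibility: float = 0.0
    exploitability: float = 0.0
    mitigation: Optional[Tuple[float, float]] = None  # new (repro, exploit)

def likelihood(graph: Dict[str, Node], name: str, fixed: Optional[str] = None,
               seen: frozenset = frozenset()) -> float:
    """Propagate likelihood up from leaf attack nodes to the threat root.
    `fixed` names a leaf to treat as fully fixed; `seen` breaks cycles."""
    if name in seen:                           # attack graphs may be cyclic
        return 0.0
    node = graph[name]
    if node.op == "leaf":
        if name == fixed:
            return 0.0
        repro, expl = node.mitigation or (node.reproducibility, node.exploitability)
        return repro * expl
    vals = [likelihood(graph, c, fixed, seen | {name}) for c in node.children]
    if node.op == "or":
        return max(vals, default=0.0)
    prod = 1.0
    for v in vals:
        prod *= v
    return prod

def threat_risk(graph, root, exposure, fixed=None):
    """Threat risk: requirements-level exposure x implementation-level likelihood."""
    return exposure * likelihood(graph, root, fixed)

def weaknesses_by_risk_reduction(graph, root, exposure):
    """Unmitigated leaves, ranked by the threat risk removed by fixing each."""
    base = threat_risk(graph, root, exposure)
    ranked = [(n, base - threat_risk(graph, root, exposure, fixed=n))
              for n, node in graph.items() if node.op == "leaf" and node.mitigation is None]
    return sorted(ranked, key=lambda t: -t[1])

# Constructed sample graph for the threat "customer reads another customer's invoice".
GRAPH = {
    "read_other_invoice": Node("or", ["authz_check_missing", "session_hijack"]),
    "authz_check_missing": Node("leaf", reproducibility=1.0, exploitability=0.8),
    "session_hijack": Node("and", ["token_captured", "token_reused"]),
    "token_captured": Node("leaf", reproducibility=0.5, exploitability=0.6),
    "token_reused": Node("leaf", reproducibility=1.0, exploitability=0.9),
}
EXPOSURE = 240_000  # constructed requirements-level exposure, in dollars
```

Setting `GRAPH["authz_check_missing"].mitigation = (0.2, 0.8)` models deploying a mitigation: the threat's likelihood drops from the unmitigated leaf's 0.8 to the 0.27 of the remaining AND path, and that leaf no longer appears in the weakness ranking.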
The Dynamic Risk Model
• Effects on risk model immediately visible when exploitability and reproducibility change
• As new exploits come out, resources for rapid response can be allocated
• Allows targeting of resources to areas of the attack graph with high leverage on the overall risk posture
More information
• Paper: http://hhhh.org/trike/paper
• Tool: http://hhhh.org/trike/tool
• Contact: [email protected]
• Mailing List: [email protected] (subscribe at [email protected])