Threat Modeling Lessons from Star Wars Adam Shostack

About Adam Shostack

                  https://associates.shostack.org
Why Are We Here Today?

•   Engineer more secure systems
•   Structured, systematic and comprehensive approach
•   Engineer a consistent & predictable lack of surprise
•   Works for you (as people and organization)
What Is Threat Modeling?
Agenda

–A simple approach to threat modeling
–Top 10 lessons
(Some history and) A simple approach to threat modeling
4 Questions
What Are We Working On?

[Diagram: data-flow diagram of "Our App". A Customer talks to a Web App, which is backed by a DB; new content enters the app through a separate Content creation flow.]
What Can Go Wrong?
 Remember STRIDE
Spoofing

By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532
Tampering

http://pinlac.com/LegoDSTractorBeam.html
Repudiation

By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
Information Disclosure (and impact)

Photo by Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/
Denial of Service

Model by Nathan Sawaya
http://brickartist.com/gallery/han-solo-in-carbonite/
Elevation of Privilege

http://www.flickr.com/photos/prodiffusion/
STRIDE Mnemonic

•   Spoofing
•   Tampering
•   Repudiation
•   Information Disclosure
•   Denial of Service
•   Elevation of Privilege

…Helps us be structured in how we think about threats
4 Questions
What Are We Going To Do About It?
Threat                   Property violated                  Mitigation approach

Spoofing                 Authentication                     Passwords, multi-factor authN; digital signatures
Tampering                Integrity                          Permissions/ACLs; digital signatures
Repudiation              Non-repudiation (Accountability)   Secure logging and auditing; digital signatures
Information Disclosure   Confidentiality                    Encryption; permissions/ACLs
Denial of Service        Availability                       Permissions/ACLs; filtering; quotas
Elevation of Privilege   Authorization                      Permissions/ACLs; input validation
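The three questions so far (what are we working on, what can go wrong, what are we going to do about it) can be run as one mechanical pass over a model of the diagram. The following is an added worked example, not code from the deck: it encodes a constructed reading of the "What are we working on?" data-flow diagram (element names and trust-boundary flags are assumptions), applies the standard STRIDE-per-element table (which the deck does not show: external entities get S and R, processes get all six, flows and stores get T, I and D, log stores also R) to enumerate candidate threats, and looks each one up in the threat/property/mitigation table above.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added worked example; not code from Adam Shostack's deck. The DFD below is a
constructed reading of the 'What are we working on?' slide (Customer -> Web App
-> DB plus a content creation flow); names and trust-boundary flags are
assumptions. The element-to-threat mapping is the standard STRIDE-per-element
table, which the deck does not show; the mitigation lookup is the deck's
threat/property/mitigation table.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threat letter -> (security property violated, mitigation approaches), from the deck's table.
STRIDE: Dict[str, Tuple[str, List[str]]] = {
    "S": ("Authentication", ["passwords / multi-factor authN", "digital signatures"]),
    "T": ("Integrity", ["permissions/ACLs", "digital signatures"]),
    "R": ("Non-repudiation", ["secure logging and auditing", "digital signatures"]),
    "I": ("Confidentiality", ["encryption", "permissions/ACLs"]),
    "D": ("Availability", ["permissions/ACLs", "filtering", "quotas"]),
    "E": ("Authorization", ["permissions/ACLs", "input validation"]),
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}

# STRIDE-per-element: which categories are worth asking about for each DFD element
# kind. External entities can be spoofed and can repudiate; processes get all six;
# data flows and data stores are tampered with, disclosed or starved; a store that
# holds logs additionally matters for repudiation.
APPLICABLE: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "flow": "TID",
    "store": "TID",
    "log_store": "TIDR",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                              # a key of APPLICABLE
    crosses_trust_boundary: bool = False   # for flows: data arrives from a less-trusted side


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    violated: str                          # the security property at stake
    mitigations: Tuple[str, ...]
    across_boundary: bool


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply the per-element table: one Threat per (element, applicable category)."""
    out: List[Threat] = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        for letter in APPLICABLE[e.kind]:
            prop, mitigations = STRIDE[letter]
            out.append(Threat(e.name, NAMES[letter], prop, tuple(mitigations),
                              e.crosses_trust_boundary))
    return out


def prioritized(elements: List[Element]) -> List[Threat]:
    """Same threats, but those on boundary-crossing elements first (stable order otherwise)."""
    return sorted(enumerate_threats(elements), key=lambda t: not t.across_boundary)


def summarize(threats: List[Threat]) -> Dict[str, int]:
    """Count of threats per STRIDE category, a quick coverage sanity check."""
    return dict(Counter(t.category for t in threats))


def render(t: Threat) -> str:
    flag = " [crosses trust boundary]" if t.across_boundary else ""
    return f"{t.element}{flag}: {t.category} (violates {t.violated}) -> {'; '.join(t.mitigations)}"


# Constructed model of the slide's DFD; names and boundary flags are assumptions.
OUR_APP: List[Element] = [
    Element("Customer", "external"),
    Element("Customer -> Web App (HTTPS request)", "flow", crosses_trust_boundary=True),
    Element("Web App", "process"),
    Element("Web App -> DB (SQL)", "flow"),
    Element("DB", "store"),
    Element("Content creator", "external"),
    Element("Content creator -> Web App (new content)", "flow", crosses_trust_boundary=True),
]

if __name__ == "__main__":
    threats = prioritized(OUR_APP)
    for t in threats:
        print(render(t))
    print(f"{len(threats)} candidate threats: {summarize(threats)}")
```

The output is a list of candidates to argue about, not a finished threat model: the structure guarantees nobody forgets to ask "can this flow be tampered with?", while deciding which candidates are real, and which mitigation actually applies, is still the analyst's job (the "Validate" step).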
TOP TEN LESSONS
Trap #1: “Search your feelings!”

Trap   • “Think Like An Attacker”

Fix    • Serious work is helped by structure
Trap #2: “You’re Never Done Threat Modeling”

[Diagram: the process as a loop. Model -> Identify Threats -> Mitigate -> Validate, with the result of validation feeding into the next round of modeling.]
Trap #3: “The Way To Threat Model Is…”
Trap •   Too much focus on specifics of how
         – Use this framework (STRIDE)
         – With this diagram type

Fix   • Focus on helping people find good threats
      • Focus on different skills, systems
         – Developers
         – Operations
Trap #3: Monolithic Processes

Trap   • One monolithic, all-or-nothing process

Fix    • Building blocks: Model, Identify Threats, Mitigate, Validate
Trap #3: “The Way To Threat Model Is…”

[Diagram: a grid with rows "Software" and "Systems" and columns "Security mavens" and "Experts in other areas"; "Checklists" and "PCI" sit in the "Experts in other areas" column.]
Trap #4: Threat Modeling as One Skill

Trap •   “I should learn to threat model”

Fix   • Think of threat modeling
         – Like software development
         – Techniques & repertoire
      • Technique: DFDs, STRIDE, Attack trees
      • Repertoire:
         – Tools: Firesheep, Hydra, Kali
         – Books: Cuckoo's Egg to Countdown to Zero Day
      • All used to analogize & reason about new systems
Trap #5: “Threat Modeling is Easy”

Trap   • Thinking your first threat model will be easy
          • “Driving is easy”
             • Once you learn
             • 40,000 US deaths per year

Fix    • Plan to work, build muscle
Trap #6: Threat Modeling is for Specialists

Trap   • Thinking TM is for specialists

Fix    • Make it like version control:
          – Every developer, most sysadmins know some
          – Some orgs have full time people managing trees
       • This is a stretch goal for threat modeling
Trap #7: The Wrong Focus

Trap   • Start from your assets
       • Start by thinking about your attackers
       • Threat modeling should focus on finding threats

Fix    • Remember trap #3: “The way to threat model is”
       • Starting from assets or attackers works for some people
Trap #8: Straining Against The Supply Chain
Trap •   Trying to do it all
         – Cost & feasibility of fixes changes
         – Threats are “easy” to address at different parts
             • SoC chipmaker can ship trusted boot
             • Developers can add logging, but cannot see on-site logs

Fix   • Think about an alliance along your supply chain
         – Security Operations Guide
         – Non-requirements
Trap #9: Laser-Like Focus on Threats

[Diagram: a triangle of Requirements, Threats and Mitigations.
 Requirements <-> Threats: requirements drive threats; threats drive requirements.
 Threats <-> Mitigations: threats need mitigation; mitigations can be bypassed.
 Mitigations <-> Requirements: no mitigation? Simplify requirements.]

Interplay of attacks, mitigations and requirements
Trap #10: Threat Model at the Wrong Time
                         “Sir, we’ve analyzed their
                         attack pattern, and there is
                         a danger”
Summary

• Anyone can threat model, and everyone should…soon!
• The skills, techniques and repertoire can all be learned
• There are many traps

• Threat modeling can be the most effective way to drive security
  through your product, service or system
“All models are wrong,
some models are useful”

                 — George Box, FRS
Questions?

Resources:
• adam.shostack.org/blog
• Threatmodelingbook.com
• TM channel at OWASP slack
    – https://owasp-slack.herokuapp.com
• https://www.linkedin.com/learning/instructors/adam-shostack

 https://associates.shostack.org
Thank you!
• Star Wars: Episodes IV-VI
• Great Creative Commons Lego brick art:
   –   Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532
   –   http://pinlac.com/LegoDSTractorBeam.html
   –   Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
   –   Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/
   –   Kaitan Tylerguy http://www.flickr.com/photos/kaitan/3326772088/
   –   Nathan Sawaya, http://brickartist.com/gallery/han-solo-in-carbonite/
   –   http://www.flickr.com/photos/prodiffusion/