
Real World Threat Modeling Using the PASTA Methodology - …



Transcription of Real World Threat Modeling Using the PASTA Methodology - …

1 Real World Threat Modeling Using the PASTA Methodology
Tony UcedaVelez, Managing Partner, VerSprite
OWASP AppSec EU 2012

Why Threat Modeling?
• Threat dissection
• Targeted analysis: focused on understanding targeted attacks
• You can't mitigate all of your threats. So, what are your most likely threats to your published sites/services?

Taxonomy of Terms
• Asset. An asset is a resource of value. It varies by perspective. To your business, an asset might be the availability of information, or the information itself, such as customer data. It might be intangible, such as your company's reputation.
• Threat. A threat is an undesired event: a potential occurrence, often best described as an effect that might damage or compromise an asset or objective.

2 (Threat, continued) Relative to each site, industry, company; more difficult to uniformly define.
• Vulnerability (weakness). A vulnerability is a weakness in some aspect or feature of a system that makes an exploit possible. Vulnerabilities can exist at the network, host, or application levels and include operational practices.
• Attack (or exploit). An attack is an action taken that utilizes one or more vulnerabilities to realize a threat.
• Countermeasure. Countermeasures address vulnerabilities to reduce the probability of attacks or the impacts of threats. They do not directly address threats; instead, they address the factors that define the threats.

3 Taxonomy of Terms (continued)
• Use Case. Functional, as-designed function of an application.
• Abuse Case. Deliberate abuse of functional use cases in order to yield unintended results.
• Attack Vector. Point & channel over which attacks travel (card reader, form fields, network proxy, client browser, etc.).
• Attack Surface. Logical area (browser stack, infrastructure components, etc.) or physical area (hotel kiosk).
• Actor (Threat Agent). Legit or adverse caller of use or abuse cases.
• Impact. Value of [financial] damage possibly sustained via attack. Relative.
• Attack Tree. Diagram of the relationships amongst asset, actor, use case, abuse case, vulnerability, exploit and countermeasure.

What is PASTA?

4 What is PASTA?
• Process for Attack Simulation & Threat Analysis
• Integrated application threat modeling methodology
• Risk or asset based approach; great for business integration
• 7 stages building up to impact of adversarial threat to application & business
• Aimed at addressing most viable threats to a given application target
• Encapsulates other security efforts

Why should I eat this?
• Current menu of application testing doesn't provide a full security meal:
  – Pen tests: exploit driven
  – Risk assessments: subjective; lacks analysis meat
  – Static analysis: weakness, flaw driven; disregards threats, narrow focus
  – Vuln scans: (C'mon! As if this could provide a decent meal!)
• Security testing deliverables are …
• Integrated disciplines are needed via a unifying methodology
• Better form of risk analysis w/ more substance

Threat Modeling Comparisons: MS Approach vs. Process for Attack Simulation & Threat Analysis (PASTA)

5 MS Approach vs. Process for Attack Simulation & Threat Analysis (PASTA). The seven PASTA stages:
1. Define Biz Objectives
2. Define Tech Scope
3. App Decomposition
4. Threat Analysis
5. Vuln Detection
6. Attack Enumeration
7. Risk/Impact Analysis

STAGE I. Define the Business & Security Objectives: capture requirements for the analysis and management of web based risks.

Stage 1 Walkthru: Understand Biz Objectives
Business objectives affect web apps:
• Functional requirement of supercookies (marketing)
• Persistent storage of PII
• Easily accessible web services for internal APIs ('internal' lets the security guard down w/ authentication)
• Over-scoping of functional requirements
• Orphaned features that lose maintenance

Web App Example: Change Management System
• Biz objective: track & manage changes across groups

6 (Change Management System example, continued)
• Biz objectives: easily accessible; control changes; role based access
• Discovered threats/vulnerabilities: Internet accessible, elevation of privileges

Threat Modeling Stage 1 Artifact: Application Profile (Online Banking Application)
General Description: The online banking application allows customers to perform banking activities such as financial transactions over the internet. The types of transactions supported by the application include bill payments, wires, funds transfers between a customer's own accounts and other bank institutions, account balance inquiries, transaction inquiries, bank statements, new bank accounts, loan and credit card applications. New online customers can register an online account using existing debit card, PIN and account information.

7 Customers authenticate to the application using username and password and different types of Multi Factor Authentication (MFA) and Risk Based Authentication (RBA).
• Application type: Internet facing
• Data classification: Public, Non Confidential, Sensitive and Confidential PII
• Inherent risk: HIGH (infrastructure, limited trust boundary, platform risks, accessibility)
• High risk transactions: YES
• User roles: visitor, customer, administrator, customer support representative
• Number of users: 3 million registered customers

Merging Business & Security Requirements
• Project business objective: Perform an application risk assessment.
  Security and compliance requirement: Risk assessment needs to assess risk from the attacker perspective and to analyze malware banking attacks; identify on-line banking transactions targeted by the attacks.
• Project business objective: Identify application controls and processes in place to mitigate the threat.
  Security and compliance requirement: Conduct architecture risk analysis to identify the security controls in place and the effectiveness of these controls.

8 (Merging Business & Security Requirements, continued)
  Review current scope for vulnerability and risk assessments.
• Project business objective: Comply with FACT Act of 2003 and the relevant FFIEC guidelines for authentication in the banking environment.
  Security and compliance requirement: Develop a written program that identifies and detects the warning signs or red flags of identity theft. Perform a risk assessment of online banking high risk transactions such as transfer of money and access of Sensitive Customer Information.
• Project business objective: Analyze attacks and the targets that include data and high risk transactions.
  Security and compliance requirement: Analyze attack vectors used for acquisition of customers' PII, logging credentials and other sensitive information. Analyze attacks against user account modifications, financial transactions (wires, bill-pay), new account linkages.
• Project business objective: Identify a risk mitigation strategy that includes detective and preventive controls/processes.
  Security and compliance requirement: Include stakeholders from Intelligence, IS, Fraud/Risk, Legal, Business, Engineering/Architecture.

9 (Merging Business & Security Requirements, continued)
  Identify application countermeasures that include preventive, detective (monitoring) and compensating controls against malware-based banking Trojan attacks.

Baking in GRC
• Serve as inherent countermeasures in the form of people, process, technology
  – Policies (for people)
  – Standards (for technology)
• Prior risk assessments help build the app risk profile: historical RAs provide the prior risk profile of the app
• Regulatory landscape taken into consideration, but not the driver. Key here is to not retrofit compliance; more costly
• Web related example (tech): using the Nessus OWASP template to audit for PHP & ColdFusion hardening guidelines; OWASP Input Validation Cheat Sheets; CIS Web Technology Benchmarks

STAGE II.
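The taxonomy on slides 1-3 chains asset, actor, use case, abuse case, vulnerability, exploit and countermeasure into an attack tree, and slide 2 defines a countermeasure as something that lowers either the probability of an attack or the impact of a threat. The following Python is an added example (not code from the deck or from VerSprite) that builds such a tree for the online banking profile on slides 6-9 and computes inherent and residual risk per path; the weaknesses, probabilities, impacts and countermeasure factors are constructed assumptions for illustration, not assessed values.

```python
"""Attack tree in the PASTA taxonomy: added example, not from the deck.

Asset -> Actor / Use case -> Abuse case -> Vulnerability -> Attack -> Countermeasure.
Countermeasures reduce the probability of attacks or the impacts of threats
(slide 2), so residual risk applies both factors to probability x impact.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Countermeasure:
    name: str
    kind: str                       # "preventive", "detective" or "compensating" (slide 9)
    probability_factor: float = 1.0  # multiplies attack probability; 1.0 = no effect
    impact_factor: float = 1.0       # multiplies threat impact; 1.0 = no effect


@dataclass
class Attack:
    name: str                 # action that uses a vulnerability to realise a threat
    vulnerability: str        # weakness that makes the attack possible
    probability: float        # assumed likelihood, 0..1 (constructed value)
    countermeasures: List[Countermeasure] = field(default_factory=list)


@dataclass
class AbuseCase:
    name: str
    use_case: str             # functional use case being abused
    actor: str                # threat agent calling the abuse case
    impact: float             # relative [financial] damage (constructed units)
    attacks: List[Attack] = field(default_factory=list)


@dataclass
class Asset:
    name: str
    abuse_cases: List[AbuseCase] = field(default_factory=list)


def residual_risk(abuse: AbuseCase, attack: Attack) -> float:
    """Probability x impact after every countermeasure on the path is applied."""
    p, i = attack.probability, abuse.impact
    for cm in attack.countermeasures:
        p *= cm.probability_factor
        i *= cm.impact_factor
    return p * i


def rank_paths(asset: Asset) -> List[Tuple[float, float, str]]:
    """(residual risk, inherent risk, path) for every leaf, highest residual first."""
    rows = []
    for abuse in asset.abuse_cases:
        for attack in abuse.attacks:
            inherent = attack.probability * abuse.impact
            path = " / ".join([asset.name, abuse.actor, abuse.use_case, abuse.name,
                               attack.vulnerability, attack.name])
            rows.append((residual_risk(abuse, attack), inherent, path))
    return sorted(rows, key=lambda r: r[0], reverse=True)


def uncovered_paths(asset: Asset) -> List[str]:
    """Attack paths with no countermeasure at all: the gaps the risk analysis must explain."""
    return [f"{abuse.name} via {attack.name}"
            for abuse in asset.abuse_cases
            for attack in abuse.attacks if not attack.countermeasures]


def banking_tree() -> Asset:
    """Constructed tree for the online banking profile (slides 6-9); all numbers are assumptions."""
    mfa = Countermeasure("multi-factor authentication", "preventive", probability_factor=0.2)
    rba = Countermeasure("risk-based authentication", "preventive", probability_factor=0.5)
    monitor = Countermeasure("transaction monitoring", "detective", impact_factor=0.4)
    funds = Asset("customer funds and PII")
    funds.abuse_cases = [
        AbuseCase("unauthorised wire from a customer account", "wire transfer",
                  "external attacker with banking Trojan", impact=100.0, attacks=[
                      Attack("replay stolen login credentials",
                             "password alone proves identity (assumed weakness)",
                             probability=0.3, countermeasures=[mfa, rba, monitor])]),
        AbuseCase("fraudulent online registration", "new online account registration",
                  "identity thief", impact=40.0, attacks=[
                      Attack("register with stolen debit card, PIN and account data",
                             "registration trusts card data alone (assumed weakness)",
                             probability=0.2)]),  # no countermeasure modelled yet
    ]
    return funds


if __name__ == "__main__":
    tree = banking_tree()
    for residual, inherent, path in rank_paths(tree):
        print(f"residual {residual:6.2f} (inherent {inherent:6.2f}): {path}")
    print("uncovered:", uncovered_paths(tree))
```

The ranking is the point: the wire path has the larger inherent risk, but MFA, RBA and monitoring bring it below the registration path, which has no countermeasure modelled and therefore surfaces first as the gap to take into the risk mitigation strategy.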

10 Define the Technical Scope: defining the scope of technical assets/components for which threat enumeration will ensue.

Stage 2 Walkthru: Define Tech Scope. The application architecture scope.

Technical Scope Definition. Define the scope from design artifacts:
• Application components with respect to the application tiers (presentation, application, data)
• Network topology
• Protocols/services being used/exposed from/to the user to/from the back end (data flow diagrams)
• Use case scenarios (sequence diagrams)
• Model the application in support of security architecture risk analysis
  – The application assets (data/services at each tier)
  – The security controls of the application (authentication, authorization, encryption, session management, input validation, auditing and logging)
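Stage 2 asks for components per tier, the data flows between them and the security controls on each flow, which is the raw material for threat enumeration in stage 3. The following Python is an added example (not code from the deck or from VerSprite) that captures a small data flow model for the online banking application of slides 6-7 and checks every flow that crosses a trust boundary for the controls its data classification calls for; the components, protocols and the classification-to-controls mapping are assumptions made for the example.

```python
"""Stage 2 technical-scope model: added example, not from the deck.

Components sit in the presentation, application or data tier (the Internet is
the untrusted origin); data flows between them carry data of a classification
from slide 7 and record the slide 10 security controls protecting them. A flow
that crosses a tier boundary without the controls its classification needs is
reported as a gap for threat enumeration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Controls a boundary-crossing flow is expected to carry, by classification.
# This mapping is an assumption for the example, not a rule from the deck.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "Public": set(),
    "Sensitive": {"encryption", "authentication"},
    "Confidential PII": {"encryption", "authentication", "authorization",
                         "auditing and logging"},
}


@dataclass(frozen=True)
class Component:
    name: str
    tier: str   # "internet", "presentation", "application" or "data"


@dataclass
class DataFlow:
    source: Component
    target: Component
    protocol: str
    classification: str
    controls: Set[str] = field(default_factory=set)

    def crosses_trust_boundary(self) -> bool:
        # Traffic between tiers crosses a trust boundary; intra-tier traffic does not.
        return self.source.tier != self.target.tier

    def label(self) -> str:
        return f"{self.source.name} -> {self.target.name} ({self.protocol})"


def missing_controls(flow: DataFlow) -> Set[str]:
    """Required controls the flow lacks; empty when it stays inside one tier."""
    if not flow.crosses_trust_boundary():
        return set()
    return REQUIRED_CONTROLS[flow.classification] - flow.controls


def scope_report(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Only the flows with gaps, mapped to the sorted controls they lack."""
    report: Dict[str, List[str]] = {}
    for flow in flows:
        gap = missing_controls(flow)
        if gap:
            report[flow.label()] = sorted(gap)
    return report


def assets_by_tier(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Application assets (components) grouped per tier, as stage 2 asks for."""
    tiers: Dict[str, Set[str]] = {}
    for flow in flows:
        for comp in (flow.source, flow.target):
            tiers.setdefault(comp.tier, set()).add(comp.name)
    return {tier: sorted(names) for tier, names in tiers.items()}


def banking_scope() -> List[DataFlow]:
    """Constructed flows for the online banking profile (slides 6-7)."""
    browser = Component("customer browser", "internet")
    web = Component("web server", "presentation")
    app = Component("banking application server", "application")
    db = Component("account database", "data")
    full = {"encryption", "authentication", "authorization", "auditing and logging"}
    return [
        DataFlow(browser, web, "HTTPS", "Public"),                        # marketing pages
        DataFlow(browser, web, "HTTPS", "Confidential PII", set(full)),   # logged-in banking
        # 'Internal' traffic is where the guard drops (slide 5): only authentication here.
        DataFlow(web, app, "HTTP", "Confidential PII", {"authentication"}),
        DataFlow(app, db, "TLS", "Confidential PII", set(full)),
    ]


if __name__ == "__main__":
    flows = banking_scope()
    print("assets by tier:", assets_by_tier(flows))
    for label, gap in scope_report(flows).items():
        print(f"{label}: missing {', '.join(gap)}")
```

Run stand-alone it lists the components per tier and flags only the presentation-to-application hop, the kind of internal flow slide 5 warns about, as missing encryption, authorization and auditing for the PII it carries.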
