Alex Hutton & Allison Miller review their research and application of threat modeling. This version was presented at SOURCE Barcelona (2010); a previous version was presented at Black Hat.
2010.08 Applied Threat Modeling: Live (Hutton/Miller)
1. Threat Modeling LIVE
Alex Hutton
Principal, Risk & Intelligence - Verizon Business
http://securityblog.verizonbusiness.com
http://www.newschoolsecurity.com
Society of Information Risk Analysts
http://societyinforisk.org/
@alexhutton on the twitter
Allison Miller
Group Manager, Account Risk & Security - PayPal
2. what is this presentation about?
- new way to look at risk management via data and threat modeling
5. "Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners"
- Jack Jones
6. "Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners" (annotated)
- capabilities of the organization: control, influence over outcome
- exposure of the organization: threats manifest as loss of assets
- tolerance of the data owners: how much can you afford to lose?
12. "Evolution strongly favors strategies that minimize the risk of loss, rather than which maximize the chance of gain."
- Len Fisher, Rock, Paper, Scissors: Game Theory in Everyday Life
13. system models are different from maps, they include dynamics and boundaries
35. Complex Adaptive Systems: You can't make point probabilities (sorry ALE), you can only work with patterns of information
36. How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)
Richard I. Cook, MD, Cognitive Technologies Laboratory, University of Chicago
http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf
37. Because we're dealing with Complex Adaptive Systems, engineering risk statements = bankrupt (sorry GRC)
39. Complex Systems: create a business process
- Process is a collection of system interaction (system behavior)
- Process has human interaction (human behavior)
47. What is the Verizon Incident Sharing (VERIS) Framework?
- a means to create metrics from the incident narrative
- how Verizon creates measurements for the DBIR
- how *anyone* can create measurements from an incident
- https://verisframework.wiki.zoho.com
48. What makes up the VERIS framework?
Four sections, in order (1 > 2 > 3 > 4):
- 1. demographics: information about the organization, including their size, location, industry, & security budget (implied)
- 2. incident classification (A4): information about the attack (traditional threat model), including (meta)data about agent, action, asset, & security attribute (C/I/A)
- 3. discovery & mitigation: information about incident discovery, probable mitigating controls, and rough state of security management
- 4. impact classification (+ $ $ $): information about impact categorization (à la FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative description of damage
49. The Incident Classification section employs Verizon's A4 event model
A security incident (or threat scenario) is modeled as a series of events. Every event consists of the following 4 A's:
- Agent: Whose actions affected the asset
- Action: What actions affected the asset
- Asset: Which assets were affected
- Attribute: How the asset was affected
Incident as a chain of events: 1 > 2 > 3 > 4 > 5
56. in VERIS we see THREE events.
1 > 2 > 3
- phishing
- malware infection
- credential theft
57. in VERIS we see THREE events.
1 > 2 > 3
- phishing
- malware infection
- credential exfiltration
in addition we can describe FOUR fraud events
58. from the initial narrative, we now have a threat event model with SEVEN objects
1 > 2 > 3 > 4 > 5 > 6 > 7
59. event 1 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: social, type: phishing, channel: email, target: end-user
- ASSET: human, type: end-user
- ATTRIBUTE: integrity
60. event 2 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: malware, type: install additional malware or software
- ASSET: end-user device, type: desktop (more meta-data possible)
- ATTRIBUTE: integrity
61. event 3 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: malware, type: harvest system information
- ASSET: end-user device, type: desktop (more meta-data possible)
- ATTRIBUTE: integrity, confidentiality
62. event 4 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: impersonation
63. event 5 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: impersonated transaction
64. event 6 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: buy goods or transfer funds
65. event 7 of 7
- AGENT: external, organized crime, eastern europe
- ACTION: goods/funds extraction
66. we can study the event model to understand control opportunities
1 > 2 > 3 > 4 > 5 > 6 > 7
- end user could have made better choices
67. control opportunity: Wouldn't it be nice if end users had desktop DLP?
68. control opportunity: Why is Mrs. Francis Neely, 68 years of age from Lexington, KY suddenly purchasing items from European websites to be shipped to Asia???
70. if patterns can be defined, they can be stored for later use.
[slide table: stored patterns a through f, one row each, with columns demographic | incident classification (A4) as an event chain 1 > 2 > 3 > 4 > 5 | discovery | impact (+ $ $ $)]
71. if they can be stored for later use, they can be used to Detect, Respond, and Prevent.
[same table of stored patterns a through f as on slide 70]
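The A4 event model (slide 49), the seven-event chain (slides 58-65) and the stored-pattern idea (slides 70-71), as an added Python example that is not part of the original deck: events are encoded as Agent/Action/Asset/Attribute records, the chain is stored as a named pattern, and a partially observed incident is matched against the store to report how far along the chain it is. The pattern name, the string encodings and the empty asset fields for events 4-7 are assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One VERIS A4 event: Agent, Action, Asset and the security Attribute(s) affected."""
    agent: str
    action: str
    asset: str
    attribute: frozenset

def a4(agent, action, asset, *attrs):
    return Event(agent, action, asset, frozenset(attrs))

# Seven-object model from slides 59-65; events 4-7 have no asset/attribute on the slides.
CRIME = "external:organized crime:eastern europe"
PHISH_TO_FRAUD = (
    a4(CRIME, "social:phishing:email:end-user", "human:end-user", "integrity"),
    a4(CRIME, "malware:install additional malware", "device:desktop", "integrity"),
    a4(CRIME, "malware:harvest system information", "device:desktop",
       "integrity", "confidentiality"),
    a4(CRIME, "impersonation", ""),
    a4(CRIME, "impersonated transaction", ""),
    a4(CRIME, "buy goods or transfer funds", ""),
    a4(CRIME, "goods/funds extraction", ""),
)

# Pattern store (slide 70); the pattern name is a constructed label.
PATTERN_STORE = {"phishing -> malware -> credential theft -> fraud": PHISH_TO_FRAUD}

def matched_prefix(observed, pattern):
    """Count leading pattern events the observed chain matches: agent, action and
    asset must be equal, and every attribute the pattern names must be present."""
    n = 0
    for obs, pat in zip(observed, pattern):
        same = (obs.agent, obs.action, obs.asset) == (pat.agent, pat.action, pat.asset)
        if not same or not pat.attribute <= obs.attribute:
            break
        n += 1
    return n

def detect(observed):
    """Slide 71: match an observed, possibly incomplete, chain against the store and
    report progress plus the next expected event (where a control can still break it)."""
    hits = {}
    for name, pattern in PATTERN_STORE.items():
        n = matched_prefix(observed, pattern)
        if n:
            nxt = pattern[n].action if n < len(pattern) else None
            hits[name] = {"matched": n, "remaining": len(pattern) - n, "next_action": nxt}
    return hits
```

An observed chain may carry extra attributes (for example availability loss on the desktop) and still match, because the check only requires the attributes the stored pattern names.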