Attack modeling vs threat modelling
AppCrypto Team
12/8/2015

What is the difference between threat modeling and attack modeling in a software system?
Let's first try to understand the difference between a threat and an attack.
A threat is the possibility of something bad happening; in other words, a potential violation of security.
An example threat: sensitive customer data getting exposed to unauthorized parties.
A personal life example: there is a possibility that your car gets hijacked.
An attack is any action that exploits a vulnerability to realize a threat; in other words, an event that results in a security violation. There won't be any attacks without a threat: if there is nothing to gain, then there is nothing to attack.
Example attack: exploiting a SQL injection vulnerability to access sensitive customer data stored in the database.
A personal life example: using a fake key to hijack the car (the fake key works because of a vulnerability).
There are two types of attacks based on the intention of the attacker:
• Passive attacks do not alter resources while trying to learn information. E.g. wiretapping, port scanning.
• Active attacks alter resources. E.g. spoofing, DoS attacks, buffer overflows.
Also, there are two types of attacks based on the origin of the attacker:
• Inside attacks initiate within the security perimeter, by an authorized user. E.g. insider attacks (a privileged DBA copying customer information).
• Outside attacks initiate from outside the security perimeter, by an unauthorized user. E.g. an attacker performing a SQL injection attack via a vulnerable app.
Now that we have a good grip on a threat vs. an attack, let's go back to our original question: threat modeling vs. attack modeling.
Threat modeling is thinking ahead of time about what could go wrong and acting accordingly. Threat modeling is done from the defender's perspective.
In formal terms, threat modeling is the process of identifying your system (its assets) and the potential threats against your system.
(Diagram: defender, attacker, asset.)
Threat modeling is a process…
1. Identify your system: its architecture, i.e. entities, processes, data and data flows.
2. Identify the threats. E.g. the STRIDE framework: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privileges.
3. Identify how the threats could be realized. E.g. attack trees.
4. Quantify the risks associated with the threats. E.g. DREAD classification.
5. Come up with mitigation techniques.
Let's look at an example…
1. Identify your system: a three-tier e-commerce web site (browser, app server, database).
2. Identify the threats: user authentication credentials get disclosed.
3. Identify how the threats could be realized: wiretapping the connection between browser and app server.
4. Quantify the risks: high risk.
5. Come up with mitigation techniques: always use TLS between browser and app server.
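The five threat modeling steps carried through in code for the slides' own three-tier example (an added example, not part of the slide deck): data flows make up the system, a STRIDE pass flags Information disclosure and Tampering on unprotected flows that cross the perimeter, wiretapping is the attack-tree leaf, a rule-based DREAD rating quantifies the risk, and TLS is the mitigation. The DataFlow and Threat types, the DREAD rating rules and the High/Medium/Low thresholds are assumptions; it goes one step past the slide by re-running the model on the mitigated architecture.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DataFlow:
    """One data flow of the system architecture (entity -> entity)."""
    source: str
    target: str
    data: str               # what travels on the flow
    sensitive: bool         # credentials, customer records, ...
    encrypted: bool         # channel protected in transit?
    crosses_boundary: bool  # leaves the security perimeter (e.g. the Internet)

@dataclass(frozen=True)
class Threat:
    stride: str        # STRIDE category
    flow: DataFlow
    realization: str   # how the threat could be realized (an attack-tree leaf)
    dread: tuple       # Damage, Reproducibility, Exploitability, Affected, Discoverability (1-3 each)

    @property
    def score(self) -> int:
        return sum(self.dread)

    @property
    def risk(self) -> str:
        # Assumed thresholds on the 5..15 DREAD total.
        if self.score >= 12:
            return "High"
        return "Medium" if self.score >= 8 else "Low"

def rate_dread(flow: DataFlow) -> tuple:
    """Rule-based DREAD rating (assumed rules, not from the slides)."""
    damage = 3 if flow.sensitive else 1
    reproducibility = 3 if not flow.encrypted else 1    # works every time
    exploitability = 3 if flow.crosses_boundary else 2  # reachable from outside
    affected_users = 3 if flow.crosses_boundary else 2  # every external user
    discoverability = 3 if flow.crosses_boundary else 1
    return (damage, reproducibility, exploitability, affected_users, discoverability)

def identify_threats(flows) -> list:
    """STRIDE pass: an unprotected flow crossing the perimeter can be
    wiretapped (Information disclosure) and altered in transit (Tampering)."""
    threats = []
    for flow in flows:
        if flow.crosses_boundary and not flow.encrypted:
            link = f"the connection between {flow.source} and {flow.target}"
            threats.append(Threat("Information disclosure", flow,
                                  f"Wiretapping {link}", rate_dread(flow)))
            threats.append(Threat("Tampering", flow,
                                  f"Modifying {flow.data} in transit on {link}",
                                  rate_dread(flow)))
    return threats

def mitigation(threat: Threat) -> str:
    """Mitigation for in-transit threats: protect the channel."""
    return f"Always use TLS between {threat.flow.source} and {threat.flow.target}"

def apply_mitigation(flow: DataFlow) -> DataFlow:
    """The mitigated architecture: the same flow, now over TLS."""
    return replace(flow, encrypted=True)

def threat_model(flows) -> list:
    """Run all five steps and return one record per identified threat."""
    return [{"threat": f"{t.stride}: {t.flow.data} on {t.flow.source} -> {t.flow.target}",
             "realization": t.realization, "score": t.score, "risk": t.risk,
             "mitigation": mitigation(t)} for t in identify_threats(flows)]

# Constructed model of the slides' three-tier e-commerce site (not real data).
ECOMMERCE = [
    DataFlow("browser", "app server", "user authentication credentials",
             sensitive=True, encrypted=False, crosses_boundary=True),
    DataFlow("app server", "database", "customer records",
             sensitive=True, encrypted=False, crosses_boundary=False),
]
```

Running `threat_model(ECOMMERCE)` yields the slide's High-risk wiretapping threat on the browser/app server link with "Always use TLS" as its mitigation, and `threat_model([apply_mitigation(f) for f in ECOMMERCE])` yields nothing.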
Now we understand what threat modeling is. Let's get our hands on attack modeling and identify how it is different from threat modeling.
Attack modeling is thinking about how the system can be broken by exploiting vulnerabilities. Attack modeling is done from the attacker's perspective. In other words, it shows how an attacker would go about breaking the system by exploiting vulnerabilities.
Attack modeling is also a process…
1. Identify the system to be attacked: learn about the system by playing with it and going through documentation. E.g. an old version x of a database.
2. Identify vulnerabilities: study publicly available vulnerability databases. E.g. identify a vulnerability in an unpatched version of database x that allows privilege escalation.
3. Come up with ways to exploit the vulnerabilities. E.g. gain access to database x as a regular user and escalate privilege by exploiting the vulnerability.
4. Quantify the rewards of the attack. E.g. use the escalated privilege to infiltrate sensitive customer data.
As a defender, you will be looking into countermeasures. E.g. patch database x.
As an architect/designer/developer/tester, you will most likely be using threat modeling to protect your system. However, it is important to think from the point of view of attackers in order to truly protect your system.
