<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Iza Hedlund</title>
    <description>The latest articles on Forem by Iza Hedlund (@iza_hedlund).</description>
    <link>https://forem.com/iza_hedlund</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F580260%2F4316a419-c444-4cc4-a420-be16ec0a2388.jpg</url>
      <title>Forem: Iza Hedlund</title>
      <link>https://forem.com/iza_hedlund</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/iza_hedlund"/>
    <language>en</language>
    <item>
      <title>Engineer your security architecture - Using threat modeling &amp; cyber-attack simulations</title>
      <dc:creator>Iza Hedlund</dc:creator>
      <pubDate>Mon, 22 Feb 2021 14:02:03 +0000</pubDate>
      <link>https://forem.com/iza_hedlund/engineer-your-security-architecture-using-threat-modeling-cyber-attack-simulations-4pl9</link>
      <guid>https://forem.com/iza_hedlund/engineer-your-security-architecture-using-threat-modeling-cyber-attack-simulations-4pl9</guid>
      <description>&lt;h1&gt;
  
  
  Background
&lt;/h1&gt;

&lt;p&gt;Managing IT, especially risk and security, is difficult and costly. There is a constant struggle, and the main solution seems to be to throw more manpower at the problem. However, there are two issues with this solution: 1) finding and keeping competent people is not easy, and 2) the IT problems today are often too large and complex for any person, even the most skilled one, to handle without computerized help. Plus, is pumping water out of a leaking ship the best use for your highly skilled staff?&lt;br&gt;
Thus, it is time to be the engineers we are trained to be, also when it comes to IT and security. With the right engineering tools, we can analyze our current security posture and design future architectures that meet our security requirements.&lt;/p&gt;

&lt;h1&gt;
  
  
  Introduction
&lt;/h1&gt;

&lt;p&gt;In mature engineering disciplines, it is the gold standard to use tools when making decisions, designing new products, and making changes. When constructing a bridge or manufacturing a new car or airplane, blueprints are used instead of designing based on gut feeling. These design specifications and blueprints are often created and tested using Computer Aided Design (CAD) tools. Besides presenting a description, these tools can often also simulate and analyze important aspects of the product under design.&lt;/p&gt;

&lt;p&gt;Another aspect related to design is that in most disciplines, it is easier to design something that is way too strong or way too weak. The trick is to find a balance; in IT security, it is the balance between security and usability that needs to be handled.&lt;/p&gt;

&lt;p&gt;It is about time that IT and IT security start following the same principle when implementing and changing the IT landscape with new systems and features, including security countermeasures such as firewalls and encryption. That means an architectural description, acting as a blueprint that different stakeholders have agreed upon, implemented in a CAD tool so that security and risk analysis can be automated (quantitative and data-driven).&lt;/p&gt;

&lt;h1&gt;
  
  
  Case study - &lt;a href="https://foreseeti.com/securicad/"&gt;securiCAD&lt;/a&gt;
&lt;/h1&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--O7DaI-af--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ujsa9k3w3hdxckbcny1q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--O7DaI-af--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ujsa9k3w3hdxckbcny1q.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Created with foreseeti's Threat Modeling tool securiCAD&lt;/p&gt;

&lt;p&gt;In securiCAD, a model of the existing or planned architecture is created. The model is usually created manually, similar to drawing architecture in Visio. The model can be enriched with existing data sources, such as vulnerability scanners or logs, but it is usually not important to have all the details in place in the model before the first simulation is run.&lt;/p&gt;

&lt;p&gt;Once the model is created, an attacker is placed somewhere in the model. Where the attacker is placed depends on what kind of attacker the user wishes to study. It could be, e.g. an external attacker coming from the Internet, or a disgruntled employee with legitimate access to the internal network and a laptop.&lt;/p&gt;

&lt;p&gt;Depending on where the attacker is in the model, it will have different opportunities for collecting credentials, making use of missing security patches, listening to and making use of legitimate communication and access, and finding security flaws in web applications, to mention just some of them. Once the attacker has achieved some of these operations, other operations might become available, and the attacker will take a new look around from its new position.&lt;/p&gt;

&lt;p&gt;In securiCAD, we can follow this attacker's whereabouts in our model to see what our weak spots are most likely to be. To be more specific, we will see what methods the attacker is expected to use, how much effort/time it is expected to take, and what assets in the model the attacker is expected to make the most use of.&lt;br&gt;
Based on the results, the user can explore the effects of potential mitigations and design suggestions in the model and run the simulation over again.&lt;/p&gt;

&lt;h1&gt;
  
  
  Conclusions
&lt;/h1&gt;

&lt;p&gt;Being responsible for a ship, you don't want your crew to run around searching for and fixing leaks, if they are not busy pumping water, that is. And you don't want them to go around hammering different parts of the construction (the parts they can easily hammer on) to see if it will break. What you would like to do instead is to let your staff use tools to foresee where problems will occur next, how bad they will be, and in what way they are related, based on the ship's design and the quality of the material used. That is what threat modeling with attack simulation is all about.&lt;/p&gt;

</description>
      <category>discuss</category>
      <category>learning</category>
      <category>security</category>
      <category>computerscience</category>
    </item>
    <item>
      <title>Attack Vector Concept — Additional Gateways — Security analysis with Threat Modeling</title>
      <dc:creator>Iza Hedlund</dc:creator>
      <pubDate>Thu, 18 Feb 2021 09:46:43 +0000</pubDate>
      <link>https://forem.com/iza_hedlund/attack-vector-concept-additional-gateways-security-analysis-with-threat-modeling-1d63</link>
      <guid>https://forem.com/iza_hedlund/attack-vector-concept-additional-gateways-security-analysis-with-threat-modeling-1d63</guid>
      <description>&lt;h1&gt;
  
  
  Additional Gateways — Description
&lt;/h1&gt;

&lt;p&gt;What I mean by “additional gateways” is when a host inside the architecture opens an extra gateway to external networks like the Internet. Depending on the configuration of the work stations, this might be possible. This might happen, for instance, when employees such as office users or IT managers need to access external resources that are blocked by the ordinary gateway/router/firewall of the company (fetching external e-mail via IMAP if disabled, accessing repositories of updates, downloading non-company-standard software for testing, and so on). Depending on the configuration of their hosts, it might be possible to connect the host to the Internet using a cell phone or a similar mobile broadband router.&lt;/p&gt;

&lt;h1&gt;
  
  
  Model
&lt;/h1&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jEDxQNv7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n9kodo4kn8odf73ldf1t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jEDxQNv7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n9kodo4kn8odf73ldf1t.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Created with foreseeti’s &lt;a href="https://foreseeti.com/threat-modeling/"&gt;Threat Modeling&lt;/a&gt; tool &lt;a href="https://foreseeti.com/securicad/"&gt;securiCAD&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Attack Vector Attenuation
&lt;/h1&gt;

&lt;p&gt;Attenuating this attack vector is a bit tricky since it represents a network- and firewall-related attack path, which means it is better to look at this scenario with an approach like “What would happen if an external communication path were to be opened by a host in this network zone?”.&lt;/p&gt;

&lt;h1&gt;
  
  
  Conclusions
&lt;/h1&gt;

&lt;p&gt;When introducing an extra gateway like this, it is up to the configuration of the external gateway (the mobile broadband set-up of the work station) to take responsibility for the gateway protection parameters, i.e. the “Enabled” and the “KnownRuleSet” parameters of the “Mobile GW FW” object. In effect, the user starting this external connection has more or less the same role as the IT staff running the main external gateway of the company.&lt;/p&gt;

&lt;p&gt;Both the “Administration” and the “Communication” connections of the “Mobile GW” router shall be connected to the “Local WS Net” zone since the connection is managed by the work station.&lt;/p&gt;

&lt;p&gt;In this attack scenario, the attacker is not gaining access to the “Internal Zone” network immediately/only by bypassing the “Mobile GW” protective mechanisms. Instead, it will first arrive at the extra gateway (virtual) interface of the work station and will then have to continue the attack from there. This is not considered hard, but the attack needs to traverse the work station before reaching the other network zones it is connected to.&lt;/p&gt;

</description>
      <category>learning</category>
      <category>security</category>
      <category>computerscience</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Threat Modeling — Step by Step</title>
      <dc:creator>Iza Hedlund</dc:creator>
      <pubDate>Tue, 16 Feb 2021 12:49:08 +0000</pubDate>
      <link>https://forem.com/iza_hedlund/threat-modeling-step-by-step-42hk</link>
      <guid>https://forem.com/iza_hedlund/threat-modeling-step-by-step-42hk</guid>
      <description>&lt;h1&gt;
  
  
  What is Threat Modeling?
&lt;/h1&gt;

&lt;p&gt;While there is not one exact industry-wide definition, Threat Modeling can be summarized as a practice to proactively analyze the cyber security posture of a system or system of systems. Threat Modeling can be conducted both in the design/development phases and for live system environments. It is often referred to as Designing for Security. In short, Threat Modeling answers questions such as “Where am I most vulnerable to attacks?”, “What are the key risks?”, and “What should I do to reduce these risks?”.&lt;/p&gt;

&lt;p&gt;More specifically, Threat Modeling identifies cybersecurity threats and vulnerabilities and provides insights into the security posture, and what controls or defenses should be in place given the nature of the system, the high-value assets to be protected, the potential attackers’ profiles, the potential attack vectors, and the potential attack paths to the high-value assets.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://foreseeti.com/threat-modeling/"&gt;Threat Modeling can consist of the following steps:&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;1. Create a representation of the environment to be analyzed&lt;br&gt;
2. Identify the high value assets, the threat actors, and articulate risk tolerance&lt;br&gt;
3. Analyze the system environment from potential attackers’ perspective:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;How can attackers reach and compromise my high value assets? I.e. what are the possible attack paths for how attackers can reach and compromise my high-value assets?&lt;/li&gt;
&lt;li&gt;Which of these paths are easier and which are harder for attackers?&lt;/li&gt;
&lt;li&gt;What is my cyber posture — how hard is it for attackers to reach and compromise my high-value assets?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the security is too weak/risks are too high,&lt;/p&gt;

&lt;p&gt;4. Identify potential measures to improve security to acceptable/target levels&lt;/p&gt;

&lt;p&gt;5. Identify the potential measures that should be implemented — the most efficient ways for your organization to reach acceptable/target risk levels&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BxJPag7F--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nrh9dbx30cfr9qohsp7c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BxJPag7F--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nrh9dbx30cfr9qohsp7c.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Why Threat Model — The Business Values
&lt;/h1&gt;

&lt;p&gt;Threat Modeling is a very effective way to make informed decisions when managing and improving your cybersecurity posture. It can be argued that Threat Modeling, when done well, can be the most effective way of managing and improving your cyber risk posture, as it can enable you to identify and quantify risks proactively and holistically and steer your security measures to where they create the best value.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Identify and manage vulnerabilities and risks before they are implemented and exploited&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before implementation: Threat Modeling enables companies to “shift left” and identify and mitigate security risks already in the planning/design/development phases, which is many times (often 10x, 100x, or even more) more cost-effective than fixing them in the production phase.&lt;/p&gt;

&lt;p&gt;Before exploited: As rational and effective cyber defenders, we need both proactive and reactive cyber capabilities. Strengthening security proactively, before attacks happen, has clear advantages. However, it also comes with a cost. Effective Threat Modeling enables the user to make risk-based decisions on what measures to implement proactively.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Prioritize security resources to where they create the best value&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One of the key challenges in managing cybersecurity is to determine how to prioritize and allocate scarce resources to manage risks with the best effect per dollar spent. The process for Threat Modeling, presented in the first section of this text, is a process for determining exactly this. When done effectively, it takes into consideration all the key parts guiding rational decision making.&lt;/p&gt;

&lt;p&gt;There are several additional benefits to threat modeling. One is that all the analyses are conducted on a model representation of your environment, which creates significant advantages, as the analyses are non-intrusive and analysts can test scenarios before implementation. Another is that threat models create a common ground for communication in your organization and increase cybersecurity awareness. To keep this text concise, we here primarily highlight the values above. We also want to state that there are several other excellent descriptions of the values of threat modeling, and we encourage you to explore them.&lt;/p&gt;

&lt;h1&gt;
  
  
  Who does Threat Modeling and When?
&lt;/h1&gt;

&lt;p&gt;On the question “Who should threat model?” the Threat Modeling Manifesto says “You. Everyone. Anyone who is concerned about the privacy, safety, and security of their system.” While we do agree with this principle in the long term, we want to nuance the view and highlight the need for automation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Threat Modeling in development&lt;/strong&gt;: &lt;br&gt;
This is the “base case” for Threat Modeling. Threat modeling is typically conducted from the design phase and onward in the development process. It is rational and common to do it more thoroughly for high criticality systems and less thoroughly for low criticality systems. Threat modeling work is typically done by a combination of development/DevOps teams and the security organization.&lt;/p&gt;

&lt;p&gt;More mature organizations typically have more of the work done by the development/DevOps teams, while less mature organizations have more of the work supported by the security organization.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Threat Modeling of live environments&lt;/strong&gt;:&lt;br&gt;
Many organizations also do threat modeling on their live environments, especially for high criticality systems. As with Threat Modeling in development, organizations have organized the work in different ways. Here, the work is typically done by a combination of operations/DevOps teams and the security organization. Naturally, it is advantageous when Threat Models fit together and evolve over time from development through operations and DevOps cycles.&lt;/p&gt;

</description>
      <category>tutorial</category>
      <category>security</category>
      <category>tips</category>
      <category>beginners</category>
    </item>
  </channel>
</rss>
